Containers Cannot Start After Node Pool Scales

[rgrwatson85]

What happened: I used the Kubernetes dashboard to scale my deployment up to 110 pods to force the node pool to scale up. After a VMSS node pool scales up, none of the containers running on a new VMSS instance are able to start up correctly when Kubernetes is managing the lifecycle. We are using this cluster to host Azure Pipelines build agents, and part of the container start up script is to download the agent service from our Azure Devops tenant.

Here is the block of code that is causing the failure.

print_header "[1/5] Determining matching Azure Pipelines agent..."

AZP_AGENT_RESPONSE=$(curl -LsS \
  -u user:$(cat "$AZP_TOKEN_FILE") \
  -H 'Accept:application/json;api-version=3.0-preview' \
  "$VSTS_URL/_apis/distributedtask/packages/agent?platform=linux-x64")

The logs for the pods all show the same error message. curl: (6) Could not resolve host: xxxxxxx.visualstudio.com; Unknown error

Here is the kicker - If I SSH into the AKS node that is trying to run this pod, I can start a new container successfully using docker run ... and it downloads and registers the agent service with Azure DevOps successfully.

This only happens on the nodes that were created due to the scale operation, and the previously existing node is able to create and delete pods without issue.

What you expected to happen: I expected the new VMSS instance created by AKS to be able to start my container successfully.

How to reproduce it (as minimally and precisely as possible):

1. Create an AKS cluster with a Linux node pool backed by a VMSS with only 1 instance.
2. Create a deployment to AKS where the container image is created similarly to this process.
3. Ensure that the deployment does not require an additional node to be created.
4. Ensure that the pod starts up correctly and the agent service(s) has registered with Azure DevOps.
5. From the Kubernetes Dashboard, scale the deployment up to >=110 pods.
6. Wait for scaling operation to complete.
7. Review status of pods running on the new node. The pods should have a status of Running and the container startup should be failing when determining the download url for the agent service.
8. SSH into the node created in the scale up operation.
9. Attempt to start a container instance using the appropriate docker commands.
10. Ensure the container starts successfully and that the agent service has registered with Azure DevOps.

Anything else we need to know?:

Environment:

• Kubernetes version (use kubectl version):

  Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.0", GitCommit:"2bd9643cee5b3b3a5ecbd3af49d09018f0773c77", GitTreeState:"clean", BuildDate:"2019-09-18T14:36:53Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"windows/amd64"}
  Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.8", GitCommit:"c52f59bbba5fbf21fbb18e9a06f96e563fe4c20a", GitTreeState:"clean", BuildDate:"2020-01-31T20:00:26Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"linux/amd64"}

• Size of cluster (how many worker nodes are in the cluster?) Initially 1, and after scale operation, there are 2

• General description of workloads in the cluster (e.g. HTTP microservices, Java app, Ruby on Rails, machine learning, etc.) Hosts Azure Pipelines build agents

• Others: The base image for the container is centos:7 and not ubuntu:16.04 as in the examples linked above

[github-actions[bot]]

Action required from @Azure/aks-pm

[rgrwatson85]

The reason this failed is due to the cluster using a custom route table. When a new node was created, it could not do any DNS resolution. We have worked with Microsoft’s global black belts to get this issue resolved.