Azure / AKS

Azure Kubernetes Service
https://azure.github.io/AKS/

Node Public IP Host Network NSG Control #2553

Closed swgriffith closed 2 weeks ago

swgriffith commented 2 years ago

When you create a cluster with Node Public IP enabled, and then try to expose a pod through the host network, there's no mechanism to update the cluster network security group to allow the pod traffic. You need to go into the MC_ resource group and manually edit the cluster NSG to allow the pod port through.

Need a recommended and supported approach. It would be great if there was a way to detect the pod is using host networking and trigger an NSG update, but not sure if that's feasible.

Steps to recreate:

  1. Create a cluster with node public IP enabled in a pre-created Vnet/Subnet:
     az aks create -g EphNodePublicIP -n nodepubip --enable-node-public-ip --vnet-subnet-id /subscriptions/XXX-XXX-XXX/resourceGroups/EphNodePublicIP/providers/Microsoft.Network/virtualNetworks/aksdemo/subnets/aks

  2. Deploy a workload using host networking: kubectl apply -f https://raw.githubusercontent.com/swgriffith/azure-guides/master/aks-node-pubip/nginx-node-pubip.yaml

  3. Try to curl one of the node public IPs for a node hosting an instance of the nginx pod. Curl will fail because the MC_ NSG isn't allowing port 80.

  4. Go to the MC_ resource group and edit the nsg to allow inbound on port 80

  5. Curl the node public IP again. Traffic will flow to the nginx pod
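The manual edit in step 4 can be scripted. The following is an added example, not code from the issue or from AKS; it assumes the az CLI is logged in, kubectl points at the cluster from step 1, and jq is installed. It opens the node NSG only for the ports that hostNetwork pods actually listen on, and only from a caller-supplied source CIDR rather than from any address.

```shell
#!/bin/sh
# Added example (not from the issue or AKS): scripts step 4 of the repro.
# Assumes: az CLI logged in, kubectl pointed at the cluster, jq installed.
# Only ports that hostNetwork pods actually listen on are opened, and only
# from the caller-supplied source CIDR, never from "*" or Internet.
set -eu

# Build the argument list for `az network nsg rule create` as one line.
# Kept free of az calls so the output can be checked offline.
nsg_rule_args() {
  nsg_rg="$1"; nsg_name="$2"; port="$3"; source_prefix="$4"; priority="$5"
  case "$port" in
    ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; return 1
  fi
  printf '%s\n' "--resource-group $nsg_rg --nsg-name $nsg_name \
--name allow-hostnet-tcp-$port --priority $priority --direction Inbound \
--access Allow --protocol Tcp --source-address-prefixes $source_prefix \
--destination-port-ranges $port"
}

# Listening ports of every hostNetwork pod in the cluster, one per line.
hostnet_ports() {
  kubectl get pods -A -o json |
    jq -r '.items[] | select(.spec.hostNetwork == true)
           | .spec.containers[].ports[]? | .hostPort // .containerPort' |
    sort -un
}

main() {
  rg="$1"; cluster="$2"; source_prefix="$3"   # e.g. the CIDR of your callers
  # AKS keeps the node NSG in the hidden MC_ resource group; look it up.
  mc_rg=$(az aks show -g "$rg" -n "$cluster" --query nodeResourceGroup -o tsv)
  nsg=$(az network nsg list -g "$mc_rg" --query '[0].name' -o tsv)
  priority=200
  for port in $(hostnet_ports); do
    # Word splitting of the argument string is intended; no value has spaces.
    az network nsg rule create $(nsg_rule_args "$mc_rg" "$nsg" "$port" "$source_prefix" "$priority")
    priority=$((priority + 1))
  done
}

# Run only when invoked as: ./open-hostnet-ports.sh <rg> <cluster> <source-cidr>
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

Re-run it after deploying a new hostNetwork workload; it adds one rule per newly exposed port and leaves existing rules alone.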

dzmitry-lahoda commented 2 years ago

Indeed, it is a roadblocker to automatic provisioning of clusters. It is impossible to deploy automatically anything other than a simple HTTP cluster from scripts.

dzmitry-lahoda commented 2 years ago

People build brittle workarounds: https://github.com/googleforgames/agones/pull/2124

dzmitry-lahoda commented 2 years ago

Also, I cannot set up an ingress installed via Helm with a static IP, as the ingress requires the static IP to be created within that hidden new group.

ghost commented 2 years ago

Action required from @Azure/aks-pm

allyford commented 2 weeks ago

This issue has been resolved via feature: #3958