Closed swgriffith closed 2 weeks ago
Indeed, it is a roadblocker to automatic provisioning of clusters. It is impossible to deploy automatically anything other than a simple HTTP cluster from scripts.
People build brittle workarounds: https://github.com/googleforgames/agones/pull/2124
Also, I cannot set up an ingress installed via Helm with a static IP, as the ingress requires the static IP to be created within that hidden new group.
Action required from @Azure/aks-pm
This issue has been resolved via feature: #3958
When you create a cluster with Node Public IP enabled, and then try to expose a pod through the host network, there's no mechanism to update the cluster network security group to allow the pod traffic. You need to go into the MC_ resource group and manually edit the cluster NSG to allow the pod port through.
Need a recommended and supported approach. It would be great if there was a way to detect the pod is using host networking and trigger an NSG update, but not sure if that's feasible.
Steps to recreate:
1. Create a cluster with node public IP enabled in a pre-created VNet/subnet:
   az aks create -g EphNodePublicIP -n nodepubip --enable-node-public-ip --vnet-subnet-id /subscriptions/XXX-XXX-XXX/resourceGroups/EphNodePublicIP/providers/Microsoft.Network/virtualNetworks/aksdemo/subnets/aks
2. Deploy a workload using host networking:
   kubectl apply -f https://raw.githubusercontent.com/swgriffith/azure-guides/master/aks-node-pubip/nginx-node-pubip.yaml
3. Try to curl one of the node public IPs for a node hosting an instance of the nginx pod. Curl will fail because the MC_ NSG isn't allowing port 80.
4. Go to the MC_ resource group and edit the NSG to allow inbound on port 80.
5. Curl the node public IP again. Traffic will flow to the nginx pod.
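The gap described in this issue (a hostNetwork pod listening on a node that has a public IP, with no matching inbound rule in the cluster NSG) can be audited before anyone has to open the MC_ resource group by hand. The following is an added example, not code from this issue or from AKS: it reads the shapes of `kubectl get pods -o json` and `az network nsg show -o json` from constructed inline samples (pod names, rule names and priorities are made up), collects the ports that hostNetwork pods expose directly on the node, and evaluates the NSG the way Azure does, lowest priority number first, first match wins, falling through to the default DenyAllInbound. The sample deliberately puts a Deny at priority 200 ahead of an Allow at 300 so the ordering matters.

```python
# Constructed stand-ins for `kubectl get pods -A -o json` / `az network nsg show -o json` (fields used only).
PODS = {"items": [
    {"metadata": {"namespace": "default", "name": "nginx-node-pubip-abc12"},
     "spec": {"hostNetwork": True, "containers": [
         {"name": "nginx", "ports": [{"containerPort": 80, "protocol": "TCP"}]}]}},
    {"metadata": {"namespace": "default", "name": "api-0"},
     "spec": {"hostNetwork": False, "containers": [{"name": "api", "ports": [{"containerPort": 8080}]}]}},
]}
NSG = {"securityRules": [
    {"name": "allow-ssh", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "22", "destinationPortRanges": []},
    {"name": "deny-web", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "destinationPortRange": None, "destinationPortRanges": ["80", "443"]},
    {"name": "allow-web", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "80-443", "destinationPortRanges": []},
]}

def host_network_ports(pods):
    """Map (port, proto) -> pod names for pods that share the node's network namespace."""
    exposed = {}
    for pod in pods["items"]:
        if not pod["spec"].get("hostNetwork"):
            continue  # pod-network ports are not reachable on the node public IP
        name = pod["metadata"]["namespace"] + "/" + pod["metadata"]["name"]
        for c in pod["spec"]["containers"]:
            for p in c.get("ports") or []:
                key = (p["containerPort"], p.get("protocol", "TCP").upper())
                exposed.setdefault(key, []).append(name)
    return exposed

def _matches(rule, port, proto):
    if rule["direction"] != "Inbound" or rule["protocol"].upper() not in ("*", proto):
        return False
    ranges = [rule["destinationPortRange"]] if rule.get("destinationPortRange") else []
    for r in ranges + (rule.get("destinationPortRanges") or []):
        lo, _, hi = r.partition("-")
        if r == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def inbound_allowed(nsg, port, proto):
    """Lowest priority number wins; no match falls through to the default DenyAllInbound."""
    for rule in sorted(nsg["securityRules"], key=lambda r: r["priority"]):
        if _matches(rule, port, proto):
            return rule["access"] == "Allow"
    return False

def audit(pods=PODS, nsg=NSG):
    """Host-network ports the NSG does not allow inbound, with the pods behind them."""
    return {f"{port}/{proto}": names for (port, proto), names in host_network_ports(pods).items()
            if not inbound_allowed(nsg, port, proto)}
```

Running `audit()` on the sample reports `80/TCP` for the nginx pod, because the Deny at 200 is matched before the Allow at 300; the pod-network `api-0` is ignored since its port is not on the node IP. Source address prefixes are not evaluated here, so a real check would also confirm the rule's source matches the clients you expect.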