MicrosoftDocs / azure-aks-docs

Public sync with private repo azure-aks-docs-pr
Creative Commons Attribution 4.0 International

AKS Learn feedback: Update a private cluster from a private DNS zone to public using the "--private-dns-zone none" is NOT working. #79

Closed lualvare closed 3 weeks ago

lualvare commented 3 weeks ago

Type of issue

Code doesn't work

Feedback

Hello team, I have tested this feature of updating an existing Private cluster from --private-dns-zone=system to --private-dns-zone=none and this is NOT working.

The change happens at the AKS level as expected; however, the AKS nodes still point to the Private FQDN instead of pointing to the PUBLIC FQDN which resolves to the private IP address.

This results in AKS nodes not being able to reach the API Server by using the PUBLIC ENDPOINT.

I tested this with AKS 1.29.9 and also 1.30.1 and the NODES are not able to connect to the API Server.

Error seen on VMSS CSE

VM has reported a failure when processing extension 'vmssCSE' (publisher 'Microsoft.Azure.Extensions' and type 'CustomScript'). Error message: 'Enable failed: failed to execute command: command terminated with exit status=52 [stdout] { "ExitCode": "52", "Output": "4a-87a7-4c8e-a296-107894c7d8d6.privatelink.canadacentral.azmk8s.io: NXDOMAIN\n\nServer:\t\t10.1.0.10\nAddress:\t10.1.0.10#53\n\n** server can't find aks-api-connection-essxlb92.d95e424a-87a7-4c8e-a296-107894c7d8d6.privatelink.canadacentral.azmk8s.io:

Page URL

https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=default-basic-networking%2Cazure-portal

Content source URL

https://github.com/MicrosoftDocs/azure-aks-docs/blob/main/articles/aks/private-clusters.md

Author

@schaffererin

Document Id

028051c9-b3cc-5b7d-c379-c14f2bf78e71

schaffererin commented 3 weeks ago

assign:schaffererin

schaffererin commented 3 weeks ago

Hi, @lualvare! I had no issues updating the cluster using --private-dns-zone none after connecting to the cluster using the az aks get-credentials command. This step wasn't outlined in the article originally. I'd suggest trying to run the update command again after you connect to the cluster. I merged a PR with updates to the article that include the connect to cluster step. I'm going to go ahead and close out this issue for now. If you have any further issues, please feel free to respond in this thread or open up a new GitHub issue. Thank you! #please-close

lualvare commented 3 weeks ago

@schaffererin, thanks for the reply.

I have these questions.

  1. When you connect to the cluster, are you able to see the cluster Nodes in Ready State?
  2. Is this feature just meant to connect from the kubectl client to the Public endpoint of the API server while the AKS NODES still use the private Endpoint?
  3. Is it expected that cluster nodes still try to reach the private endpoint and not the public endpoint for the Private API?

Thank you so much.