AKS with virtual nodes limitations

[vivuu1989]

We are using AKS v1.26 and current AKS clusters are configured with AZURE CNI network policy and using the vmms based nodepools. we have Istio service mesh enabled with this cluster and using CSI driver plugin to mount secrets to the pods from keyvault. Also we have a number of daemonset pods running which needed for secretstore mounting and metric server based plugns etc..

Now we have a plan to use the Virtual nodes instead of the current nodepools and when we went through the MS docs, we are not sure whether the virtualnodes are production ready as its having a lot of limitations as listed below.

Using service principal to pull ACR images. Workaround is to use Kubernetes secrets
Virtual Network Limitations including VNet peering, Kubernetes network policies, and outbound traffic to the internet with network security groups.
Init containers
Host aliases
Arguments for exec in ACI
DaemonSets won't deploy pods to the virtual nodes
Virtual nodes support scheduling Linux pods. You can manually install the open source Virtual Kubelet ACI provider to schedule Windows Server containers to ACI.
Virtual nodes require AKS clusters with Azure CNI networking.
Using api server authorized ip ranges for AKS.
Volume mounting Azure Files share support General-purpose V2 and General-purpose V1. However, virtual nodes currently don't support Persistent Volumes and Persistent Volume Claims. Follow the instructions for mounting a volume with Azure Files share as an inline volume.
Using IPv6 isn't supported.
Virtual nodes don't support the Container hooks feature.

We have following query while planning for the virtual node implementation but the docs are not giving much information.

• Since we integrated AKS and ACR during the AKS instalation itself, it will be using the serviceprincipal based imagepull secret . will this supported on Virtual nodes?

• Since we are using Istio service mesh with our apps, its having init containers ans sidecar proxy containers in each apps pods. As virtual node will not support the init containers is it a blocker?

• We have CSI driver plugin enabled to mount the secrets from the keyvault. will this be issue on virtual node?

• Moreover whether the Virtualnodes are production ready and can we add the virtual nodes to our existing AKS clusters which are not enabled wih virtualnodes yet ?

Document link: https://learn.microsoft.com/en-us/azure/aks/virtual-nodes#known-limitations

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: b423e65f-2562-5711-bff0-c4ac3371161c
• Version Independent ID: cf6cd7ae-6849-64da-d6a9-effb6f2fe86a
• Content: Use virtual nodes - Azure Kubernetes Service
• Content Source: articles/aks/virtual-nodes.md
• Service: azure-kubernetes-service
• GitHub Login: @MGoedtel
• Microsoft Alias: magoedte

[RamanathanChinnappan-MSFT]

@vivuu1989 It would be great if you could add a link to the documentation you are following for these steps? This would help us redirect the issue to the appropriate team. Thanks!!

[vivuu1989]

@vivuu1989 It would be great if you could add a link to the documentation you are following for these steps? This would help us redirect the issue to the appropriate team. Thanks!! https://learn.microsoft.com/en-us/azure/aks/virtual-nodes#known-limitations Documents link added.

[RamanathanChinnappan-MSFT]

@vivuu1989 Thanks for your feedback! We will investigate and update as appropriate.

[SaibabaBalapur-MSFT]

@vivuu1989 Thanks for bringing this to our attention. I'm going to assign this to the document author so they can take a look at it accordingly.

@MGoedtel Can you please check and add your comments on this doc update request as applicable.

[vivuu1989]

Any update on the above?

[MGoedtel]

Assigning to #reassign:nickomang

[vivuu1989]

Its pending for long time. Any update on this?

[rayoef]

Thank you for your dedication to our documentation. Unfortunately, at this time we have been unable to review your issue in a timely manner, and we sincerely apologize for the delayed response. The requested updates have not been made since the creation of this issue, so we've created an internal work item to incorporate your suggestions. We are closing this issue for now, but feel free to comment here as necessary.

please-close