Unable to use service.beta.kubernetes.io/azure-disable-load-balancer-floating-ip=true and service.beta.kubernetes.io/azure-shared-securityrule: true together with multiple services #6151
Labels: kind/bug
What happened:
We have a number of services deployed on our AKS cluster with the annotation service.beta.kubernetes.io/azure-disable-load-balancer-floating-ip=true. According to the Azure docs, this will forward traffic to the backend pools using the DIP of the nodes rather than the frontend IP that is being hit. Within the NSG rule in Azure, we can see rules that are set up looking as such.

These are two services we have set up with separate frontend IPs (i.e. the VIPs in Azure terminology). Both of them use port 443 as the listener. However, since floating IP is disabled, the port in the rule is actually the backend node port that will be hit by the service (i.e. ports 31941 and 30685).
When we try adding the annotation service.beta.kubernetes.io/azure-shared-securityrule: true to the services, we lose connectivity to one of them after the NSG rule is updated. The new state looks something like this:

When we try to telnet to the frontend IP, we are unable to connect.

No rule for port 31941 is available, as the second rule will overwrite the first one. It seems that the naming of the rules will clash, as it is no longer the LB listener port that is used in the rule. I believe the logic here is what picks the name:
cloud-provider-azure/pkg/provider/azure_standard.go, line 315 in 64f0448

From what I can tell, the shared security rule only combines the destination IPs. Is it possible to also combine the ports here (as well as source IPs) to condense the rules a bit?
What you expected to happen:
Connectivity to both services should still work.
How to reproduce it (as minimally and precisely as possible):
Details are listed above
Environment:
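The clash described in this report, modelled as an added example (it is not code from the issue or from cloud-provider-azure): two services share a listener port but open different node ports once floating IP is disabled, and a shared rule keyed on the listener port can hold only one destination port, so the second write silently replaces the first. The naming pattern `shared-<proto>-<port>-Internet`, the function names, and the 203.0.113.x VIPs are assumptions constructed for the example. `BuildRules` reports such collisions before anything is applied, which is the check an operator would want in a pre-apply validation step, and `DestPortNamer` shows one naming scheme that keeps the two rules apart.

```go
package main

import "fmt"

// Service is a simplified view of a LoadBalancer Service, limited to the fields
// that decide how its NSG rule is named and which destination port it opens.
type Service struct {
	Name          string
	FrontendIP    string // VIP handed out by Azure; the values below are constructed
	ListenerPort  int    // port clients connect to (443 in the issue)
	NodePort      int    // backend node port used once floating IP is disabled
	Protocol      string
	SharedRule    bool // service.beta.kubernetes.io/azure-shared-securityrule
	FloatingIPOff bool // service.beta.kubernetes.io/azure-disable-load-balancer-floating-ip
}

// Rule is one NSG rule as it would end up in the security group.
type Rule struct {
	Name     string
	DestIPs  []string
	DestPort int
}

// Namer maps a service to the NSG rule name it is written under.
type Namer func(Service) string

// destPort returns the port the rule must actually open: with floating IP
// disabled, traffic reaches the node port, so that is what the rule carries.
func destPort(s Service) int {
	if s.FloatingIPOff {
		return s.NodePort
	}
	return s.ListenerPort
}

// ListenerPortNamer models the naming the reporter describes: the shared rule
// is keyed on the listener port even when the rule opens the node port.
// Hypothetical model of the behaviour, not the provider's own naming code.
func ListenerPortNamer(s Service) string {
	if s.SharedRule {
		return fmt.Sprintf("shared-%s-%d-Internet", s.Protocol, s.ListenerPort)
	}
	return fmt.Sprintf("%s-%s-%d-Internet", s.Name, s.Protocol, s.ListenerPort)
}

// DestPortNamer keys the shared rule on the port it actually opens, so two
// services with different node ports can never land on the same name.
func DestPortNamer(s Service) string {
	if s.SharedRule {
		return fmt.Sprintf("shared-%s-%d-Internet", s.Protocol, destPort(s))
	}
	return fmt.Sprintf("%s-%s-%d-Internet", s.Name, s.Protocol, s.ListenerPort)
}

// BuildRules folds services into rules keyed by name. Services that land on the
// same name with the same destination port are merged (destination IPs combined,
// which is what the shared rule exists for). Services that land on the same name
// with a different destination port are a collision: the later one overwrites
// the earlier, and the earlier service loses connectivity.
func BuildRules(svcs []Service, name Namer) (map[string]Rule, []string) {
	rules := map[string]Rule{}
	var collisions []string
	for _, s := range svcs {
		n := name(s)
		port := destPort(s)
		existing, ok := rules[n]
		switch {
		case !ok:
			rules[n] = Rule{Name: n, DestIPs: []string{s.FrontendIP}, DestPort: port}
		case existing.DestPort == port:
			existing.DestIPs = append(existing.DestIPs, s.FrontendIP)
			rules[n] = existing
		default:
			collisions = append(collisions, fmt.Sprintf(
				"%s: port %d replaced by %d (service %s)", n, existing.DestPort, port, s.Name))
			rules[n] = Rule{Name: n, DestIPs: []string{s.FrontendIP}, DestPort: port}
		}
	}
	return rules, collisions
}

// IssueServices is the two-service setup from the report; the VIPs are constructed.
func IssueServices() []Service {
	return []Service{
		{Name: "svc-a", FrontendIP: "203.0.113.10", ListenerPort: 443, NodePort: 31941, Protocol: "TCP", SharedRule: true, FloatingIPOff: true},
		{Name: "svc-b", FrontendIP: "203.0.113.11", ListenerPort: 443, NodePort: 30685, Protocol: "TCP", SharedRule: true, FloatingIPOff: true},
	}
}

func main() {
	namers := []struct {
		label string
		f     Namer
	}{
		{"listener-port naming", ListenerPortNamer},
		{"dest-port naming", DestPortNamer},
	}
	for _, n := range namers {
		rules, collisions := BuildRules(IssueServices(), n.f)
		fmt.Printf("%s: %d rule(s), %d collision(s)\n", n.label, len(rules), len(collisions))
		for _, c := range collisions {
			fmt.Println("  ", c)
		}
	}
}
```

With the listener-port naming the two services collapse into one rule that only opens 30685, which matches the report's missing rule for 31941; with the destination-port naming they stay as two rules. Two services that genuinely share a destination port (floating IP left on, same listener port) are still merged into one rule with both VIPs, so the check does not break the legitimate use of the shared rule.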