feat: add DisableOutboundSNAT feature #1708
Conversation
sylr
force-pushed
the
disable-outbound-nat
branch
2 times, most recently
from
2b039b8
to
2eae604
Compare
|
/azp run pr-e2e |
|
Azure Pipelines successfully started running 1 pipeline(s). |
sylr
force-pushed
the
disable-outbound-nat
branch
from
2eae604
to
3b8ec46
Compare
|
Here is the current default implementation that I'm referring to: |
pkg/api/types.go
Outdated
| @@ -116,6 +116,7 @@ type FeatureFlags struct { | |||
| EnableCSERunInBackground bool `json:"enableCSERunInBackground,omitempty"` | |||
| BlockOutboundInternet bool `json:"blockOutboundInternet,omitempty"` | |||
| EnableIPv6DualStack bool `json:"enableIPv6DualStack,omitempty"` | |||
| DisableOutboundSNAT bool `json:"disableOutboundSnat,omitempty"` | |||
There was a problem hiding this comment.
does this belong in KubernetesConfig instead? featureFlags is not meant to be used for k8s configuration but instead allow testing of experimental features without exposing them in docs. The loadBalancerSku and excludeMasterFromStandardLB knobs are in KubernetesConfig for example.
There was a problem hiding this comment.
If you do move it to KubernetesConfig, could you also include it in docs/topics/clusterdefinitions.md?
Yep, for SLB with outbound rules defined, |
jackfrancis
force-pushed
the
disable-outbound-nat
branch
from
3b8ec46
to
79dad8b
Compare
| @@ -80,6 +80,62 @@ func getK8sMasterVars(cs *api.ContainerService) (map[string]interface{}, error) | |||
| kubernetesVersion = orchProfile.OrchestratorVersion + AzureStackSuffix | |||
| } | |||
|
|
|||
| provisionScriptParametersCommonString := "[concat(" + | |||
There was a problem hiding this comment.
Thank you @sylr for this code maintenance improvement :)
@CecileRobertMichon @devigned @mboersma FYI
(Also, I manually validated that nothing was lost during translation.)
|
/azp run pr-e2e |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run pr-e2e |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run pr-e2e |
|
Azure Pipelines successfully started running 1 pipeline(s). |
jackfrancis
force-pushed
the
disable-outbound-nat
branch
from
d9bb943
to
3f14d1b
Compare
|
/azp run pr-e2e |
|
Azure Pipelines successfully started running 1 pipeline(s). |
pkg/api/types.go
Outdated
| @@ -320,6 +320,7 @@ type CloudProviderConfig struct { | |||
| CloudProviderRateLimitQPSWrite string `json:"cloudProviderRateLimitQPSWrite,omitempty"` | |||
| CloudProviderRateLimitBucket int `json:"cloudProviderRateLimitBucket,omitempty"` | |||
| CloudProviderRateLimitBucketWrite int `json:"cloudProviderRateLimitBucketWrite,omitempty"` | |||
| CloudProviderDisableOutboundSNAT bool `json:"cloudProviderDisableOutboundSnat,omitempty"` | |||
There was a problem hiding this comment.
Snat instead of SNAT ?
sylr
force-pushed
the
disable-outbound-nat
branch
from
0818c73
to
546c1df
Compare
jackfrancis
force-pushed
the
disable-outbound-nat
branch
from
2ec4ad6
to
380664a
Compare
|
/azp run pr-e2e |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Codecov Report
@@ Coverage Diff @@
## master #1708 +/- ##
==========================================
+ Coverage 71.6% 71.67% +0.07%
==========================================
Files 142 142
Lines 24817 24881 +64
==========================================
+ Hits 17770 17834 +64
Misses 5911 5911
Partials 1136 1136 |
|
Hi all, Just checking in to see updates on this item ? Currently facing an issue of Standard LB not honoring outbound rules because of Let me know if there is anything I can contribute \ test out. |
Signed-off-by: Sylvain Rabot <[email protected]>
Signed-off-by: Sylvain Rabot <[email protected]>
jackfrancis
force-pushed
the
disable-outbound-nat
branch
from
cfeb7b0
to
c17be20
Compare
|
/azp run pr-e2e |
|
Azure Pipelines successfully started running 1 pipeline(s). |
| o.KubernetesConfig.CloudProviderDisableOutboundSNAT = to.BoolPtr(false) | ||
| } | ||
| } else { | ||
| // CloudProviderDisableOutboundSNAT is only valid in the context of Standard LB, statically set to false if not Standard LB |
There was a problem hiding this comment.
Can we drop a note in docs about this?
| @@ -73,6 +73,18 @@ $ aks-engine get-versions | |||
| | maximumLoadBalancerRuleCount | no | Maximum allowed LoadBalancer Rule Count is the limit enforced by Azure Load balancer. Default is 250 | | |||
| | kubeProxyMode | no | kube-proxy --proxy-mode value, either "iptables" or "ipvs". Default is "iptables". See https://kubernetes.io/blog/2018/07/09/ipvs-based-in-cluster-load-balancing-deep-dive/ for further reference. | | |||
| | outboundRuleIdleTimeoutInMinutes | no | Specifies a value for IdleTimeoutInMinutes to control the outbound flow idle timeout of the agent standard loadbalancer. This value is set greater than the default Linux idle timeout (15.4 min): https://pracucci.com/linux-tcp-rto-min-max-and-tcp-retries2.html | | |||
| | cloudProviderBackoff | no | Use the Azure cloudprovider exponential backoff implementation when encountering retry-able errors from the Azure API. Defaults to `true` for Kubernetes v1.14.0 and greater. | | |||
There was a problem hiding this comment.
@CecileRobertMichon There was a rather large cloudprovider config documentation gap, so I used this PR as an excuse to backfill that info.
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: sylr If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/azp run pr-e2e |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Signed-off-by: Sylvain Rabot [email protected]
Reason for Change:
aks-engine currently does not allow to specify the cloud provider setting
disableOutboundSnat.Issue Fixed:
Related to #1689
Fixes #1001
Requirements:
Notes: