Description
Is this a request for help?: No
Is this an ISSUE or FEATURE REQUEST? (choose one): Issue
What version of aks-engine?:
Version: canary
GitCommit: 9bbf434
GitTreeState: clean
Kubernetes version: v1.14.1
What happened:
Per @daschott, Windows nodes are deployed with an overly broad NAT exception of 10.0.0.0/8. That overlaps with the actual CIDRs that should be excluded:
cluster CIDR 10.240.0.0/12
service CIDR 10.0.0.0/16
Windows nodes have this:
```json
{
  "cniVersion": "0.3.0",
  "name": "azure",
  "plugins": [
    {
      "type": "azure-vnet",
      "mode": "bridge",
      "bridge": "azure0",
      "capabilities": {
        "portMappings": true,
        "dns": true
      },
      "ipam": {
        "type": "azure-vnet-ipam"
      },
      "dns": {
        "Nameservers": [
          "10.0.0.10",
          "168.63.129.16"
        ],
        "Search": [
          "svc.cluster.local"
        ]
      },
      "AdditionalArgs": [
        {
          "Name": "EndpointPolicy",
          "Value": {
            "Type": "OutBoundNAT",
            "ExceptionList": [
              "10.240.0.0/12",
              "10.240.0.0/12",
              "10.0.0.0/8"
            ]
          }
        },
        {
          "Name": "EndpointPolicy",
          "Value": {
            "Type": "ROUTE",
            "DestinationPrefix": "10.0.0.0/16",
            "NeedEncap": true
          }
        }
      ]
    }
  ]
}
```
Linux nodes have a broad IP masq exclusion set:
```
I0506 21:03:52.297935 1 ip-masq-agent.go:159] using config: {"nonMasqueradeCIDRs":["10.0.0.0/8","168.63.129.16/32"],"masqLinkLocal":true ,"resyncInterval":60000000000}
```
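As an added example (not part of this issue or of aks-engine), a small Python audit that pulls the NAT-exempt ranges out of the Windows CNI config and the Linux ip-masq-agent log line quoted above and flags every entry that is a strict supernet of the cluster or service CIDR, or a duplicate. The Windows config is trimmed to the OutBoundNAT policy, and treating the 168.63.129.16/32 host exemption as expected is an assumption.

```python
import ipaddress
import json

# The only ranges the issue says should bypass NAT (cluster and service CIDRs).
EXPECTED = {
    "cluster": ipaddress.ip_network("10.240.0.0/12"),
    "service": ipaddress.ip_network("10.0.0.0/16"),
}

# Constructed excerpt of the Windows CNI config quoted in the issue (OutBoundNAT only).
WINDOWS_CNI = json.loads("""{"plugins": [{"AdditionalArgs": [
    {"Name": "EndpointPolicy", "Value": {"Type": "OutBoundNAT",
     "ExceptionList": ["10.240.0.0/12", "10.240.0.0/12", "10.0.0.0/8"]}}]}]}""")

# Constructed copy of the ip-masq-agent log line quoted in the issue.
LINUX_LOG = ('I0506 21:03:52.297935 1 ip-masq-agent.go:159] using config: '
             '{"nonMasqueradeCIDRs":["10.0.0.0/8","168.63.129.16/32"],'
             '"masqLinkLocal":true,"resyncInterval":60000000000}')


def windows_exceptions(cni_conf):
    """Collect every OutBoundNAT ExceptionList entry from an azure CNI config."""
    out = []
    for plugin in cni_conf.get("plugins", []):
        for arg in plugin.get("AdditionalArgs", []):
            value = arg.get("Value", {})
            if arg.get("Name") == "EndpointPolicy" and value.get("Type") == "OutBoundNAT":
                out.extend(value.get("ExceptionList", []))
    return out


def linux_non_masq(log_line):
    """Parse nonMasqueradeCIDRs out of the ip-masq-agent 'using config:' log line."""
    cfg = json.loads(log_line.split("using config: ", 1)[1])
    return cfg.get("nonMasqueradeCIDRs", [])


def audit(cidrs, expected=EXPECTED, allowed_hosts=("168.63.129.16/32",)):
    """Return (cidr, verdict) pairs: ok, duplicate, too_broad or unexpected."""
    findings, seen = [], set()
    for raw in cidrs:
        net = ipaddress.ip_network(raw)
        if raw in seen:
            findings.append((raw, "duplicate"))
            continue
        seen.add(raw)
        if net in expected.values() or raw in allowed_hosts:  # allowed_hosts is assumed
            findings.append((raw, "ok"))
        elif any(e.subnet_of(net) for e in expected.values()):
            findings.append((raw, "too_broad"))  # supernet of a cluster/service range
        else:
            findings.append((raw, "unexpected"))
    return findings
```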
What you expected to happen:
No extraneous NAT exceptions
How to reproduce it (as minimally and precisely as possible):
Deploy with this guide: https://github.com/Azure/aks-engine/blob/master/docs/topics/windows.md
Anything else we need to know: