Calico for Windows does not work with nginx load balancer or nginx-ingress #2236
Comments
Hi SteveCurran, AKS bot here 👋 I might be just a bot, but I'm told my suggestions are normally quite good, as such:
Triage required from @Azure/aks-pm
Action required from @Azure/aks-pm
@SteveCurran as responded on Yammer, please open a case for this so we can investigate.
@SteveCurran Calico requires WinDSR so AKS enables WinDSR by default when enabling Calico on Windows nodes. For your request
@SteveCurran Do you have two or more AKS clusters and the nginx load balancer is in one cluster? Could you share the topology in your environment with us so we can investigate why the nginx load balancer does not work with nginx-ingress controllers in different AKS clusters when WinDSR is enabled?
@AbelHu Very simple. We have one nginx (1.19.8) outside of the cluster, which forwards to the service with an Azure-provisioned public IP. With DSR enabled we get a gateway timeout. No problems with clusters without DSR enabled.
@AbelHu Microsoft support is now telling us that DSR/AKS does not support the use of in cluster ingress controller similar to nginx. "DSR AKS does not seem to support using Load balancer service type due to current floating IP limitation I am hoping there is a way to turn off DSR in 1.20.+ Otherwise we will have to incur the cost of configuring and using an application gateway for each/all clusters. Our costs will significantly increase due to this limitation. We will have to modify all of our pipelines to accommodate this change.
@SteveCurran, we can disable WinDSR in your subscription if you need to turn off DSR in 1.20.x. This feature is included in AKS RP release v20210429 so we can disable WinDSR in your subscription after v20210429 is available.
@AbelHu Will disabling WinDSR also disable it for Linux nodes? DSR on Linux has the same issues.
@SteveCurran No. WinDSR is a Windows feature. cc @xuto2 for DSR on Linux.
@SteveCurran if you have not upgraded to v1.20.x, please file a support ticket to ask AKS PG to disable WinDSR in your subscriptions before upgrading.
Issue needing attention of @Azure/aks-leads
@SteveCurran Could you try to set
Reference: https://docs.microsoft.com/en-us/azure/aks/ingress-basic
The fix in kubeproxy is done in below PRs. I think that it will be fixed with Windows calico after the new k8s versions are supported in AKS.
@AbelHu Thanks for fixing this. We can now use nginx-ingress in AKS 1.21.2 running Windows Calico.
What happened:
We are testing Calico network policy for Windows with 1.20.2. Our current configuration is an nginx load balancer directing traffic to nginx-ingress controllers in different AKS clusters. Unfortunately, it appears that since Calico for Windows requires and enables WinDSR, it prevents network flow from nginx and nginx-ingress. Exposing the service with a public load balancer and making requests directly to the service's load balancer works.
What you expected to happen:
I would like clarification that this is indeed the case and what possible workarounds are available. Having to expose each deployment's endpoint with a public load balancer will be costly. Are there plans to implement Windows Calico network policies without the use of WinDSR? Does anyone know if WinDSR (DSR) will eventually support the use of ingress controllers?
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Environment: Mix node Linux/Windows pools
kubectl version: 1.20.2