From 538734b74bb3453ffdb17014bb7cc47cd1e9d0c3 Mon Sep 17 00:00:00 2001 From: Jack Francis Date: Thu, 14 Dec 2017 13:36:06 -0800 Subject: [PATCH 1/2] for your consideration --- docs/kubernetes/features.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/docs/kubernetes/features.md b/docs/kubernetes/features.md index 07ad1fd55f..8726e34e13 100644 --- a/docs/kubernetes/features.md +++ b/docs/kubernetes/features.md 
@@ -166,7 +166,21 @@ Per default Calico still allows all communication within the cluster. Using Kube ## Custom VNET -ACS Engine supports deploying into an existing VNET. Operators must specify the ARM path/id of Subnets for the `masterProfile` and any `agentPoolProfiles`, as well as the first IP address to use for IP allocation in `firstConsecutiveStaticIP`. Additionally, to prevent source address NAT'ing within the VNET, we assign to the `vnetCidr` property in `masterProfile` the CIDR block that represents the usable address space in the existing VNET. +ACS Engine supports deploying into an existing VNET. Operators must specify the ARM path/id of Subnets for the `masterProfile` and any `agentPoolProfiles`, as well as the first IP address to use for IP static IP allocation in `firstConsecutiveStaticIP`. Additionally, to prevent source address NAT'ing within the VNET, we assign to the `vnetCidr` property in `masterProfile` the CIDR block that represents the usable address space in the existing VNET. + +Depending upon the size of the VNET address space, during deployment, it is possible to experience IP address assignment collision between the required Kubernetes static IPs (one each per master and one for the API server load balancer, if more than one masters) and Azure CNI-assigned dynamic IPs (one for each NIC on the agent nodes). In practice, the larger the VNET the less likely this is to happen; some detail, and then a guideline. 
+ +First, the detail: + +* Azure CNI assigns dynamic IP addresses from the "beginning" of the subnet IP address space (for example, nearer "1" in "10.0.0.0/24) +* acs-engine will require a range of up to 16 unused IP addresses in multi-master scenarios (1 per master for up to 5 masters, and then the next 10 IP addresses immediately following the "last" master for headroom reservation, and finally 1 more for the load balancer immediately adjacent to the afore-described _n_ masters+10 sequence) to successfully scaffold the network stack for your cluster + +A guideline that will remove the danger of IP address allocation collision during deployment: + +* If possible, assign to the `firstConsecutiveStaticIP` configuration property an IP address that is near the "end" of the available IP address space in the desired subnet. + * For example, if the desired subnet is a `/24`, choose the "239" address in that network space + +In larger subnets (e.g., `/16`) it's not as practically useful to push static IP assignment to the very "end" of large subnet, but as long as it's not in the "first" `/24` (for example) your deployment will be resilient to this edge case behavior. Before provisioning, modify the `masterProfile` and `agentPoolProfiles` to match the above requirements, with the below being a representative example: From 083fb4a0e08bab6d0f2b17849ec87f1ea1d0e681 Mon Sep 17 00:00:00 2001 From: Jack Francis Date: Thu, 14 Dec 2017 14:11:37 -0800 Subject: [PATCH 2/2] 10.0.0.4 is the first IP address available for dynamic allocation --- docs/kubernetes/features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/kubernetes/features.md b/docs/kubernetes/features.md index 8726e34e13..90e59748f3 100644 --- a/docs/kubernetes/features.md +++ b/docs/kubernetes/features.md 
@@ -172,7 +172,7 @@ Depending upon the size of the VNET address space, during deployment, it is poss First, the detail: -* Azure CNI assigns dynamic IP addresses from the "beginning" of the subnet IP address space (for example, nearer "1" in "10.0.0.0/24) +* Azure CNI assigns dynamic IP addresses from the "beginning" of the subnet IP address space (specifically, it looks for available addresses starting at ".4" ["10.0.0.4" in a "10.0.0.0/24" network]) * acs-engine will require a range of up to 16 unused IP addresses in multi-master scenarios (1 per master for up to 5 masters, and then the next 10 IP addresses immediately following the "last" master for headroom reservation, and finally 1 more for the load balancer immediately adjacent to the afore-described _n_ masters+10 sequence) to successfully scaffold the network stack for your cluster A guideline that will remove the danger of IP address allocation collision during deployment:
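Review bot: In the first patch's rewritten paragraph, "the first IP address to use for IP static IP allocation" doubles "IP" and should read "the first IP address to use for static IP allocation"; in the same hunk, "if more than one masters" should be "if there is more than one master", and the Azure CNI bullet's example leaves a quote unclosed ("10.0.0.0/24)"). The "/24" guideline would also be stronger if it spelled out why "239" is the right choice: the bullet above it reserves up to 16 consecutive addresses (5 masters + 10 headroom + 1 load balancer), so starting at .239 ends the sequence at .254, and any higher starting address pushes the load balancer address past the end of usable space in that subnet.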
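Review bot: The corrected bullet in the second patch is clearer than "nearer 1", but the nested brackets inside parentheses read awkwardly; consider "(specifically, it starts at the first address the platform makes available, .4, e.g. 10.0.0.4 in a 10.0.0.0/24 network)". Since .4 being the first assignable address is the whole basis of the collision guidance, it is worth noting in the same sentence that this is because the lower addresses are reserved by Azure rather than a choice made by the CNI plugin, so readers do not expect it to change with CNI configuration.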