
I created an AKS cluster following the documentation procedure. I created pods inside the cluster and, when getting a tty into them (kubectl exec -it pod-name -- /bin/bash), realized that the containers don't have access to resources outside Azure: I can't ping 8.8.8.8, and I can't resolve the FQDN of public websites.

I can't find any Azure documentation where it is clearly stated that a pod is supposed to have access to the network outside the cluster. I can find this type of documentation, where we can read that allowing the outbound flow to a public source is supposed to be the default behaviour (but in practice I can see that it is not the case), and I found tons of blog posts explaining how to use static IPs for my k8s services, but this is not what I want to know.

What I want to know: is the default behaviour of an Azure Kubernetes cluster to allow outbound traffic, or did I do something wrong in my installation?

dbourcet

3 Answers

I have seen problems with ping before in K8s containers, I can curl http://www.google.com in a container on my AKS cluster no problem. Would need to spin up another container with proper networking tools to troubleshoot further. Will attempt later today as time permits.

Ken W MSFT

I think that sending an ICMP echo request to a remote host is not the best way to verify whether egress traffic can be sent to the outside world without limitation. Try these commands:

# start a throwaway Debian pod with an interactive shell (removed on exit)
kubectl run -it --rm aks-ip --image=debian --generator=run-pod/v1
# inside the pod: install curl, then ask a public service which source IP it sees
apt-get update && apt-get install curl -y
curl -s checkip.dyndns.org

as explained here, in the GitHub repository of the AKS documentation.

For me it communicates w/o any problem with public DNS addresses.

You may also try to replace the standard networkPlugin "kubenet" with Azure CNI when you are mostly connecting from pods to resources outside of the cluster (check this resource on choosing the right network model for your AKS cluster).

Nepomucen
  • I did try curl and wget, but my pod didn't manage to resolve the FQDN. Telnet wouldn't open a connection to a public IP. It seems that the outgoing traffic was not routed to the internet. I know about the Azure CNI plugin and intend to set it up in further steps, but for now I was only working with the most default behaviours (this is currently a POC I'm doing). Thanks anyway. – dbourcet Apr 19 '19 at 08:27

Didn't find a real answer to the question, but I found a way to make it work: the Azure documentation states that if no LoadBalancer has been created yet in the cluster, the nodes have no instance-level public IP address. Azure translates the outbound flow to a public source IP address that is not configurable or deterministic. I didn't manage to see outbound traffic allowed to go to the Internet...

But after creating a LoadBalancer, not even in the same namespace!, every pod of every namespace managed to see its traffic routed to the Internet.

So no clear answer (why the outgoing traffic of my pods was not routed to the internet without a LoadBalancer despite the documentation statement), but I managed to see the traffic routed after creating a LoadBalancer (even in a different namespace than the pods..). Odd.

dbourcet
  • More why this solved it here: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections – Kim Apr 04 '20 at 13:55
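The thread mixes three different symptoms (ping fails, FQDN does not resolve, curl fails) that have different causes. The following egress probe is an added example, not code from the question or any answer; it is meant to be run inside a pod (for instance `kubectl run -it --rm egress-check --image=python:3 -- bash`, then `python3 egress_check.py`), and it separates "no outbound route/SNAT at all" (the LoadBalancer-less case described in the last answer) from a DNS-only or HTTP-only failure. The target hosts are assumed public endpoints chosen for illustration.

```python
"""Egress diagnostic for a Kubernetes pod (added example, not from the thread)."""
import socket
import urllib.request

# Constructed probe targets (assumptions, not from the thread):
RAW_IP_TARGET = ("8.8.8.8", 53)       # TCP to a public IP: tests routing/SNAT with no DNS involved
HOSTNAME = "www.google.com"           # name lookup: tests cluster DNS -> upstream resolver
HTTP_URL = "https://www.google.com/"  # full path: DNS + routing + HTTPS on 443


def check_tcp(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dns(name):
    """True if the pod's resolver can turn name into at least one address."""
    try:
        return bool(socket.getaddrinfo(name, None))
    except socket.gaierror:
        return False


def check_http(url, timeout=5.0):
    """True if an HTTP(S) GET returns a 2xx/3xx status."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except (OSError, ValueError):
        return False


def classify(tcp_ip_ok, dns_ok, http_ok):
    """Map the three probe results onto the failure modes discussed above."""
    if tcp_ip_ok and dns_ok and http_ok:
        return "egress-ok"
    if not tcp_ip_ok:
        # Raw TCP to a public IP fails: no outbound route/SNAT (the no-LoadBalancer
        # case), or an NSG / egress NetworkPolicy. DNS failing here is a symptom.
        return "no-outbound-route"
    if not dns_ok:
        return "dns-only"     # routing works; CoreDNS/kube-dns or the upstream resolver is broken
    return "http-blocked"     # routing and DNS work; port 443 / HTTPS specifically is blocked


def run():
    """Run all probes and return (results, verdict)."""
    results = {"tcp_8.8.8.8:53": check_tcp(*RAW_IP_TARGET),
               "dns": check_dns(HOSTNAME), "http": check_http(HTTP_URL)}
    return results, classify(results["tcp_8.8.8.8:53"], results["dns"], results["http"])


if __name__ == "__main__":
    res, verdict = run()
    for name, ok in res.items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
    print("verdict:", verdict)
```

A verdict of `no-outbound-route` is what the original poster describes; `dns-only` would point at the cluster DNS configuration rather than at the Azure outbound path.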