If Azure AKS kubenet CIDRs are internal, why shouldn't they overlap with other addresses?

  • Question

  • After checking out, and following the advice there, it appears that the service, pod and Docker CIDRs shouldn't overlap with any other addresses used (presumably within the same VNet), e.g.

    The --service-cidr is used to assign internal services in the AKS cluster an IP address. This IP address range should be an address space that isn't in use elsewhere in your network environment.

    I'm just not sure why this should be. Are these IPs actually accessible on the VNet? I was under the impression that these CIDRs were only within AKS, and only a CNI cluster would allow direct access. Can anyone elucidate on this matter?

    And I suppose the next question would be, what happens if they do overlap?

    • Edited by Brasso345345 Friday, August 30, 2019 3:35 PM typo
    Friday, August 30, 2019 3:13 PM

All replies


    Answered by Sean at the AKS GitHub:

    If they overlap, then any applications running in the cluster will not be able to reach the endpoints outside the cluster because traffic will always be directed to endpoints backing the Kubernetes service IP. This guidance is defensive on the assumption that such interactions may be required. If you don't need anything running in the cluster to reach the endpoints in the overlapping network range, it should be fine.

    Monday, September 2, 2019 7:34 AM
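The failure mode Sean describes can be checked before a cluster is created. The following is an added example, not code from the thread or from AKS: it validates a proposed kubenet layout against the VNet, subnet and on-prem ranges the cluster must reach, and models the symptom (a destination inside the service CIDR never leaves the node). All address values are constructed for illustration.

```python
import ipaddress

# Constructed sample environment (not from the thread): the VNet hosting the
# cluster, its node subnet, and an on-prem range reachable over VPN.
KNOWN_RANGES = {
    "vnet": "10.0.0.0/16",
    "aks-subnet": "10.0.1.0/24",
    "on-prem-vpn": "10.240.0.0/16",
}

def _net(cidr):
    # strict=False accepts host-style bridge notation such as 172.17.0.1/16
    return ipaddress.ip_network(cidr, strict=False)

def check_aks_ranges(service_cidr, pod_cidr, docker_bridge, dns_service_ip, known_ranges):
    """Return a list of conflict descriptions; an empty list means the layout is safe."""
    cluster = {
        "service-cidr": _net(service_cidr),
        "pod-cidr": _net(pod_cidr),
        "docker-bridge": _net(docker_bridge),
    }
    problems = []
    # The three cluster-internal ranges must not overlap each other.
    names = list(cluster)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if cluster[a].overlaps(cluster[b]):
                problems.append(f"{a} {cluster[a]} overlaps {b} {cluster[b]}")
    # None of them may overlap anything the cluster's workloads need to reach:
    # traffic to an overlapped destination would be captured by the cluster.
    for name, net in cluster.items():
        for ext_name, ext in known_ranges.items():
            if net.overlaps(_net(ext)):
                problems.append(f"{name} {net} overlaps {ext_name} {ext}: "
                                f"pods could not reach hosts in {ext}")
    if ipaddress.ip_address(dns_service_ip) not in cluster["service-cidr"]:
        problems.append(f"dns-service-ip {dns_service_ip} is outside {service_cidr}")
    return problems

def captured_by_cluster(dst_ip, service_cidr):
    """Model the symptom: a destination inside the service CIDR is handled by the
    in-cluster service proxy, so the packet never reaches the real host."""
    return ipaddress.ip_address(dst_ip) in _net(service_cidr)

if __name__ == "__main__":
    # Service CIDR equal to the VNet range: the classic overlap mistake.
    for p in check_aks_ranges("10.0.0.0/16", "10.244.0.0/16", "172.17.0.1/16",
                              "10.0.0.10", KNOWN_RANGES):
        print("CONFLICT:", p)
    print("10.0.1.50 captured:", captured_by_cluster("10.0.1.50", "10.0.0.0/16"))
```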