Add support & documentation on using Azure CNI with capz

[CecileRobertMichon]

/kind feature

Describe the solution you'd like
[A clear and concise description of what you want to happen.]
https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

• Pod stuck in ContainerCreating state with Failed to find the master interface warning. Azure/azure-container-networking#1945
• add e2e test coverage for Azure CNI v1 using single NIC per linux node #3343
• Update Azure VM Images to enable DHCP on eth0 instead of using Azures IMDS endpoint #3342
• Update Azure CNI v1 nodeAffinity labels Azure/azure-container-networking#1897

A little lower priority issue, but must be solved to support multiple NICs on control plane.

• With the support for configurable network interfaces, user should be able to create multiple subnets for a control-plane node #3506

Environment:

• cluster-api-provider-azure version:
• Kubernetes version: (use kubectl version):
• OS (e.g. from /etc/os-release):

[richardcase]

This would be good for installing the CNI: kubernetes-sigs/cluster-api#3050

[CecileRobertMichon]

@mboersma is this one you'd be interested in working on? It's a relatively hi-pri one because it's a blocker for IPv6 (cc @jsturtevant)

[mboersma]

@CecileRobertMichon yes indeed, I can probably start on this tomorrow.

[CecileRobertMichon]

/priority important-soon

[CecileRobertMichon]

/assign

[CecileRobertMichon]

/unassign
/milestone next

[jackfrancis]

An implementation question: is the version of Azure CNI currently configurable?

cc @craiglpeters

[CecileRobertMichon]

@jackfrancis not sure I understand the question? There is no Azure CNI implementation currently.

[jackfrancis]

A reminder to use the "transparent" mode configuration when implementing a capz + Azure CNI scenario. This AKS Engine PR configures Azure CNI for "transparent" mode by default:

Azure/aks-engine#3958

The vanilla installation method that AKS Engine follows (download the public release tarball and untar/gzip it) delivers a default configuration of "bridge" mode. AKS Engine modifies this to "transparent" by sed replacing the appropriate value:

https://github.com/Azure/aks-engine/blob/master/parts/k8s/cloud-init/artifacts/cse_config.sh#L288

Not pretty, but there you have it.

[CecileRobertMichon]

ref https://github.com/Azure/azure-container-networking/blob/master/acncli/deployment/manager.yaml

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-contributor-experience at kubernetes/community.
/close

[dthorsen]

@CecileRobertMichon @nawazkh I have pushed my commit. The tests are passing and I spun up a few workload clusters from tilt with various privateIPConfiguration counts, public IP allocation enabled/disabled, etc. I have to sign off for the night but let me know what you think tomorrow.

[dthorsen]

Here is a link to the Azure CNI Manager daemonset that can be used to install the Azure CNI quite easily.

https://github.com/Azure/azure-container-networking/blob/ef1bff6046156dec56b46664f516921bd423e9e0/tools/acncli/deployment/manager.yaml

[rbtr]

@dthorsen this is not a supported tool, don't recommend it for this use please.

[dthorsen]

That is disappointing, because it seems to do exactly what is required. It was very easy to get up and running this way. Is there a way it could become a supported tool? Otherwise it may be something that makes sense for CAPZ to fork and support, but that seems somewhat redundant if there is already a tool that does this. The functionality needed is pretty trivial, basically just install the CNI binaries, drop the config, and sleep forever. It seems strange to support the CNI, but not a k8s native installation method.

[jackfrancis]

@rbtr @tamilmani1989 can you provide more information? In lieu of an official solution, why is wrapping a daemonset around the published manifest in the official Azure CNI repo not recommended?

[rbtr]

@jackfrancis @dthorsen in short, the image referenced by that manifest is unmaintained and not prod-ready.

We built it for our CI/nonprod debugging with no intent of public use. It is technically capable of installing the CNI binary, but I can't support CAPZ using/recommending it for use. Maybe most importantly, we have moved past needing it internally and it isn't getting updates.

I did previously try to engage here to offer what will be an official supported solution but that didn't seem to get anyone's attention. This tool is being used for CNI install in AKS already and could probably trivially be extended for CAPZ, but I need some clarification on the requirements to make that happen. I suspect this will be sufficient, but if some CAPZ folks would like to contribute, we accept PRs 🙂

[jackfrancis]

It seems based on @dthorsen's experience that the now-abandoned installer image can be used as the set of functional requirements. @dthorsen did that container image simply install the ipam stuff with a sufficient amount of UX configuration to fulfill all of the needs of Azure CNI v1 on a capz-built node? E.g.:

env:
            - name: AZURE_CNI_OS
              value: <insert value here>
            - name: AZURE_CNI_TENANCY
              value: <insert value here>
            - name: AZURE_CNI_MODE
              value: <insert value here>
            - name: AZURE_CNI_IPAM
              value: <insert value here>
            - name: AZURE_CNI_EXEMPT
              value: <insert value here>

@rbtr would it be possible to extend the tool AKS is using to (1) include v1 of the CNI components with (2) the configuration above?

[nawazkh]

Sorry, I haven't been active at posting updates on this test effort but I am actively working on this!
So far, Cecile and I have tested Dane's PR of allocating PrivateIPConfigs to a VM, and it works as expected.
I now am working on getting Azure CNI up-and-running in a test cluster.

[CecileRobertMichon]

/milestone v1.8

[CecileRobertMichon]

/lifecycle active

[nawazkh]

/milestone next

[k8s-ci-robot]

@nawazkh: You must be a member of the kubernetes-sigs/cluster-api-provider-azure-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your Cluster API Provider Azure Maintainers and have them propose you as an additional delegate for this responsibility.

In response to this:

/milestone next

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[nawazkh]

I created two other issues to track the branched out effort to enable Azure CNI on CAPZ

Enabling Azure CNI v1

• Update Azure VM Images to enable DHCP on eth0 instead of using Azures IMDS endpoint #3342
• Update Azure CNI v1 nodeAffinity labels Azure/azure-container-networking#1897

Azure CNI v1 with one NIC per node

High Priority

• add e2e test coverage for Azure CNI v1 using single NIC per linux node #3343
• add documentation and tilt support for using azure cni v1 with one NIC per linux node #3610

Azure CNI v1 with multiple NIC per node

High Priority

• Pod stuck in ContainerCreating state with Failed to find the master interface warning. Azure/azure-container-networking#1945

Low Priority

• With the support for configurable network interfaces, user should be able to create multiple subnets for a control-plane node #3506

[nawazkh]

closing this issue in favor of epic tracking this effort #3611
/close

[k8s-ci-robot]

@nawazkh: Closing this issue.

In response to this:

closing this issue in favor of epic tracking this effort #3611
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.