Azure CNI NATing to DST node address

9/13/2018

I have a two-node cluster in AKS using advanced networking and the Azure CNI network plugin. The VNET that the cluster is installed into already exists. The cluster only has two nodes with a few pods deployed. Our problem is that during pod-to-pod connectivity, the client pod's SRC IP address seems to get NATed to the IP address of the node that the destination pod is deployed to.

That is:

The IP address of node0 is 100.64.24.4; the IP address of node1 is 100.64.24.35.

Pod A has an IP address of 100.64.24.63 and is deployed on node1.

Pod B runs nginx, has an IP address of 100.64.24.21 and is deployed on node0.

Whenever I make a call from pod A to pod B, we see that the pod sees the SRC address of the call as 100.64.24.4 (node0) and not 100.64.24.63 (pod A).

Is this normal for this network plugin? Is there any way to change this behaviour? Currently this breaks inter-pod TLS client authentication, as the client certificate has a CN or SAN that is resolvable to the source pod's IP, but the server-side pod sees the call as coming from the node IP. This means the TLS client-auth handshake won't complete, because that IP doesn't resolve to the CN or any SAN in the cert.

-- Baldey
azure-aks
azure-kubernetes
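A diagnostic for the behaviour described in the question, added here as an example; it is not code from the poster, from AKS or from the Azure CNI project. Whether a pod-to-pod flow gets source-NATed on a node is decided by the MASQUERADE rules in the node's `nat` POSTROUTING chain (`iptables-save -t nat` on the node shows them). The script below parses that output for the subset of matches that matter here (`-s`, `-d`, negation with `!`, `-j`) and reports which rule, if any, would SNAT a given source/destination pair. The two rule sets and the pod subnet `100.64.24.0/24` are constructed for illustration and are not captured from a real node; only the pod and node addresses come from the question. The matcher ignores interface, protocol and custom-chain jumps, so it answers the narrow question "does a direct MASQUERADE rule match this flow?" rather than emulating all of netfilter.

```python
"""Check whether a POSTROUTING MASQUERADE rule would SNAT a pod-to-pod flow.

Added example. The iptables-save excerpts below are constructed for
illustration; on a real node you would feed it the output of
`iptables-save -t nat` instead.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Assumed pod/VNET subnet for the constructed rules (not stated in the question).
POD_SUBNET = "100.64.24.0/24"

# Constructed rule set 1: every packet leaving the pod subnet is masqueraded,
# including traffic to another pod. This reproduces the symptom in the question.
SNAT_ALL = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 100.64.24.0/24 -j MASQUERADE
COMMIT
"""

# Constructed rule set 2: only traffic leaving the pod subnet is masqueraded;
# pod-to-pod traffic keeps its real source address.
SNAT_EXTERNAL_ONLY = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 100.64.24.0/24 ! -d 100.64.24.0/24 -j MASQUERADE
COMMIT
"""


@dataclass
class NatRule:
    chain: str
    src: Optional[ipaddress.IPv4Network]   # None means "any source"
    src_negated: bool
    dst: Optional[ipaddress.IPv4Network]   # None means "any destination"
    dst_negated: bool
    target: str


def parse_iptables_save(text: str) -> List[NatRule]:
    """Parse `-A <chain> ... -j <target>` lines; other matches (-o, -m, ...) are skipped."""
    rules: List[NatRule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # table headers, chain policies and COMMIT carry no rules
        toks = shlex.split(line)
        chain, src, dst, target = toks[1], None, None, ""
        src_neg = dst_neg = negate = False
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "!":            # negates the next match, e.g. "! -d 10.0.0.0/8"
                negate = True
                i += 1
                continue
            if tok == "-s":
                src, src_neg = ipaddress.ip_network(toks[i + 1], strict=False), negate
                i += 2
            elif tok == "-d":
                dst, dst_neg = ipaddress.ip_network(toks[i + 1], strict=False), negate
                i += 2
            elif tok == "-j":
                target = toks[i + 1]
                i += 2
            else:
                i += 1                # unknown flag or its argument: ignored here
            negate = False
        rules.append(NatRule(chain, src, src_neg, dst, dst_neg, target))
    return rules


def _matches(net: Optional[ipaddress.IPv4Network], negated: bool, addr) -> bool:
    if net is None:
        return True
    hit = addr in net
    return not hit if negated else hit


def masquerade_rule_for(rules: List[NatRule], src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """First POSTROUTING rule with target MASQUERADE that matches the flow, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.chain != "POSTROUTING" or r.target != "MASQUERADE":
            continue
        if _matches(r.src, r.src_negated, s) and _matches(r.dst, r.dst_negated, d):
            return r
    return None


def flow_is_snatted(rules: List[NatRule], src_ip: str, dst_ip: str) -> bool:
    """True if the server pod would see the node address instead of src_ip."""
    return masquerade_rule_for(rules, src_ip, dst_ip) is not None


if __name__ == "__main__":
    pod_a, pod_b, external = "100.64.24.63", "100.64.24.21", "203.0.113.10"
    for name, text in (("SNAT_ALL", SNAT_ALL), ("SNAT_EXTERNAL_ONLY", SNAT_EXTERNAL_ONLY)):
        rules = parse_iptables_save(text)
        print(name, "pod A -> pod B SNATed:", flow_is_snatted(rules, pod_a, pod_b),
              "| pod A -> external SNATed:", flow_is_snatted(rules, pod_a, external))
```

With the first rule set the server-side pod sees the node address for pod-to-pod calls, which is exactly what breaks a client certificate whose CN or SAN names the pod's IP; with the second, only traffic leaving the pod subnet is rewritten. Running the parser over the real `iptables-save -t nat` output of node0 tells you which of the two cases the cluster is in before you look for a plugin-side setting.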

0 Answers