What is the proper way to deal with the HTTPProxyCIDR WARNING and to set up no_proxy in an environment that sits behind a proxy?

3/27/2019

I'm relatively new to k8s. I have now set up a cluster several times to ensure that I understand the process. I have struggled with networking a bit. I am currently initializing as follows:

kubeadm init --apiserver-advertise-address=10.93.98.204 --pod-network-cidr=10.244.0.0/16

In response to this I see the following warning:

[WARNING HTTPProxyCIDR]: connection to "10.96.0.0/12" uses proxy "http://proxy.corp.sensis.com:3128". This may lead to malfunctional cluster setup. Make sure that Pod and Services IP ranges specified correctly as exceptions in proxy configuration

Amongst other things, I am trying to ensure that I configure the cluster correctly, and the overlay network (flannel).

I've attempted to establish the no_proxy environment variable (CentOS 7).

The way that I tried this was to update /etc/profile.d/proxy.sh as follows:

printf -v lan '%s,' "10.93.98.204","10.93.98.23","10.93.98.36","10.93.103.236","10.93.97.123","10.93.97.202"
printf -v service '%s,' 10.244.{1..255}.{1..255}
export no_proxy="${lan%,},${service%,},127.0.0.1";
#export no_proxy="${lan%,},10.244.0.0/16,127.0.0.1";
export NO_PROXY=$no_proxy

However, this approach results in a massive string ($no_proxy) that far exceeds the maximum length within the Linux environment.

I've also tried using the pod-network-cidr in the no_proxy (10.244.0.0/16 - commented out in the above).

Two questions:
- What is the proper way to deal with this warning (WARNING HTTPProxyCIDR)?
- How can I set no_proxy so that my flannel network overlay works and my cluster works?

-- Dave Sargrad
kubeadm
kubernetes

2 Answers

4/10/2019

The no_proxy/NO_PROXY environment variables should be the way to go. However, you don't need to add every single IP to the string; you can just add the whole subnet. Also, it looks like you are missing 10.96.0.0/12 from the list.

For example (assuming 10.93.98.0/24 is your LAN subnet):

export no_proxy="10.96.0.0/12,10.93.98.0/24,10.244.0.0/16,127.0.0.1"

Also, make sure Docker noProxy is configured if you are using Docker.

-- Rico
Source: StackOverflow

9/8/2019

The CIDR/IP range does not work in no_proxy in many environments/applications.

We can make a reasonable assumption that we don't access network nodes outside the web proxy through IP addresses. In other words, we use FQDNs to access, say, python.com, google.com, github.com, but not directly using their IP addresses.

With this assumption, we can bypass the web proxy for all direct IP address access.

export no_proxy=localhost,.svc
printf -v allip '%s,' .{0..255}
export no_proxy="$no_proxy,${allip%,}"

This adds .0,.1,.2,...,.255 to the no_proxy env variable. There is no magic here. We just treat an IP address as an FQDN, so a suffix match works as an FQDN no_proxy setting. Say, .120 would match all IP addresses x.x.x.120.

-- B.Z.
Source: StackOverflow
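
An added example (not from either answer, and not any client's real code): a POSIX sh model of the two matching behaviours the answers describe, one client that understands CIDR entries and one that only does exact or suffix string matching, run against both answers' lists. The function names, variable names and sample targets are constructed assumptions; real clients differ in detail.

```sh
# Simplified models (assumptions) of two kinds of no_proxy matcher:
#   suffix = exact or ".suffix" string match only; cidr = also reads a.b.c.d/n

ip_to_int() (   # A.B.C.D -> 32-bit integer
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

entry_matches() {   # entry_matches HOST ENTRY MODE
    host=$1 entry=$2 mode=$3
    case $entry in
        */*)    # CIDR entry: a suffix-only client never matches it
            [ "$mode" = cidr ] || return 1
            case $host in *[!0-9.]*) return 1 ;; esac   # host is a name
            bits=${entry#*/}
            mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
            [ $(( $(ip_to_int "$host") & mask )) -eq \
              $(( $(ip_to_int "${entry%/*}") & mask )) ] ;;
        .*) case $host in *"$entry") return 0 ;; esac; return 1 ;;
        *)  [ "$host" = "$entry" ] ;;
    esac
}

bypasses() (    # bypasses HOST LIST MODE -> exit 0 if HOST skips the proxy
    IFS=,
    for e in $2; do entry_matches "$1" "$e" "$3" && exit 0; done
    exit 1
)

# CIDR-based list from the first answer
CIDR_LIST="10.96.0.0/12,10.93.98.0/24,10.244.0.0/16,127.0.0.1"

# Last-octet list from the second answer, built with a POSIX loop
octet_list() {
    list="localhost,.svc"; i=0
    while [ "$i" -le 255 ]; do list="$list,.$i"; i=$((i + 1)); done
    echo "$list"
}
OCTET_LIST=$(octet_list)

# Constructed sample targets: pod IP, service IP, external IP literal, FQDN
for h in 10.244.3.7 10.96.0.1 203.0.113.5 github.com; do
    for m in suffix cidr; do
        bypasses "$h" "$CIDR_LIST" "$m" && c=direct || c=proxy
        bypasses "$h" "$OCTET_LIST" "$m" && o=direct || o=proxy
        echo "$h client=$m cidr_list=$c octet_list=$o"
    done
done
```

In this model the CIDR list keeps pod and service traffic off the proxy only for the CIDR-aware client, while the last-octet list works for both but also sends every IP literal direct, including the external 203.0.113.5, which is the assumption the second answer states.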