Azure Kubernetes Service with custom routing tables

12/15/2020

We are trying to deploy a Kubernetes cluster with help of Azure Kubernetes Service (AKS) to our existing virtual network. This virtual network has custom route tables.

The deployment process is done via an external application. Permissions should be given to this application with help of Service Principal. As per the documentation says under the Limitations section:

  • Permissions must be assigned before cluster creation, ensure you are using a service principal with write permissions to your custom subnet and custom route table.

We have a security team which are responsible for giving permissions to service principals, managing networking. Without knowing exactly what rules will be written into the route tables by the AKS, they wont give the permission to the proper service principal.

Does somebody know what rules the AKS wants to write into those route tables?

-- Robert
azure
azure-aks
kubernetes
networking

1 Answer

12/16/2020

The documentation you are pointing to is for a cluster using Kubenet networking. Is there a reason why you don't want to use Azure CNI instead? If you are using Azure CNI, you will off course consume more IP adresses, but AKS will not need to write into the route table.

With that said, if you really want to use Kubenet, the rules that will be write on the route table will depend on what you are deploying inside your cluster since Kubenet is using the route table to route the traffic... It will adds rules throughout the cluster lifecycle when you will add Pods, Services, etc.

enter image description here

-- Jean-Philippe Bond
Source: StackOverflow