Internal Load balancer created for public cluster

[jsturtevant]

/kind feature

Describe the solution you'd like

I created a cluster using make create-workload-cluster which uses the default flavor for workload cluster. The workload cluster was created with an internal and public load balancer for the control plane. If I create a public cluster using aks-engine I do not get a internal load balancer.

It makes sense to have an internal load balancer for private clusters. Is there a reason for internal load balancer for public clusters? Is there reason to keep it or should only create when private clusters are enabled (#486)?

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

• cluster-api-provider-azure version: master branch
• Kubernetes version: (use kubectl version): any
• OS (e.g. from /etc/os-release):

[jsturtevant]

@CecileRobertMichon creating this from our conversation awhile back. @jackfrancis maybe you have some insight here?

[CecileRobertMichon]

@jackfrancis does AKS Engine currently provision an internal LB for non-private clusters?

@justaugustus @awesomenix do you have any context on why the internal LB was originally added in capz?

[jackfrancis]

@CecileRobertMichon it does if there are more than one VMs backing the control plane. If there's only one VM, then no.

[CecileRobertMichon]

@jackfrancis even since Azure/aks-engine#2953?

[jackfrancis]

That PR didn't change the Load Balancer implementation. I'll confirm.

[jackfrancis]

That PR was for control plane-originating requests to self-route. Other cluster traffic (e.g., from nodes) needs a LB to ensure a response when a single control plane VM goes offline.

[jackfrancis]

Confirmed:

$ az network lb list -g kubernetes-westus2-17672 | jq '. | length'
3

From a cluster built w/ this config:

...
    "masterProfile": {
      "count": 3,
...

[CecileRobertMichon]

Thanks Jack!

@jsturtevant does that answer the question?

[awesomenix]

Originally the Internal LB was created for worker nodes to communicate with control plane (so that it doesnt go through public load balancer <- save money :)), not sure if thats recently changed. Just as jack mentioned.

[jzhoucliqr]

Went through current code and also checked a running cluster, seems the internalLB is created but not used, all kubelets (cp and worker) still talk to the public LB.

The kubeadm init/join config is generated by CAPI, right now with v1alpha3 cluster.Spec only have one APIEndpoint, which should be the public LB, so seems it's not possible to generate kubeadm join config with another internal APIEndpoint.

v1alpha2 have APIEndpoint as an array under cluster.Status, it was possible to do this, maybe that was how this design came from.

[CecileRobertMichon]

/kind bug

[CecileRobertMichon]

/assign

[CecileRobertMichon]

/close

[k8s-ci-robot]

@CecileRobertMichon: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.