@Haitao Huang, when using `service.spec.ports[].protocol=SCTP`, Services with `service.spec.type` set to `ClusterIP` or `NodePort` are supported by kube-proxy. FEATURE STATE: Kubernetes v1.20 [stable]
According to the Kubernetes documentation:

> For type=LoadBalancer Services, SCTP support depends on the cloud provider offering this facility. (Most do not).
Services of `service.spec.type=LoadBalancer` with `service.spec.ports[].protocol=SCTP` are not supported in AKS at the time of writing, as Azure Load Balancer currently supports only TCP/UDP-based protocols such as HTTP, HTTPS and SMTP, and protocols used for real-time voice and video messaging applications. [Reference]
If you try to create a Service of type `LoadBalancer` on AKS with `service.spec.ports[].protocol=SCTP`, you would see messages like the following in the Events section of `kubectl describe service`:

```
Type     Reason                  Age               From                Message
----     ------                  ----              ----                -------
Normal   EnsuringLoadBalancer    4s (x2 over 11s)  service-controller  Ensuring load balancer
Warning  SyncLoadBalancerFailed  3s (x2 over 9s)   service-controller  Error syncing load balancer: failed to ensure load balancer: only TCP and UDP are supported for Azure LoadBalancers
```
Calico and Azure Network Policies both accept `networkpolicy.spec.egress[].ports[].protocol=SCTP` and `networkpolicy.spec.ingress[].ports[].protocol=SCTP`.

> As a stable feature in upstream Kubernetes, the `SCTPSupport` feature gate is enabled by default. When the feature gate is enabled, you can set the protocol field of a NetworkPolicy to `SCTP`. FEATURE STATE: Kubernetes v1.20 [stable]
To disable SCTP at a cluster level, the `SCTPSupport` feature gate must be disabled for the API server with `--feature-gates=SCTPSupport=false,…`. [Reference] This is not possible in AKS, since AKS is a managed Kubernetes Service and the control plane is abstracted from the user. [Reference]
!! EDIT:
However, although kube-proxy currently accepts SCTP as a valid protocol for `ClusterIP` and `NodePort` Services, the latest shipped AKS node image `AKSUbuntu-1804gen2containerd-2021.09.19`, based on the `5.4.0-1056-azure` kernel, does not support SCTP.
Here is a bunch of tests that I executed:
- SSH into an AKS node.
- Performed the following:

```
root@aks-nodepool1-29819654-vmss000000:/# chroot /host
# grep SCTP /proc/net/protocols
# cat /proc/net/protocols
<redacted STDOUT: No entry for SCTP>
# apt install lksctp-tools
<STDOUT and STDERR logs redacted>
# checksctp
checksctp: Protocol not supported
```
This is done as part of security hardening of the AKS agent node host OS per CIS 3.5.2 audit. [Reference]
Hope this helps.
Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
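The kernel check shown in the answer (grepping `/proc/net/protocols` on the node) can be scripted so that it is repeatable across a node pool. The following is an added example, not part of the original answer or of any AKS tooling; it assumes a Linux node where `/proc/net/protocols` is readable, and the two sample protocol tables are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original answer): decide whether a Linux node's
# kernel exposes SCTP by inspecting /proc/net/protocols, the same file the
# answer greps on the AKS node. Two constructed sample tables stand in for
# real node output so the script runs offline.

# Return 0 if the protocol table in file $1 lists SCTP, 1 otherwise.
# /proc/net/protocols has one protocol per line after a header row; the
# first column is the protocol name.
sctp_listed() {
    awk 'NR > 1 && $1 == "SCTP" { found = 1 } END { exit !found }' "$1"
}

# Constructed sample: a kernel with the sctp module loaded.
SAMPLE_WITH_SCTP=$(mktemp)
cat > "$SAMPLE_WITH_SCTP" <<'EOF'
protocol  size sockets  memory press maxhdr slab module     cl co di ac io in de sh ss rx tx
SCTP      1792      0      -1   NI       0   yes  sctp       y  y  y  y  y  y  y  y  y  y  y
TCP       2272      4       0   no     320   yes  kernel     y  y  y  y  y  y  y  y  y  y  y
UDP       1088      2       0   NI       0   yes  kernel     y  y  y  n  y  y  y  n  n  y  y
EOF

# Constructed sample: a hardened node image with no SCTP entry, as on the
# AKS node in the answer.
SAMPLE_WITHOUT_SCTP=$(mktemp)
cat > "$SAMPLE_WITHOUT_SCTP" <<'EOF'
protocol  size sockets  memory press maxhdr slab module     cl co di ac io in de sh ss rx tx
TCP       2272      4       0   no     320   yes  kernel     y  y  y  y  y  y  y  y  y  y  y
UDP       1088      2       0   NI       0   yes  kernel     y  y  y  n  y  y  y  n  n  y  y
EOF

# Report on the node this script actually runs on (after `chroot /host`
# when run from a node debug container, as in the answer).
report_local_node() {
    if [ -r /proc/net/protocols ] && sctp_listed /proc/net/protocols; then
        echo "SCTP: listed in /proc/net/protocols (kernel support present)"
    else
        echo "SCTP: not listed (kernel support absent or file unreadable)"
    fi
}

sctp_listed "$SAMPLE_WITH_SCTP" && echo "sample with SCTP: listed"
sctp_listed "$SAMPLE_WITHOUT_SCTP" || echo "sample without SCTP: not listed"
report_local_node
```

Run it on each node before scheduling SCTP workloads; a "not listed" result means a `ClusterIP` or `NodePort` Service with `protocol: SCTP` will be accepted by the API server but cannot carry traffic on that node, which matches the `checksctp: Protocol not supported` result above.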