I am trying to implement Diameter using SCTP on Azure AKS. Wonder if this is something currently supported by Azure? The Kubernetes version is the latest, 1.21.2.
@HaitaoHuang-2464, when using service.spec.ports.protocol=SCTP, Services of service.spec.type set to NodePort are supported by kube-proxy. FEATURE STATE: Kubernetes v1.20 [stable]
According to the Kubernetes documentation, "For type=LoadBalancer Services, SCTP support depends on the cloud provider offering this facility. (Most do not)."

Services with service.spec.ports.protocol=SCTP are not supported in AKS at the time of writing, as Azure Load Balancer currently supports only TCP/UDP-based protocols such as HTTP, HTTPS and SMTP, and protocols used for real-time voice and video messaging applications. [Reference]
If you try to create a Service of type LoadBalancer on AKS with service.spec.ports.protocol=SCTP, you would see messages like the following in the Events section of kubectl describe service:

    Type     Reason                  Age               From                Message
    ----     ------                  ----              ----                -------
    Normal   EnsuringLoadBalancer    4s (x2 over 11s)  service-controller  Ensuring load balancer
    Warning  SyncLoadBalancerFailed  3s (x2 over 9s)   service-controller  Error syncing load balancer: failed to ensure load balancer: only TCP and UDP are supported for Azure LoadBalancers
As a stable feature in upstream Kubernetes, the SCTPSupport feature gate is enabled by default. When the feature gate is enabled, you can set the protocol field of a NetworkPolicy to SCTP. FEATURE STATE: Kubernetes v1.20 [stable]
To disable SCTP at a cluster level, the SCTPSupport feature gate must be disabled for the API server with --feature-gates=SCTPSupport=false,… [Reference], which is not possible in AKS since AKS is a managed Kubernetes service and the control plane is abstracted from the user. [Reference]
However, currently, although SCTP is a valid protocol for NodePort Services, the latest shipped AKS node image AKSUbuntu-1804gen2containerd-2021.09.19, based on the 5.4.0-1056-azure kernel, does not support SCTP.
Here is a bunch of tests that I executed. Performed the following:
    root@aks-nodepool1-29819654-vmss000000:/# chroot /host
    # grep SCTP /proc/net/protocols
    # cat /proc/net/protocols
    <redacted STDOUT: No entry for SCTP>
    # apt install lksctp-tools
    <STDOUT and STDERR logs redacted>
    # checksctp
    checksctp: Protocol not supported
This is done as part of security hardening of the AKS agent node host OS per CIS 3.5.2 audit. [Reference]
Hope this helps.
Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
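As an added example (not code from the answer above or from AKS), the two checks the answer walks through, the Azure Load Balancer TCP/UDP-only limit and the node kernel's missing SCTP registration in /proc/net/protocols, can be turned into a preflight script run against a Service manifest before deploying. The /proc/net/protocols excerpt and the Service dicts are constructed samples; the Diameter port 3868 is used only as a sample value.

```python
"""Preflight for SCTP Services on AKS (added example, not the answer's code).
Encodes the two findings from the answer: AKS LoadBalancers accept only
TCP/UDP, and an SCTP NodePort still needs the node kernel to register
SCTP, which shows up as a row in /proc/net/protocols."""

# Constructed excerpt of /proc/net/protocols from a node whose kernel has
# no SCTP support loaded (same column layout as a Linux 5.x kernel).
PROTOCOLS_NO_SCTP = """\
protocol  size sockets  memory press maxhdr slab module     cl co di ac io in de sh ss gs se re sp bi br ha uh gp em
UDPv6     1280      0      -1   NI       0   yes  kernel      y  y  y  n  y  y  y  n  y  y  y  y  n  n  n  y  y  y  n
TCPv6     2240      1       0   no     320   yes  kernel      y  y  y  y  y  y  y  y  y  y  y  y  y  n  y  y  y  y  y
UDP       1088      2      -1   NI       0   yes  kernel      y  y  y  n  y  y  y  n  y  y  y  y  y  n  n  y  y  y  n
TCP       2080      5       0   no     320   yes  kernel      y  y  y  y  y  y  y  y  y  y  y  y  y  n  y  y  y  y  y
"""


def kernel_protocols(proc_text):
    """Return the protocol names registered in a /proc/net/protocols dump."""
    names = set()
    for line in proc_text.splitlines()[1:]:  # first row is the header
        if line.strip():
            names.add(line.split()[0])
    return names


def kernel_supports_sctp(proc_text):
    """Same question the answer asks with `grep SCTP /proc/net/protocols`."""
    return any(name.startswith("SCTP") for name in kernel_protocols(proc_text))


def sctp_service_findings(service, proc_text):
    """Findings for a Service manifest given as a dict (kubectl get -o json)."""
    spec = service.get("spec", {})
    sctp_ports = [p for p in spec.get("ports", []) if p.get("protocol") == "SCTP"]
    findings = []
    if not sctp_ports:
        return findings  # nothing SCTP-related to check
    if spec.get("type") == "LoadBalancer":
        findings.append("LoadBalancer: Azure LB supports only TCP/UDP; "
                        "expect SyncLoadBalancerFailed in the Service events")
    elif not kernel_supports_sctp(proc_text):
        findings.append("NodePort: node kernel does not register SCTP; "
                        "checksctp will report 'Protocol not supported'")
    return findings


if __name__ == "__main__":
    # Constructed sample: a Diameter Service exposed over SCTP.
    svc = {"spec": {"type": "NodePort",
                    "ports": [{"port": 3868, "protocol": "SCTP"}]}}
    for finding in sctp_service_findings(svc, PROTOCOLS_NO_SCTP):
        print(finding)
```

On a real node, feed the script the contents of /proc/net/protocols read from the host (after `chroot /host`, as in the session above) instead of the constructed excerpt.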