Please help us with the following problem:
We are using calico from https://docs.projectcalico.org/manifests/calico.yaml to setup Kubernetes network on SDDC cloud. The workers are outside the cloud and when we are joining them to the master the tunl0 interface is not created. What could be the reason? The workers are connecting to the masters via Load Balancer and the port 179 is opened to the both sides - inside the cloud and outside the cloud. If the workers are inside SDDC cloud, everything is fine, so what could be the problem?
What is the link between your external workers and the cloud? You need a properly set up VPN, it won’t work to peer over the internet and it’d be very insecure to do so.
Do the external workers join and show in
kubectl get nodes? What’s the status of the calico-node pods on the external workers?
The logs of the calico-node pods show that they cannot connect to https://10.96.0.1:443. That’s because the tunl0 interface didn’t created on the workers while the join command. We don’t use VPN to connect the masters inside SDDC cloud, we use Load balancer to access them and all Kubernetes and calico ports seems to be opened there. @fasaxc, is there any way to set up calico for the workers outside the cloud without VPN?
I think you’ve misinterpreted that symptom. 10.96.0.1 is the service VIP of the API server. If it’s not working, that usaully means that kube-proxy is not functional.
I’m not familiar with SDDC, is it an on-prem “cloud”; while it’s fairly safe to connect to kubernetes API over TLS, you shouldn’t run IPIP over the internet without a VPN.