Why does kube controller manager has service ip range specified? I noticed that, . . .

gopi m:
Why does kube controller manager has service ip range specified?
I noticed that, besides the kube-apiserver, even the controller manager manifest also has service ip range. Just to experiment, I changed the IP range in apiserver (without changing in the other) and created a new service and it took the IP from that new/changed IP range (and the one in controller manager wasn’t used). May I know the reason behind having ip range defined in 2 different places to start with?

Shwetha Shenoy:
interesting. Was the flag --allocate-node-cidrs also set? https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/

Shwetha Shenoy:

gopi m:
that’ set to true… (by the way, this is from this lab: https://uklabs.kodekloud.com/topic/practice-test-service-networking-2/)

But not sure how that plays a role here.
Any comments from moderators??

- command:
- kube-controller-manager
- --allocate-node-cidrs=true
- --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
- --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
- --bind-address=
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --cluster-cidr=
- --cluster-name=kubernetes
- --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
- --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
- --controllers=*,bootstrapsigner,tokencleaner
- --kubeconfig=/etc/kubernetes/controller-manager.conf
- --leader-elect=true
- --port=0
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
- --root-ca-file=/etc/kubernetes/pki/ca.crt
- --service-account-private-key-file=/etc/kubernetes/pki/sa.key
- --service-cluster-ip-range=
- --use-service-account-credentials=true

Hi @gopi m fyi:

Shwetha Shenoy:
@unnivkn he already tried updating the cluster-ip range value only in the apiserver and not in controller-manager. The services took the new ip range from api-server. So it seems like the value in controller-manager is not used.

Hi @gopi m @Shwetha Shenoy may I know how he concluded that the service-IP used is based on the IP range provided on the api-server & not the one given in the controller-manager? keep in mind we are using IP-Range not any individual IP. Also the configuration is wrong, we have to follow the same ip-range on both api-server & controller-mgr.

gopi m:
@unnivkn initially it was for both and i changed it to in api server alone. The pod got 11.x.x.x don’t remember exactly. My query is also as to why this range is specified in 2 places (seems very counter-intuitive) and I was checking what would happen when the two are not same. + @Shwetha Shenoy for her ref

Hi @gopi m as per my analysis your question is valid. I thought the modified IP will be the subset of original IP or vice versa. I have noticed both are in different network. eg, If the modified IP is, then it will be a subset of original IP.
original IP Range → → to →
modified IP Range → → to →
So looks like the IP you updated in kube-api server is taking precedence over the modified IP in the kube-controller. Any way k8s is expecting same IP range for both. Nothing wrong in experimenting our own systems, not on production systems :slightly_smiling_face: