I just found this on ops/puppet.git:
arturo@endurance:~/git/wmf/operations/puppet $ git grep 172.20 hieradata/cloud.yaml:profile::gitlab::runner::docker_subnet: "172.20.0.0/16" hieradata/cloud/eqiad1/devtools/hosts/gitlab-runner-1003.yaml:profile::gitlab::runner::docker_subnet: '172.20.0.0/16' hieradata/common/profile/wmcs/cloud_private_subnet.yaml:profile::wmcs::cloud_private_subnet::supernet: 172.20.0.0/16
I.e, there are more than 1 thing making use of the 172.20.0.0/16 CIDR, which can cause confusion and other problems.
This is allocated in netbox https://netbox.wikimedia.org/ipam/prefixes/652/ as "WMCS cloud-private aggregate".