AskOverflow.Dev


Questions [ingress] (server)

MysteriousPerson
Asked: 2022-01-12 06:40:13 +0800 CST

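Kubernetes Nginx ingress controller metrics

  • 3

I am trying to find documentation on the metrics exposed by the NGINX ingress controller in Kubernetes, but so far I have not found any reliable source on the metrics and their meaning.

For example, there are three different request_size metrics (sum, bucket, count).

My guess is that sum and count are related to each other. To get the average request size, I would probably do something like sum by (method) (request_size_sum{...}) / sum by (method) (request_size_count{...}).

But what about bucket, and in particular, what is le?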

metrics nginx prometheus kubernetes ingress
  • 1 answer
  • 674 Views
Rob
Asked: 2021-05-22 03:48:31 +0800 CST

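Ambassador service stays "pending"

  • 0

Currently running a fresh "all-in-one VM" (stacked master/slave approach) kubernetes v1.21.1-00 on Ubuntu Server 20 LTS, using

  • cri-o as the container runtime interface
  • calico for networking/security

Also installed the kubernetes-dashboard (but I guess that is not important for my problem?). Installing Ambassador following this guide: https://www.getambassador.io/docs/edge-stack/latest/topics/install/yaml-install/ I ran into the problem that the service is stuck in the "pending" state.

kubectl get svc -n ambassador prints out the following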

NAME               TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ambassador         LoadBalancer   10.97.117.249    <pending>     80:30925/TCP,443:32259/TCP   5h
ambassador-admin   ClusterIP      10.101.161.169   <none>        8877/TCP,8005/TCP            5h
ambassador-redis   ClusterIP      10.110.32.231    <none>        6379/TCP                     5h
quote              ClusterIP      10.104.150.137   <none>        80/TCP                       5h

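While changing the type in the service from LoadBalancer to NodePort sets it up correctly, I am not sure about the implications that come with it. Again, I want to use Ambassador as the ingress component here - with my setup (only one machine), "real" load balancing is probably not necessary.

To cover all the subdomain stuff, I set up a wildcard record pointing to my machine, meaning I have a CNAME for *.k8s.my-domain.com pointing to that host. I do not know whether this approach is that smart for setting up an ingress.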

kubernetes ingress
  • 1 answer
  • 584 Views
Paweł Zając
Asked: 2021-05-17 07:16:27 +0800 CST

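Exposing a simple pod using kubernetes ingress

  • 4

Hi, I am learning kubernetes and having trouble exposing a service. I want to route traffic from HAProxy to my cluster. I am using my own bare-metal servers.

Edit: I also created an ingress controller.

Now when I describe my ingress I can see the IP address of the worker machine, but I still get Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>) and have no idea how to access my pod...

Example configuration:

deployment.yaml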

apiVersion: apps/v1
kind: Deployment
metadata:
  name: apache
  labels:
    app: apache-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: apache-test
  template:
    metadata:
      labels:
        app: apache-test
    spec:
      containers:
      - name: apache
        image: httpd
        ports:
        - containerPort: 80

service.yaml

apiVersion: v1
kind: Service
metadata:
  name: apache-test-service
spec:
  selector:
    app: apache-test
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http

ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: apache-test-ingress
spec:
  rules:
  - host: apache-test.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: apache-test-service
            port:
              number: 80

What's wrong?

Describe ingress:

Name:             apache-test-ingress
Namespace:        default
Address:          192.168.6.72
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host         Path  Backends
  ----         ----  --------
  apache-test  
               /   apache-test-service:80 (10.44.0.1:80)
Annotations:   <none>
Events:        <none>

Describe service:

Name:              apache-test-service
Namespace:         default
Labels:            <none>
Annotations:       <none>
Selector:          app=apache-test
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.104.63.167
IPs:               10.104.63.167
Port:              <unset>  80/TCP
TargetPort:        80/TCP
Endpoints:         10.44.0.1:80
Session Affinity:  None
Events:            <none>

Describe controller:

Name:         ingress-nginx-controller-55bc4f5576-vpsgb                                                                                                                                                    
Namespace:    ingress-nginx
Priority:     0
Node:         kubernetes-node02/192.168.6.72
Start Time:   Sun, 16 May 2021 16:47:26 +0200
Labels:       app.kubernetes.io/component=controller
              app.kubernetes.io/instance=ingress-nginx
              app.kubernetes.io/name=ingress-nginx 
              pod-template-hash=55bc4f5576
Annotations:  <none>
Status:       Running
IP:           10.36.0.1
IPs:
  IP:           10.36.0.1
Controlled By:  ReplicaSet/ingress-nginx-controller-55bc4f5576
Containers:
  controller:
    Container ID:  docker://7daf566a039aba0d06f856b0adcc03659423ec2462c33d9a79f820b58dfcbf98
    Image:         k8s.gcr.io/ingress-nginx/controller:v0.46.0@sha256:52f0058bed0a17ab0fb35628ba97e8d52b5d32299fbc03cc0f6c7b9ff036b61a
    Image ID:      docker-pullable://k8s.gcr.io/ingress-nginx/controller@sha256:52f0058bed0a17ab0fb35628ba97e8d52b5d32299fbc03cc0f6c7b9ff036b61a
    Ports:         80/TCP, 443/TCP, 8443/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP
    Args:
      /nginx-ingress-controller
      --election-id=ingress-controller-leader
      --ingress-class=nginx
      --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
      --validating-webhook=:8443
      --validating-webhook-certificate=/usr/local/certificates/cert
      --validating-webhook-key=/usr/local/certificates/key
    State:          Running
      Started:      Sun, 16 May 2021 16:47:28 +0200
    Ready:          True
    Restart Count:  0
    Requests:
      cpu:      100m
      memory:   90Mi
    Liveness:   http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=5
    Readiness:  http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
    Environment:
      POD_NAME:       ingress-nginx-controller-55bc4f5576-vpsgb (v1:metadata.name)
      POD_NAMESPACE:  ingress-nginx (v1:metadata.namespace)
      LD_PRELOAD:     /usr/local/lib/libmimalloc.so
    Mounts:
      /usr/local/certificates/ from webhook-cert (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-ftnfs (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:
  webhook-cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  ingress-nginx-admission
    Optional:    false
  kube-api-access-ftnfs:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   Burstable
Node-Selectors:              kubernetes.io/os=linux
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:                      <none>

The logs from the POD show nothing... Logs from the ingress controller:

I0516 14:47:28.871207       8 flags.go:208] "Watching for Ingress" class="nginx"
W0516 14:47:28.871287       8 flags.go:213] Ingresses with an empty class will also be processed by this Ingress controller
W0516 14:47:28.872068       8 client_config.go:614] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0516 14:47:28.872594       8 main.go:241] "Creating API client" host="https://10.96.0.1:443"
I0516 14:47:28.887394       8 main.go:285] "Running in Kubernetes cluster" major="1" minor="21" git="v1.21.0" state="clean" commit="cb303e613a121a29364f75cc67d3d580833a7479" platform="linux/amd64"
I0516 14:47:29.768986       8 main.go:105] "SSL fake certificate created" file="/etc/ingress-controller/ssl/default-fake-certificate.pem"
I0516 14:47:29.772688       8 main.go:115] "Enabling new Ingress features available since Kubernetes v1.18"
W0516 14:47:29.775841       8 main.go:127] No IngressClass resource with name nginx found. Only annotation will be used.
I0516 14:47:29.793896       8 ssl.go:532] "loading tls certificate" path="/usr/local/certificates/cert" key="/usr/local/certificates/key"
I0516 14:47:29.829161       8 nginx.go:254] "Starting NGINX Ingress controller"
I0516 14:47:29.848934       8 event.go:282] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"ingress-nginx", Name:"ingress-nginx-controller", UID:"0cf6bc98-71b3-4387-a535-7d3dcb956fc8", APIVersion:"v1", ResourceVersion:"401441", FieldPath:""}): type: 'Normal' reason: 'CREATE' ConfigMap ingress-nginx/ingress-nginx-controller
I0516 14:47:30.936661       8 event.go:282] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"apache-test-ingress", UID:"6e3c5757-28cf-4a68-be98-827fd69ee86f", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"400092", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
I0516 14:47:31.030103       8 nginx.go:296] "Starting NGINX process"
I0516 14:47:31.030266       8 leaderelection.go:243] attempting to acquire leader lease ingress-nginx/ingress-controller-leader-nginx...
I0516 14:47:31.030658       8 nginx.go:316] "Starting validation webhook" address=":8443" certPath="/usr/local/certificates/cert" keyPath="/usr/local/certificates/key"
I0516 14:47:31.031274       8 controller.go:146] "Configuration changes detected, backend reload required"
I0516 14:47:31.040799       8 leaderelection.go:253] successfully acquired lease ingress-nginx/ingress-controller-leader-nginx
I0516 14:47:31.041189       8 status.go:84] "New leader elected" identity="ingress-nginx-controller-55bc4f5576-vpsgb"
I0516 14:47:31.054203       8 status.go:204] "POD is not ready" pod="ingress-nginx/ingress-nginx-controller-55bc4f5576-vpsgb" node="kubernetes-node02"
I0516 14:47:31.129614       8 controller.go:163] "Backend successfully reloaded"
I0516 14:47:31.129922       8 controller.go:174] "Initial sync, sleeping for 1 second"
I0516 14:47:31.130053       8 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress-nginx", Name:"ingress-nginx-controller-55bc4f5576-vpsgb", UID:"16d9fca9-8ac9-4fc1-be40-056540857035", APIVersion:"v1", ResourceVersion:"401513", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration
I0516 14:48:31.054140       8 status.go:284] "updating Ingress status" namespace="default" ingress="apache-test-ingress" currentValue=[] newValue=[{IP:192.168.6.72 Hostname: Ports:[]}]
I0516 14:48:31.067947       8 event.go:282] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"apache-test-ingress", UID:"6e3c5757-28cf-4a68-be98-827fd69ee86f", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"401625", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync

Describe POD

Name:         apache-67487b7c8b-8jbgb
Namespace:    default
Priority:     0
Node:         kubernetes-node01/192.168.6.71
Start Time:   Sun, 16 May 2021 15:13:07 +0200
Labels:       app=apache-test
              pod-template-hash=67487b7c8b
Annotations:  <none>
Status:       Running
IP:           10.44.0.1
IPs:
  IP:           10.44.0.1
Controlled By:  ReplicaSet/apache-67487b7c8b
Containers:
  apache:
    Container ID:   docker://70e4e3c4e01dffa11aa3c945f297e2cf3bc8af249c8d900c8aa30381ce7f56e6
    Image:          httpd
    Image ID:       docker-pullable://httpd@sha256:e4c2b93c04762468a6cce6d507d94def02ef4dc285278d0d926e09827f4857db
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Sun, 16 May 2021 15:13:10 +0200
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-c8dfx (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:
  kube-api-access-c8dfx:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:                      <none>

Edit: I used an ingress controller:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.46.0/deploy/static/provider/baremetal/deploy.yaml
kubernetes ingress
  • 1 answer
  • 9698 Views
csgeek
Asked: 2021-02-12 10:21:57 +0800 CST

ingress-nginx, GCE and static IP

  • 0

So, I want a static IP pointing to my nginx ingress LB.

gcloud compute addresses create test-ip --global 
gcloud compute addresses describe test-ip  --global

It gives me a static IP that I can now use.

Detailed output:

address: 34.120.62.131
addressType: EXTERNAL
creationTimestamp: '2021-02-10T10:27:32.806-08:00'
description: ''
id: '6370409738458995579'
ipVersion: IPV4
kind: compute#address
name: dashboard-ip
networkTier: PREMIUM
status: RESERVED

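I am trying to follow the instructions in this guide, but the "stable" helm repos are gone, and the helm chart I am trying to use is the following. I am not sure whether this is the one recommended for use with helm, but given that it is owned by the K8s org, it seems like the right choice.

The options referenced in the post no longer exist, so I took all the values from the chart and overrode the ones that seemed correct, although I am shooting in the dark.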

controller:
  service:
    loadBalancerIP: "34.120.62.131"

Installed the chart using:


helm install samir ingress-nginx/ingress-nginx -f override.yml

At this point, it is stuck in this state.

k logs service/samir-ingress-nginx-controller                                                                                                                                   (gke_esnet-sd-dev_us-central1-c_test-dashboard-ansible/default)
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v0.44.0
  Build:         f802554ccfadf828f7eb6d3f9a9333686706d613
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.19.6

-------------------------------------------------------------------------------

I0211 18:13:45.281578       6 flags.go:208] "Watching for Ingress" class="nginx"
W0211 18:13:45.281650       6 flags.go:213] Ingresses with an empty class will also be processed by this Ingress controller
W0211 18:13:45.282066       6 client_config.go:614] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0211 18:13:45.282327       6 main.go:241] "Creating API client" host="https://10.11.240.1:443"
I0211 18:13:45.293561       6 main.go:285] "Running in Kubernetes cluster" major="1" minor="17+" git="v1.17.14-gke.1600" state="clean" commit="7c407f5cc8632f9af5a2657f220963aa7f1c46e7" platform="linux/amd64"
I0211 18:13:45.407646       6 main.go:105] "SSL fake certificate created" file="/etc/ingress-controller/ssl/default-fake-certificate.pem"
I0211 18:13:45.434246       6 ssl.go:532] "loading tls certificate" path="/usr/local/certificates/cert" key="/usr/local/certificates/key"
I0211 18:13:45.473930       6 nginx.go:254] "Starting NGINX Ingress controller"
I0211 18:13:45.495884       6 event.go:282] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"default", Name:"samir-ingress-nginx-controller", UID:"7eee0403-5f51-4cda-bd76-84d977ac473e", APIVersion:"v1", ResourceVersion:"446265", FieldPath:""}): type: 'Normal' reason: 'CREATE' ConfigMap default/samir-ingress-nginx-controller
I0211 18:13:46.674807       6 nginx.go:296] "Starting NGINX process"
I0211 18:13:46.675212       6 leaderelection.go:243] attempting to acquire leader lease default/ingress-controller-leader-nginx...
I0211 18:13:46.675645       6 nginx.go:316] "Starting validation webhook" address=":8443" certPath="/usr/local/certificates/cert" keyPath="/usr/local/certificates/key"
I0211 18:13:46.675885       6 controller.go:146] "Configuration changes detected, backend reload required"
I0211 18:13:46.678746       6 status.go:84] "New leader elected" identity="samir-ingress-nginx-controller-57f8695bcc-d4pmq"
I0211 18:13:46.772343       6 controller.go:163] "Backend successfully reloaded"
I0211 18:13:46.772435       6 controller.go:174] "Initial sync, sleeping for 1 second"
I0211 18:13:46.772584       6 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"default", Name:"samir-ingress-nginx-controller-57f8695bcc-959pw", UID:"fcb5dbc0-7c43-4330-8641-a00514103afd", APIVersion:"v1", ResourceVersion:"446293", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration
I0211 18:14:18.716021       6 leaderelection.go:253] successfully acquired lease default/ingress-controller-leader-nginx
I0211 18:14:18.716815       6 status.go:84] "New leader elected" identity="samir-ingress-nginx-controller-57f8695bcc-959pw"

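Is there anything I am missing?

Note: I did stumble upon this alternative chart. It seems closer to what is referenced in the stackoverflow post I linked above, although even with it I could not get it to work. Could I have missed an option when creating the cluster?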

google-cloud-platform kubernetes google-kubernetes-engine ingress
  • 1 answer
  • 713 Views
csgeek
Asked: 2021-02-10 16:48:48 +0800 CST

Ingress Nginx SSL 503 error

  • 1

service.yaml

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    io.kompose.service: grafana
  name: grafana
spec:
  ports:
    - name: "3000"
      port: 3000
      targetPort: 3000
  selector:
    io.kompose.service: grafana
status:
  loadBalancer: {}

Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kompose.cmd: kompose convert
    kompose.version: 1.22.0 (HEAD)
  creationTimestamp: null
  labels:
    io.kompose.service: grafana
  name: grafana
spec:
  replicas: 1
  selector:
    matchLabels:
      io.kompose.service: grafana
  strategy: {}
  template:
    metadata:
      annotations:
        kompose.cmd: kompose convert
        kompose.version: 1.22.0 (HEAD)
      creationTimestamp: null
      labels:
        io.kompose.service: grafana
    spec:
      containers:
        - env:
            - name: GF_SERVER_DOMAIN
              #              value: "testing.esamir.com"
              value: "direct.esamir.com"
            - name: GF_SERVER_ROOT_URL
              value: "%(protocol)s://%(domain)s:%(http_port)s/"
            - name: GF_SERVER_SERVE_FROM_SUB_PATH
              value: "true"
            - name: GF_DATABASE_URL
              valueFrom:
                configMapKeyRef:
                  name: grafanaconfig
                  key: url

          image: grafana/grafana:7.4.0-ubuntu
          name: grafana
          ports:
            - containerPort: 3000
          resources: {}
      restartPolicy: Always
status: {}

ingress-nginx configuration:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: hello-kubernetes-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
    - host: testing1.com
      http:
        paths:
          - backend:
              serviceName: hello-kubernetes-second
              servicePort: 80
    - host: testing2.com
      http:
        paths:
          - backend:
              serviceName: dashboard
              servicePort: 3000

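If I connect to testing1.com over http or https, it is running a simple hello-world kubernetes application. Everything works flawlessly.

If I connect to testing2.com over https or http, I get a 503 error: "503 Service Temporarily Unavailable".

Looking at the logs, I found this error: "2021-02-09 15:34:25.309 PST Error getting Endpoints for Service "test/dashboard": no object matching key "test/dashboard" in local store"

For reference, all of my manifests are deployed under the test namespace in K8.

Most of the references I found online talk about making sure the service has valid endpoints.

kubectl get endpoints --namespace test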

NAME                                       ENDPOINTS                                      AGE
grafana                                    10.68.5.23:3000                                6h4m
hello-kubernetes-second                    10.68.3.9:8080,10.68.5.5:8080,10.68.6.6:8080   6h22m
nginx-ingress-nginx-controller             10.68.5.8:443,10.68.5.8:80                     6h20m
nginx-ingress-nginx-controller-admission   10.68.5.8:8443                                 6h20m

kubectl describe svc grafana -n test


Namespace:         test
Labels:            io.kompose.service=grafana
Annotations:       <none>
Selector:          io.kompose.service=grafana
Type:              ClusterIP
IP:                10.71.248.111
Port:              3000  3000/TCP
TargetPort:        3000/TCP
Endpoints:         10.68.5.23:3000
Session Affinity:  None
Events:            <none>

As far as I can tell, my service does have a valid endpoint. What am I missing?

google-cloud-platform kubernetes grafana ingress
  • 1 answer
  • 1019 Views
nzimpossible
Asked: 2021-02-03 17:09:09 +0800 CST

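Single IP access to Kubernetes cluster ingress

  • 0

I have an Amazon EKS cluster that hosts multiple websites, and I have an ingress controller and a load balancer that spin up more pods as needed.

I typically use CNAME-type records ("e.g. alias or name") to point domains to the dynamic cluster; however, I am dealing with wanting to move to A records in the long term for more dns compatibility, etc.

Other than an F5 BIG IP, is there any service in AWS or another tool that can be used to point to my cluster with a single static IP?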

domain-name-system kubernetes amazon-eks ingress
  • 2 answers
  • 134 Views
Tek Nath Acharya
Asked: 2020-12-30 08:05:12 +0800 CST

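How to block/allow a country in Nginx Ingress

  • 1

Hello, is it possible to block or allow certain countries in Nginx Ingress (community)? It seems to be possible on Nginx installed on a server (link), but I want to apply a similar approach on Nginx Ingress.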

nginx kubernetes nginx-ingress ingress
  • 1 answer
  • 893 Views
Ondřej Míchal
Asked: 2020-08-13 01:34:53 +0800 CST

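How to change the default certificate chain in Kubernetes Ingress

  • 3

I am using AKS on Azure and Ingress with Let's Encrypt certificates (configured per https://docs.microsoft.com/en-us/azure/aks/ingress-static-ip).

The certificate chain defaults to DST Root CA X3, but I want to change it to the alternative ISRG Root X1.

https://letsencrypt.org/certificates/#cross-signing says

Almost all server operators will choose to serve a chain including the intermediate certificate with Subject "Let's Encrypt Authority X3" and Issuer "DST Root CA X3".

Can you tell me how I can change the default intermediate certificate to Let's Encrypt Authority X3 (Signed by ISRG Root X1)?

I know that ISRG Root X1 should become the default on September 29, 2020 ( https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html ), so I could wait (not optimal). But after that, this will be useful for people who need to keep DST Root CA X3.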

kubernetes lets-encrypt ingress
  • 2 answers
  • 1800 Views
James
Asked: 2020-07-21 14:47:05 +0800 CST

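Configuring Kubernetes Ingress

  • 0

I am trying to properly configure Google Kubernetes Engine Ingress to load balance a Docker application running on port 3000. I am clearly making an obvious mistake somewhere, but I cannot figure out where. The Ingress always says the machines are unhealthy, but I was able to verify that the web application is running and listening on 0.0.0.0:3000.

Besides the stated problem, any other clear pitfalls in my configuration would also be appreciated.

The current setup looks like this:

deployment.yml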

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  minReadySeconds: 5
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: cloud-sql-proxy
        image: gcr.io/cloudsql-docker/gce-proxy:1.17
        command:
          - "/cloud_sql_proxy"
          - "-ip_address_types=PRIVATE"
          - "-instances=project:us-central1:postgres=tcp:5432"
        securityContext:
          runAsNonRoot: true
      - name: web
        image: gcr.io/PROJECT_ID/IMAGE:TAG
        ports:
        - containerPort: 3000
        env:
        - name: MASTER_KEY
          valueFrom:
            secretKeyRef:
              name: masterkey
              key: MASTER_KEY
        resources:
          requests:
            cpu: 100m
          limits:
            cpu: 100m

web-service.yml

apiVersion: v1
kind: Service
metadata:
  name: web-service
spec:
  selector:
    app: web
  type: NodePort
  ports:
    - port: 3000
      targetPort: 443
      protocol: TCP
      name: https

web-ingress.yml

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: staging-cluster
    networking.gke.io/managed-certificates: cloudflare-origin
spec:
  rules:
  - host: staging.mydomain.com
    http:
      paths:
      - backend:
        serviceName: web-service
        servicePort: 443

cloudflare-origin.yml *

apiVersion: networking.gke.io/v1beta2
kind: ManagedCertificate
metadata:
  name: cloudflare-origin
spec:
  domains:
    - staging.mydomain.com

compute-address.yml

apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeAddress
metadata:
  name: staging-cluster
spec:
  location: global

kustomization.yml

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gke/deployment.yml
- gke/config-connector.yml
- gke/compute-address.yml
- gke/cloudflare-origin.yml
- gke/web-service.yml
- gke/web-ingress.yml
docker kubernetes google-kubernetes-engine containers ingress
  • 1 answer
  • 210 Views
bachr
Asked: 2020-06-03 15:30:51 +0800 CST

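ingress nginx: upstream sent no valid HTTP/1.0 header while reading response header from upstream

  • 1

I am trying to set up an nginx ingress controller for the services in my namespace. One of the backend services accepts HTTP traffic on port 80, and the other accepts only HTTPS traffic on port 443. See the descriptions of the two services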

$ kubectl describe svc service-1 -n monit
Name:              service-1
Namespace:         monit
Labels:            app=service-1
Annotations:       <none>
Selector:          app=service-1
Type:              ClusterIP
IP:                10.104.185.173
Port:              https  443/TCP
TargetPort:        8443/TCP
Endpoints:         10.1.0.95:8443
Session Affinity:  None
Events:            <none>

$ kubectl describe svc service-2 -n monit
Name:              service-2
Namespace:         monit
Labels:            app=service-2
Annotations:       <none>
Selector:          app=service-2
Type:              ClusterIP
IP:                10.110.93.64
Port:              service  80/TCP
TargetPort:        3000/TCP
Endpoints:         10.1.0.87:3000
Session Affinity:  None
Events:            <none>

Here is my ingress configuration

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-monit
spec:
  rules:
  - host: service-2.localhost
    http:
      paths:
      - path: /
        backend:
          serviceName: service-2
          servicePort: 80
  - host: service-1.localhost
    http:
      paths:
      - path: /
        backend:
          serviceName: service-1
          servicePort: 443

When I look at the Nginx configuration, everything looks fine

$ kubectl describe ingress ingress-monit -n monit                  
Name:             ingress-monit
Namespace:        monit
Address:          localhost
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host                            Path  Backends
  ----                            ----  --------
  service-2.localhost               
                                  /   service-2:80 (10.1.0.87:3000)
  service-1.localhost  
                                  /   service-1:443 (10.1.0.95:8443)
Annotations:                      Events:
  Type                            Reason  Age   From                      Message
  ----                            ------  ----  ----                      -------
  Normal                          CREATE  31m   nginx-ingress-controller  Ingress monit/ingress-monit
  Normal                          UPDATE  30m   nginx-ingress-controller  Ingress monit/ingress-monit

The problem now is that I can correctly access my service-2 using http://service-2.localhost/, but I cannot access service-1. Visiting http://service-1.localhost/ in chrome gives me

This site can’t be reached
The webpage at https://service-1.localhost/ might be temporarily down or it may have moved permanently to a new web address.
ERR_INVALID_RESPONSE

When I look at the Nginx logs, I see:

$ kubectl logs -n monit ingress-nginx-controller-bbdc786b4-8crdm -f
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       0.32.0
  Build:         git-446845114
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.17.10

-------------------------------------------------------------------------------
. . .
2020/06/02 22:56:47 [error] 2363#2363: *64928 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 192.168.65.3, server: service-1.localhost, request: "GET / HTTP/1.1", upstream: "http://10.1.0.95:8443/", host: "service-1.localhost"
192.168.65.3 - - [02/Jun/2020:22:58:13 +0000] "GET / HTTP/1.1" 200 7817 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 594 0.005 [monit-service-2-80] [] 10.1.0.87:3000 30520 0.005 200 2baefff713047b14a81643650cb50c4c

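The error appears to be related to service-1 returning a bad response: upstream sent no valid HTTP/1.0 header while reading response header from upstream. The thing is, if I use kubectl proxy I can access the service correctly!

Any ideas on how I can figure out what the real problem is?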

nginx kubernetes ingress
  • 1 answer
  • 5855 Views
