[Question title]: Kubernetes, ALB : ALB not getting created via ingress-service
[Posted]: 2020-05-04 07:53:37
[Question description]:

I am creating one ALB for 2 services, with the annotation: merged. This does not work. I also don't see much activity in the logs. What am I doing wrong? The worker nodes have the ALB ingress policy mentioned in the AWS documentation (the policy is also added below). Kubernetes is not complaining, but the ingress-service does not get an address, and no ALB or target group is created.

ALB controller:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: alb-ingress-controller
  name: alb-ingress-controller
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: alb-ingress-controller
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: alb-ingress-controller
    spec:
      containers:
        - args:
            - --ingress-class=alb
            - --cluster-name=CLUSTER_NAME
            - --aws-vpc-id=vpc-XXXXXXX
            - --aws-region=REGION
          env:
            - name: AWS_ACCESS_KEY_ID
              value: XXXXXX
            - name: AWS_SECRET_ACCESS_KEY
              value: XXXXX
          image: 894847497797.dkr.ecr.us-west-2.amazonaws.com/aws-alb-ingress-controller:v1.0.0
          imagePullPolicy: Always
          name: server
          resources: {}
          terminationMessagePath: /dev/termination-log
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      securityContext: {}
      terminationGracePeriodSeconds: 30
      serviceAccountName: alb-ingress
      serviceAccount: alb-ingress

ALB ingress-service:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    kubernetes.io/ingress.class: merge
    alb.ingress.kubernetes.io/target-type: instance
    alb.ingress.kubernetes.io/certificate-arn: ARN
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80,"HTTPS": 443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/subnets: SUBNET-1,SUBNET-2
    alb.ingress.kubernetes.io/security-groups: SG-1,SG-2
    # allow 404s on the health check
    alb.ingress.kubernetes.io/healthcheck-path: "/"
    alb.ingress.kubernetes.io/success-codes: "200,404,302"
spec:
  rules:
    - host: host.domain.com
      http:
        paths:
          - path: /*
            backend:
              serviceName: magento-develop
              servicePort: 80
    - host: sub-domain.host.domain.com
      http:
        paths:
          - path: /*
            backend:
              serviceName: supplier-service
              servicePort: 80

IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:GetCertificate"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVpcs",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddListenerCertificates",
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateRule",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DeleteRule",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:DescribeListenerCertificates",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeSSLPolicies",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:ModifyRule",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:RemoveListenerCertificates",
                "elasticloadbalancing:RemoveTags",
                "elasticloadbalancing:SetIpAddressType",
                "elasticloadbalancing:SetSecurityGroups",
                "elasticloadbalancing:SetSubnets",
                "elasticloadbalancing:SetWebACL"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:GetServerCertificate",
                "iam:ListServerCertificates"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cognito-idp:DescribeUserPoolClient"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "waf-regional:GetWebACLForResource",
                "waf-regional:GetWebACL",
                "waf-regional:AssociateWebACL",
                "waf-regional:DisassociateWebACL"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "tag:GetResources",
                "tag:TagResources"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "waf:GetWebACL"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "wafv2:GetWebACL",
                "wafv2:GetWebACLForResource",
                "wafv2:AssociateWebACL",
                "wafv2:DisassociateWebACL"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "shield:DescribeProtection",
                "shield:GetSubscriptionState",
                "shield:DeleteProtection",
                "shield:CreateProtection",
                "shield:DescribeSubscription",
                "shield:ListProtections"
            ],
            "Resource": "*"
        }
    ]
}


kubectl get ingress
NAME           HOSTS                                    ADDRESS   PORTS   AGE
auth-ingress   host.domain.com,sub-domain.host.domain.com             80      6s

As you can see, no address is available.

[Question discussion]:

    Tags: amazon-web-services kubernetes


    [Solution 1]:

    According to this, the ALB ingress controller currently creates a new ALB for each ingress, which means merging is not supported.

    Install the merge ingress controller and remove the annotation kubernetes.io/ingress.class: alb

    Also make sure the ALB ingress controller is installed on the cluster.

    https://akomljen.com/aws-alb-ingress-controller-for-kubernetes/

    [Discussion]:

    • I don't have helm and don't know how to use it without helm
    • Don't think there is a way.. but you might put the values in the deployment yaml
    [Solution 2]:

    I see you are using alb controller version 1.0.0. You may also use an upgraded version, since a memory leak was found in this version.

    Now on to the problem you are facing. I understand you want to connect two or more services to the alb.

    Steps:

    1. Please check the logs: kubectl logs -n kube-system $(kubectl get po -n kube-system | egrep -o 'alb-ingress[a-zA-Z0-9-]+') | grep '<ingress-name>'

    2. Remove this annotation for now: kubernetes.io/ingress.class: merge

    3. Please check whether the public subnets are tagged with kubernetes.io/role/elb set to 1

    4. If there are multiple services, add multiple backend services under hosts

          http:
            paths:
              - path: /*
                backend:
                  serviceName: ssl-redirect
                  servicePort: use-annotation
              - path: /*
                backend:
                  serviceName: service A
                  servicePort: <port-A>
              - path: /<page>/*
                backend:
                  serviceName: service B
                  servicePort: <port-B>


    [Discussion]:
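A small check for the configuration posted in the question and for steps 2 and 3 of this answer, added here as an example that is not part of the original thread: it reports the duplicated kubernetes.io/ingress.class annotation (a YAML loader that accepts duplicate keys keeps only the last value, so the effective class becomes merge and a controller started with --ingress-class=alb ignores the Ingress, which fits the quiet logs and the empty ADDRESS column), compares the effective class with the controller's flag, and looks for the kubernetes.io/role/elb=1 subnet tag. The manifest excerpt, controller args and describe-subnets response are constructed samples; the parser assumes block-style YAML.

```python
import json

# Constructed sample: the questioner's Ingress annotations with the duplicated
# kubernetes.io/ingress.class key (alb, then merge) reproduced as posted.
INGRESS_MANIFEST = """\
metadata:
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    kubernetes.io/ingress.class: merge
    alb.ingress.kubernetes.io/target-type: instance
"""
# Constructed: controller args as in the Deployment, plus a stand-in for
# `aws ec2 describe-subnets` output (sample subnet IDs, not real ones).
CONTROLLER_ARGS = ["--ingress-class=alb", "--cluster-name=CLUSTER_NAME"]
DESCRIBE_SUBNETS = json.dumps({"Subnets": [
    {"SubnetId": "subnet-aaaa1111", "Tags": [{"Key": "kubernetes.io/role/elb", "Value": "1"}]},
    {"SubnetId": "subnet-bbbb2222", "Tags": [{"Key": "Name", "Value": "private-a"}]}]})

def annotation_pairs(manifest):
    # (key, value) pairs in file order, keeping duplicates that a YAML loader
    # would silently collapse (last one wins). Block-style YAML only.
    lines = manifest.splitlines()
    start = next(i for i, l in enumerate(lines) if l.strip() == "annotations:") + 1
    indent = len(lines[start]) - len(lines[start].lstrip())
    pairs = []
    for line in lines[start:]:
        body = line.strip()
        if body.startswith("#"):
            continue  # comments inside the block carry no key
        if not body or len(line) - len(line.lstrip()) != indent:
            break     # indentation changed: left the annotations block
        key, _, value = body.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs

def elb_subnets(describe_json):
    # Subnets the controller can auto-discover: tagged kubernetes.io/role/elb=1.
    return [s["SubnetId"] for s in json.loads(describe_json)["Subnets"]
            if any(t["Key"] == "kubernetes.io/role/elb" and t["Value"] == "1"
                   for t in s.get("Tags", []))]

def diagnose(manifest, args, describe_json):
    # Returns a list of findings; an empty list means all three checks passed.
    pairs, findings = annotation_pairs(manifest), []
    keys = [k for k, _ in pairs]
    for k in sorted({k for k in keys if keys.count(k) > 1}):
        findings.append(f"duplicate annotation {k}: only the last value survives parsing")
    classes = [v for k, v in pairs if k == "kubernetes.io/ingress.class"]
    flags = [a.split("=", 1)[1] for a in args if a.startswith("--ingress-class=")]
    seen, want = (classes[-1] if classes else None), (flags[0] if flags else "alb")
    if seen != want:
        findings.append(f"ingress class resolves to {seen!r} but the controller watches {want!r}")
    if not elb_subnets(describe_json):
        findings.append("no subnet tagged kubernetes.io/role/elb=1 for auto-discovery")
    return findings
```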
