[英]Kubernetes dashboard: TLS handshake error
I have an EKS 1.18 cluster.我有一个 EKS 1.18 集群。 When I tried to deploy a k8s dashboard, it's failing with the error below.当我尝试部署 k8s 仪表板时,它失败并出现以下错误。
Also, my dashboard svc uses a loadBalancer.此外,我的仪表板 svc 使用 loadBalancer。
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
annotations:
external-dns.alpha.kubernetes.io/hostname: "test.xxx.net"
service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
type: LoadBalancer
ports:
- port: 443
targetPort: 8443
selector:
k8s-app: kubernetes-dashboard
Pls let me know what does the TLS handshake error
mean?请让我知道TLS handshake error
是什么意思? What should I do to fix this error?我应该怎么做才能修复这个错误?
logs:日志:
2021/03/18 22:03:08 http: TLS handshake error from xx.xxx.x.x:8279: EOF
2021/03/18 22:03:08 http: TLS handshake error from xx.xxx.x.x:34935: EOF
2021/03/18 22:03:08 http: TLS handshake error from xx.xxx.x.x:24437: EOF
2021/03/18 22:03:08 http: TLS handshake error from xx.xxx.x.x:64552: EOF
2021/03/18 22:03:10 http: TLS handshake error from xx.xxx.x.x:5481: EOF
code:代码:
https://github.com/kubernetes/dashboard/releases/tag/v2.0.3 https://github.com/kubernetes/dashboard/releases/tag/v2.0.3
https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml
kubectl version
+ kubectl version Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.1", GitCommit:"d647ddbd755faf07169599a625faf302ffc34458", GitTreeState:"clean", BuildDate:"2019-10-02T23:49:20Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"darwin/amd64"} Server Version: version.Info{Major:"1", Minor:"18+", GitVersion:"v1.18.9-eks-d1db3c", GitCommit:"d1db3c46e55f95d6a7d3e5578689371318f95ff9", GitTreeState:"clean", BuildDate:"2020-10-20T22:18:07Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}
zerkms already shed some light on the cause of your issue in his comment: zerkms已经在他的评论中阐明了您的问题的原因:
Your ingress presumably does not understand the dashboard terminates tls itself and tries to send naked http requests there.您的入口可能不理解仪表板本身终止 tls 并尝试在那里发送裸 http 请求。 So, whatever you use to ingress/load balance traffic to the app - should be configured to connect via tls.因此,无论您使用什么进入/负载平衡应用程序的流量 - 都应该配置为通过 tls 连接。 – zerkms Mar 19 at 2:55 – zerkms 3 月 19 日 2:55
You also told us that there isn't any ingress configured but you use for connection the domain name, pointing to your LoadBalancer's IP.您还告诉我们,没有配置任何入口,但您用于连接域名,指向您的 LoadBalancer 的 IP。 That's fine but keep in mind that when you create a Service
of LoadBalancer
type on your EKS cluster, by default Classic Load Balancer is created.这很好,但请记住,当您在 EKS 集群上创建LoadBalancer
类型的Service
时,默认情况下会创建Classic Load Balancer 。 It works on layer 7 of the OSI model so it recognizes the https traffic, terminates TLS connection and then sends to your backend pods naked http request.它适用于 OSI model 的第 7 层,因此它可以识别 https 流量,终止 TLS 连接,然后将裸露的 Z80791B3AE7002CB88C246876D9FAA8F8 请求发送到您的后端 pod。 As zerkms already explained, your backend is not prepared to handle such connection as it terminates TLS itself.正如zerkms已经解释的那样,您的后端不准备处理此类连接,因为它会终止 TLS 本身。
As I already mentioned,by default, when you create your LoadBalancer
service, Classic Load Balancer is created.正如我已经提到的,默认情况下,当您创建LoadBalancer
服务时,会创建Classic Load Balancer 。 However you can change this default behaviour by adding to your Service
the following annotation as mentioned here :但是,您可以通过向您的Service
添加此处提到的以下注释来更改此默认行为:
service.beta.kubernetes.io/aws-load-balancer-type: nlb
As Network Load Balancer operates on layer 4 of the OSI model, it simply passes TCP packets to your backend pods without inspecting their content, terminating TLS etc and expects https traffic.由于网络负载均衡器在 OSI model 的第 4 层上运行,它只是将 TCP 数据包传递到您的后端 pod,而不检查它们的内容、终止 TLS 等,并期望 Z5E056C500A1C4B6A7110B50D 流量。
Alternatively you may set up some ingress controller which is configured to support SSL-passthrough like ngix-ingress as the AWS'sALB unfortunatelly doesn't support it.或者,您可以设置一些入口 controller 配置为支持 SSL-passthrough ,如ngix-ingress ,因为不幸的是AWS 的ALB不支持它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.