Kubernetes,ALB:没有通过入口服务创建 ALB
[英]Kubernetes, ALB : ALB not getting created for via ingress-service
问题描述
我正在为 2 个服务创建一个 ALB,并带有注释:merged。 这行不通。 我在日志中也看不到太多动作。 我究竟做错了什么? 工作节点具有 AWS 文档中提到的 ALB 入口策略(也添加了下面的策略)。 Kubernetes 没有抱怨,但 ingress-service 没有获得地址,也没有创建 ALB 或目标组。
ALB 控制器:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: alb-ingress-controller
name: alb-ingress-controller
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: alb-ingress-controller
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app: alb-ingress-controller
spec:
containers:
- args:
- --ingress-class=alb
- --cluster-name=CLUSTER_NAME
- --aws-vpc-id=vpc-XXXXXXX
- --aws-region=REGION
env:
- name: AWS_ACCESS_KEY_ID
VALUE: XXXXXX
- name: AWS_SECRET_ACCESS_KEY
value: XXXXX
image: 894847497797.dkr.ecr.us-west-2.amazonaws.com/aws-alb-ingress-controller:v1.0.0
imagePullPolicy: Always
name: server
resources: {}
terminationMessagePath: /dev/termination-log
dnsPolicy: ClusterFirst
restartPolicy: Always
securityContext: {}
terminationGracePeriodSeconds: 30
serviceAccountName: alb-ingress
serviceAccount: alb-ingress
ALB 入口服务:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: auth-ingress
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facing
kubernetes.io/ingress.class: merge
alb.ingress.kubernetes.io/target-type: instance
alb.ingress.kubernetes.io/certificate-arn: ARN
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80,"HTTPS": 443}]'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/subnets: SUBNET-1,SUBNET-2
alb.ingress.kubernetes.io/security-groups: SG-1,SG-2
# allow 404s on the health check
alb.ingress.kubernetes.io/healthcheck-path: "/"
alb.ingress.kubernetes.io/success-codes: "200,404,302"
spec:
rules:
- host: host.domain.com
http:
paths:
- path: /*
backend:
serviceName: magento-develop
servicePort: 80
- host: sub-domain.host.domain.com
http:
paths:
- path: /*
backend:
serviceName: supplier-service
servicePort: 80
IAM 政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:GetCertificate"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DeleteSecurityGroup",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVpcs",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets",
"elasticloadbalancing:SetWebACL"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:GetServerCertificate",
"iam:ListServerCertificates"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cognito-idp:DescribeUserPoolClient"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"waf-regional:GetWebACLForResource",
"waf-regional:GetWebACL",
"waf-regional:AssociateWebACL",
"waf-regional:DisassociateWebACL"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"tag:GetResources",
"tag:TagResources"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"waf:GetWebACL"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource",
"wafv2:AssociateWebACL",
"wafv2:DisassociateWebACL"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"shield:DescribeProtection",
"shield:GetSubscriptionState",
"shield:DeleteProtection",
"shield:CreateProtection",
"shield:DescribeSubscription",
"shield:ListProtections"
],
"Resource": "*"
}
]
}
kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
auth-ingress host.domain.com,sub-domain.host.domain.com 80 6s
如您所见,没有可用的地址。
2 个解决方案
解决方案1
0 2020-05-04 11:52:58
据此,目前 ALB 入口 controller 为每个入口创建新的 ALB,这意味着没有合并支持。
安装合并入口 controller并删除annotationkubernetes.io/ingress.class: alb
还要确保在集群上安装 ALB 入口 controller。
https://akomljen.com/aws-alb-ingress-controller-for-kubernetes/
解决方案2
0 2020-10-16 04:41:52
我看到您使用的是 alb controller 版本 1.0.0。 您也可以使用升级版本,因为在此版本上发现了 memory 泄漏。
现在继续解决您遇到的问题。 我了解到您希望将两个或多个服务连接到 alb。
脚步:
请检查日志:
kubectl logs -n kube-system $(kubectl get po -n kube-system | egrep -o 'alb-ingress[a-zA-Z0-9-]+') | grep '<ingress-name>'kubectl logs -n kube-system $(kubectl get po -n kube-system | egrep -o 'alb-ingress[a-zA-Z0-9-]+') | grep '<ingress-name>'删除此注释 kubernetes.io/ingress.class:暂时合并。
请检查公有子网是否已标记为 kubernetes.io/role/elb 为 1
如果有多个服务,在hosts下添加多个后端服务
http:
paths:
- path: /*
backend:
serviceName: ssl-redirect
servicePort: use-annotation
- path: /*
backend:
serviceName: service A
servicePort: <port -A>
- path: /<page>/*
backend:
serviceName: service B
servicePort: <port-B>
使用 aws alb 入口控制器在 kubernetes pod 中公开服务
[英]Exposing service in kubernetes pods with aws alb ingress controller
这是否可以将 kubernetes 入口 ALB 与 terraform 托管 alb/路由 53 连接,同时在同一个 dns 名称上提供请求?
[英]Is this possible to connect kubernetes ingress ALB with terraform managed alb/route 53 while serving requests on same dns name?
如何使用 kubernetes_ingress terraform 资源创建 AWS ALB?
[英]How to create AWS ALB using kubernetes_ingress terraform resource?
无法在 Terraform 中创建 AWS ALB kubernetes 入口 controller
[英]Can't create AWS ALB kubernetes ingress controller in Terraform
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
Kube.netes 中的 AWS ALB 服务
使用 aws alb 入口控制器在 kubernetes pod 中公开服务
ALB Ingress Kubernetes 安全组注释不起作用
AWS 上的 ALB 入口控制器
Ingress 不更新 ALB
具有 ALB 入口的多项服务
这是否可以将 kubernetes 入口 ALB 与 terraform 托管 alb/路由 53 连接,同时在同一个 dns 名称上提供请求?
如何使用 kubernetes_ingress terraform 资源创建 AWS ALB?
无法在 Terraform 中创建 AWS ALB kubernetes 入口 controller
未为 ALB 创建目标组绑定
相关标签