Kubernetes nginx ingress 定期给出 404
Kubernetes nginx ingress periodically gives 404
我已经在 AWS 中部署了 kops k8s,一切都在同一个命名空间中。
nginx 入口控制器将流量路由到 https 后端(wordpress 应用程序)。
我可以访问该网站,但不幸的是,每 10~ 次调用只有 1 次获得 http 200。所有其他 9 次获得 404 nginx 未找到。
试图到处搜索但没有运气:(
我的配置:
DNS -> AWS NLB -> 2 个节点
ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-nginx
namespace: example-ns
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/ssl-passthrough: "True"
nginx.org/ssl-services: test-service
nginx.ingress.kubernetes.io/affinity: "cookie"
spec:
rules:
- host: "test.example.com"
http:
paths:
- path: /
backend:
serviceName: test-service
servicePort: 8443
nginx-service.yaml:
kind: Service
apiVersion: v1
metadata:
name: ingress-nginx
namespace: example-ns
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: nlb
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
spec:
externalTrafficPolicy: Local
type: LoadBalancer
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
ports:
- name: http
port: 80
targetPort: http
- name: https
port: 443
targetPort: https
nginx-daemonset.yaml:
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
name: nginx-ingress-controller
namespace: example-ns
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
spec:
serviceAccountName: nginx-ingress-serviceaccount
imagePullSecrets:
- name: private-repo
containers:
- name: nginx-ingress-controller
image: private_repo/private_image
args:
- /nginx-ingress-controller
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
- --annotations-prefix=nginx.ingress.kubernetes.io
- --default-ssl-certificate=$(POD_NAMESPACE)/tls-cert
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsUser: 33
resources:
limits:
cpu: 500m
memory: 300Mi
requests:
cpu: 400m
memory: 200Mi
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- name: https
containerPort: 443
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
wordpress.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: test-example
namespace: example-ns
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
strategy:
type: RollingUpdate
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
restartPolicy: Always
volumes:
- name: volume
persistentVolumeClaim:
claimName: volume-claim
imagePullSecrets:
- name: private-repo
containers:
- name: test-example-httpd
image: private_repo/private_image
imagePullPolicy: Always
ports:
- containerPort: 8443
name: https
- name: test-example-php-fpm
image: private_repo/private_image
imagePullPolicy: Always
securityContext:
runAsUser: 82
securityContext:
allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Service
metadata:
name: test-service
namespace: example-ns
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
ports:
- name: https-web
targetPort: 8443
port: 8443
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---更新---
kubectl get endpoints,services -n example-ns
NAME ENDPOINTS AGE
endpoints/ingress-nginx 100.101.0.1:8443,100.100.0.4:443,100.101.0.2:443 1d
endpoints/test-service 100.100.0.1:8443,100.101.0.1:8443,100.101.0.2:8443 4h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/ingress-nginx LoadBalancer SOME-IP sometext.elb.us-west-3.amazonaws.com 80:31541/TCP,443:31017/TCP 1d
service/test-service ClusterIP SOME-IP <none> 8443/TCP 4h
谢谢!
显然将注释 nginx.ingress.kubernetes.io/ssl-passthrough 从 "True" 更改为 "False" 解决了这个问题。
可能必须在 NGINX 而不是 apache 中对 ssl 终止做一些事情。
我已经在 AWS 中部署了 kops k8s,一切都在同一个命名空间中。
nginx 入口控制器将流量路由到 https 后端(wordpress 应用程序)。
我可以访问该网站,但不幸的是,每 10~ 次调用只有 1 次获得 http 200。所有其他 9 次获得 404 nginx 未找到。 试图到处搜索但没有运气:(
我的配置: DNS -> AWS NLB -> 2 个节点
ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-nginx
namespace: example-ns
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/ssl-passthrough: "True"
nginx.org/ssl-services: test-service
nginx.ingress.kubernetes.io/affinity: "cookie"
spec:
rules:
- host: "test.example.com"
http:
paths:
- path: /
backend:
serviceName: test-service
servicePort: 8443
nginx-service.yaml:
kind: Service
apiVersion: v1
metadata:
name: ingress-nginx
namespace: example-ns
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: nlb
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
spec:
externalTrafficPolicy: Local
type: LoadBalancer
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
ports:
- name: http
port: 80
targetPort: http
- name: https
port: 443
targetPort: https
nginx-daemonset.yaml:
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
name: nginx-ingress-controller
namespace: example-ns
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
spec:
serviceAccountName: nginx-ingress-serviceaccount
imagePullSecrets:
- name: private-repo
containers:
- name: nginx-ingress-controller
image: private_repo/private_image
args:
- /nginx-ingress-controller
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
- --annotations-prefix=nginx.ingress.kubernetes.io
- --default-ssl-certificate=$(POD_NAMESPACE)/tls-cert
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsUser: 33
resources:
limits:
cpu: 500m
memory: 300Mi
requests:
cpu: 400m
memory: 200Mi
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- name: https
containerPort: 443
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
wordpress.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: test-example
namespace: example-ns
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
strategy:
type: RollingUpdate
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
restartPolicy: Always
volumes:
- name: volume
persistentVolumeClaim:
claimName: volume-claim
imagePullSecrets:
- name: private-repo
containers:
- name: test-example-httpd
image: private_repo/private_image
imagePullPolicy: Always
ports:
- containerPort: 8443
name: https
- name: test-example-php-fpm
image: private_repo/private_image
imagePullPolicy: Always
securityContext:
runAsUser: 82
securityContext:
allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Service
metadata:
name: test-service
namespace: example-ns
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
ports:
- name: https-web
targetPort: 8443
port: 8443
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---更新---
kubectl get endpoints,services -n example-ns
NAME ENDPOINTS AGE
endpoints/ingress-nginx 100.101.0.1:8443,100.100.0.4:443,100.101.0.2:443 1d
endpoints/test-service 100.100.0.1:8443,100.101.0.1:8443,100.101.0.2:8443 4h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/ingress-nginx LoadBalancer SOME-IP sometext.elb.us-west-3.amazonaws.com 80:31541/TCP,443:31017/TCP 1d
service/test-service ClusterIP SOME-IP <none> 8443/TCP 4h
谢谢!
显然将注释 nginx.ingress.kubernetes.io/ssl-passthrough 从 "True" 更改为 "False" 解决了这个问题。
可能必须在 NGINX 而不是 apache 中对 ssl 终止做一些事情。