GKE 上的入口。 运行 指定服务健康检查

Question

我尝试在 Google Kubernetes 引擎上为 2 个服务的负载均衡器使用入口：

这里是入口配置：

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: basic-ingress

spec:
  rules:
  - http:
      paths:
      - path: /*
        backend:
          serviceName: web
          servicePort: 8080
      - path: /v2/keys
        backend:
          serviceName: etcd-np
          servicePort: 2379

其中 web 是来自 google 个样本的示例服务：

apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: default
spec:
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    run: web
  type: NodePort

----
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: default
spec:
  selector:
    matchLabels:
      run: web
  template:
    metadata:
      labels:
        run: web
    spec:
      containers:
      - image: gcr.io/google-samples/hello-app:1.0
        imagePullPolicy: IfNotPresent
        name: web
        ports:
        - containerPort: 8080
          protocol: TCP

但是第二个服务是带有 NodePort 服务的 ETCD 集群：

---
apiVersion: v1
kind: Service
metadata:
  name: etcd-np
spec:
  ports:
  - port: 2379
    targetPort: 2379
  selector:
    app: etcd
  type: NodePort

但我在日志中看到只有第一个入口规则正常工作：

ingress.kubernetes.io/backends: {"k8s-be-30195--ebfd7339a961462d":"UNHEALTHY","k8s-be-30553--ebfd7339a961462d":"HEALTHY","k8s-be-31529--ebfd7339a961462d":"HEALTHY"}

我 etcd-np 工作正常这不是 etcd 的问题，我认为问题是 etcd 服务器在 GET / 请求上用 404 应答并且入口级别的一些健康检查不允许使用它。

这就是为什么我有 2 个问题:

1 ) 如何为入口上的每个后端路径提供健康检查 url

2) 如何调试此类问题。我现在看到的是

kubectl describe ingress basic-ingress
Name:             basic-ingress
Namespace:        default
Address:          4.4.4.4
Default backend:  default-http-backend:80 (10.52.6.2:8080)
Rules:
  Host        Path  Backends
  ----        ----  --------
  *           
              /*         web:8080 (10.52.8.10:8080)
              /v2/keys   etcd-np:2379 (10.52.0.2:2379,10.52.2.4:2379,10.52.8.4:2379)
Annotations:  ingress.kubernetes.io/backends:
                {"k8s-be-30195--ebfd7339a961462d":"UNHEALTHY","k8s-be-30553--ebfd7339a961462d":"HEALTHY","k8s-be-31529--ebfd7339a961462d":"HEALTHY"}
              ingress.kubernetes.io/forwarding-rule: k8s-fw-default-basic-ingress--ebfd7339a961462d
              ingress.kubernetes.io/target-proxy: k8s-tp-default-basic-ingress--ebfd7339a961462d
              ingress.kubernetes.io/url-map: k8s-um-default-basic-ingress--ebfd7339a961462d
Events:       <none>

但它没有向我提供有关此事件的任何信息

UP

kubectl describe svc etcd-np

Name:                     etcd-np
Namespace:                default
Labels:                   <none>
Annotations:              Selector:  app=etcd
Type:                     NodePort
IP:                       10.4.7.20
Port:                     <unset>  2379/TCP
TargetPort:               2379/TCP
NodePort:                 <unset>  30195/TCP
Endpoints:                10.52.0.2:2379,10.52.2.4:2379,10.52.8.4:2379
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

Answer 1

根据 doc.

A Service exposed through an Ingress must respond to health checks from the load balancer. Any container that is the final destination of load-balanced traffic must do one of the following to indicate that it is healthy:

1. Serve a response with an HTTP 200 status to GET requests on the / path.
2. Configure an HTTP readiness probe. Serve a response with an HTTP 200 status to GET requests on the path specified by the readiness probe. The Service exposed through an Ingress must point to the same container port on which the readiness probe is enabled.

For example, suppose a container specifies this readiness probe:

...
readinessProbe:
  httpGet:
    path: /healthy

Then if the handler for the container's /healthy path returns an HTTP 200 status, the load balancer considers the container to be alive and healthy.

现在，由于 ETCD 在 /health 处有一个运行状况端点，就绪探测将看起来像

...
readinessProbe:
  httpGet:
    path: /health

如果在 ETCD 中启用了 mTLS，这会变得有点棘手。为避免这种情况，请检查 docs.