amazon-web-services - Kubernetes,ALB:没有通过入口服务创建 ALB
问题描述
我正在为 2 个服务创建一个 ALB,并带有注释:merged。这行不通。我在日志中也看不到太多动作。我究竟做错了什么?工作节点具有 AWS 文档中提到的 ALB 入口策略(也添加了下面的策略)。Kubernetes 没有抱怨,但 ingress-service 没有获得地址,也没有创建 ALB 或目标组。
ALB 控制器:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: alb-ingress-controller
name: alb-ingress-controller
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: alb-ingress-controller
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app: alb-ingress-controller
spec:
containers:
- args:
- --ingress-class=alb
- --cluster-name=CLUSTER_NAME
- --aws-vpc-id=vpc-XXXXXXX
- --aws-region=REGION
env:
- name: AWS_ACCESS_KEY_ID
VALUE: XXXXXX
- name: AWS_SECRET_ACCESS_KEY
value: XXXXX
image: 894847497797.dkr.ecr.us-west-2.amazonaws.com/aws-alb-ingress-controller:v1.0.0
imagePullPolicy: Always
name: server
resources: {}
terminationMessagePath: /dev/termination-log
dnsPolicy: ClusterFirst
restartPolicy: Always
securityContext: {}
terminationGracePeriodSeconds: 30
serviceAccountName: alb-ingress
serviceAccount: alb-ingress
ALB 入口服务:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: auth-ingress
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facing
kubernetes.io/ingress.class: merge
alb.ingress.kubernetes.io/target-type: instance
alb.ingress.kubernetes.io/certificate-arn: ARN
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80,"HTTPS": 443}]'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/subnets: SUBNET-1,SUBNET-2
alb.ingress.kubernetes.io/security-groups: SG-1,SG-2
# allow 404s on the health check
alb.ingress.kubernetes.io/healthcheck-path: "/"
alb.ingress.kubernetes.io/success-codes: "200,404,302"
spec:
rules:
- host: host.domain.com
http:
paths:
- path: /*
backend:
serviceName: magento-develop
servicePort: 80
- host: sub-domain.host.domain.com
http:
paths:
- path: /*
backend:
serviceName: supplier-service
servicePort: 80
IAM 政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:GetCertificate"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DeleteSecurityGroup",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVpcs",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets",
"elasticloadbalancing:SetWebACL"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:GetServerCertificate",
"iam:ListServerCertificates"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cognito-idp:DescribeUserPoolClient"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"waf-regional:GetWebACLForResource",
"waf-regional:GetWebACL",
"waf-regional:AssociateWebACL",
"waf-regional:DisassociateWebACL"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"tag:GetResources",
"tag:TagResources"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"waf:GetWebACL"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource",
"wafv2:AssociateWebACL",
"wafv2:DisassociateWebACL"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"shield:DescribeProtection",
"shield:GetSubscriptionState",
"shield:DeleteProtection",
"shield:CreateProtection",
"shield:DescribeSubscription",
"shield:ListProtections"
],
"Resource": "*"
}
]
}
kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
auth-ingress host.domain.com,sub-domain.host.domain.com 80 6s
如您所见,没有可用的地址。
解决方案
我看到您使用的是 alb 控制器版本 1.0.0。您也可以使用升级版本,因为在此版本上发现内存泄漏。
现在继续解决您遇到的问题。我了解到您希望将两个或多个服务连接到 alb。
脚步:
请检查日志:
kubectl logs -n kube-system $(kubectl get po -n kube-system | egrep -o 'alb-ingress[a-zA-Z0-9-]+') | grep '<ingress-name>'
移除这个注解 kubernetes.io/ingress.class: 暂时合并。
请检查公有子网是否被标记为 kubernetes.io/role/elb 为 1
如果有多个服务,在hosts下添加多个后端服务
http:
paths:
- path: /*
backend:
serviceName: ssl-redirect
servicePort: use-annotation
- path: /*
backend:
serviceName: service A
servicePort: <port -A>
- path: /<page>/*
backend:
serviceName: service B
servicePort: <port-B>
推荐阅读
- python-3.x - Python 每次调用 write 都会在屏幕上输出一个数字
- python-3.x - 如何修复 AttributeError:模块 'botocore.vendored.requests' 没有属性 'Post' Traceback
- excel - 如何将单元格格式固定为日期(使用 YYYYMMDD 格式)并且不允许使用文本
- python - 如何优化python中的嵌套循环?
- youtube-api - 合法的 YouTube API 合规审核?
- excel - If(And( arguments + Vlookup 没有返回预期值
- c# - 尽管添加了 application/json 标头,但请求仍为“text/plain”
- kubernetes - Kubernetes 会在重启 Pod 之前发送信号吗?
- c# - C# 中的 AWS DynamoDb 事务
- sql - 日期时间倒退