TLS doesn't work with LoadBalancer backed Service in Kubernetes


Problem description

I am trying to expose an application in my cluster by creating a service type as load balancer. The reason for this is that I want this app to have a separate channel for communication. I have a KOPS cluster. I want to use AWS's network load balancer so that it gets a static IP. When I create the Service with port 80 mapped to the port that the app is running on, everything works, but when I try to add port 443, it just times out.

This is the configuration that works:

kind: Service
apiVersion: v1
metadata:
  name: abc
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
  labels:
    app: abc
spec:
  externalTrafficPolicy: Local
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 9050
  selector:
    app: abc
  type: LoadBalancer

As soon as I add TLS support in the config file and deploy it, the connection to the load balancer times out. How do I add TLS support to the load balancer? I want to do it through the service and not through an ingress. This is the configuration that doesn't work for me, and when I paste the link in the browser, it times out.

kind: Service
apiVersion: v1
metadata:
  name: abc
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: xxxxx
  labels:
    app: abc
spec:
  externalTrafficPolicy: Local
  ports:
  - name: http
    port: 443
    protocol: TCP
    targetPort: 9050
  selector:
    app: abc
  type: LoadBalancer

Recommended answer

You can use the TLS & SSL termination

    apiVersion: v1
    kind: Service
    metadata:
      name: test-service
      annotations:
        # Note that the backend talks over HTTP.
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
        # TODO: Fill in with the ARN of your certificate.
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:{region}:{user id}:certificate/{id}
        # Only run SSL on the port named "https" below.
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    spec:
      selector:
        app: test-pod
      ports:
      - name: http
        port: 80
        targetPort: 8080
      - name: https
        port: 443
        targetPort: 8080
      type: LoadBalancer

You can add the TLS certificate in AWS Certificate Manager and use the ARN address of the certificate in the Kubernetes Service.

It's like in the backend you can terminate the HTTPS connection and use HTTP only.

You can also check this out: https://aws.amazon.com/premiumsupport/knowledge-center/terminate-https-traffic-eks-acm/

https://github.com/kubernetes/kubernetes/issues/73297

service.beta.kubernetes.io/aws-load-balancer-type: nlb

If it does not work, please try adding this annotation as per your load balancer type.
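
The annotation comment in the answer ("Only run SSL on the port named "https" below") ties `ssl-ports` to entries in `spec.ports`. The following added example (not part of the original question or answer) reports, for the question's and the answer's Services, which listeners would terminate TLS and which stay plaintext. It assumes `ssl-ports` is a comma-separated list of port names or numbers that defaults to `*`; the function name and the certificate placeholder are hypothetical, and the check does not diagnose the timeout itself.

```python
# Added example. The sample manifests are constructed from the two Services
# on this page, in the dict form that `kubectl get svc -o json` would yield.
PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"


def tls_listener_report(service):
    """Classify each Service port as a TLS or plaintext listener and list
    ssl-ports entries that match no port name or number (assumed semantics)."""
    ann = service.get("metadata", {}).get("annotations", {}) or {}
    ports = service.get("spec", {}).get("ports", []) or []
    cert = ann.get(PREFIX + "ssl-cert")
    raw = ann.get(PREFIX + "ssl-ports", "*")
    wanted = {p.strip() for p in raw.split(",") if p.strip()}
    report = {"tls": [], "plaintext": [], "unmatched": []}
    matched = set()
    for p in ports:
        # A port can be referenced by its name or by its number.
        keys = {str(p.get("name", "")), str(p["port"])} - {""}
        hit = keys & wanted
        matched |= hit
        if cert and ("*" in wanted or hit):
            report["tls"].append(p["port"])
        else:
            # No certificate, or this port is not selected by ssl-ports.
            report["plaintext"].append(p["port"])
    report["unmatched"] = sorted(wanted - matched - {"*"})
    return report


def _svc(ssl_ports, ports):
    """Build a constructed sample Service with a placeholder certificate ARN."""
    return {"metadata": {"annotations": {
                PREFIX + "ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER",
                PREFIX + "ssl-ports": ssl_ports}},
            "spec": {"ports": ports}}


# Question's second manifest: port 443 is named "http", ssl-ports says "https".
QUESTION_SVC = _svc("https", [{"name": "http", "port": 443, "targetPort": 9050}])
# Answer's manifest: ports "http" (80) and "https" (443).
ANSWER_SVC = _svc("https", [{"name": "http", "port": 80, "targetPort": 8080},
                            {"name": "https", "port": 443, "targetPort": 8080}])

if __name__ == "__main__":
    for label, svc in (("question", QUESTION_SVC), ("answer", ANSWER_SVC)):
        print(label, tls_listener_report(svc))
```

An `unmatched` entry or a port 443 listed under `plaintext` means the certificate annotation is present but that listener would not carry TLS.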
