Nginx 入口控制器 - 调用 Webhook 失败 [英] Nginx Ingress Controller - Failed Calling Webhook

问题描述

我在 Ubuntu 虚拟机上使用 kubeadm (v1.18) 设置了一个 k8s 集群.现在我需要添加一个入口控制器.我决定使用 nginx(但我对其他解决方案持开放态度).我根据 docs，裸机"部分安装了它:

I set up a k8s cluster using kubeadm (v1.18) on an Ubuntu virtual machine. Now I need to add an Ingress Controller. I decided for nginx (but I'm open for other solutions). I installed it according to the docs, section "bare-metal":

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-0.31.1/deploy/static/provider/baremetal/deploy.yaml

我觉得安装没问题:

kubectl get all -n ingress-nginx

NAME                                            READY   STATUS      RESTARTS   AGE
pod/ingress-nginx-admission-create-b8smg        0/1     Completed   0          8m21s
pod/ingress-nginx-admission-patch-6nbjb         0/1     Completed   1          8m21s
pod/ingress-nginx-controller-78f6c57f64-m89n8   1/1     Running     0          8m31s

NAME                                         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
service/ingress-nginx-controller             NodePort    10.107.152.204   <none>        80:32367/TCP,443:31480/TCP   8m31s
service/ingress-nginx-controller-admission   ClusterIP   10.110.191.169   <none>        443/TCP                      8m31s

NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/ingress-nginx-controller   1/1     1            1           8m31s

NAME                                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/ingress-nginx-controller-78f6c57f64   1         1         1       8m31s

NAME                                       COMPLETIONS   DURATION   AGE
job.batch/ingress-nginx-admission-create   1/1           2s         8m31s
job.batch/ingress-nginx-admission-patch    1/1           3s         8m31s

但是，在尝试应用自定义 Ingress 时，出现以下错误:

However, when trying to apply a custom Ingress, I get the following error:

来自服务器的错误(内部错误):创建yaml/xxx/xxx-ingress.yaml"时出错:发生内部错误:调用 webhookvalidate.nginx.ingress.kubernetes.io"失败:发布 https://ingress-nginx-controller-admission.ingress-nginx.svc:443/extensions/v1beta1/ingresses?timeout=30s:临时重定向

知道哪里出了问题吗?

我怀疑是 DNS，但其他 NodePort 服务按预期工作，并且 DNS 在集群内工作.

I suspected DNS, but other NodePort services are working as expected and DNS works within the cluster.

我唯一能看到的是我没有在 此处的文档.但是，根据此线程，这在我的情况下似乎很正常.

The only thing I can see is that I don't have a default-http-backend which is mentioned in the docs here. However, this seems normal in my case, according to this thread.

最后但并非最不重要的一点，我也尝试了 安装带有清单(从之前的安装中删除 ingress-nginx 命名空间之后)和 通过 Helm 安装图表.结果是一样的.

Last but not least, I tried as well the installation with manifests (after removing ingress-nginx namespace from previous installation) and the installation via Helm chart. It has the same result.

我几乎是 k8s 的初学者，这是我的游乐场集群.所以我也愿意接受替代解决方案，只要我不需要从头开始设置整个集群.

I'm pretty much a beginner on k8s and this is my playground-cluster. So I'm open to alternative solutions as well, as long as I don't need to set up the whole cluster from scratch.

更新:对于应用自定义 Ingress"，我的意思是:kubectl apply -f

Update: With "applying custom Ingress", I mean: kubectl apply -f <myIngress.yaml>

myIngress.yaml 的内容

Content of myIngress.yaml

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /someroute/fittingmyneeds
        pathType: Prefix
        backend:
          serviceName: some-service
          servicePort: 5000

推荐答案

我不确定这是否对这么晚有帮助，但可能是因为您的集群落后于代理?因为在这种情况下，您必须正确配置 no_proxy.具体来说，它必须包含 .svc,.cluster.local 否则验证 webhook 请求，例如 https://ingress-nginx-controller-admission.ingress-nginx.svc:443/extensions/v1beta1/ingresses?timeout=30s 将通过代理服务器路由(注意 URL 中的 .svc).

I am not sure if this helps this late, but might it be, that your cluster was behind proxy? Because in that case you have to have no_proxy configured correctly. Specifically, it has to include .svc,.cluster.local otherwise validation webhook requests such as https://ingress-nginx-controller-admission.ingress-nginx.svc:443/extensions/v1beta1/ingresses?timeout=30s will be routed via proxy server (note that .svc in the URL).

我遇到了这个问题，将 .svc 添加到 no_proxy 变量中有所帮助.您可以通过修改 /etc/kubernetes/manifests/kube-apiserver.yaml 文件来快速尝试一下，这将自动重新创建您的 kubernetes api 服务器 pod.

I had exactly this issue and adding .svc into no_proxy variable helped. You can try this out quickly by modifying /etc/kubernetes/manifests/kube-apiserver.yaml file which will in turn automatically recreate your kubernetes api server pod.

这不仅适用于入口验证，也适用于其他可能引用集群中以 .svc 或 .namespace.svc.cluster.local 结尾的 URL代码>(即见这个bug)

This is not the case just for ingress validation, but also for other things that might refer URL in your cluster ending with .svc or .namespace.svc.cluster.local (i.e. see this bug)

这篇关于Nginx 入口控制器 - 调用 Webhook 失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！