Kubernetes Ingress (GCE) 不断返回 502 错误 [英] Kubernetes Ingress (GCE) keeps returning 502 error
问题描述
我正在尝试在 GCE Kubernetes 中设置一个入口.但是当我访问Ingress中定义的IP地址和路径组合时,一直报如下502错误:
<小时>这是我运行时得到的:kubectl describe ing --namespace dpl-staging
名称:dpl-identity命名空间:dpl-staging地址:35.186.221.153默认后端:default-http-backend:80 (10.0.8.5:8080)TLS:dpl-identity 终止规则:主机路径后端---- ---- --------*/api/identity/* dpl-identity:4000 ()注释:https-forwarding-rule: k8s-fws-dpl-staging-dpl-identity--5fc40252fadea594https-target-proxy: k8s-tps-dpl-staging-dpl-identity--5fc40252fadea594url-map: k8s-um-dpl-staging-dpl-identity--5fc40252fadea594后端:{"k8s-be-31962--5fc40252fadea594":"健康","k8s-be-32396--5fc40252fadea594":"不健康"}事件:来自 SubObjectPath 类型原因消息的 FirstSeen LastSeen 计数--------- -------- ----- ---- ------------- -------- ------ -------15m 15m 1 {loadbalancer-controller } 正常添加 dpl-staging/dpl-identity15m 15m 1 {loadbalancer-controller } 正常 CREATE ip: 35.186.221.15315m 6m 4 {loadbalancer-controller } 普通服务没有用户指定默认后端,使用系统默认
我认为问题在于 dpl-identity:4000 (
.我不应该看到 dpl-identity
服务的 IP 地址而不是
吗?
这是我的服务描述:kubectl describe svc --namespace dpl-staging
名称:dpl-identity命名空间:dpl-staging标签:app=dpl-identity选择器:app=dpl-identity类型:节点端口IP:10.3.254.194端口:http 4000/TCP节点端口:http 32396/TCP端点:10.0.2.29:8000,10.0.2.30:8000会话亲和力:无没有事件.
另外,这里是执行的结果:kubectl describe ep -n dpl-staging dpl-identity
名称:dpl-identity命名空间:dpl-staging标签:app=dpl-identity子集:地址:10.0.2.29,10.0.2.30NotReadyAddresses: <none>端口:名称端口协议---- ---- --------http 8000 TCP没有事件.
<小时>
这是我的部署.yaml:
apiVersion: v1种类:秘密元数据:命名空间:dpl-staging名称:dpl-身份类型:不透明数据:tls.key:<base64 密钥>tls.crt:<base64 crt>---api版本:v1种类:服务元数据:命名空间:dpl-staging名称:dpl-身份标签:应用程序:dpl-身份规格:类型:节点端口端口:- 端口:4000目标端口:8000协议:TCP名称:http选择器:应用程序:dpl-身份---apiVersion: 扩展/v1beta1种类:入口元数据:命名空间:dpl-staging名称:dpl-身份标签:应用程序:dpl-身份注释:kubernetes.io/ingress.allow-http:假"规格:网址:- 秘密名称:dpl 身份规则:- http:路径:- 路径:/api/身份/*后端:服务名称:dpl 身份服务端口:4000---apiVersion: 扩展/v1beta1种类:部署元数据:命名空间:dpl-staging名称:dpl-身份种类:入口元数据:命名空间:dpl-staging名称:dpl-身份标签:应用程序:dpl-身份注释:kubernetes.io/ingress.allow-http:假"规格:网址:- 秘密名称:dpl 身份规则:- http:路径:- 路径:/api/身份/*后端:服务名称:dpl 身份服务端口:4000---apiVersion: 扩展/v1beta1种类:部署元数据:命名空间:dpl-staging名称:dpl-身份标签:应用程序:dpl-身份规格:复制品:2战略:类型:滚动更新模板:元数据:标签:应用程序:dpl-身份规格:容器:- 图像:gcr.io/munpat-container-engine/dpl/identity:0.4.9名称:dpl-身份端口:- 容器端口:8000名称:http卷挂载:- 名称:dpl-身份挂载路径:/数据卷:- 名称:dpl-身份秘密:秘密名称:dpl-身份
您的后端 k8s-be-32396--5fc40252fadea594
显示为 UNHEALTHY"
.>
如果后端不健康,Ingress 将不会转发流量,这将导致您看到 502 错误.
它将被标记为不健康,因为它没有通过健康检查,您可以检查 k8s-be-32396--5fc40252fadea594 的健康检查设置,看看它们是否适合您的 pod,它可能正在轮询未返回 200 响应的 URI 或端口.您可以在 Compute Engine > Health Checks 下找到这些设置.
如果它们是正确的,那么您的浏览器和容器之间有许多步骤可能会错误地传递流量,您可以尝试 kubectl exec -it PODID -- bash
(如果您使用的是 ashAlpine),然后尝试 curl-ing localhost 以查看容器是否按预期响应,如果是并且健康检查也配置正确,那么这将缩小问题的范围,可能与您的服务有关,然后您可以尝试更改从 NodePort 类型到 LoadBalancer 的服务,看看直接从浏览器访问服务 IP 是否有效.
I am trying to setup an Ingress in GCE Kubernetes. But when I visit the IP address and path combination defined in the Ingress, I keep getting the following 502 error:
Here is what I get when I run: kubectl describe ing --namespace dpl-staging
Name: dpl-identity
Namespace: dpl-staging
Address: 35.186.221.153
Default backend: default-http-backend:80 (10.0.8.5:8080)
TLS:
dpl-identity terminates
Rules:
Host Path Backends
---- ---- --------
*
/api/identity/* dpl-identity:4000 (<none>)
Annotations:
https-forwarding-rule: k8s-fws-dpl-staging-dpl-identity--5fc40252fadea594
https-target-proxy: k8s-tps-dpl-staging-dpl-identity--5fc40252fadea594
url-map: k8s-um-dpl-staging-dpl-identity--5fc40252fadea594
backends: {"k8s-be-31962--5fc40252fadea594":"HEALTHY","k8s-be-32396--5fc40252fadea594":"UNHEALTHY"}
Events:
FirstSeen LastSeen Count From SubObjectPath Type Reason Message
--------- -------- ----- ---- ------------- -------- ------ -------
15m 15m 1 {loadbalancer-controller } Normal ADD dpl-staging/dpl-identity
15m 15m 1 {loadbalancer-controller } Normal CREATE ip: 35.186.221.153
15m 6m 4 {loadbalancer-controller } Normal Service no user specified default backend, using system default
I think the problem is dpl-identity:4000 (<none>)
. Shouldn't I see the IP address of the dpl-identity
service instead of <none>
?
Here is my service description: kubectl describe svc --namespace dpl-staging
Name: dpl-identity
Namespace: dpl-staging
Labels: app=dpl-identity
Selector: app=dpl-identity
Type: NodePort
IP: 10.3.254.194
Port: http 4000/TCP
NodePort: http 32396/TCP
Endpoints: 10.0.2.29:8000,10.0.2.30:8000
Session Affinity: None
No events.
Also, here is the result of executing: kubectl describe ep -n dpl-staging dpl-identity
Name: dpl-identity
Namespace: dpl-staging
Labels: app=dpl-identity
Subsets:
Addresses: 10.0.2.29,10.0.2.30
NotReadyAddresses: <none>
Ports:
Name Port Protocol
---- ---- --------
http 8000 TCP
No events.
Here is my deployment.yaml:
apiVersion: v1
kind: Secret
metadata:
namespace: dpl-staging
name: dpl-identity
type: Opaque
data:
tls.key: <base64 key>
tls.crt: <base64 crt>
---
apiVersion: v1
kind: Service
metadata:
namespace: dpl-staging
name: dpl-identity
labels:
app: dpl-identity
spec:
type: NodePort
ports:
- port: 4000
targetPort: 8000
protocol: TCP
name: http
selector:
app: dpl-identity
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
namespace: dpl-staging
name: dpl-identity
labels:
app: dpl-identity
annotations:
kubernetes.io/ingress.allow-http: "false"
spec:
tls:
- secretName: dpl-identity
rules:
- http:
paths:
- path: /api/identity/*
backend:
serviceName: dpl-identity
servicePort: 4000
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
namespace: dpl-staging
name: dpl-identity
kind: Ingress
metadata:
namespace: dpl-staging
name: dpl-identity
labels:
app: dpl-identity
annotations:
kubernetes.io/ingress.allow-http: "false"
spec:
tls:
- secretName: dpl-identity
rules:
- http:
paths:
- path: /api/identity/*
backend:
serviceName: dpl-identity
servicePort: 4000
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
namespace: dpl-staging
name: dpl-identity
labels:
app: dpl-identity
spec:
replicas: 2
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: dpl-identity
spec:
containers:
- image: gcr.io/munpat-container-engine/dpl/identity:0.4.9
name: dpl-identity
ports:
- containerPort: 8000
name: http
volumeMounts:
- name: dpl-identity
mountPath: /data
volumes:
- name: dpl-identity
secret:
secretName: dpl-identity
Your backend k8s-be-32396--5fc40252fadea594
is showing as "UNHEALTHY"
.
Ingress will not forward traffic if the backend is UNHEALTHY, this will result in the 502 error you are seeing.
It will be being marked as UNHEALTHY becuase it is not passing it's health check, you can check the health check setting for k8s-be-32396--5fc40252fadea594 to see if they are appropriate for your pod, it may be polling an URI or port that is not returning a 200 response. You can find these setting under Compute Engine > Health Checks.
If they are correct then there are many steps between your browser and the container that could be passing traffic incorrectly, you could try kubectl exec -it PODID -- bash
(or ash if you are using Alpine) and then try curl-ing localhost to see if the container is responding as expected, if it is and the health checks are also configured correctly then this would narrow down the issue to likely be with your service, you could then try changing the service from a NodePort type to a LoadBalancer and see if hitting the service IP directly from your browser works.
这篇关于Kubernetes Ingress (GCE) 不断返回 502 错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!