Kubernetes Ingress (GCE) keeps returning 502 error
Problem description
I am trying to set up an Ingress in GCE Kubernetes. But when I visit the IP address and path combination defined in the Ingress, I keep getting the following 502 error:
Here is what I get when I run: kubectl describe ing --namespace dpl-staging

    Name:             dpl-identity
    Namespace:        dpl-staging
    Address:          35.186.221.153
    Default backend:  default-http-backend:80 (10.0.8.5:8080)
    TLS:
      dpl-identity terminates
    Rules:
      Host  Path  Backends
      ----  ----  --------
      *
            /api/identity/*   dpl-identity:4000 (<none>)
    Annotations:
      https-forwarding-rule:  k8s-fws-dpl-staging-dpl-identity--5fc40252fadea594
      https-target-proxy:     k8s-tps-dpl-staging-dpl-identity--5fc40252fadea594
      url-map:                k8s-um-dpl-staging-dpl-identity--5fc40252fadea594
      backends:               {"k8s-be-31962--5fc40252fadea594":"HEALTHY","k8s-be-32396--5fc40252fadea594":"UNHEALTHY"}
    Events:
      FirstSeen  LastSeen  Count  From                        SubObjectPath  Type      Reason   Message
      ---------  --------  -----  ----                        -------------  --------  ------   -------
      15m        15m       1      {loadbalancer-controller }                 Normal    ADD      dpl-staging/dpl-identity
      15m        15m       1      {loadbalancer-controller }                 Normal    CREATE   ip: 35.186.221.153
      15m        6m        4      {loadbalancer-controller }                 Normal    Service  no user specified default backend, using system default

I think the problem is dpl-identity:4000 (<none>). Shouldn't I see the IP address of the dpl-identity service instead of <none>?
Here is my service description: kubectl describe svc --namespace dpl-staging

    Name:              dpl-identity
    Namespace:         dpl-staging
    Labels:            app=dpl-identity
    Selector:          app=dpl-identity
    Type:              NodePort
    IP:                10.3.254.194
    Port:              http  4000/TCP
    NodePort:          http  32396/TCP
    Endpoints:         10.0.2.29:8000,10.0.2.30:8000
    Session Affinity:  None
    No events.

Also, here is the result of executing: kubectl describe ep -n dpl-staging dpl-identity

    Name:       dpl-identity
    Namespace:  dpl-staging
    Labels:     app=dpl-identity
    Subsets:
      Addresses:          10.0.2.29,10.0.2.30
      NotReadyAddresses:  <none>
      Ports:
        Name  Port  Protocol
        ----  ----  --------
        http  8000  TCP
    No events.

Here is my deployment.yaml:

    # TLS key pair referenced by the Ingress and mounted into the pods
    apiVersion: v1
    kind: Secret
    metadata:
      namespace: dpl-staging
      name: dpl-identity
    type: Opaque
    data:
      tls.key: <base64 key>
      tls.crt: <base64 crt>
    ---
    # Service port 4000 forwards to container port 8000 and is exposed as a NodePort
    apiVersion: v1
    kind: Service
    metadata:
      namespace: dpl-staging
      name: dpl-identity
      labels:
        app: dpl-identity
    spec:
      type: NodePort
      ports:
        - port: 4000
          targetPort: 8000
          protocol: TCP
          name: http
      selector:
        app: dpl-identity
    ---
    # HTTPS-only Ingress routing /api/identity/* to the Service above
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      namespace: dpl-staging
      name: dpl-identity
      labels:
        app: dpl-identity
      annotations:
        kubernetes.io/ingress.allow-http: "false"
    spec:
      tls:
        - secretName: dpl-identity
      rules:
        - http:
            paths:
              - path: /api/identity/*
                backend:
                  serviceName: dpl-identity
                  servicePort: 4000
    ---
    # Two replicas of the identity container listening on port 8000
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      namespace: dpl-staging
      name: dpl-identity
      labels:
        app: dpl-identity
    spec:
      replicas: 2
      strategy:
        type: RollingUpdate
      template:
        metadata:
          labels:
            app: dpl-identity
        spec:
          containers:
            - image: gcr.io/munpat-container-engine/dpl/identity:0.4.9
              name: dpl-identity
              ports:
                - containerPort: 8000
                  name: http
              volumeMounts:
                - name: dpl-identity
                  mountPath: /data
          volumes:
            - name: dpl-identity
              secret:
                secretName: dpl-identity

Your backend k8s-be-32396--5fc40252fadea594 is showing as "UNHEALTHY".
Ingress will not forward traffic if the backend is UNHEALTHY; this will result in the 502 error you are seeing.
It will be being marked as UNHEALTHY because it is not passing its health check. You can check the health check settings for k8s-be-32396--5fc40252fadea594 to see if they are appropriate for your pod; it may be polling a URI or port that is not returning a 200 response. You can find these settings under Compute Engine > Health Checks.
If they are correct then there are many steps between your browser and the container that could be passing traffic incorrectly. You could try kubectl exec -it PODID -- bash (or ash if you are using Alpine) and then try curl-ing localhost to see if the container is responding as expected. If it is and the health checks are also configured correctly, then this would narrow down the issue to likely be with your service. You could then try changing the service from a NodePort type to a LoadBalancer and see if hitting the service IP directly from your browser works.
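
The UNHEALTHY backend name above carries the number 32396, which is the NodePort of the dpl-identity Service in the question. The following Python is an added example, not part of the original question or answer: it ties each non-HEALTHY backend in the Ingress `backends` annotation to the Service port behind it, so you know which health check and which container port to inspect. The `k8s-be-<nodePort>--<id>` naming pattern is an assumption inferred from the names on this page, and the function names and the service listing are constructed for the example.

```python
import json
import re

# Naming pattern inferred from the backend names shown on this page
# (k8s-be-32396--5fc40252fadea594); treat it as an assumption elsewhere.
BACKEND_RE = re.compile(r"^k8s-be-(\d+)--.+$")

# Value of the "backends" annotation, copied from the describe output above.
BACKENDS = ('{"k8s-be-31962--5fc40252fadea594":"HEALTHY",'
            '"k8s-be-32396--5fc40252fadea594":"UNHEALTHY"}')

# Constructed sample in the shape of `kubectl get svc -n dpl-staging -o json`,
# filled in from the Service shown in the question.
SERVICES = {"items": [{
    "metadata": {"namespace": "dpl-staging", "name": "dpl-identity"},
    "spec": {"type": "NodePort", "ports": [
        {"name": "http", "port": 4000, "targetPort": 8000, "nodePort": 32396}]},
}]}

def node_port_index(svc_list):
    """Map each nodePort to the Service port that exposes it."""
    index = {}
    for svc in svc_list.get("items", []):
        meta = svc["metadata"]
        for port in svc["spec"].get("ports", []):
            if "nodePort" in port:
                index[port["nodePort"]] = {
                    "service": f'{meta["namespace"]}/{meta["name"]}',
                    "port": port["port"], "targetPort": port.get("targetPort")}
    return index

def unhealthy_backends(backends_annotation, svc_list):
    """Return one record per backend that is not HEALTHY, with its Service."""
    index = node_port_index(svc_list)
    findings = []
    for name, state in json.loads(backends_annotation).items():
        if state == "HEALTHY":
            continue
        match = BACKEND_RE.match(name)
        node_port = int(match.group(1)) if match else None
        # Backends with no matching Service are reported with service=None.
        owner = index.get(node_port, {"service": None})
        findings.append({"backend": name, "state": state,
                         "nodePort": node_port, **owner})
    return findings

if __name__ == "__main__":
    for finding in unhealthy_backends(BACKENDS, SERVICES):
        print(finding)
```

For the data on this page it reports a single finding: the UNHEALTHY backend on NodePort 32396 belongs to dpl-staging/dpl-identity, whose port 4000 targets container port 8000, which is where the health check's path has to return 200.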