Using HTTP Basic authentication for the readinessProbe with GKE Ingress

Sha*_*tty 7 kubernetes google-kubernetes-engine kubernetes-ingress

I am using the nosqlclient docker image with GKE. The image has a default health check URL at /healthcheck. But when I try to enable authentication for the application, it enables authentication for this URL as well. I need to use GKE Ingress with the application. GKE Ingress requires me to create an HTTP readinessProbe that returns 200. But when I try to use this path for the readinessCheck, the readiness check does not work. Strangely, when I run kubectl describe pods <pod_name>. Here is part of my deployment yaml file:

...
    spec:
      containers:
      - name: mongoclient
        image: mongoclient/mongoclient:2.2.0
        resources:
          requests:
            memory: "32Mi"
            cpu: "100m"
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 3000
        env:
        - name: MONGOCLIENT_AUTH
          value: "true"
        - name: MONGOCLIENT_USERNAME
          value: "admin"
        - name: MONGOCLIENT_PASSWORD
          value: "password"
        readinessProbe:
          httpGet:
            httpHeaders:
              - name: "Authorization"
                value: "Basic YWRtaW46cGFzc3dvcmQ="           
            port: 3000
            path: /healthcheck      
          initialDelaySeconds: 60
          timeoutSeconds: 5
...

When I try curl with authorization from inside the pod, it returns 200:

node@mongoclient-deployment-7c6856d6f6-mkxqh:/opt/meteor/dist/bundle$ curl -i http://localhost:3000/healthcheck
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Authorization Required"
Date: Fri, 17 Jan 2020 18:02:20 GMT
Connection: keep-alive
Transfer-Encoding: chunked

Unauthorizednode@mongoclient-deployment-7c6856d6f6-mkxqh:/opt/meteor/dist/bundle$ curl -i http://admin:password@localhost:3000/healthcheck
HTTP/1.1 200 OK
Date: Fri, 17 Jan 2020 18:02:30 GMT
Connection: keep-alive
Transfer-Encoding: chunked

Server is up and running !
node@mongoclient-deployment-86bc77cc5b-9qg67:/opt/meteor/dist/bundle$ curl -i -H "Authorization: Basic YWRtaW46cGFzc3dvcmQ=" http://localhost:3000/healthcheck
HTTP/1.1 200 OK
Date: Sat, 18 Jan 2020 07:19:49 GMT
Connection: keep-alive
Transfer-Encoding: chunked

Some further information:

> kubectl get pods -l app=mongoclient-app -o wide
NAME                                      READY   STATUS    RESTARTS   AGE     IP            NODE                                            NOMINATED NODE   READINESS GATES
mongoclient-deployment-7c6856d6f6-mkxqh   1/1     Running   0          5m25s   10.28.1.152   **************************************          <none>           0/1

> kubectl describe pods -l app=mongoclient-app
...
    Liveness:   http-get http://:3000/healthcheck delay=70s timeout=5s period=10s #success=1 #failure=3
    Readiness:  http-get http://:3000/healthcheck delay=60s timeout=5s period=10s #success=1 #failure=3
...

I couldn't find any information about passing such a custom header through the Ingress using the BackendConfig resource. Even if something like that worked, I'm using the same Ingress for other services as well, and tampering with the Ingress doesn't seem like a good idea in this case.

I am new to GKE and Kubernetes, so I'm not sure whether there is somewhere else to look. The pod logs don't give much insight into the access pattern. How should I proceed in this case?

Update 1: So I upgraded my dev cluster to 1.15.7-gke.2, since it supports custom headers for Ingress, and added the following:

apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: mongoclient-backendconfig
spec:
  timeoutSec: 300
  connectionDraining:
    drainingTimeoutSec: 400
  sessionAffinity:
    affinityType: "GENERATED_COOKIE"
    affinityCookieTtlSec: 86400
  customRequestHeaders:
    headers:
    - "Authorization: Basic YWRtaW46cGFzc3dvcmQ="

Although the header shows up on the load balancer backend, the readiness check times out:

  Normal  Scheduled                15m                default-scheduler                                   Successfully assigned default/mongoclient-deployment-86bc77cc5b-9qg67 to gke-kubernetes-default-pool-50ccdc3e-d608
  Normal  LoadBalancerNegNotReady  15m (x2 over 15m)  neg-readiness-reflector                             Waiting for pod to become healthy in at least one of the NEG(s): [k8s1-00c7387d-default-mongoclient-mayamd-ai-service-80-292db9f4]
  Normal  Pulled                   15m                kubelet, gke-kubernetes-default-pool-50ccdc3e-d608  Container image "mongoclient/mongoclient:2.2.0" already present on machine
  Normal  Created                  15m                kubelet, gke-kubernetes-default-pool-50ccdc3e-d608  Created container mongoclient
  Normal  Started                  15m                kubelet, gke-kubernetes-default-pool-50ccdc3e-d608  Started container mongoclient
  Normal  LoadBalancerNegTimeout   5m43s              neg-readiness-reflector                             Timeout waiting for pod to become healthy in at least one of the NEG(s): [k8s1-00c7387d-default-mongoclient-mayamd-ai-service-80-292db9f4]. Marking condition "cloud.google.com/load-balancer-neg-ready" to True.
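To make the probe behaviour in the question reproducible offline, the following added example (not part of the original question, and not the nosqlclient image's own code) simulates the kubelet's httpGet readinessProbe against a constructed stand-in for a service whose /healthcheck sits behind HTTP Basic auth. The in-process HTTP server is an assumption that only mimics the 401/200 responses seen in the curl output above; the admin/password credentials are the ones from the question's manifest. It shows that the manifest's `Basic YWRtaW46cGFzc3dvcmQ=` is simply base64 of `admin:password` (an encoding, not a secret), that a probe without the header gets 401 while the same probe with the configured httpHeaders gets 200, and how the kubelet's success rule (status 200 to 399) maps onto those results. It does not model the load balancer's NEG health check, which the pod events above show to be a separate checker from the kubelet's readiness probe.

```python
"""Simulate a kubelet httpGet readinessProbe that carries an HTTP Basic auth
header, against a constructed stand-in for a /healthcheck endpoint that
requires Basic auth (as the nosqlclient image does once MONGOCLIENT_AUTH=true).

Added example for the question above; the server is a stand-in, not the real image.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional

# Credentials taken from the question's manifest (assumption: they are the
# ones the real image expects; here they only configure the stand-in server).
PROBE_USER = "admin"
PROBE_PASSWORD = "password"


def basic_auth_header(username: str, password: str) -> str:
    """Build an Authorization header value for HTTP Basic auth (RFC 7617).

    base64 is an encoding, not encryption: the manifest value
    'Basic YWRtaW46cGFzc3dvcmQ=' decodes straight back to 'admin:password',
    so a probe header like this belongs in a Secret, not a plain manifest."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


class HealthHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: /healthcheck answers 401 without valid Basic auth."""
    expected = basic_auth_header(PROBE_USER, PROBE_PASSWORD)

    def do_GET(self) -> None:
        if self.path != "/healthcheck":
            self.send_response(404)
            self.end_headers()
            return
        if self.headers.get("Authorization") != self.expected:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Authorization Required"')
            self.end_headers()
            self.wfile.write(b"Unauthorized")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Server is up and running !")

    def log_message(self, *args) -> None:  # silence per-request logging
        pass


def start_server() -> HTTPServer:
    """Start the stand-in on an ephemeral loopback port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), HealthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port: int, path: str = "/healthcheck",
          headers: Optional[Dict[str, str]] = None, timeout: float = 5.0) -> int:
    """Mimic the kubelet's httpGet probe: one GET carrying the configured
    httpHeaders (if any); return the HTTP status code."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers or {})
        return conn.getresponse().status
    finally:
        conn.close()


def probe_succeeds(status: int) -> bool:
    """kubelet rule: any status >= 200 and < 400 counts as a passed probe."""
    return 200 <= status < 400


def run_demo() -> Dict[str, int]:
    """Probe the stand-in three ways and return the status code of each."""
    server = start_server()
    port = server.server_address[1]
    try:
        good = {"Authorization": basic_auth_header(PROBE_USER, PROBE_PASSWORD)}
        bad = {"Authorization": basic_auth_header(PROBE_USER, "wrong-password")}
        return {
            "no_header": probe(port),                 # what a probe without httpHeaders sees
            "with_header": probe(port, headers=good),  # the manifest's readinessProbe
            "wrong_password": probe(port, headers=bad),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status} -> {'ready' if probe_succeeds(status) else 'not ready'}")
```

Running the block prints one line per probe variant; the only variant the kubelet would count as ready is the one sending the exact header from the manifest.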