K
Q

Can not link a HTTP Load Balancer to a backend (502 Bad Gateway)

6/27/2016

I have on the backend a Kubernetes node running on port 32656 (Kubernetes Service of type NodePort). If I create a firewall rule for the <node_ip>:32656 to allow traffic, I can open the backend in the browser on this address: http://<node_ip>:32656.

What I try to achieve now is creating an HTTP Load Balancer and link it to the above backend. I use the following script to create the infrastructure required:

#!/bin/bash

GROUP_NAME="gke-service-cluster-61155cae-group"
HEALTH_CHECK_NAME="test-health-check"
BACKEND_SERVICE_NAME="test-backend-service"
URL_MAP_NAME="test-url-map"
TARGET_PROXY_NAME="test-target-proxy"
GLOBAL_FORWARDING_RULE_NAME="test-global-rule"
NODE_PORT="32656"
PORT_NAME="http"

# instance group named ports
gcloud compute instance-groups set-named-ports "$GROUP_NAME" --named-ports "$PORT_NAME:$NODE_PORT"

# health check
gcloud compute http-health-checks create --format none "$HEALTH_CHECK_NAME" --check-interval "5m" --healthy-threshold "1" --timeout "5m" --unhealthy-threshold "10"

# backend service
gcloud compute backend-services create "$BACKEND_SERVICE_NAME" --http-health-check "$HEALTH_CHECK_NAME" --port-name "$PORT_NAME" --timeout "30"
gcloud compute backend-services add-backend "$BACKEND_SERVICE_NAME" --instance-group "$GROUP_NAME" --balancing-mode "UTILIZATION" --capacity-scaler "1" --max-utilization "1"

# URL map
gcloud compute url-maps create "$URL_MAP_NAME" --default-service "$BACKEND_SERVICE_NAME"            

# target proxy
gcloud compute target-http-proxies create "$TARGET_PROXY_NAME" --url-map "$URL_MAP_NAME"

# global forwarding rule
gcloud compute forwarding-rules create "$GLOBAL_FORWARDING_RULE_NAME" --global --ip-protocol "TCP" --ports "80" --target-http-proxy "$TARGET_PROXY_NAME"

But I get the following response from the Load Balancer accessed through the public IP in the Frontend configuration:

Error: Server Error

The server encountered a temporary error and could not complete your request. Please try again in 30 seconds.

The health check is left with default values: (/ and 80) and the backend service responds quickly with a status 200.

I have also created the firewall rule to accept any source and all ports (tcp) and no target specified (i.e. all targets).

Considering that regardless of the port I choose (in the instance group), and that I get the same result (Server Error), the problem should be somewhere in the configuration of the HTTP Load Balancer. (something with the health checks maybe?)

What am I missing from completing the linking between the frontend and the backend?

-- Gabriel Petrovay
gcloud
google-cloud-platform
google-kubernetes-engine
kubernetes
load-balancing

Similar Questions

minikube : not able to connect a locally deployed nginx service
Kubernetes: Cannot deploy flask web app with apache and https
Kubernetes/GCE Ingress controller fails
Kubernetes Ingress controllers for wildcard url mapping

3 Answers

5/14/2020

There can be a few things wrong that are mentioned:

  • firewall rules need to be set to all hosts, are they need to have the same network label as the machines in the instance group have

  • by default, the node should return 200 at / - readiness and liveness probes to configure otherwise did not work for me

It seems you try to do things that are all automated, so I can really recommend: https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress

This shows the steps that do the firewall and portforwarding for you, which also may show you what you are missing.

I noticed myself when using an app on 8080, exposed on 80 (like one of the deployments in the example) that the load balancer staid unhealthy untill I had / returning 200 (and /healthz I added to). So basically that container now exposes a webserver on port 8080, returning that and the other config wires that up to port 80.

When it comes to firewall rules, make sure they are set to all machines or make the network label match, or they won't work. The 502 error is usually from the loadbalancer that will not pass your request if the health check does not pass.

-- Vincent Gerris
Source: StackOverflow
6/29/2016

I assume you actually have instances in the instance group, and the firewall rule is not specific to a source range. Can you check your logs for a google health check? (UA will have google in it).

What version of kubernetes are you running? Fyi there's a resource in 1.2 that hooks this up for you automatically: http://kubernetes.io/docs/user-guide/ingress/, just make sure you do these: https://github.com/kubernetes/contrib/blob/master/ingress/controllers/gce/BETA_LIMITATIONS.md.

More specifically: in 1.2 you need to create a firewall rule, service of type=nodeport (both of which you already seem to have), and a health check on that service at "/" (which you don't have, this requirement is alleviated in 1.3 but 1.3 is not out yet).

Also note that you can't put the same instance into 2 loadbalanced IGs, so to use the Ingress mentioned above you will have to cleanup your existing loadbalancer (or at least, remove the instances from the IG, and free up enough quota so the Ingress controller can do its thing).

-- Prashanth B
Source: StackOverflow
6/27/2016

Could you make your service type LoadBalancer (http://kubernetes.io/docs/user-guide/services/#type-loadbalancer) which would setup this all up automatically? This assumes you have the flag set for google cloud.

After you deploy, then describe the service name and should give you the endpoint which is assigned.

-- Steve Sloka
Source: StackOverflow