kubernetes configuration Ingress,ingress_nginx service external IP pending

6/5/2018

I have a virtual machine centos(ver 7.4) on win10 machine, I do not use AWS, Google cloud service, nor Azure. I put master and node in one machine. My original problem domain have 5 components, I configure them as ClusterIP, so they could communicate with each other(eureka, config,api,uaa,zipkin). Now I only need api talk outside. But for short, I make two components for convenience (api and eureka). But now, api needs to receive from outside of cluster. So that I configure ingress. When ingress, I need to configure rbac. I put my yaml file here with error message.

eureka_pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: gearbox-rack-eureka-server
  labels:
    app: gearbox-rack-eureka-server
    purpose: platform_eureka_demo
spec:
  containers:
  - name:  gearbox-rack-eureka-server
    image: 192.168.1.229:5000/gearboxrack/gearbox-rack-eureka-server
    ports:
        - containerPort: 8761

eureka_svc.yaml

apiVersion: v1
kind: Service
metadata:
  name: gearbox-rack-eureka-server
  labels:
    name: gearbox_rack_eureka_server
spec:
  selector:
    app: gearbox-rack-eureka-server
  type: ClusterIP
  ports:
    - port: 8761
      name: tcp

api_pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: gearbox-rack-api-gateway
  labels:
    app: gearbox-rack-api-gateway
    purpose: platform-demo
spec:
  containers:
  - name:  gearbox-rack-api-gateway
    image: 192.168.1.229:5000/gearboxrack/gearbox-rack-api-gateway
    ports:
    - containerPort: 5555
    env:
      - name: EUREKA_SERVER
        value: http://gearbox-rack-eureka-server:8761
      - name: CONFIG_SERVER
        value: http://gearbox-rack-config-server:8888
      - name: CONFIG_PROFILE
        value: docker
      - name: CONFIG_LABEL
        value: master
      - name: ZIPKIN_SERVER
        value: http://gearbox-rack-zipkin-server:9411

api_svc.yaml:

apiVersion: v1
kind: Service
metadata:
  name: gearbox-rack-api-gateway
  labels:
    name: gearbox-rack-api-gateway
spec:
  selector:
    app: gearbox-rack-api-gateway
  type: ClusterIP
  ports:
    - port: 5555
      name: tcp

ingress_nginx_role_rb.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: lb
  namespace: kube-system

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-normal
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
        - events
    verbs:
        - create
        - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-minimal
  namespace: kube-system
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - "ingress-controller-leader-dev"
      - "ingress-controller-leader-prod"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-minimal
subjects:
  - kind: ServiceAccount
    name: lb
    namespace: kube-system

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-normal
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-normal
subjects:
  - kind: ServiceAccount
    name: lb
    namespace: kube-system

nginx_default_backend.yaml:

kind: Service
apiVersion: v1
metadata:
  name: nginx-default-backend
  namespace: kube-system
spec:
  ports:
  - port: 80
    targetPort: http
  selector:
    app: nginx-default-backend
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: nginx-default-backend
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx-default-backend
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - name: default-http-backend
        image: chenliujin/defaultbackend
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 5
        resources:
          limits:
            cpu: 10m
            memory: 20Mi
          requests:
            cpu: 10m
            memory: 20Mi
        ports:
        - name: http
          containerPort: 8080
          protocol: TCP

ingress_nginx_ctl.yaml:

kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
spec:
  type: NodePort
  selector:
    app: ingress-nginx
  ports:
  - name: http
    port: 80
    nodePort: 31080
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: ingress-nginx
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: ingress-nginx
    spec:
      terminationGracePeriodSeconds: 60
      serviceAccount: lb
      containers:
      - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.15.0
        name: ingress-nginx
        imagePullPolicy: Always
        ports:
          - name: http
            containerPort: 80
            protocol: TCP
          - name: https
            containerPort: 443
            protocol: TCP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 5
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/nginx-default-backend

ingress_nginx_res.yaml:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
spec:
  rules:
   - host:
     http:
       paths:
       - path: /eureka
         backend:
           serviceName: gearbox-rack-eureka-server
           servicePort: 8761
   - host:
     http:
       paths:
       - path: /
         backend:
           serviceName: gearbox-rack-api-gateway
           servicePort: 5555

when I try 172.16.100.88:31080/uaa/login, (my virtual machine current IP is 172.16.100.88) it says following connection problme:

[centos@master ~]$ sudo curl http://172.16.100.88:31080/uaa/login
curl: (7) Failed connect to 172.16.100.88:31080; Connection refused

I check ingress-nginx pod, it seems request has not yet reached nginx.

[centos@master ~]$ sudo kubectl logs ingress-nginx-5c6d78668c-c78rd -n kube-system
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:    0.15.0
  Build:      git-df61bd7
  Repository: https://github.com/kubernetes/ingress-nginx
-------------------------------------------------------------------------------
W0606 03:24:39.256706       7 client_config.go:533] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0606 03:24:39.257090       7 main.go:158] Creating API client for https://10.96.0.1:443
I0606 03:24:39.269897       7 main.go:202] Running in Kubernetes Cluster version v1.10 (v1.10.3) - git (clean) commit 2bba0127d85d5a46ab4b778548be28623b32d0b0 - platform linux/amd64
I0606 03:24:39.271426       7 main.go:84] validated kube-system/nginx-default-backend as the default backend
I0606 03:24:39.403474       7 stat_collector.go:77] starting new nginx stats collector for Ingress controller running in namespace  (class nginx)
I0606 03:24:39.403505       7 stat_collector.go:78] collector extracting information from port 18080
I0606 03:24:39.415000       7 nginx.go:278] starting Ingress controller
I0606 03:24:40.518572       7 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"my-ingress", UID:"041fb77f-6939-11e8-971e-fa163e39f742", APIVersion:"extensions", ResourceVersion:"1040", FieldPath:""}): type: 'Normal' reason: 'CREATE' Ingress default/my-ingress
I0606 03:24:40.615398       7 nginx.go:299] starting NGINX process...
I0606 03:24:40.615582       7 leaderelection.go:175] attempting to acquire leader lease  kube-system/ingress-controller-leader-nginx...
I0606 03:24:40.618811       7 controller.go:168] backend reload required
I0606 03:24:40.618835       7 stat_collector.go:34] changing prometheus collector from  to default
I0606 03:24:40.623350       7 leaderelection.go:184] successfully acquired lease kube-system/ingress-controller-leader-nginx
I0606 03:24:40.623400       7 status.go:196] new leader elected: ingress-nginx-5c6d78668c-c78rd
I0606 03:24:40.744438       7 controller.go:177] ingress backend successfully reloaded...
I0606 03:25:40.635267       7 status.go:361] updating Ingress default/my-ingress status to [{ }]
I0606 03:25:40.640390       7 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"my-ingress", UID:"041fb77f-6939-11e8-971e-fa163e39f742", APIVersion:"extensions", ResourceVersion:"1185", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress default/my-ingress

When I login in to pod gearbox-rack-api-gateway, I could see clearly it redirects to the page I expected. so there must be some configuration wrong in my yaml files.

[root@master8g ingress]# kubectl exec -it gearbox-rack-api-gateway -- /bin/bash
root@gearbox-rack-api-gateway:/# curl http://localhost:5555/uaa/login
<!DOCTYPE html>
<!--[if IE 8]> <html lang="en" class="ie8 no-js"> <![endif]-->
<!--[if IE 9]> <html lang="en" class="ie9 no-js"> <![endif]-->
<!--[if !IE]><!-->
<html lang="en" class="no-js">
<!--<![endif]-->
<!-- BEGIN HEAD -->
<head>

  ....
</head>
<!-- END HEAD -->

<body>

  <div class="blank"></div>

 ...
  </div>

  <script>
    document.getElementById("username").focus();
  </script>

</body>
</html>

\=================================================================

second edition

In my virtual machine, I type telnet localhost 31080, rejected. but telnet -6 localhost 31080 succeed. And netstat -anp | less find 31080 binding kube-proxy. I put sysctl -q -w net.ipv6.conf.all.disable_ipv6=1 and sysctl -w net.ipv6.conf.default.disable_ipv6=1 in my starting script, but got same result.

tcp6       0      0 :::31080                :::*                    LISTEN      7436/kube-proxy

\==============================================================

Third edition

Yesterday question about Ipv6 is stupid. I misconfigured /etc/hosts. Now I have telnet localhost 31080 work, but when I do curl http://localhost:31080/uaa/login, it hangs there for long time. So pod is listening. When I issue the command curl http://localhost:31080/uaa/login, at the same time, I check several pods' log. Log has shown no error and has no log to say the port 31080 has been sent request. I checked ingress-nginx pod logs: I paste some here.

I0608 07:15:31.436658       5 leaderelection.go:184] successfully acquired lease kube-system/ingress-controller-leader-nginx
I0608 07:15:31.436683       5 status.go:196] new leader elected: ingress-nginx-6ccc799fbc-tl588
I0608 07:15:31.493595       5 controller.go:177] ingress backend successfully reloaded...
I0608 07:16:31.441317       5 status.go:361] updating Ingress default/my-ingress status to [{ }]
I0608 07:16:31.444803       5 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"my-ingress", UID:"b96b555d-6aeb-11e8-acff-080027709399", APIVersion:"extensions", ResourceVersion:"1270", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress default/my-ingress

[root@master8g ingress]# curl http://localhost:31080/uaa/login
^C
[root@master8g ingress]# telnet localhost 31080
Trying ::1...
Connected to localhost.
Escape character is '^]'.
^C^CTerminated

My own wild guess is that ingress nginx pod's namespace is kube-system, nginx service's name space is default, my-ingress's namespace is default. nginx-default-backend's name space is kube-system. Whether cross namespace traffic is forbidden.

enter image description here

Experts what kind of logs do you need?

\=======================================================

Forth Edition

After define all ingress controller, ingress resources as default namespace, now I did get move further. Now nginx redirect my http request to https: request. How to disable this feature will make my ingress working wholly.

[root@master8g ingress]# curl http://172.16.100.88:31080/uaa/login
<html>
<head><title>308 Permanent Redirect</title></head>
<body bgcolor="white">
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx/1.13.12</center>
</body>
</html>

I notice ingress-nginx receive the request, shown as below:

[root@master8g ingress]# kubectl logs ingress-nginx-6ccc799fbc-7clb6
172.16.100.88 - [172.16.100.88] - - [08/Jun/2018:09:16:01 +0000] "GET / HTTP/1.1" 308 188 "-" "curl/7.29.0" 83 0.000 [default-gearbox-rack-api-gateway-5555] - - - - 322eb1a195d940d5aa690d81ba9d0a4b
172.16.100.88 - [172.16.100.88] - - [08/Jun/2018:09:16:15 +0000] "GET /uaa/login HTTP/1.1" 308 188 "-" "curl/7.29.0" 92 0.000 [default-gearbox-rack-api-gateway-5555] - - - - 31dabba6b0e6cbbc899ec1248ffacd92
172.16.100.88 - [172.16.100.88] - - [08/Jun/2018:09:20:39 +0000] "GET / HTTP/1.1" 308 188 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" 383 0.000 [default-gearbox-rack-api-gateway-5555] - - - - a00e1c447b581e46566fbb216134e993
172.16.100.88 - [172.16.100.88] - - [08/Jun/2018:09:20:39 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x1A\xBB\xB6R\xB3Y\xCF;\x95\xBD[B\xC4\x09\x15\xE8\xE35C6\x82\xB0mN\xE9~p\xC4\x87M\x89H O\xCC4\xB6'\xCC\xAA\xA9\xC5\xB6\xDC\xFE" 400 174 "-" "-" 0 0.001 [] - - - - c914c5f584a1cec087e33a5ebd8b1c8d
172.16.100.88 - [172.16.100.88] - - [08/Jun/2018:09:20:39 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xD15\xD8&\x9F\x0E\xBB\xFF\xFE\xF0\xD5x\xD17\xF6\x01\xD1\x91\x0E\x1E\x84\x8C\x94(\xBD\xF81\xA0\x80\xB4\xE7q \xB5\x1D\xEEG9\x09g\xBCi\x85BC\xCB\x9Ag\xD9@'\xB6 \x18\x8F\xC8" 400 174 "-" "-" 0 0.002 [] - - - - 8164c246d67cb97331ec5230679e7e6f
172.16.100.88 - [172.16.100.88] - - [08/Jun/2018:09:20:39 +0000] "\x16\x03\x01\x00\xAE\x01\x00\x00\xAA\x03\x03U\xC5\x22.\x9Eq\xCD\xDFi\xE0\x0B\x11\x93\xD0L\x9C\xCE\xBA\xD1\xA3\xE6\x124y\xA6\xEA\xB8\x88I\x97\x1F\xB8\x00\x00\x1C\x8A\x8A\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00" 400 174 "-" "-" 0 0.001 [] - - - - 0556f985d88e3ede2217459ab75ab4f4


ingress_nginx_res.yaml:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
spec:
  rules:
   - host:
     http:
       paths:
       - path: /
         backend:
           serviceName: gearbox-rack-api-gateway
           servicePort: 5555
-- user84592
kubernetes
kubernetes-ingress

1 Answer

6/5/2018
apiVersion: v1
kind: Service
metadata:
  name: gearbox-rack-eureka-server
  labels:
    name: gearbox_rack_eureka_server
spec:
  selector:
    app: gearbox-rack-eureka-server
  type: ClusterIP
  ports:
    - port: 8761
      name: tcp

name: tcp -> protocol: TCP ?

-- Xiaoyu Zhang
Source: StackOverflow