EKS Fargate pods无法从互联网访问。

huangapple go评论64阅读模式
英文:

EKS Fargate pods unreachable from internet

问题

我正在尝试创建EKS Fargate集群并部署一个具有1个端点的示例Spring Boot应用程序,我成功地使用以下CloudFormation脚本创建了堆栈:

---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS CloudFormation template for EKS Fargate managed Kubernetes cluster with exposed endpoints'
# ... (此处省略了一些内容) ...

我运行以下命令来为Fargate打补丁CoreDNS:

kubectl patch deployment coredns \
    -n kube-system \
    --type json \
    -p='[{"op": "remove", "path": "/spec/template/metadata/annotations/eks.amazonaws.com~1compute-type"}]'

然后,我使用以下Kubernetes清单从公共ECR部署我的示例应用程序映像:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
# ... (此处省略了一些内容) ...

然后,当我运行:

kubectl get svc

我看到以下结果:

NAME              TYPE           CLUSTER-IP      EXTERNAL-IP                                                                  PORT(S)        AGE
example-service   LoadBalancer   172.20.228.77   aa0116829ac2647a7bf39a97bffb0183-1208408433.eu-central-1.elb.amazonaws.com   80:31915/TCP   16m
kubernetes        ClusterIP      172.20.0.1      <none>                                                                       443/TCP        29m

但是,当我尝试访问LoadBalancer example-service的EXTERNAL-IP时,我收到空响应,我无法访问我的应用程序仅在Spring Boot应用程序中定义的路径:/api/v1/info

server.port=8080
server.servlet.context-path=/api/v1

我漏掉了什么?

一些信息:

  • 我的Pod成功启动,当我运行kubectl logs pod-name时,我可以看到Spring Boot的日志记录。
  • 我的CoreDNS Pod也正常启动。
  • 我使用busybox来测试我的集群的DNS,似乎一切正常。

你可能需要检查以下几点来解决问题:

  1. 确保LoadBalancer example-service的EXTERNAL-IP已经分配,并且状态正常。
  2. 检查Security Group和Network ACL规则,确保它们允许流量通过LoadBalancer到达Pod。
  3. 确保你的Spring Boot应用程序在端口8080上正在监听,并且路径"/api/v1/info"已正确设置。
  4. 检查CoreDNS是否正确配置,确保DNS解析正常工作。
  5. 如果你有网络策略(Network Policies)或其他Kubernetes网络配置,请确保它们没有阻止流量到达你的应用程序。

希望这些提示对你有所帮助,帮助你解决问题。

英文:

I am trying to create EKS Fargate cluster and deploy example Spring Boot application with 1 endpoint, I successfully create stack with following CloudFormation script:

---
AWSTemplateFormatVersion: &#39;2010-09-09&#39;
Description: &#39;AWS CloudFormation template for EKS Fargate managed Kubernetes cluster with exposed endpoints&#39;

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true

  InternetGateway:
    Type: AWS::EC2::InternetGateway

  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.2.0/24
      MapPublicIpOnLaunch: true
      AvailabilityZone: !Select [ 0, !GetAZs &#39;&#39; ]

  PrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [ 0, !GetAZs &#39;&#39; ]

  PrivateSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: !Select [ 1, !GetAZs &#39;&#39; ]

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC

  PublicRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  SubnetRouteTableAssociationA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable

  EIP:
    Type: AWS::EC2::EIP

  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      SubnetId: !Ref PublicSubnet
      AllocationId: !GetAtt EIP.AllocationId

  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC

  PrivateRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway

  PrivateSubnetRouteTableAssociationA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetA
      RouteTableId: !Ref PrivateRouteTable

  PrivateSubnetRouteTableAssociationB:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetB
      RouteTableId: !Ref PrivateRouteTable

  EKSCluster:
    Type: AWS::EKS::Cluster
    Properties:
      Name: EKSFargateCluster
      Version: &#39;1.26&#39;
      ResourcesVpcConfig:
        SubnetIds:
          - !Ref PrivateSubnetA
          - !Ref PrivateSubnetB
      RoleArn: !GetAtt EKSClusterRole.Arn

  FargateProfile:
    Type: AWS::EKS::FargateProfile
    Properties:
      ClusterName: !Ref EKSCluster
      FargateProfileName: FargateProfile
      PodExecutionRoleArn: !GetAtt FargatePodExecutionRole.Arn
      Selectors:
        - Namespace: default
      Subnets:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB

  FargateProfileCoredns:
    Type: AWS::EKS::FargateProfile
    Properties:
      ClusterName: !Ref EKSCluster
      FargateProfileName: CorednsProfile
      PodExecutionRoleArn: !GetAtt FargatePodExecutionRole.Arn
      Selectors:
        - Namespace: kube-system
          Labels:
            - Key: k8s-app
              Value: kube-dns
      Subnets:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB

  FargatePodExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: &#39;2012-10-17&#39;
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - eks-fargate-pods.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy

  EKSClusterRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: &#39;2012-10-17&#39;
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - eks.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
        - arn:aws:iam::aws:policy/AmazonEKSVPCResourceController

I run following command to path the CoreDNS for Fargate:

kubectl patch deployment coredns \
    -n kube-system \
    --type json \
    -p=&#39;[{&quot;op&quot;: &quot;remove&quot;, &quot;path&quot;: &quot;/spec/template/metadata/annotations/eks.amazonaws.com~1compute-type&quot;}]&#39;

Then I deploy my example application image from public ECR with following kubernetes manifest:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      containers:
        - name: ventu
          image: public.ecr.aws/not_real_url/public_ecr_name:latest
          ports:
            - containerPort: 8080

---
apiVersion: v1
kind: Service
metadata:
  name: example-service
spec:
  type: LoadBalancer
  selector:
    app: example-app
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080

Then when I run:

kubectl get svc

I see result:

NAME              TYPE           CLUSTER-IP      EXTERNAL-IP                                                                  PORT(S)        AGE
example-service   LoadBalancer   172.20.228.77   aa0116829ac2647a7bf39a97bffb0183-1208408433.eu-central-1.elb.amazonaws.com   80:31915/TCP   16m
kubernetes        ClusterIP      172.20.0.1      &lt;none&gt;                                                                       443/TCP        29m

However when I try to reach the EXTERNAL-IP on my LoadBalancer example-service, I get empty response, I can't reach my application on only path defined in my Spring Boot application: /api/v1/info

server.port=8080
server.servlet.context-path=/api/v1

What am I missing?

Couple of information:

  • my pods spin up successfully, I can see Spring Boot logging when I run kubectl logs pod-name
  • my coredns pods spin up correctly as well
  • I use busybox to test my cluster's dns, and everything seems to be working too

答案1

得分: 2

I solved my issue, by following this guide

然后,我将生成的堆栈导出到我的CloudFormation脚本中。

然后,为了部署我的应用程序,我更新了我的Kubernetes清单如下:


apiVersion: v1
kind: Namespace
metadata:
name: example

apiVersion: apps/v1
kind: Deployment
metadata:
namespace: example
name: deployment-example-be-app
spec:
selector:
matchLabels:
app.kubernetes.io/name: example-be-app
replicas: 2
template:
metadata:
labels:
app.kubernetes.io/name: example-be-app
spec:
containers:
- name: example-be-app
image: public.ecr.aws/fake_url/example:latest
imagePullPolicy: Always
ports:
- containerPort: 8080

apiVersion: v1
kind: Service
metadata:
namespace: example
name: service-example-be-app
annotations:
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
service.beta.kubernetes.io/aws-load-balancer-type: external
service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
spec:
type: LoadBalancer
ports:
- port: 80
targetPort: 8080
protocol: TCP
selector:
app.kubernetes.io/name: example-be-app

现在我可以通过浏览器访问我的示例应用程序。

英文:

I solved my issue, by following this guide

I then exported resulting stack into my CloudFormation script.

Then to deploy my application I updated my kubernetes manifest to:

---
apiVersion: v1
kind: Namespace
metadata:
  name: example
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: example
  name: deployment-example-be-app
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: example-be-app
  replicas: 2
  template:
    metadata:
      labels:
        app.kubernetes.io/name: example-be-app
    spec:
      containers:
        - name: example-be-app
          image: public.ecr.aws/fake_url/example:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  namespace: example
  name: service-example-be-app
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
spec:
  type: LoadBalancer
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
  selector:
    app.kubernetes.io/name: example-be-app

Now I access my example application form browser.

huangapple
  • 本文由 发表于 2023年5月6日 18:22:58
  • 转载请务必保留本文链接:https://go.coder-hub.com/76188366.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定