2023年5月6日 18:22:58go评论87阅读模式

英文:

EKS Fargate pods unreachable from internet

问题

我正在尝试创建EKS Fargate集群并部署一个具有1个端点的示例Spring Boot应用程序，我成功地使用以下CloudFormation脚本创建了堆栈：

---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS CloudFormation template for EKS Fargate managed Kubernetes cluster with exposed endpoints'
# ... (此处省略了一些内容) ...

我运行以下命令来为Fargate打补丁CoreDNS：

kubectl patch deployment coredns \
    -n kube-system \
    --type json \
    -p='[{"op": "remove", "path": "/spec/template/metadata/annotations/eks.amazonaws.com~1compute-type"}]'

然后，我使用以下Kubernetes清单从公共ECR部署我的示例应用程序映像：

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
# ... (此处省略了一些内容) ...

然后，当我运行：

kubectl get svc

我看到以下结果：

NAME              TYPE           CLUSTER-IP      EXTERNAL-IP                                                                  PORT(S)        AGE
example-service   LoadBalancer   172.20.228.77   aa0116829ac2647a7bf39a97bffb0183-1208408433.eu-central-1.elb.amazonaws.com   80:31915/TCP   16m
kubernetes        ClusterIP      172.20.0.1      <none>                                                                       443/TCP        29m

但是，当我尝试访问LoadBalancer example-service的EXTERNAL-IP时，我收到空响应，我无法访问我的应用程序仅在Spring Boot应用程序中定义的路径：/api/v1/info

server.port=8080
server.servlet.context-path=/api/v1

我漏掉了什么？

一些信息：

我的Pod成功启动，当我运行kubectl logs pod-name时，我可以看到Spring Boot的日志记录。
我的CoreDNS Pod也正常启动。
我使用busybox来测试我的集群的DNS，似乎一切正常。

你可能需要检查以下几点来解决问题：

确保LoadBalancer example-service的EXTERNAL-IP已经分配，并且状态正常。
检查Security Group和Network ACL规则，确保它们允许流量通过LoadBalancer到达Pod。
确保你的Spring Boot应用程序在端口8080上正在监听，并且路径"/api/v1/info"已正确设置。
检查CoreDNS是否正确配置，确保DNS解析正常工作。
如果你有网络策略(Network Policies)或其他Kubernetes网络配置，请确保它们没有阻止流量到达你的应用程序。

希望这些提示对你有所帮助，帮助你解决问题。

英文:

I am trying to create EKS Fargate cluster and deploy example Spring Boot application with 1 endpoint, I successfully create stack with following CloudFormation script:

---
AWSTemplateFormatVersion: &#39;2010-09-09&#39;
Description: &#39;AWS CloudFormation template for EKS Fargate managed Kubernetes cluster with exposed endpoints&#39;
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.2.0/24
      MapPublicIpOnLaunch: true
      AvailabilityZone: !Select [ 0, !GetAZs &#39;&#39; ]
  PrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [ 0, !GetAZs &#39;&#39; ]
  PrivateSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: !Select [ 1, !GetAZs &#39;&#39; ]
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  PublicRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  SubnetRouteTableAssociationA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable
  EIP:
    Type: AWS::EC2::EIP
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      SubnetId: !Ref PublicSubnet
      AllocationId: !GetAtt EIP.AllocationId
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  PrivateRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  PrivateSubnetRouteTableAssociationA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetA
      RouteTableId: !Ref PrivateRouteTable
  PrivateSubnetRouteTableAssociationB:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetB
      RouteTableId: !Ref PrivateRouteTable
  EKSCluster:
    Type: AWS::EKS::Cluster
    Properties:
      Name: EKSFargateCluster
      Version: &#39;1.26&#39;
      ResourcesVpcConfig:
        SubnetIds:
          - !Ref PrivateSubnetA
          - !Ref PrivateSubnetB
      RoleArn: !GetAtt EKSClusterRole.Arn
  FargateProfile:
    Type: AWS::EKS::FargateProfile
    Properties:
      ClusterName: !Ref EKSCluster
      FargateProfileName: FargateProfile
      PodExecutionRoleArn: !GetAtt FargatePodExecutionRole.Arn
      Selectors:
        - Namespace: default
      Subnets:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
  FargateProfileCoredns:
    Type: AWS::EKS::FargateProfile
    Properties:
      ClusterName: !Ref EKSCluster
      FargateProfileName: CorednsProfile
      PodExecutionRoleArn: !GetAtt FargatePodExecutionRole.Arn
      Selectors:
        - Namespace: kube-system
          Labels:
            - Key: k8s-app
              Value: kube-dns
      Subnets:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
  FargatePodExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: &#39;2012-10-17&#39;
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - eks-fargate-pods.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy
  EKSClusterRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: &#39;2012-10-17&#39;
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - eks.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
        - arn:aws:iam::aws:policy/AmazonEKSVPCResourceController

I run following command to path the CoreDNS for Fargate:

kubectl patch deployment coredns \
    -n kube-system \
    --type json \
    -p=&#39;[{&quot;op&quot;: &quot;remove&quot;, &quot;path&quot;: &quot;/spec/template/metadata/annotations/eks.amazonaws.com~1compute-type&quot;}]&#39;

Then I deploy my example application image from public ECR with following kubernetes manifest:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      containers:
        - name: ventu
          image: public.ecr.aws/not_real_url/public_ecr_name:latest
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: example-service
spec:
  type: LoadBalancer
  selector:
    app: example-app
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080

Then when I run:

kubectl get svc

I see result:

NAME              TYPE           CLUSTER-IP      EXTERNAL-IP                                                                  PORT(S)        AGE
example-service   LoadBalancer   172.20.228.77   aa0116829ac2647a7bf39a97bffb0183-1208408433.eu-central-1.elb.amazonaws.com   80:31915/TCP   16m
kubernetes        ClusterIP      172.20.0.1      &lt;none&gt;                                                                       443/TCP        29m

However when I try to reach the EXTERNAL-IP on my LoadBalancer example-service, I get empty response, I can't reach my application on only path defined in my Spring Boot application: /api/v1/info

server.port=8080
server.servlet.context-path=/api/v1

What am I missing?

Couple of information:

my pods spin up successfully, I can see Spring Boot logging when I run kubectl logs pod-name
my coredns pods spin up correctly as well
I use busybox to test my cluster's dns, and everything seems to be working too

答案1

得分: 2

I solved my issue, by following this guide

然后，我将生成的堆栈导出到我的CloudFormation脚本中。

然后，为了部署我的应用程序，我更新了我的Kubernetes清单如下：

apiVersion: v1
kind: Namespace
metadata:
name: example

apiVersion: apps/v1
kind: Deployment
metadata:
namespace: example
name: deployment-example-be-app
spec:
selector:
matchLabels:
app.kubernetes.io/name: example-be-app
replicas: 2
template:
metadata:
labels:
app.kubernetes.io/name: example-be-app
spec:
containers:
- name: example-be-app
image: public.ecr.aws/fake_url/example:latest
imagePullPolicy: Always
ports:
- containerPort: 8080

apiVersion: v1
kind: Service
metadata:
namespace: example
name: service-example-be-app
annotations:
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
service.beta.kubernetes.io/aws-load-balancer-type: external
service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
spec:
type: LoadBalancer
ports:
- port: 80
targetPort: 8080
protocol: TCP
selector:
app.kubernetes.io/name: example-be-app

现在我可以通过浏览器访问我的示例应用程序。

英文:

I solved my issue, by following this guide

I then exported resulting stack into my CloudFormation script.

Then to deploy my application I updated my kubernetes manifest to:

---
apiVersion: v1
kind: Namespace
metadata:
  name: example
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: example
  name: deployment-example-be-app
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: example-be-app
  replicas: 2
  template:
    metadata:
      labels:
        app.kubernetes.io/name: example-be-app
    spec:
      containers:
        - name: example-be-app
          image: public.ecr.aws/fake_url/example:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  namespace: example
  name: service-example-be-app
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
spec:
  type: LoadBalancer
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
  selector:
    app.kubernetes.io/name: example-be-app

Now I access my example application form browser.

通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库，让每个人都能够通过互相帮助和分享经验来进步。

EKS Fargate pods无法从互联网访问。

问题

答案1

apiVersion: v1
kind: Namespace
metadata:
name: example

“Unable to import module ‘lambda_function’: No module named ‘parameter_store_extension'”

如何在Athena上设置“打开端口444”。

Cron表达式以在每月的第一个星期二运行，星期二后面应该是一个星期一。

一个用于在Kubernetes表格中求和数字的Bash命令？

如何在Playwright视觉比较中屏蔽多个定位器？

在C++中，可以使用可变模板参数来检索类型的内部类型。

selenium.common.exceptions.StaleElementReferenceException: Message: stale element reference: stale element not found

Creating and opening a URL to log in to Website via Basic Auth with Robot Framework/Selenium (Python)

AG Grid 在上下文菜单中以大文本形式打开

What's the correct way to type hint an empty list as a literal in python?

如何在Highcharts Gantt中更改本地化的星期名称

如何在同一个流中使用多个过滤器和映射函数？

如何使用Map/Set来将代码优化到O(n)？

.NET MAUI Android在GitHub Actions上构建失败，错误代码为1。

如何在Playwright视觉比较中屏蔽多个定位器？

在C++中，可以使用可变模板参数来检索类型的内部类型。

selenium.common.exceptions.StaleElementReferenceException: Message: stale element reference: stale element not found

Creating and opening a URL to log in to Website via Basic Auth with Robot Framework/Selenium (Python)

AG Grid 在上下文菜单中以大文本形式打开

What's the correct way to type hint an empty list as a literal in python?

如何在Highcharts Gantt中更改本地化的星期名称

如何在同一个流中使用多个过滤器和映射函数？

如何使用Map/Set来将代码优化到O(n)？

.NET MAUI Android在GitHub Actions上构建失败，错误代码为1。

发表评论

问题

答案1

apiVersion: v1 kind: Namespace metadata: name: example

发表评论

apiVersion: v1
kind: Namespace
metadata:
name: example