在启用了https负载均衡器和IAP /安全策略的情况下使用GKE入口

时间:2018-09-10 20:41:31

标签: kubernetes google-kubernetes-engine

我有一个使用GKE Ingress(主版本1.10.6-gke.2)作为负载平衡器的应用程序。最近,GKE开始支持通过BackendConfig声明IAP支持。我遵循[1]和[2]的文档。但是,现在,GKE在创建我的Ingress时似乎挂起了。

下面是我的服务,入口和backendconfig的Yaml。

kubectl -n randall-test-1 get svc,ing,backendconfig -o yaml 

apiVersion: v1
items:
- apiVersion: v1
  kind: Service
  metadata:
    annotations:
      beta.cloud.google.com/backend-config: '{"default": "airflow-backend-config"}'
      service.alpha.kubernetes.io/app-protocols: '{"web":"HTTPS"}'
    creationTimestamp: 2018-09-10T19:23:13Z
    name: airflow
    namespace: randall-test-1
    resourceVersion: "2155724"
    selfLink: /api/v1/namespaces/randall-test-1/services/airflow
    uid: X-X-X-X-X
  spec:
    clusterIP: X.X.X.X
    externalTrafficPolicy: Cluster
    ports:
    - name: web
      nodePort: 30099
      port: 8080
      protocol: TCP
      targetPort: web
    selector:
      app: airflow
    sessionAffinity: None
    type: NodePort
  status:
    loadBalancer: {}
- apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.allow-http: "false"
    creationTimestamp: 2018-09-10T19:23:13Z
    generation: 1
    name: airflow
    namespace: randall-test-1
    resourceVersion: "2155721"
    selfLink: /apis/extensions/v1beta1/namespaces/randall-test-1/ingresses/airflow
    uid: X-X-X-X-X
  spec:
    backend:
      serviceName: airflow
      servicePort: 8080
    tls:
    - secretName: tls
  status:
    loadBalancer: {}
- apiVersion: cloud.google.com/v1beta1
  kind: BackendConfig
  metadata:
    clusterName: ""
    creationTimestamp: 2018-09-10T19:23:13Z
    generation: 1
    name: airflow-backend-config
    namespace: randall-test-1
    resourceVersion: "2155728"
    selfLink: /apis/cloud.google.com/v1beta1/namespaces/randall-test-1/backendconfigs/airflow-backend-config
    uid: X-X-X-X-X
  spec:
    iap:
      enabled: true
      oauthclientCredentials:
        secretName: oauth2
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

这种悬而未决的见解。

cluster@master0:~/kube-config$ kubectl -n randall-test-1 describe ing
Name:             airflow
Namespace:        randall-test-1
Address:
Default backend:  airflow:8080 (X.X.X.X:8080)
TLS:
  tls terminates
Rules:
  Host  Path  Backends
  ----  ----  --------
  *     *     airflow:8080 (X.X.X.X:8080)
Annotations:
Events:
  Type    Reason  Age   From                     Message
  ----    ------  ----  ----                     -------
  Normal  ADD     6m    loadbalancer-controller  randall-test-1/airflow

但是,在GKE控制台中,我得到Creating ingress作为状态达20分钟以上,没有任何分辨率。我还在控制台中检查了Load Balancers,什么也没看到。

有什么想法吗?还有什么我可以检查的?

我还尝试仅使用securityPolicy来执行此操作,该操作应该将负载均衡器与Cloud Armor策略相关联。与此类似的挂起也不起作用。

[1] https://cloud.google.com/iap/docs/enabling-kubernetes-howto

[2] https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig

注意:交叉发布于https://github.com/kubernetes/ingress-gce/issues/469

1 个答案:

答案 0 :(得分:0)

过去几天,我们收到了一些类似的案例。默认GKE服务帐户的权限似乎有问题。

您可以尝试向其中添加以下permissions吗?

  • clientauthconfig.clients.update
  • clientauthconfig.clients.get
相关问题
最新问题