Question

我有一个托管在Google Cloud上的kubernetes集群，多个部署和服务以及一个入口（gce）。服务，部署和Pod已启动并运行，但是该入口指示几乎所有后端服务（ingress.kubernetes.io/backends）都处于不正常状态：似乎它创建了N + 1个后端服务（N =服务或部署的数量）只有一个人健康。

存在“活动和就绪”探针，它们工作正常（服务指示就绪和健康状态，并且0重新启动）。添加了具有200 OK状态（在/路径上）的root处理程序。服务类型为NodePort。端口和目标端口-443。TLS证书有效并附加到入口。

我希望所有服务都应该健康。

下面是YAML配置示例

apiVersion: apps/v1
kind: Deployment
metadata:
  name: dummy-service
  labels:
    app: dummy-app
spec:
  selector:
    matchLabels:
      app: dummy-app
  template:
    metadata:
      labels:
        app: dummy-app
    spec:
      containers:
      - name: dummy-service
        image: xx.gcr.io/dummy-project/dummy-service:latest
        resources:
          limits:
            memory: "128Mi"
            cpu: "100m"
        ports:
        - containerPort: 443
        livenessProbe:
          httpGet:
            path: /health
            port: 443
          initialDelaySeconds: 90
          periodSeconds: 60
        readinessProbe:
          httpGet:
            path: /health
            port: 443
          initialDelaySeconds: 90
          periodSeconds: 60
        env:
        - name: ASPNETCORE_ENVIRONMENT
          value: Production
        - name: ASPNETCORE_URLS
          value: https://*:443;http://*:80
        - name: ASPNETCORE_Kestrel__Certificates__Default__Password
          value: ""
        - name: ASPNETCORE_Kestrel__Certificates__Default__Path
          value: dummy_tls_certificate.pfx

# There are several deployments with the same configuration
# Only name different

---

apiVersion: v1
kind: Service
metadata:
  name: dummy-service
spec:
  selector:
    app: dummy-app
  ports:
  - port: 443
  type: NodePort

# There are several services with the same configuration
# Only name different

---

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: www
  annotations:
    external-dns.alpha.kubernetes.io/hostname: "my-dummy-hostname.com"
    ingress.kubernetes.io/add-base-url: "true"
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.global-static-ip-name: "dummy-static-ip-address-name"
spec:
  tls:
  - hosts:
    - my-dummy-hostname.com
    secretName: dummy-tls-secret
  rules:
  - host: my-dummy-hostname.com
    http:
      paths:
      - path: /api/dummy
        backend:
          serviceName: dummy-service
          servicePort: 443
      # Example of other service
      - path: /api/yet_another_dummy
        backend:
          serviceName: yet-another-dummy-service
          servicePort: 443

Answer 1

似乎TLS有点奇怪，后端服务尝试从“本地主机上下文”检查运行状况，并为特定域名签名了证书。另外我还必须将servicePort更改为80以使其正常工作（HTTPS连接仍然存在）。

如何修复不健康的后端服务？

1 个答案: