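I am configuring a secured ELK cluster on GKE using the free X-Pack basic authentication.
I have built a k8s StatefulSet Elasticsearch manifest with `xpack.security.enabled` set to true. My Kibana deployment has a readinessProbe pointing to "/api/status" with an Authorization header containing the correct base64 user:password encoding.
Here is my Kibana deployment and the associated Ingress: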
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kibana
  namespace: kube-logging
  labels:
    app: kibana
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kibana
  template:
    metadata:
      labels:
        app: kibana
    spec:
      containers:
      - name: kibana
        image: docker.elastic.co/kibana/kibana:7.1.1
        livenessProbe:
          httpGet:
            path: /api/status
            port: 5601
            httpHeaders:
            - name: Authorization
              value: Basic blabla==
          initialDelaySeconds: 40
          timeoutSeconds: 5
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /api/status
            port: 5601
            httpHeaders:
            - name: Authorization
              value: Basic blabla==
          initialDelaySeconds: 40
          failureThreshold: 3
          timeoutSeconds: 5
          periodSeconds: 10
        resources:
          limits:
            cpu: 1000m
          requests:
            cpu: 100m
        env:
        - name: ELASTICSEARCH_URL
          value: http://elasticsearch:9200
        - name: ELASTICSEARCH_USERNAME
          value: kibana
        - name: ELASTICSEARCH_PASSWORD
          value: blabla
        ports:
        - name: kibana
          containerPort: 5601
```

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kibana
  namespace: kube-logging
spec:
  backend:
    serviceName: kibana
    servicePort: 5601
```
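When I apply the Ingress, GCP automatically creates an HTTP health check for the load balancer on the path "/" that expects a 200 status code. But Kibana expects the Authorization header in order to respond with 200.
If I manually update the HTTP load balancer health check to TCP, everything works, but GCP automatically reverts my change and my Kibana deployment becomes unreachable again.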
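The mismatch described in the question, as an added example that is not part of the original post: a `probe` helper that sends one GET without following redirects, run against a local stub so it works offline. The stub, its credentials and the 401 it returns for unauthenticated requests are assumptions made for this example; point `compare_checks` at a real backend to see its actual codes.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the stub only; not values from the post.
STUB_AUTH = "Basic " + base64.b64encode(b"probe:example-password").decode()

class AuthGatedStub(BaseHTTPRequestHandler):
    """Stand-in for an auth-protected backend: 200 only with the expected header."""
    def do_GET(self):
        ok = self.headers.get("Authorization") == STUB_AUTH
        self.send_response(200 if ok else 401)  # 401 is this stub's choice
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass

def probe(host, port, path, authorization=None, timeout=5):
    """Send one GET, do not follow redirects, return the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        headers = {"Authorization": authorization} if authorization else {}
        conn.request("GET", path, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()

def compare_checks(host, port, authorization=STUB_AUTH):
    """Status code seen by each of the two checkers described in the post."""
    return {
        # Load balancer health check: path "/", no headers, expects 200.
        "lb_health_check": probe(host, port, "/"),
        # Pod probe from the Deployment: /api/status with Authorization.
        "kubelet_probe": probe(host, port, "/api/status", authorization),
    }

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), AuthGatedStub)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return compare_checks("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```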