我有一个运行nginx的容器,它侦听Pod ID的端口443。它本身运行良好;但是,如果指定活动性探针,则该探针将失败并
5m54s Warning Unhealthy Pod Liveness probe failed: Get https://192.168.2.243:443/: EOF
有人可以指出我做错了什么吗?谢谢。
在没有活动探针的情况下运行:
root@ip-192-168-2-243:/etc/nginx# netstat -tupln | grep 443
tcp 0 0 192.168.2.243:1443 0.0.0.0:* LISTEN -
tcp 0 0 192.168.2.243:443 0.0.0.0:* LISTEN 7/nginx: master pro
root@ip-192-168-2-243:/# telnet 192.168.2.243 443
Trying 192.168.2.243...
Connected to 192.168.2.243.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
root@ip-192-168-2-243:/# curl https://192.168.2.243
curl: (77) error setting certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
探针声明:
livenessProbe:
initialDelaySeconds: 10
timeoutSeconds: 4
failureThreshold: 3
httpGet:
scheme: HTTPS
port: 443
Nginx拆分客户端声明:
split_clients "${remote_addr}AAA" $localips {
* 192.168.2.243;
}
dataplane / kubelet.service-ip:
事件:
skwok-mbp:kubernetes skwok$ kubectl get event -w
LAST SEEN TYPE REASON OBJECT MESSAGE
7s Normal SuccessfulDelete statefulset/mnsvr delete Pod mnsvr-0 in StatefulSet mnsvr successful
0s Normal Killing pod/mnsvr-0 Killing container with id docker://mnsvr-proxy:Need to kill Pod
0s Normal Killing pod/mnsvr-0 Killing container with id docker://mnsvr-node0:Need to kill Pod
0s Normal Killing pod/mnsvr-0 Killing container with id docker://mnsvr-node1:Need to kill Pod
0s Normal SuccessfulCreate statefulset/mnsvr create Pod mnsvr-0 in StatefulSet mnsvr successful
0s Normal Scheduled pod/mnsvr-0 Successfully assigned staging/mnsvr-0 to ip-192-168-2-243.us-west-2.compute.internal
0s Normal Pulled pod/mnsvr-0 Container image "171421899218.dkr.ecr.us-west-2.amazonaws.com/mnsvr-proxy:0.96" already present on machine
0s Normal Created pod/mnsvr-0 Created container
0s Normal Started pod/mnsvr-0 Started container
0s Normal Pulled pod/mnsvr-0 Container image "171421899218.dkr.ecr.us-west-2.amazonaws.com/mnsvr:1.1" already present on machine
0s Normal Created pod/mnsvr-0 Created container
0s Normal Started pod/mnsvr-0 Started container
0s Normal Pulled pod/mnsvr-0 Container image "171421899218.dkr.ecr.us-west-2.amazonaws.com/mnsvr:1.1" already present on machine
0s Normal Created pod/mnsvr-0 Created container
0s Normal Started pod/mnsvr-0 Started container
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Normal Killing pod/mnsvr-0 Killing container with id docker://mnsvr-proxy:Container failed liveness probe.. Container will be killed and recreated.
0s Normal Pulled pod/mnsvr-0 Container image "171421899218.dkr.ecr.us-west-2.amazonaws.com/mnsvr-proxy:0.96" already present on machine
0s Normal Created pod/mnsvr-0 Created container
0s Normal Started pod/mnsvr-0 Started container
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Normal Killing pod/mnsvr-0 Killing container with id docker://mnsvr-proxy:Container failed liveness probe.. Container will be killed and recreated.
0s Normal Pulled pod/mnsvr-0 Container image "171421899218.dkr.ecr.us-west-2.amazonaws.com/mnsvr-proxy:0.96" already present on machine
0s Normal Created pod/mnsvr-0 Created container
0s Normal Started pod/mnsvr-0 Started container
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Warning BackOff pod/mnsvr-0 Back-off restarting failed container
答案 0 :(得分:0)
Kubernetes有两种单独的方法来跟踪Pod的运行状况,一种是在部署期间,另一种是在部署之后。 LivenessProbe是导致Kubernetes用新的Pod替换失败的Pod的原因,但是在应用程序部署期间绝对没有任何作用。另一方面,Kubernetes使用就绪探针来确定Pod是否成功启动。
因此,在您的容器成功运行的情况下,您必须定义readinessProbe。
有时,应用程序暂时无法提供流量。例如,应用程序可能需要在启动过程中加载大数据或配置文件,或者在启动后依赖于外部服务。在这种情况下,您不想杀死应用程序,但也不想发送请求。 Kubernetes提供了准备就绪探针以检测和缓解这些情况。装有报告其容器尚未就绪的容器的容器无法通过Kubernetes Services接收流量。
描述探测的官方kubernetes文档:kubernetes-probes。
答案 1 :(得分:0)
我认为EOF是TLS握手问题的征兆。我目前看到的是相同的。
某些版本的curl可以产生类似的结果。卷曲的一种解决方法似乎是使用-tls-max 1.2 。
我目前的怀疑是客户端(探针)正尝试与服务器协商TLS 1.3,但失败了(可能是由于密码)。我正在尝试查看是否可以将k8s探针配置为使用TLS 1.2。或者,我们可以在服务器端关闭TLS 1.3。就您而言,这是在nginx上。就我而言,我有一个带有JDK 11.0.6的码头9.4服务器。
另一个选择可能是升级k8s。我们似乎在k8s v1.15集群中看到了这种情况,但在k8s v1.16.2集群中却没有看到。但是我不确定这是由于k8s版本还是底层OS库(在我的情况下为CentOS 7)引起的。