Question

我有一个运行nginx的容器，它侦听Pod ID的端口443。它本身运行良好；但是，如果指定活动性探针，则该探针将失败并

5m54s       Warning   Unhealthy          Pod           Liveness probe failed: Get https://192.168.2.243:443/: EOF

有人可以指出我做错了什么吗？谢谢。

在没有活动探针的情况下运行：

root@ip-192-168-2-243:/etc/nginx# netstat -tupln | grep 443
tcp        0      0 192.168.2.243:1443      0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.2.243:443       0.0.0.0:*               LISTEN      7/nginx: master pro

root@ip-192-168-2-243:/# telnet 192.168.2.243 443
Trying 192.168.2.243...
Connected to 192.168.2.243.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

root@ip-192-168-2-243:/# curl https://192.168.2.243
curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs

探针声明：

livenessProbe:
  initialDelaySeconds: 10
  timeoutSeconds: 4
  failureThreshold: 3
  httpGet:
    scheme: HTTPS
    port: 443

Nginx拆分客户端声明：

split_clients "${remote_addr}AAA" $localips {
       *                 192.168.2.243;
}

dataplane / kubelet.service-ip：

事件：

skwok-mbp:kubernetes skwok$ kubectl get event -w
LAST SEEN   TYPE     REASON             OBJECT              MESSAGE
7s          Normal   SuccessfulDelete   statefulset/mnsvr   delete Pod mnsvr-0 in StatefulSet mnsvr successful
0s          Normal   Killing            pod/mnsvr-0         Killing container with id docker://mnsvr-proxy:Need to kill Pod
0s          Normal   Killing            pod/mnsvr-0         Killing container with id docker://mnsvr-node0:Need to kill Pod
0s          Normal   Killing            pod/mnsvr-0         Killing container with id docker://mnsvr-node1:Need to kill Pod
0s          Normal   SuccessfulCreate   statefulset/mnsvr   create Pod mnsvr-0 in StatefulSet mnsvr successful
0s          Normal   Scheduled          pod/mnsvr-0         Successfully assigned staging/mnsvr-0 to ip-192-168-2-243.us-west-2.compute.internal
0s          Normal   Pulled             pod/mnsvr-0         Container image "171421899218.dkr.ecr.us-west-2.amazonaws.com/mnsvr-proxy:0.96" already present on machine
0s          Normal   Created            pod/mnsvr-0         Created container
0s          Normal   Started            pod/mnsvr-0         Started container
0s          Normal   Pulled             pod/mnsvr-0         Container image "171421899218.dkr.ecr.us-west-2.amazonaws.com/mnsvr:1.1" already present on machine
0s          Normal   Created            pod/mnsvr-0         Created container
0s          Normal   Started            pod/mnsvr-0         Started container
0s          Normal   Pulled             pod/mnsvr-0         Container image "171421899218.dkr.ecr.us-west-2.amazonaws.com/mnsvr:1.1" already present on machine
0s          Normal   Created            pod/mnsvr-0         Created container
0s          Normal   Started            pod/mnsvr-0         Started container
0s          Warning   Unhealthy          pod/mnsvr-0         Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s          Warning   Unhealthy          pod/mnsvr-0         Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s          Warning   Unhealthy          pod/mnsvr-0         Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s          Normal    Killing            pod/mnsvr-0         Killing container with id docker://mnsvr-proxy:Container failed liveness probe.. Container will be killed and recreated.
0s          Normal    Pulled             pod/mnsvr-0         Container image "171421899218.dkr.ecr.us-west-2.amazonaws.com/mnsvr-proxy:0.96" already present on machine
0s          Normal    Created            pod/mnsvr-0         Created container
0s          Normal    Started            pod/mnsvr-0         Started container
0s          Warning   Unhealthy          pod/mnsvr-0         Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s          Warning   Unhealthy          pod/mnsvr-0         Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s          Warning   Unhealthy          pod/mnsvr-0         Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s          Normal    Killing            pod/mnsvr-0         Killing container with id docker://mnsvr-proxy:Container failed liveness probe.. Container will be killed and recreated.
0s          Normal    Pulled             pod/mnsvr-0         Container image "171421899218.dkr.ecr.us-west-2.amazonaws.com/mnsvr-proxy:0.96" already present on machine
0s          Normal    Created            pod/mnsvr-0         Created container
0s          Normal    Started            pod/mnsvr-0         Started container
0s          Warning   Unhealthy          pod/mnsvr-0         Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s          Warning   Unhealthy          pod/mnsvr-0         Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s          Warning   BackOff            pod/mnsvr-0         Back-off restarting failed container

host / host.messages-ip-192-168-2-243：

application / mnsvr-proxy：

Answer 1

Kubernetes有两种单独的方法来跟踪Pod的运行状况，一种是在部署期间，另一种是在部署之后。 LivenessProbe是导致Kubernetes用新的Pod替换失败的Pod的原因，但是在应用程序部署期间绝对没有任何作用。另一方面，Kubernetes使用就绪探针来确定Pod是否成功启动。

因此，在您的容器成功运行的情况下，您必须定义readinessProbe。

有时，应用程序暂时无法提供流量。例如，应用程序可能需要在启动过程中加载大数据或配置文件，或者在启动后依赖于外部服务。在这种情况下，您不想杀死应用程序，但也不想发送请求。 Kubernetes提供了准备就绪探针以检测和缓解这些情况。装有报告其容器尚未就绪的容器的容器无法通过Kubernetes Services接收流量。

描述探测的官方kubernetes文档：kubernetes-probes。

以下有用的文章：kubernetes-liveness-and-readiness-probes。

Answer 2

我认为EOF是TLS握手问题的征兆。我目前看到的是相同的。

某些版本的curl可以产生类似的结果。卷曲的一种解决方法似乎是使用-tls-max 1.2 。

我目前的怀疑是客户端（探针）正尝试与服务器协商TLS 1.3，但失败了（可能是由于密码）。我正在尝试查看是否可以将k8s探针配置为使用TLS 1.2。或者，我们可以在服务器端关闭TLS 1.3。就您而言，这是在nginx上。就我而言，我有一个带有JDK 11.0.6的码头9.4服务器。

另一个选择可能是升级k8s。我们似乎在k8s v1.15集群中看到了这种情况，但在k8s v1.16.2集群中却没有看到。但是我不确定这是由于k8s版本还是底层OS库（在我的情况下为CentOS 7）引起的。

livenessprobe因EOF（nginx容器）而失败

2 个答案: