docker - AKS external load balancer not communicating with PODS

Tags docker asp.net-core kubernetes load-balancing azure-aks

I created an ASP.NET Core 2.x application Kestrel image stored in Azure Container Registry, with the certificate stored in Azure Storage and a secret holding the certificate password. I have confirmed that the image runs locally using a self-signed certificate. I have pushed the image to ACR and it is pulled successfully into AKS. When I remote into the pods I am able to curl and see Kestrel respond.

I believe the external load balancer I created in the AKS cluster is not forwarding to my POD. When I call the external IP endpoint it provides, I get a timeout and I don't know why.

I followed the k8s debugging services guide here, but I still don't understand what I am doing wrong:
https://kubernetes.io/docs/tasks/debug-application-cluster/debug-service/

Here is my DockerFile:

FROM microsoft/dotnet:2.2-sdk AS build
WORKDIR /app

# set up node
ENV NODE_VERSION 10.15.1
ENV NODE_DOWNLOAD_SHA ca1dfa9790876409c8d9ecab7b4cdb93e3276cedfc64d56ef1a4ff1778a40214
RUN curl -SL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.gz" --output nodejs.tar.gz \
    && echo "$NODE_DOWNLOAD_SHA nodejs.tar.gz" | sha256sum -c - \
    && tar -xzf "nodejs.tar.gz" -C /usr/local --strip-components=1 \
    && rm nodejs.tar.gz \
    && ln -s /usr/local/bin/node /usr/local/bin/nodejs

# copy and build projects
COPY . .
RUN dotnet restore
RUN dotnet publish -c Release -o out
WORKDIR /app/MyApp


FROM microsoft/dotnet:2.2-aspnetcore-runtime AS runtime
WORKDIR /app
COPY --from=build /app/MyApp/out ./
ENV ASPNETCORE_URLS https://+:443
ENV ASPNETCORE_Kestrel__Certificates__Default__Path /mnt/certs/MyApp.pfx
ENTRYPOINT ["dotnet", "MyApp.dll"]

Here is my deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-website
  labels:
    app: myapp-website
spec:
  replicas: 1
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      app: myapp-website
  template:
    metadata:
      labels:
        app: myapp-website
    spec:
      nodeSelector:
        "beta.kubernetes.io/os": linux
      containers:
      - name: myapp-website
        image: myappdev.azurecr.io/myapp:v1
        ports:
        - containerPort: 443
        env:
        - name: ASPNETCORE_ENVIRONMENT
          value: dev
        - name: ASPNETCORE_Kestrel__Certificates__Default__Password
          valueFrom:
            secretKeyRef:
              name: myapp-secrets
              key: cert-pass
        volumeMounts:
        - name: certs
          mountPath: /mnt/certs
          readOnly: true
      imagePullSecrets:
      - name: docker-reg-credential
      volumes:
      - name: certs
        azureFile:
          secretName: myapp-secrets
          shareName: myapp/certs
          readOnly: true
---
kind: Service
apiVersion: v1
metadata:
  name: myapp-website
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  ports:
  - port: 443
    targetPort: 443
  selector:
    app: myapp-website

Kubectl describe services:
# kubectl describe services
Name:              kubernetes
Namespace:         default
Labels:            component=apiserver
                   provider=kubernetes
Annotations:       <none>
Selector:          <none>
Type:              ClusterIP
IP:                10.0.0.1
Port:              https  443/TCP
TargetPort:        443/TCP
Endpoints:         172.31.3.237:443
Session Affinity:  None
Events:            <none>


Name:                     myapp-website
Namespace:                default
Labels:                   <none>
Annotations:              kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{"service.beta.kubernetes.io/azure-load-balancer-internal":"true"},"name":"myapp-website",...
                          service.beta.kubernetes.io/azure-load-balancer-internal=true
Selector:                 app=myapp-website
Type:                     LoadBalancer
IP:                       10.0.194.20
LoadBalancer Ingress:     10.240.0.7
Port:                     <unset>  443/TCP
TargetPort:               443/TCP
NodePort:                 <unset>  30872/TCP
Endpoints:                10.244.1.53:443
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

kubectl describe pod:
# kubectl describe pods
Name:               myapp-website-9d89dd8b-plvs8
Namespace:          default
Priority:           0
PriorityClassName:  <none>
Node:               aks-agentpool-20448790-1/10.240.0.5
Start Time:         Thu, 04 Jul 2019 23:36:11 -0700
Labels:             app=myapp-website
                    pod-template-hash=9d89dd8b
Annotations:        <none>
Status:             Running
IP:                 10.244.1.43
Controlled By:      ReplicaSet/myapp-website-9d89dd8b
Containers:
  myapp-website:
    Container ID:   docker://fb3c91fe13f74b8e970f786e3cb70e1875c3e2d1d2198ac2e761120dc4655134
    Image:          myappdev.azurecr.io/transimyappapp:v1
    Image ID:       docker-pullable://myappdev.azurecr.io/transimyappapp@sha256:1bb5cb2cae935866e538f231c08ff33188ac4bed94a662a86a3c859da3bb28db
    Port:           443/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Thu, 04 Jul 2019 23:36:12 -0700
    Ready:          True
    Restart Count:  0
    Environment:
      ASPNETCORE_ENVIRONMENT:                               dev
      ASPNETCORE_Kestrel__Certificates__Default__Password:  <set to the key 'cert-pass' in secret 'myapp-secrets'>  Optional: false
      KUBERNETES_PORT_443_TCP_ADDR:                         aks-tso-dev-dns-1b650af7.hcp.canadacentral.azmk8s.io
      KUBERNETES_PORT:                                      tcp://aks-tso-dev-dns-1b650af7.hcp.canadacentral.azmk8s.io:443
      KUBERNETES_PORT_443_TCP:                              tcp://aks-tso-dev-dns-1b650af7.hcp.canadacentral.azmk8s.io:443
      KUBERNETES_SERVICE_HOST:                              aks-tso-dev-dns-1b650af7.hcp.canadacentral.azmk8s.io
    Mounts:
      /mnt/certs from certs (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-fs8sn (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  certs:
    Type:        AzureFile (an Azure File Service mount on the host and bind mount to the pod)
    SecretName:  myapp-secrets
    ShareName:   myapp/certs
    ReadOnly:    true
  default-token-fs8sn:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-fs8sn
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  beta.kubernetes.io/os=linux
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:          <none>

Get endpoints:
# kubectl get endpoints myapp-website
NAME           ENDPOINTS         AGE
myapp-website   10.244.1.43:443   12h

Remote into the pod to make sure the service responds.
root@myapp-website-9d89dd8b-plvs8:/app# nslookup myapp-website
Server:         10.0.0.10
Address:        10.0.0.10#53

Name:   myapp-website.default.svc.cluster.local
Address: 10.0.194.20

curl -k https://10.0.194.20
# kubectl exec -it myapp-website-9d89dd8b-plvs8 /bin/bash
root@myapp-website-9d89dd8b-plvs8:/app# curl
curl: try 'curl --help' or 'curl --manual' for more information
root@myapp-website-9d89dd8b-plvs8:/app# curl -k https://10.0.194.20


<!DOCTYPE html>
<html>... continues

This is probably something simple, but I can't seem to figure it out. Going on 1.5 weeks of trying to get this working. Please help, and thanks in advance for any assistance.

Best answer

You have this annotation:

annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"

This basically says to expose this service on the Kubernetes internal network, not externally. Remove this annotation and it should work (everything else appears to be configured correctly).

Regarding docker - AKS external load balancer not communicating with PODS, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/56908417/
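As an added example (not part of the question or the answer), the following Python script turns the diagnosis into a repeatable pre-flight check over a Service/Deployment pair. The manifests are re-typed here as plain dicts mirroring the YAML in the question; the checks follow the steps of the debug-service guide the question links (exposure scope of the load balancer, selector vs. pod labels, targetPort vs. containerPort), and `ingress_is_private` confirms the symptom seen in `kubectl describe`: a `LoadBalancer Ingress` of 10.240.0.7 is a private VNet address, which is exactly what the internal-LB annotation produces. Function names and the finding codes are this example's own.

```python
import copy
import ipaddress

INTERNAL_LB_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-internal"

# Constructed dict copies of the question's Service and Deployment manifests
# (same name, labels, ports and annotation as the YAML in the question).
SERVICE_AS_POSTED = {
    "kind": "Service",
    "metadata": {
        "name": "myapp-website",
        "annotations": {INTERNAL_LB_ANNOTATION: "true"},
    },
    "spec": {
        "type": "LoadBalancer",
        "ports": [{"port": 443, "targetPort": 443}],
        "selector": {"app": "myapp-website"},
    },
}

DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {
        "template": {
            "metadata": {"labels": {"app": "myapp-website"}},
            "spec": {
                "containers": [
                    {"name": "myapp-website", "ports": [{"containerPort": 443}]}
                ]
            },
        }
    },
}


def lint_service(service, deployment):
    """Return a list of (code, detail) findings for a Service/Deployment pair.

    Mirrors the debug-service guide: where is the load balancer reachable
    from, does the selector match the pod template labels, and does every
    targetPort (numeric or named) exist on some container.
    """
    findings = []
    spec = service.get("spec", {})
    annotations = service.get("metadata", {}).get("annotations") or {}
    template = deployment["spec"]["template"]
    pod_labels = template["metadata"].get("labels", {})
    containers = template["spec"].get("containers", [])
    numeric_ports = {p["containerPort"] for c in containers for p in c.get("ports", [])}
    named_ports = {p["name"] for c in containers for p in c.get("ports", []) if "name" in p}

    # 1. Exposure scope: the Azure annotation provisions a private-IP (VNet-only)
    #    frontend, so callers outside the VNet time out, as in the question.
    if spec.get("type") == "LoadBalancer":
        if str(annotations.get(INTERNAL_LB_ANNOTATION, "")).lower() == "true":
            findings.append(("INTERNAL_LB", "LoadBalancer is VNet-internal; unreachable from the Internet"))
        else:
            findings.append(("PUBLIC_LB", "LoadBalancer is provisioned with a public frontend IP"))

    # 2. The selector must match the pod template labels or Endpoints stays empty.
    selector = spec.get("selector") or {}
    if not selector:
        findings.append(("NO_SELECTOR", "Service has no selector; Endpoints must be managed by hand"))
    else:
        bad = {k: v for k, v in selector.items() if pod_labels.get(k) != v}
        if bad:
            findings.append(("SELECTOR_MISMATCH", f"selector {bad} does not match pod labels {pod_labels}"))

    # 3. Each targetPort must correspond to a containerPort (by number or by name).
    for port in spec.get("ports", []):
        target = port.get("targetPort", port.get("port"))
        if isinstance(target, int) and target not in numeric_ports:
            findings.append(("TARGETPORT_NOT_EXPOSED", f"targetPort {target} is not a containerPort"))
        elif isinstance(target, str) and target not in named_ports:
            findings.append(("TARGETPORT_NOT_EXPOSED", f"named targetPort {target!r} not found on any container"))
    return findings


def make_external(service):
    """Apply the accepted answer's fix: return a copy without the internal-LB annotation."""
    fixed = copy.deepcopy(service)
    annotations = fixed.get("metadata", {}).get("annotations")
    if annotations:
        annotations.pop(INTERNAL_LB_ANNOTATION, None)
    return fixed


def ingress_is_private(ip):
    """True when a 'LoadBalancer Ingress' address is non-routable (RFC 1918 etc.),
    i.e. the frontend was provisioned as internal (10.240.0.7 in the question)."""
    return ipaddress.ip_address(ip).is_private


if __name__ == "__main__":
    for code, detail in lint_service(SERVICE_AS_POSTED, DEPLOYMENT):
        print(f"{code}: {detail}")
    for code, detail in lint_service(make_external(SERVICE_AS_POSTED), DEPLOYMENT):
        print(f"after fix -> {code}: {detail}")
    print("ingress 10.240.0.7 is private:", ingress_is_private("10.240.0.7"))
```

Run as-is it reports `INTERNAL_LB` for the posted Service and `PUBLIC_LB` once the annotation is dropped, with no selector or port findings, which matches the answer's "everything else is configured correctly". The `PUBLIC_LB` line is deliberately a finding rather than silence: removing the annotation is the fix the author wants, but it also changes the service's exposure from VNet-only to Internet-facing, so the scope should be a conscious choice recorded in review.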
