
Comments (18)

vvbogdanov87 avatar vvbogdanov87 commented on August 17, 2024 10

Kubernetes 1.14 uses SSL health checks for ELBs when the backend protocol is SSL/HTTPS.
But for the health check ping target, k8s selects the first port in the listeners list:
https://github.com/2rs2ts/kubernetes/blob/72895a84a9670d6f6f8921681c5bbe4b2745319e/pkg/cloudprovider/providers/aws/aws.go#L3602
Without the annotation described above, you MUST set the https/SSL port to be first in spec.ports.
I had a service spec:

apiVersion: v1
kind: Service
metadata:
  name: myapp
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
spec:
  type: LoadBalancer
  selector:
    app: myapp
  ports:
    - name: http
      protocol: TCP
      port: 80
    - name: https
      protocol: TCP
      port: 443

After I upgraded to k8s 1.14 I got OutOfService for all instances in AWS LB. I had to change the spec to

  ports:
    - name: https
      protocol: TCP
      port: 443
    - name: http
      protocol: TCP
      port: 80

from cloud-provider-aws.
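A pre-upgrade check for the condition described in the comment above, as an added example that is not part of the original thread or of the cloud provider's code. It models only the behaviour stated there (SSL health check aimed at the first entry of spec.ports) and assumes a port not selected by ssl-ports serves plaintext on the backend; the `Port` type and `CheckHealthTarget` function are hypothetical names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Annotation keys copied from the Service spec quoted in the comment above.
const (
	annSSLPorts     = "service.beta.kubernetes.io/aws-load-balancer-ssl-ports"
	annBackendProto = "service.beta.kubernetes.io/aws-load-balancer-backend-protocol"
)

// Port is one spec.ports entry (hypothetical type for this example).
type Port struct {
	Name string
	Port int
}

// isSSLPort: ssl-ports is a comma-separated list of port names or numbers;
// unset or "*" selects every port.
func isSSLPort(sslPorts string, p Port) bool {
	if sslPorts == "" || sslPorts == "*" {
		return true
	}
	for _, item := range strings.Split(sslPorts, ",") {
		if item = strings.TrimSpace(item); item != "" && (item == p.Name || item == strconv.Itoa(p.Port)) {
			return true
		}
	}
	return false
}

// CheckHealthTarget returns a finding when the backend protocol is https/ssl but
// the first port is not an SSL port (assumed here to serve plaintext).
func CheckHealthTarget(ann map[string]string, ports []Port) string {
	proto := strings.ToLower(ann[annBackendProto])
	if len(ports) == 0 || (proto != "https" && proto != "ssl") || isSSLPort(ann[annSSLPorts], ports[0]) {
		return ""
	}
	return fmt.Sprintf("SSL health check targets %q (port %d), not an SSL port", ports[0].Name, ports[0].Port)
}

func main() {
	// Constructed input mirroring the two port orders shown in the comment.
	ann := map[string]string{annSSLPorts: "https", annBackendProto: "https"}
	fmt.Println(CheckHealthTarget(ann, []Port{{"http", 80}, {"https", 443}})) // original order
	fmt.Println(CheckHealthTarget(ann, []Port{{"https", 443}, {"http", 80}})) // reordered
}
```

A non-empty result means the port order should be changed before upgrading, as the commenter did.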

steerben avatar steerben commented on August 17, 2024 8

I think that is indeed a very valuable feature.

Consider the following use case:

HTTPS (ELB - ACM SSL termination) -> HTTPS (Worker Self signed SSL termination)

In that case the health check also turns into HTTPS. However, most health check endpoints run on separate ports and do not support SSL termination (e.g. the one of the Istio ingress gateway), which renders the mentioned use case not feasible at the moment.


2rs2ts avatar 2rs2ts commented on August 17, 2024 2

/remove-lifecycle rotten


fejta-bot avatar fejta-bot commented on August 17, 2024

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale


nicolasbelanger avatar nicolasbelanger commented on August 17, 2024

Got burned by this too today. Consequence: no more ingress, useless cluster. We're using Ambassador as the gateway, and the default values for the service are exactly as @vvbogdanov87 described above: http first, https second. The SSL ping target was done on the http port, which failed.


2rs2ts avatar 2rs2ts commented on August 17, 2024

Use case 2 in the original post is pretty common at my company, so I'd love to have this. We do not use the standalone provider at my company, though, so I don't think that, even if I could find the time to implement this, I would know how to test it.


afnanenayet avatar afnanenayet commented on August 17, 2024

We ran into this today as well at my company. I believe that in GKE the health check from the deployment propagates to the Google Cloud ELB, so you don't even need to set annotations if you want parity between the external load balancer and your internal kube service.


fejta-bot avatar fejta-bot commented on August 17, 2024

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten


fejta-bot avatar fejta-bot commented on August 17, 2024

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale


bordeuax avatar bordeuax commented on August 17, 2024

/remove-lifecycle stale


fejta-bot avatar fejta-bot commented on August 17, 2024

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale


bordeuax avatar bordeuax commented on August 17, 2024

/remove-lifecycle stale


fejta-bot avatar fejta-bot commented on August 17, 2024

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten


bordeuax avatar bordeuax commented on August 17, 2024

/remove-lifecycle rotten


kishorj avatar kishorj commented on August 17, 2024

Support is available for specifying the https protocol for the NLB instance mode health check via the annotation service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol (kubernetes/kubernetes#92321). The fix will be included in 1.20.

NLB IP mode also supports the annotation, and is available in the AWS Load Balancer controller.


fejta-bot avatar fejta-bot commented on August 17, 2024

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale


nckturner avatar nckturner commented on August 17, 2024

/close

Ref:
kubernetes/kubernetes#92321
kubernetes/kubernetes#94546

This fix is included in the external cloud controller manager (this repository) as well.


k8s-ci-robot avatar k8s-ci-robot commented on August 17, 2024

@nckturner: Closing this issue.

In response to this:

/close

Ref:
kubernetes/kubernetes#92321
kubernetes/kubernetes#94546

This fix is included in the external cloud controller manager (this repository) as well.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

