
I'm having trouble accessing a NodePort service on a Kubernetes cluster.

Goal

Set up the ALB ingress controller so that I can use websockets and http/2

Set up a NodePort service as required by that controller

Steps taken

Previously created a Kops (version 1.6.2) cluster on AWS eu-west-1. Added the kops addon for the nginx ingress along with Kube-lego. The ELB ingress works fine.

Set up the ALB ingress controller with custom AWS keys, using the IAM profile specified by the project.

Changed the service type from LoadBalancer to NodePort using kubectl replace --force

> kubectl describe svc my-nodeport-service
Name:                   my-node-port-service
Namespace:              default
Labels:                 <none>
Selector:               service=my-selector
Type:                   NodePort
IP:                     100.71.211.249
Port:                   <unset> 80/TCP
NodePort:               <unset> 30176/TCP
Endpoints:              100.96.2.11:3000
Session Affinity:       None
Events:                 <none>

> kubectl describe pods my-nodeport-pod
Name:           my-nodeport-pod
Node:           <ip>.eu-west-1.compute.internal/<ip>
Labels:         service=my-selector
Status:         Running
IP:             100.96.2.11
Containers:
  update-center:
    Port:               3000/TCP
    Ready:              True
    Restart Count:      0

(ssh into node)
$ sudo netstat -nap | grep 30176
tcp6       0      0 :::30176                :::*                    LISTEN      2093/kube-proxy

Result

curl from the ALB hangs

curl to <public ip address of all nodes>:<node port for service> hangs

Expected

curl from the ALB and directly to the node: the node port should return 200 "Ok" (the service's http response for the root path)

Update: Issues created on github referencing above with some further details in some cases:


2 Answers


By default Kops does not configure the EC2 instances to allow NodePort traffic from outside.

In order for traffic outside of the cluster to reach the NodePort you must edit the configuration for your EC2 instances that are your Kubernetes nodes in the EC2 Console on AWS.

Once in the EC2 console click "Security groups." Kops should have annotated the original Security groups that it made for your cluster as nodes.<your cluster name> and master.<your cluster name>

We need to modify these Security Groups to forward traffic from the default port range for NodePorts to the instances.

Click on the security group, click on rules and add the following rule.

Port range to open on the nodes and master: 30000-32767

[image: security group rule]

This will allow anyone on the internet to access a NodePort on your cluster, so make sure you want these exposed.

Alternatively, instead of allowing it from any origin, you can allow it only from the security group created for the ALB by the alb-ingress-controller. However, since these can be re-created, it will likely be necessary to modify the rule on modifications to the kubernetes service. I suggest specifying the NodePort explicitly so it is a predetermined, known NodePort rather than a randomly assigned one.

answered 2017-08-08T07:26:09.190
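A scripted version of the two recommendations in this answer (pin the NodePort, then open only that port on the worker-node security group with the ALB's security group as the source rather than 0.0.0.0/0). This is an added example, not code from the answer's author or from Kops or the alb-ingress-controller. It assumes the AWS CLI is installed and authenticated; the security-group ids, the DRY_RUN switch and the function names are placeholders I made up, and 30176 is simply the port the question's service was assigned.

```shell
#!/bin/sh
# Added example; not code from the question or the answers above.
# Assumed placeholders (not from the page): the sg-... ids passed in,
# the DRY_RUN switch, and the function names.
set -eu

NODEPORT_MIN=30000   # default Kubernetes NodePort range
NODEPORT_MAX=32767

# Return 0 when $1 is a number inside the default NodePort range, 1 otherwise.
nodeport_in_range() {
  port="$1"
  case "$port" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$port" -ge "$NODEPORT_MIN" ] && [ "$port" -le "$NODEPORT_MAX" ]
}

# Emit a Service manifest with nodePort pinned, so the security-group rule
# can target one known port instead of whatever was randomly assigned.
# Args: name selector-label port targetPort nodePort
service_manifest() {
  name="$1"; selector="$2"; port="$3"; target="$4"; nodeport="$5"
  if ! nodeport_in_range "$nodeport"; then
    echo "nodePort $nodeport is outside ${NODEPORT_MIN}-${NODEPORT_MAX}" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: ${name}
spec:
  type: NodePort
  selector:
    service: ${selector}
  ports:
  - port: ${port}
    targetPort: ${target}
    nodePort: ${nodeport}
EOF
}

# Open exactly one TCP port on the worker-node security group, with the
# ALB's security group as the source, so only the load balancer (not the
# whole internet) can reach the NodePort. With DRY_RUN=1 the aws command
# is printed instead of executed.
# Args: node-sg-id alb-sg-id nodePort
open_nodeport() {
  node_sg="$1"; alb_sg="$2"; nodeport="$3"
  nodeport_in_range "$nodeport" || return 1
  set -- aws ec2 authorize-security-group-ingress \
    --group-id "$node_sg" --protocol tcp --port "$nodeport" \
    --source-group "$alb_sg"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Usage (ids below are placeholders; take the real ones from the EC2 console
# or `aws ec2 describe-security-groups`):
#   service_manifest my-nodeport-service my-selector 80 3000 30176 | kubectl apply -f -
#   DRY_RUN=1 open_nodeport sg-0123456789abcdef0 sg-0fedcba9876543210 30176
```

Because the rule is tied to a pinned port and a security-group source, re-creating the ALB only requires re-running open_nodeport with the new ALB security-group id; the node side does not change.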

The master's SG does not need the nodeport range opened in order to make : work.

So only the Worker's SG needs to open the port range.

answered 2019-02-23T15:32:40.917