问题:

带有ALB Ingress控制器的Terraform AWS Kubernetes(EKS)资源不会创建负载均衡器

姬承教
2023-03-14

我一直在尝试使用Terraform在AWS上创建一个带有自管理节点的EKS集群,但我无法让我的Kubernetes Ingress创建负载均衡器。没有报错,只是负载均衡器没有被创建,资源最终超时。

我确实先在账户中手动创建了一个负载均衡器,并确认负载均衡器的角色已经存在。我的Terraform代码运行时会访问策略AWSElasticLoadBalancingServiceRolePolicy。

我的代码主要参考了这篇教程。

tfvars 文件:

// Region the cluster runs in; also handed to the controller as --aws-region.
aws_region     = "ap-southeast-1"
// Domain used to look up an ISSUED ACM certificate; the wildcard presumably has to cover the ingress hosts — confirm.
domain         = "*.mydomain.com"
// Passed to the controller as --cluster-name; must match the EKS cluster it runs in.
cluster_name   = "my-tf-eks-cluster"
// Passed to the controller as --aws-vpc-id.
vpc_id         = "vpc-0d7700e26db6b3e21"
// Comma-separated string handed verbatim to the alb.ingress.kubernetes.io/subnets annotation.
// NOTE(review): for an internet-facing ALB these should be the gateway (public) subnets, not the
// application subnets — that is the fix given in the first answer. Also confirm the controller
// tolerates the space after each comma.
app_subnet_ids = "subnet-03c1e8c57110c92e0, subnet-0413e8bf24cb32595, subnet-047dcce0b810f0fbd"
// gateway subnet IDs

Terraform 代码:

terraform {
  # NOTE(review): empty today; the only provider constraint is the `version` inside the
  # aws provider block below. Pinning provider versions (and required_version) here keeps
  # runs reproducible — confirm the Terraform version in use before moving it.
}

# AWS provider: region is taken from tfvars; the version is held to the 2.x series at or above 2.8.
provider "aws" {
  version = "~> 2.8"
  region  = var.aws_region
}

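# Looks up the issued ACM certificate that the ingress attaches to its HTTPS listener.
data "aws_acm_certificate" "default" {
  domain      = var.domain
  statuses    = ["ISSUED"]
  # Without this the lookup fails as soon as a second ISSUED certificate exists for the
  # same domain (e.g. after a re-issue); selecting the newest keeps the plan deterministic.
  most_recent = true
}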

# Identity the ALB ingress controller pod runs as; the cluster role binding below grants it its rights.
resource "kubernetes_service_account" "alb-ingress" {
  automount_service_account_token = true

  metadata {
    namespace = "kube-system"
    name      = "alb-ingress-controller"
    labels = {
      "app.kubernetes.io/name" = "alb-ingress-controller"
    }
  }
}

# Cluster-wide permissions for the ALB ingress controller.
resource "kubernetes_cluster_role" "alb-ingress" {
  metadata {
    labels = {
      "app.kubernetes.io/name" = "alb-ingress-controller"
    }
    name = "alb-ingress-controller"
  }

  # Objects the controller writes: ingress status, endpoints/services bookkeeping and events.
  rule {
    verbs      = ["create", "get", "list", "update", "watch", "patch"]
    api_groups = ["", "extensions"]
    resources  = ["configmaps", "endpoints", "events", "ingresses", "ingresses/status", "services"]
  }

  # Read-only discovery. Note this grants get/list/watch on secrets in every namespace,
  # so compromise of the controller pod exposes all cluster secrets.
  rule {
    verbs      = ["get", "list", "watch"]
    api_groups = ["", "extensions"]
    resources  = ["nodes", "pods", "secrets", "services", "namespaces"]
  }
}

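# Binds the controller's service account to the cluster role above.
resource "kubernetes_cluster_role_binding" "alb-ingress" {
  metadata {
    name = "alb-ingress-controller"
    labels = {
      "app.kubernetes.io/name" = "alb-ingress-controller"
    }
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    # Reference the role resource instead of repeating the literal: Terraform then creates
    # the binding after the role, and a rename cannot leave it pointing at a missing role.
    name      = kubernetes_cluster_role.alb-ingress.metadata[0].name
  }

  subject {
    kind      = "ServiceAccount"
    # Same reasoning: take name and namespace from the service account resource.
    name      = kubernetes_service_account.alb-ingress.metadata[0].name
    namespace = kubernetes_service_account.alb-ingress.metadata[0].namespace
  }
}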



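# The ALB ingress controller itself: it turns Ingress objects of class "alb" into ALBs.
# No AWS credentials are configured here, so the controller presumably relies on the node
# instance role's IAM policy — confirm; without those rights it creates no ALB.
resource "kubernetes_deployment" "alb-ingress" {
  metadata {
    name      = "alb-ingress-controller"
    namespace = "kube-system"
    labels = {
      "app.kubernetes.io/name" = "alb-ingress-controller"
    }
  }

  spec {
    selector {
      match_labels = {
        "app.kubernetes.io/name" = "alb-ingress-controller"
      }
    }

    template {
      metadata {
        labels = {
          "app.kubernetes.io/name" = "alb-ingress-controller"
        }
      }
      spec {
        # The service-account token is mounted explicitly; presumably because the provider's
        # pod template does not automount it — confirm before removing this volume.
        volume {
          name = kubernetes_service_account.alb-ingress.default_secret_name
          secret {
            secret_name = kubernetes_service_account.alb-ingress.default_secret_name
          }
        }
        container {
          # This is where you change the version when Amazon comes out with a new version of the ingress controller.
          # The image is pinned by a mutable tag only; pinning by digest (image@sha256:<DIGEST>)
          # makes the pull immutable and reviewable.
          image = "docker.io/amazon/aws-alb-ingress-controller:v1.1.8"
          name  = "alb-ingress-controller"
          args = [
            "--ingress-class=alb",
            "--cluster-name=${var.cluster_name}",
            "--aws-vpc-id=${var.vpc_id}",
            "--aws-region=${var.aws_region}"
          ]
          volume_mount {
            name       = kubernetes_service_account.alb-ingress.default_secret_name
            mount_path = "/var/run/secrets/kubernetes.io/serviceaccount"
            read_only  = true
          }
        }

        # Reference the service-account resource rather than repeating its name, so the
        # deployment is created after the account and cannot drift from it.
        service_account_name = kubernetes_service_account.alb-ingress.metadata[0].name
      }
    }
  }
}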


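# Internet-facing ALB fronting two hosts. Every HTTP request is redirected to HTTPS by the
# ssl-redirect action, then routed by path to the backend services.
resource "kubernetes_ingress" "main" {
  metadata {
    name = "main-ingress"
    annotations = {
      "alb.ingress.kubernetes.io/scheme" = "internet-facing"
      "kubernetes.io/ingress.class" = "alb"
      # NOTE(review): an internet-facing ALB needs the gateway (public) subnets here; the first
      # answer reports that pointing this at the application subnets was the cause of the timeout.
      # Bare references replace the "${...}"-only strings, which Terraform 0.12 warns about.
      "alb.ingress.kubernetes.io/subnets" = var.app_subnet_ids
      "alb.ingress.kubernetes.io/certificate-arn" = data.aws_acm_certificate.default.arn
      "alb.ingress.kubernetes.io/listen-ports" = <<JSON
[
  {"HTTP": 80},
  {"HTTPS": 443}
]
JSON
      # Action referenced by the "ssl-redirect" backend with service_port "use-annotation".
      "alb.ingress.kubernetes.io/actions.ssl-redirect" = <<JSON
{
  "Type": "redirect",
  "RedirectConfig": {
    "Protocol": "HTTPS",
    "Port": "443",
    "StatusCode": "HTTP_301"
  }
}
JSON
    }
  }

  spec {
    rule {
      host = "app.xactpos.com"
      http {
        # The redirect path is listed first so it takes precedence for plain-HTTP traffic.
        path {
          backend {
            service_name = "ssl-redirect"
            service_port = "use-annotation"
          }
          path = "/*"
        }
        path {
          backend {
            service_name = "app-service1"
            service_port = 80
          }
          path = "/service1"
        }
        path {
          backend {
            service_name = "app-service2"
            service_port = 80
          }
          path = "/service2"
        }
      }
    }

    rule {
      host = "api.xactpos.com"
      http {
        path {
          backend {
            service_name = "ssl-redirect"
            service_port = "use-annotation"
          }
          path = "/*"
        }
        path {
          backend {
            service_name = "api-service1"
            service_port = 80
          }
          path = "/service3"
        }
        path {
          backend {
            service_name = "api-service2"
            service_port = 80
          }
          path = "/service4"
        }
      }
    }
  }

  # Blocks the apply until the ingress reports a load-balancer address; this is the wait that
  # times out when the controller never provisions the ALB, so check the controller logs first.
  wait_for_load_balancer = true
}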

共有2个答案

白永昌
2023-03-14

我让kubernetes入口指向应用程序子网而不是网关子网。我认为这就是问题所在。

慕铭
2023-03-14

我绝不是K8s专家,但我浏览了Terraform代码,我认为唯一可能帮助您调试的选项是kubernetes_ingress资源中的wait_for_load_balancer。文档中说:

Terraform will wait for the load balancer to have at least 1 endpoint before considering the resource created.

在这种情况下,输出可能会更清楚(如果创建由于某种原因失败),或者您可能会发现它为什么不创建LB。
