Enabling an HTTPS load balancer with IAP / security policy using GKE Ingress

Question (votes: 1, answers: 1)

I have an application that uses GKE Ingress (master version 1.10.6-gke.2) as its load balancer. Recently, GKE started supporting declaring IAP support through a BackendConfig. I followed the documentation in [1] and [2]. However, GKE now seems to hang while creating my Ingress.

Below is the yaml for my service, ingress and backendconfig.

kubectl -n randall-test-1 get svc,ing,backendconfig -o yaml

apiVersion: v1
items:
- apiVersion: v1
  kind: Service
  metadata:
    annotations:
      beta.cloud.google.com/backend-config: '{"default": "airflow-backend-config"}'
      service.alpha.kubernetes.io/app-protocols: '{"web":"HTTPS"}'
    creationTimestamp: 2018-09-10T19:23:13Z
    name: airflow
    namespace: randall-test-1
    resourceVersion: "2155724"
    selfLink: /api/v1/namespaces/randall-test-1/services/airflow
    uid: X-X-X-X-X
  spec:
    clusterIP: X.X.X.X
    externalTrafficPolicy: Cluster
    ports:
    - name: web
      nodePort: 30099
      port: 8080
      protocol: TCP
      targetPort: web
    selector:
      app: airflow
    sessionAffinity: None
    type: NodePort
  status:
    loadBalancer: {}
- apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.allow-http: "false"
    creationTimestamp: 2018-09-10T19:23:13Z
    generation: 1
    name: airflow
    namespace: randall-test-1
    resourceVersion: "2155721"
    selfLink: /apis/extensions/v1beta1/namespaces/randall-test-1/ingresses/airflow
    uid: X-X-X-X-X
  spec:
    backend:
      serviceName: airflow
      servicePort: 8080
    tls:
    - secretName: tls
  status:
    loadBalancer: {}
- apiVersion: cloud.google.com/v1beta1
  kind: BackendConfig
  metadata:
    clusterName: ""
    creationTimestamp: 2018-09-10T19:23:13Z
    generation: 1
    name: airflow-backend-config
    namespace: randall-test-1
    resourceVersion: "2155728"
    selfLink: /apis/cloud.google.com/v1beta1/namespaces/randall-test-1/backendconfigs/airflow-backend-config
    uid: X-X-X-X-X
  spec:
    iap:
      enabled: true
      oauthclientCredentials:
        secretName: oauth2
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

The hang leaves me with no insight into what is going on.

cluster@master0:~/kube-config$ kubectl -n randall-test-1 describe ing
Name:             airflow
Namespace:        randall-test-1
Address:
Default backend:  airflow:8080 (X.X.X.X:8080)
TLS:
  tls terminates
Rules:
  Host  Path  Backends
  ----  ----  --------
  *     *     airflow:8080 (X.X.X.X:8080)
Annotations:
Events:
  Type    Reason  Age   From                     Message
  ----    ------  ----  ----                     -------
  Normal  ADD     6m    loadbalancer-controller  randall-test-1/airflow

But in the GKE console I just see "Creating ingress" as the status, for over 20 minutes now, with no resolution. I also checked my Load Balancers in the console and see nothing there.

Any ideas what is going on, or what else I can check?

I also tried doing this with securityPolicy, which is supposed to attach a Cloud Armor policy to the Load Balancer. That did not work either, with a similar hang.

[1] https://cloud.google.com/iap/docs/enabling-kubernetes-howto

[2] https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig

Note: cross-posted at https://github.com/kubernetes/ingress-gce/issues/469

Tags: kubernetes, google-kubernetes-engine
1 answer

0 votes

We have received a few similar cases over the past few days. There seems to be a problem with the permissions of the default GKE service account.

Could you try adding the following permissions:

  • clientauthconfig.clients.update
  • clientauthconfig.clients.get
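Before chasing IAM, it is worth confirming that the objects in the question actually reference each other correctly, since a BackendConfig or secret name that does not resolve also leaves the Ingress sitting in "Creating". The script below is an added example, not code from the question or from ingress-gce: it reads the JSON that `kubectl get svc,ing,backendconfig,secret -o json` prints and checks the cross-references (Service annotation to BackendConfig, BackendConfig to OAuth secret, Ingress to Service port and TLS secret), and it reports which of the two permissions named in the answer a given role permission list lacks. It assumes the OAuth secret carries the `client_id` and `client_secret` keys from the IAP how-to in [1], that the backing Service must be of type NodePort (or LoadBalancer) for the GKE Ingress controller, and it runs on a constructed sample modelled on the manifests above rather than on a live cluster.

```python
"""Pre-flight lint for GKE Ingress + BackendConfig (IAP / Cloud Armor) wiring.
Added example, not from the question or from ingress-gce: reads the JSON of
`kubectl get svc,ing,backendconfig,secret -o json` and checks cross-references."""
import copy
import json
import sys

BACKEND_CONFIG_ANNOTATION = "beta.cloud.google.com/backend-config"
APP_PROTOCOLS_ANNOTATION = "service.alpha.kubernetes.io/app-protocols"
IAP_SECRET_KEYS = {"client_id", "client_secret"}  # key names used in the IAP how-to
REQUIRED_IAM_PERMISSIONS = {  # the two permissions named in the answer above
    "clientauthconfig.clients.get", "clientauthconfig.clients.update"}

# Constructed sample modelled on the manifests in the question, plus the two
# secrets they reference so the wiring is complete. Only linted fields are kept.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Service", "metadata": {"name": "airflow", "annotations": {
        BACKEND_CONFIG_ANNOTATION: '{"default": "airflow-backend-config"}',
        APP_PROTOCOLS_ANNOTATION: '{"web":"HTTPS"}'}},
     "spec": {"type": "NodePort", "ports": [
         {"name": "web", "port": 8080, "targetPort": "web", "nodePort": 30099}]}},
    {"kind": "Ingress", "metadata": {"name": "airflow", "annotations": {
        "kubernetes.io/ingress.allow-http": "false"}},
     "spec": {"backend": {"serviceName": "airflow", "servicePort": 8080},
              "tls": [{"secretName": "tls"}]}},
    {"kind": "BackendConfig", "metadata": {"name": "airflow-backend-config"},
     "spec": {"iap": {"enabled": True, "oauthclientCredentials": {"secretName": "oauth2"}}}},
    {"kind": "Secret", "metadata": {"name": "tls"}, "type": "kubernetes.io/tls",
     "data": {"tls.crt": "LS0t", "tls.key": "LS0t"}},
    {"kind": "Secret", "metadata": {"name": "oauth2"},
     "data": {"client_id": "eHh4", "client_secret": "eXl5"}},
]}


def without(kube_list, kind, name):
    """Copy of the list minus one object, to simulate a missing resource."""
    out = copy.deepcopy(kube_list)
    out["items"] = [i for i in out["items"]
                    if not (i["kind"] == kind and i["metadata"]["name"] == name)]
    return out


def lint(kube_list):
    """Return problem strings; an empty list means every reference resolves."""
    by_kind = {}
    for item in kube_list["items"]:
        by_kind.setdefault(item["kind"], {})[item["metadata"]["name"]] = item
    services = by_kind.get("Service", {})
    bcs = by_kind.get("BackendConfig", {})
    secrets = by_kind.get("Secret", {})
    problems = []

    for name, ing in by_kind.get("Ingress", {}).items():
        ann = ing["metadata"].get("annotations", {})
        tls = ing["spec"].get("tls", [])
        if ann.get("kubernetes.io/ingress.allow-http") == "false" and not tls:
            problems.append(f"ingress/{name}: allow-http=false but spec.tls is empty")
        for entry in tls:
            if entry.get("secretName") not in secrets:
                problems.append(f"ingress/{name}: TLS secret {entry.get('secretName')!r} does not exist")
        backend = ing["spec"].get("backend")
        if backend is None:
            continue
        svc = services.get(backend["serviceName"])
        if svc is None:
            problems.append(f"ingress/{name}: backend service {backend['serviceName']!r} does not exist")
            continue
        ports = svc["spec"]["ports"]
        if backend["servicePort"] not in {p["port"] for p in ports} | {p.get("name") for p in ports}:
            problems.append(f"ingress/{name}: servicePort {backend['servicePort']!r} is not a port of the service")
        if svc["spec"].get("type") not in ("NodePort", "LoadBalancer"):
            problems.append(f"service/{backend['serviceName']}: GKE Ingress needs NodePort, got {svc['spec'].get('type')!r}")

    for name, svc in services.items():
        ann = svc["metadata"].get("annotations", {})
        port_names = {p.get("name") for p in svc["spec"]["ports"]}
        if BACKEND_CONFIG_ANNOTATION in ann:
            ref = json.loads(ann[BACKEND_CONFIG_ANNOTATION])  # {"default": ..., "ports": {...}}
            for bc in ([ref["default"]] if "default" in ref else []) + list(ref.get("ports", {}).values()):
                if bc not in bcs:
                    problems.append(f"service/{name}: BackendConfig {bc!r} does not exist")
        if APP_PROTOCOLS_ANNOTATION in ann:
            for port in json.loads(ann[APP_PROTOCOLS_ANNOTATION]):
                if port not in port_names:
                    problems.append(f"service/{name}: app-protocols names unknown port {port!r}")

    for name, bc in bcs.items():
        iap = bc["spec"].get("iap", {})
        if iap.get("enabled"):
            secret_name = iap.get("oauthclientCredentials", {}).get("secretName")
            secret = secrets.get(secret_name)
            if secret is None:
                problems.append(f"backendconfig/{name}: IAP OAuth secret {secret_name!r} does not exist")
            elif not IAP_SECRET_KEYS <= set(secret.get("data", {})):
                problems.append(f"backendconfig/{name}: secret {secret_name!r} lacks client_id/client_secret")
        policy = bc["spec"].get("securityPolicy")
        if policy is not None and not policy.get("name"):
            problems.append(f"backendconfig/{name}: securityPolicy has no name")
    return problems


def missing_permissions(granted):
    """Permissions from the answer that a role's permission list does not grant."""
    return sorted(REQUIRED_IAM_PERMISSIONS - set(granted))


if __name__ == "__main__":  # usage: python lint.py [kubectl-get-o-json-file]
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(lint(data) or ["ok: all references resolve"]))
```

The lint only sees Kubernetes objects: it cannot tell whether the node service account holds the permissions the answer names (feed the permission list of the bound roles, for example the `includedPermissions` from `gcloud iam roles describe`, to `missing_permissions`), and it does not verify that the pods really speak the protocol `app-protocols` declares, which only shows up later as unhealthy backends once the load balancer exists.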