Kubernetes: kubectl proxy behind NGINX: invalid upgrade response

euoag5mw, posted on 2023-08-03 in Kubernetes

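I am trying to add a local Kubernetes cluster to my GitLab group for CI/CD deployments. I started by running the following command:
[command not preserved on this page]
I have tested it by executing curl http://localhost:8001/api and by running curl http://192.168.1.2:8001/api on another machine in the same network. The proxy is available in my local network.
The next step is to make the proxy available on the internet behind kubernates.example.com. To do that, I configured NGINX as follows: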

server {
    server_name kubernates.example.com;
    listen 443 ssl;
    listen 80;

    include ssl_standart_conf;

    location / {
        proxy_pass http://192.168.1.2:8001/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Executing curl https://kubernates.example.com/api returns the following error:

invalid upgrade response: status code 200


Kubernetes proxy logs:

E0225 22:33:50.944018 1642369 upgradeaware.go:312] Proxy upgrade error: invalid upgrade response: status code 200
E0225 22:33:50.944060 1642369 proxy_server.go:144] Error while proxying request: invalid upgrade response: status code 200

z9ju0rcb #1

OK, I have solved the problem. The following nginx configuration did the trick:

server {
    server_name kubernates.example.com;
    listen 443 ssl;
    listen 80;

    include ssl_standart_conf;

    location / {
        proxy_pass http://192.168.1.2:8001/;
        proxy_set_header Host $host;
    }
}


dgtucam1 #2

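Since kubectl uses the WebSocket protocol for at least port forwarding and interactive shells, it is better to make it work when the client wants to upgrade the connection, rather than effectively disabling WebSocket by using HTTP/1.0 (the default for proxy_pass without an explicit proxy_http_version 1.1).
The problem with the widely used copy-paste solution for nginx/WebSocket is that the Connection: upgrade header is always sent to the upstream, even when the client did not request a protocol upgrade.
When kube-api-server sends a request with "Connection: upgrade" to internal services such as metrics server, it gets an HTTP 200 instead of an HTTP 101 response.
This is how to make WebSocket work in nginx for the Kubernetes API proxy location only when it is requested. It solves the invalid upgrade response: status code 200 problem and avoids breaking port-forward and other useful features that rely on WebSocket.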

# Note: map directive should be declared in http, but not server context
map $http_upgrade $connection_upgrade {
    # $connection_upgrade will have value "upgrade" only if $http_upgrade is not empty
    default "upgrade";
    ""      "";
}
...
server {
...
    location / {
        ...
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        ...
        proxy_pass https://kubernetes_api;
    }
}
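
An added example, not code from this thread or from the nginx or Kubernetes projects: a small Python check that flags the pattern the second answer describes, a Connection: upgrade header sent upstream on every request. The two sample configs are constructed from the ones shown above (trimmed), and the function names are hypothetical.

```python
import re

# Constructed sample configs, trimmed from the two shown in this thread.
HARDCODED = '''
server {
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
'''
CONDITIONAL = '''
map $http_upgrade $connection_upgrade {
    default "upgrade";
    ""      "";
}
server {
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
'''
CONN = re.compile(r'^\s*proxy_set_header\s+Connection\s+(.+?)\s*;', re.I)
MAP = re.compile(r'map\s+\$http_upgrade\s+(\$\w+)\s*\{([^}]*)\}')
# Map entry whose source is the empty string; group 1 is the value it yields.
EMPTY = re.compile(r'''^\s*(?:""|'')\s+["']?([^"';\s]*)["']?\s*;''', re.M)

def upgrade_maps(conf):
    """Variable -> True if an empty $http_upgrade maps to a non-upgrade value."""
    out = {}
    for name, body in MAP.findall(conf):
        m = EMPTY.search(body)
        out[name] = bool(m) and m.group(1).lower() != "upgrade"
    return out

def find_unconditional_upgrade(conf):
    """Return (line_no, value) for Connection headers that always say upgrade."""
    maps, findings = upgrade_maps(conf), []
    for no, line in enumerate(conf.splitlines(), 1):
        m = CONN.match(line.split("#", 1)[0])  # naive comment stripping
        val = m.group(1).strip("\"'") if m else None
        if val and (val.lower() == "upgrade" or maps.get(val) is False):
            findings.append((no, val))
    return findings

if __name__ == "__main__":
    for name, conf in (("hardcoded", HARDCODED), ("conditional", CONDITIONAL)):
        print(name, find_unconditional_upgrade(conf))
```

A map that lacks an entry for the empty string is reported as well, because its default would still send upgrade on plain requests.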
