我正在为 k8s api 服务器设置 haproxy。haproxy 的配置如下:
frontend k8s-https
log /dev/log local0 debug
option tcplog
bind 0.0.0.0:8443
mode tcp
default_backend k8s-https
backend k8s-https
mode tcp
balance roundrobin
server master-1 192.168.59.101:6443 check
server master-2 192.168.59.102:6443 check
server master-3 192.168.59.103:6443 check
当我 curl 端口 6443 时,api 服务器响应:
$ curl -1 -vvv -k https://192.168.59.101:6443/
* About to connect() to 192.168.59.101 port 6443 (#0)
* Trying 192.168.59.101...
* Connected to 192.168.59.101 (192.168.59.101) port 6443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=kube-apiserver,OU=Admin,O=Kubernetes,L=Beijing,ST=Bejing,C=CN
* start date: May 21 05:01:00 2019 GMT
* expire date: Apr 27 05:01:00 2119 GMT
* common name: kube-apiserver
* issuer: CN=Kubernetes,OU=CA,O=Kubernetes,L=Beijing,ST=Bejing,C=CN
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.59.101:6443
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Content-Type: application/json
< X-Content-Type-Options: nosniff
< Date: Tue, 21 May 2019 11:05:54 GMT
< Content-Length: 233
<
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
"reason": "Forbidden",
"details": {
},
"code": 403
* Connection #0 to host 192.168.59.101 left intact
}
但是,如果我通过端口 8443(haproxy 正在监听该端口)访问 api,它会给出文件结束错误
$ curl -1 -vvv -k https://192.168.59.101:8443/
* About to connect() to 192.168.59.101 port 8443 (#0)
* Trying 192.168.59.101...
* Connected to 192.168.59.101 (192.168.59.101) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file
为什么 haproxy 不工作?
答案1
最后我弄清楚了该问题是由 centos 7 的默认 SELinux 策略引起的,通过临时禁用它sudo setenforce 0,它就解决了。