
ALB does not work properly on EKS Managed Node Group with Fargate model #1097

@XiaoYangZhu

I created the latest 1.14 EKS cluster with a Managed Node group (in a public subnet) in us-east-1, and this cluster is also enabled with Fargate model by default:

image

managed node group info:
image

Then I followed the steps listed here:
https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html

However, I received two different behaviors when using ip and instance mode:
[instance mode]:

```
$ cat 2048-ingress-instance.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "2048-ingress-instance"
  namespace: "2048-game"
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: instance
  labels:
    app: 2048-ingress
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: "service-2048"
              servicePort: 80
```

ALB was created with no listener:
image

Target group was created with no target:
image

After checking the log, we found some info associated with the worker node in Fargate mode:

```
kubectl logs -n kube-system -f deployment.apps/alb-ingress-controller
...
E1206 10:37:55.876428 1 controller.go:217] kubebuilder/controller "msg"="Reconciler error" "error"="failed to reconcile targetGroups due to failed to reconcile targetGroup targets due to Unable to DescribeInstanceStatus on fargate-ip-192-168-213-217.ec2.internal: InvalidInstanceID.Malformed: Invalid id: "fargate-ip-192-168-213-217.ec2.internal"\n\tstatus code: 400, request id: 2aba56f2-3f9d-4510-89dd-7af8e48ca19a" "controller"="alb-ingress-controller" "request"={"Namespace":"2048-game","Name":"2048-ingress"}
...
```

We could find that "fargate-ip-192-168-213-217.ec2.internal" with:
```
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
fargate-ip-192-168-156-158.ec2.internal Ready 17h v1.14.8-eks
fargate-ip-192-168-192-211.ec2.internal Ready 2d21h v1.14.8-eks
fargate-ip-192-168-213-217.ec2.internal Ready 2d21h v1.14.8-eks
ip-192-168-108-148.ec2.internal Ready 2d21h v1.14.7-eks-1861c5
ip-192-168-12-85.ec2.internal Ready 2d21h v1.14.7-eks-1861c5
```

[ip mode]:

```
$ cat 2048-ingress-ip.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "2048-ingress-ip"
  namespace: "2048-game"
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
  labels:
    app: 2048-ingress
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: "service-2048"
              servicePort: 80
```

We found that all is good; we can see ip was registered in the target group and also alb has the right listener configured as below:

image

PLS NOTE: initially the status of the ip target was unhealthy, and after a deep check we found that the security group of the ALB was not trusted in the security group of the worker node in the Managed Node group. After we manually configured the SG in the Managed Node group, all the ip targets came back to healthy:
image

Last, in both ip and instance mode, the IP address of both ingress resources is empty:

```
$ kubectl get ingress -n 2048-game
NAME                    HOSTS   ADDRESS   PORTS   AGE
2048-ingress-instance   *                 80      15h
2048-ingress-ip         *                 80      15h
```
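
The security group condition behind the unhealthy ip targets can be checked from the node group's rules. Added example, not part of the original issue: it reads JSON in the shape returned by `aws ec2 describe-security-groups` and reports whether the ALB's group is trusted by ID; the sample data, the group IDs and target port 80 are constructed assumptions.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# for the node group's security group; all group IDs are made-up placeholders.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-0node0000000000000",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0alb0000000000000"}]}
  ]}]}
""")


def covers_port(perm, port):
    """True if the rule's protocol and port range include TCP `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    return proto == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def check_alb_to_node(described, alb_sg, port):
    """Classify how the node security group admits traffic on `port`.

    "sg-reference": a rule trusts the ALB security group by ID.
    "open-cidr":    only a 0.0.0.0/0 or ::/0 rule admits it (targets would be
                    healthy, but the port is exposed to more than the ALB).
    "no-match":     neither; narrower CIDR rules are not evaluated here.
    """
    result = "no-match"
    for group in described["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            pairs = perm.get("UserIdGroupPairs", [])
            if any(p.get("GroupId") == alb_sg for p in pairs):
                return "sg-reference"
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
                result = "open-cidr"
    return result


if __name__ == "__main__":
    print(check_alb_to_node(SAMPLE, "sg-0alb0000000000000", 80))
```
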
