bind() to 0.0.0.0:8443 failed (98: Address in use) on EKS Fargate #7913

Closed
timblaktu opened this issue Nov 12, 2021 · 6 comments
Labels
  • needs-kind: Indicates a PR lacks a `kind/foo` label and requires one.
  • needs-priority
  • needs-triage: Indicates an issue or PR lacks a `triage/foo` label and requires one.

@timblaktu

NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):

NGINX Ingress controller
Release: v1.0.4
Build: 9b78b6c
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.19.9

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.2", GitCommit:"8b5a19147530eaac9476b0ab82980b4088bbc1b2", GitTreeState:"clean", BuildDate:"2021-09-15T21:38:50Z", GoVersion:"go1.16.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"21+", GitVersion:"v1.21.2-eks-0389ca3", GitCommit:"8a4e27b9d88142bbdd21b997b532eb6d493df6d2", GitTreeState:"clean", BuildDate:"2021-07-31T01:34:46Z", GoVersion:"go1.16.5", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration:
    AWS / EKS / Fargate
  • OS (e.g. from /etc/os-release):
    (it's unclear what environment you're referring to)
    the host/client I'm running terraform/aws cli/kubectl from is Amazon Linux.
  • Kernel (e.g. uname -a):
    (it's unclear what environment you're referring to)
    the host/client I'm running terraform/aws cli/kubectl from is: Linux ip-10-94-189-201.ec2.internal 4.14.248-189.473.amzn2.x86_64 #1 SMP Mon Sep 27 05:52:26 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
  • Install tools:
    EKS Cluster was created using this fork/branch of the terraform aws/eks module, and the following provider versions:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.63.0"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.6.1"
    }
    helm = {
      source  = "hashicorp/helm"
      version = "~> 2.3.0"
    }
  }
}
  • Basic cluster related info:
    • kubectl version
Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.2", GitCommit:"8b5a19147530eaac9476b0ab82980b4088bbc1b2", GitTreeState:"clean", BuildDate:"2021-09-15T21:38:50Z", GoVersion:"go1.16.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"21+", GitVersion:"v1.21.2-eks-0389ca3", GitCommit:"8a4e27b9d88142bbdd21b997b532eb6d493df6d2", GitTreeState:"clean", BuildDate:"2021-07-31T01:34:46Z", GoVersion:"go1.16.5", Compiler:"gc", Platform:"linux/amd64"}
  • kubectl get nodes -o wide
> kubectl get nodes -o wide
NAME                                    STATUS   ROLES    AGE    VERSION               INTERNAL-IP     EXTERNAL-IP   OS-IMAGE         KERNEL-VERSION                  CONTAINER-RUNTIME
fargate-ip-10-94-189-108.ec2.internal   Ready    <none>   2d3h   v1.21.2-eks-06eac09   10.94.189.108   <none>        Amazon Linux 2   4.14.243-185.433.amzn2.x86_64   containerd://1.4.6
fargate-ip-10-94-190-109.ec2.internal   Ready    <none>   13m    v1.21.2-eks-06eac09   10.94.190.109   <none>        Amazon Linux 2   4.14.248-189.473.amzn2.x86_64   containerd://1.4.6
fargate-ip-10-94-190-143.ec2.internal   Ready    <none>   2d3h   v1.21.2-eks-06eac09   10.94.190.143   <none>        Amazon Linux 2   4.14.243-185.433.amzn2.x86_64   containerd://1.4.6
  • How was the ingress-nginx-controller installed:
helm install nginx-ingress ingress-nginx/ingress-nginx --namespace ingress --values helm/nginx-values.yaml

where helm/nginx-values.yaml contains:

controller:
  extraArgs:
    http-port: 8080
    https-port: 8443
  containerPort:
    http: 8080
    https: 8443
  service:
    ports:
      http: 80
      https: 443
    targetPorts:
      http: 8080
      https: 8443
  image:
    allowPrivilegeEscalation: false
    # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes
    livenessProbe:
      initialDelaySeconds: 1200  # 60 # 30
    readinessProbe:
      initialDelaySeconds: 1200  # 60 # 0
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"

These port values and allowPrivilegeEscalation: false were set to work around this bug.

  • If helm was used then please show output of helm ls -A | grep -i ingress
> helm ls -A | grep -i ingress
nginx-ingress                   ingress         1               2021-11-12 22:26:56.32613815 +0000 UTC  deployed        ingress-nginx-4.0.6                     1.0.4
  • If helm was used then please show output of helm -n <ingresscontrollernamespace> get values <helmreleasename>
> helm -n ingress get values nginx-ingress
USER-SUPPLIED VALUES:
controller:
  containerPort:
    http: 8080
    https: 8443
  extraArgs:
    http-port: 8080
    https-port: 8443
  image:
    allowPrivilegeEscalation: false
    livenessProbe:
      initialDelaySeconds: 1200
    readinessProbe:
      initialDelaySeconds: 1200
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
  • Current State of the controller:
    • kubectl describe ingressclasses
> kubectl describe ingressclasses
Name:         nginx
Labels:       app.kubernetes.io/component=controller
              app.kubernetes.io/instance=nginx-ingress
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=ingress-nginx
              app.kubernetes.io/version=1.0.4
              helm.sh/chart=ingress-nginx-4.0.6
Annotations:  meta.helm.sh/release-name: nginx-ingress
              meta.helm.sh/release-namespace: ingress
Controller:   k8s.io/ingress-nginx
Events:       <none>
  • kubectl -n <ingresscontrollernamespace> get all -A -o wide
> kubectl -n ingress get all -A -o wide
NAMESPACE              NAME                                                          READY   STATUS             RESTARTS   AGE    IP              NODE                                    NOMINATED NODE   READINESS GATES
ingress                pod/nginx-ingress-ingress-nginx-controller-74d46b8fd8-pzffn   0/1     CrashLoopBackOff   7          18m    10.94.190.109   fargate-ip-10-94-190-109.ec2.internal   <none>           <none>
kube-system            pod/coredns-8dd7f955b-gx95f                                   1/1     Running            0          2d3h   10.94.189.108   fargate-ip-10-94-189-108.ec2.internal   <none>           <none>
kube-system            pod/coredns-8dd7f955b-pk284                                   1/1     Running            0          2d3h   10.94.190.143   fargate-ip-10-94-190-143.ec2.internal   <none>           <none>
kubernetes-dashboard   pod/dashboard-metrics-scraper-856586f554-df45v                0/1     Pending            0          4d2h   <none>          <none>                                  <none>           <none>
kubernetes-dashboard   pod/kubernetes-dashboard-67484c44f6-bdsln                     0/1     Pending            0          4d2h   <none>          <none>                                  <none>           <none>

NAMESPACE              NAME                                                       TYPE           CLUSTER-IP       EXTERNAL-IP                                                                     PORT(S)                      AGE    SELECTOR
default                service/kubernetes                                         ClusterIP      172.20.0.1       <none>                                                                          443/TCP                      7d2h   <none>
ingress                service/nginx-ingress-ingress-nginx-controller             LoadBalancer   172.20.205.152   a983d44b5b9764a4fb00ef6d530a8d9d-14590a3b337afdfa.elb.us-east-1.amazonaws.com   80:31966/TCP,443:32720/TCP   18m    app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx
ingress                service/nginx-ingress-ingress-nginx-controller-admission   ClusterIP      172.20.223.205   <none>                                                                          443/TCP                      18m    app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx
kube-system            service/kube-dns                                           ClusterIP      172.20.0.10      <none>                                                                          53/UDP,53/TCP                7d2h   k8s-app=kube-dns
kube-system            service/metrics-server                                     ClusterIP      172.20.102.206   <none>                                                                          443/TCP                      2d3h   k8s-app=metrics-server
kubernetes-dashboard   service/dashboard-metrics-scraper                          ClusterIP      172.20.148.41    <none>                                                                          8000/TCP                     4d2h   k8s-app=dashboard-metrics-scraper
kubernetes-dashboard   service/kubernetes-dashboard                               ClusterIP      172.20.52.83     <none>                                                                          443/TCP                      4d2h   k8s-app=kubernetes-dashboard

NAMESPACE     NAME                        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE    CONTAINERS   IMAGES                                                                           SELECTOR
kube-system   daemonset.apps/aws-node     0         0         0       0            0           <none>          7d2h   aws-node     602401143452.dkr.ecr.us-east-1.amazonaws.com/amazon-k8s-cni:v1.7.5-eksbuild.1    k8s-app=aws-node
kube-system   daemonset.apps/kube-proxy   0         0         0       0            0           <none>          7d2h   kube-proxy   602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/kube-proxy:v1.21.2-eksbuild.2   k8s-app=kube-proxy

NAMESPACE              NAME                                                     READY   UP-TO-DATE   AVAILABLE   AGE    CONTAINERS                  IMAGES                                                                                                               SELECTOR
ingress                deployment.apps/nginx-ingress-ingress-nginx-controller   0/1     1            0           18m    controller                  k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef   app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx
kube-system            deployment.apps/coredns                                  2/2     2            2           7d2h   coredns                     602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/coredns:v1.8.4-eksbuild.1                                           eks.amazonaws.com/component=coredns,k8s-app=kube-dns
kubernetes-dashboard   deployment.apps/dashboard-metrics-scraper                0/1     1            0           4d2h   dashboard-metrics-scraper   kubernetesui/metrics-scraper:v1.0.6                                                                                  k8s-app=dashboard-metrics-scraper
kubernetes-dashboard   deployment.apps/kubernetes-dashboard                     0/1     1            0           4d2h   kubernetes-dashboard        kubernetesui/dashboard:v2.3.1                                                                                        k8s-app=kubernetes-dashboard

NAMESPACE              NAME                                                                DESIRED   CURRENT   READY   AGE    CONTAINERS                  IMAGES                                                                                                               SELECTOR
ingress                replicaset.apps/nginx-ingress-ingress-nginx-controller-74d46b8fd8   1         1         0       18m    controller                  k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef   app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx,pod-template-hash=74d46b8fd8
kube-system            replicaset.apps/coredns-8dd7f955b                                   2         2         2       2d3h   coredns                     602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/coredns:v1.8.4-eksbuild.1                                           eks.amazonaws.com/component=coredns,k8s-app=kube-dns,pod-template-hash=8dd7f955b
kubernetes-dashboard   replicaset.apps/dashboard-metrics-scraper-856586f554                1         1         0       4d2h   dashboard-metrics-scraper   kubernetesui/metrics-scraper:v1.0.6                                                                                  k8s-app=dashboard-metrics-scraper,pod-template-hash=856586f554
kubernetes-dashboard   replicaset.apps/kubernetes-dashboard-67484c44f6                     1         1         0       4d2h   kubernetes-dashboard        kubernetesui/dashboard:v2.3.1                                                                                        k8s-app=kubernetes-dashboard,pod-template-hash=67484c44f6
  • kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
> kubectl describe pods -n ingress
Name:                 nginx-ingress-ingress-nginx-controller-74d46b8fd8-pzffn
Namespace:            ingress
Priority:             2000001000
Priority Class Name:  system-node-critical
Node:                 fargate-ip-10-94-190-109.ec2.internal/10.94.190.109
Start Time:           Fri, 12 Nov 2021 22:28:45 +0000
Labels:               app.kubernetes.io/component=controller
                      app.kubernetes.io/instance=nginx-ingress
                      app.kubernetes.io/name=ingress-nginx
                      eks.amazonaws.com/fargate-profile=ingress
                      pod-template-hash=74d46b8fd8
Annotations:          CapacityProvisioned: 0.25vCPU 0.5GB
                      Logging: LoggingDisabled: LOGGING_CONFIGMAP_NOT_FOUND
                      kubernetes.io/psp: eks.privileged
Status:               Running
IP:                   10.94.190.109
IPs:
  IP:           10.94.190.109
Controlled By:  ReplicaSet/nginx-ingress-ingress-nginx-controller-74d46b8fd8
Containers:
  controller:
    Container ID:  containerd://4ee6dc138d2196f38f6eee04e5b7c0b39210b4f1eaf835e849aeffa41422b1f2
    Image:         k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
    Image ID:      k8s.gcr.io/ingress-nginx/controller@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
    Ports:         8080/TCP, 8443/TCP, 8443/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP
    Args:
      /nginx-ingress-controller
      --publish-service=$(POD_NAMESPACE)/nginx-ingress-ingress-nginx-controller
      --election-id=ingress-controller-leader
      --controller-class=k8s.io/ingress-nginx
      --configmap=$(POD_NAMESPACE)/nginx-ingress-ingress-nginx-controller
      --validating-webhook=:8443
      --validating-webhook-certificate=/usr/local/certificates/cert
      --validating-webhook-key=/usr/local/certificates/key
      --http-port=8080
      --https-port=8443
    State:          Running
      Started:      Fri, 12 Nov 2021 22:47:53 +0000
    Last State:     Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Fri, 12 Nov 2021 22:41:37 +0000
      Finished:     Fri, 12 Nov 2021 22:42:47 +0000
    Ready:          False
    Restart Count:  8
    Requests:
      cpu:      100m
      memory:   90Mi
    Liveness:   http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=5
    Readiness:  http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
    Environment:
      POD_NAME:       nginx-ingress-ingress-nginx-controller-74d46b8fd8-pzffn (v1:metadata.name)
      POD_NAMESPACE:  ingress (v1:metadata.namespace)
      LD_PRELOAD:     /usr/local/lib/libmimalloc.so
    Mounts:
      /usr/local/certificates/ from webhook-cert (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-z6vdf (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  webhook-cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  nginx-ingress-ingress-nginx-admission
    Optional:    false
  kube-api-access-z6vdf:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   Burstable
Node-Selectors:              kubernetes.io/os=linux
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason           Age                     From                      Message
  ----     ------           ----                    ----                      -------
  Normal   Scheduled        19m                     fargate-scheduler         Successfully assigned ingress/nginx-ingress-ingress-nginx-controller-74d46b8fd8-pzffn to fargate-ip-10-94-190-109.ec2.internal
  Warning  LoggingDisabled  20m                     fargate-scheduler         Disabled logging because aws-logging configmap was not found. configmap "aws-logging" not found
  Normal   Pulling          19m                     kubelet                   Pulling image "k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef"
  Normal   Pulled           18m                     kubelet                   Successfully pulled image "k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef" in 29.217318531s
  Normal   RELOAD           17m (x16 over 18m)      nginx-ingress-controller  NGINX reload triggered due to a change in configuration
  Warning  Unhealthy        17m (x5 over 18m)       kubelet                   Liveness probe failed: HTTP probe failed with statuscode: 500
  Normal   Killing          17m                     kubelet                   Container controller failed liveness probe, will be restarted
  Normal   Created          17m (x2 over 18m)       kubelet                   Created container controller
  Normal   Started          17m (x2 over 18m)       kubelet                   Started container controller
  Normal   Pulled           17m                     kubelet                   Container image "k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef" already present on machine
  Warning  Unhealthy        17m                     kubelet                   Readiness probe failed: Get "http://10.94.190.109:10254/healthz": dial tcp 10.94.190.109:10254: connect: connection refused
  Warning  Unhealthy        17m (x2 over 17m)       kubelet                   Readiness probe failed: Get "http://10.94.190.109:10254/healthz": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
  Warning  Unhealthy        16m (x3 over 17m)       kubelet                   Liveness probe failed: Get "http://10.94.190.109:10254/healthz": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
  Normal   RELOAD           16m (x17 over 17m)      nginx-ingress-controller  NGINX reload triggered due to a change in configuration
  Normal   RELOAD           15m (x17 over 16m)      nginx-ingress-controller  NGINX reload triggered due to a change in configuration
  Normal   RELOAD           14m (x17 over 15m)      nginx-ingress-controller  NGINX reload triggered due to a change in configuration
  Warning  Unhealthy        14m (x9 over 18m)       kubelet                   Readiness probe failed: HTTP probe failed with statuscode: 500
  Normal   RELOAD           13m (x17 over 13m)      nginx-ingress-controller  NGINX reload triggered due to a change in configuration
  Normal   RELOAD           11m (x17 over 12m)      nginx-ingress-controller  NGINX reload triggered due to a change in configuration
  Normal   RELOAD           9m22s (x17 over 10m)    nginx-ingress-controller  NGINX reload triggered due to a change in configuration
  Normal   RELOAD           5m23s (x17 over 6m16s)  nginx-ingress-controller  NGINX reload triggered due to a change in configuration
  Warning  BackOff          4m (x28 over 11m)       kubelet                   Back-off restarting failed container
  • kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
> kubectl describe svc -n ingress
Name:                     nginx-ingress-ingress-nginx-controller
Namespace:                ingress
Labels:                   app.kubernetes.io/component=controller
                          app.kubernetes.io/instance=nginx-ingress
                          app.kubernetes.io/managed-by=Helm
                          app.kubernetes.io/name=ingress-nginx
                          app.kubernetes.io/version=1.0.4
                          helm.sh/chart=ingress-nginx-4.0.6
Annotations:              meta.helm.sh/release-name: nginx-ingress
                          meta.helm.sh/release-namespace: ingress
                          service.beta.kubernetes.io/aws-load-balancer-type: nlb
Selector:                 app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx
Type:                     LoadBalancer
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       172.20.205.152
IPs:                      172.20.205.152
LoadBalancer Ingress:     a983d44b5b9764a4fb00ef6d530a8d9d-14590a3b337afdfa.elb.us-east-1.amazonaws.com
Port:                     http  80/TCP
TargetPort:               http/TCP
NodePort:                 http  31966/TCP
Endpoints:
Port:                     https  443/TCP
TargetPort:               https/TCP
NodePort:                 https  32720/TCP
Endpoints:
Session Affinity:         None
External Traffic Policy:  Cluster
Events:
  Type    Reason                Age                From                Message
  ----    ------                ----               ----                -------
  Normal  EnsuringLoadBalancer  21m                service-controller  Ensuring load balancer
  Normal  EnsuredLoadBalancer   21m                service-controller  Ensured load balancer
  Normal  UpdatedLoadBalancer   20m (x3 over 20m)  service-controller  Updated load balancer with new hosts


Name:              nginx-ingress-ingress-nginx-controller-admission
Namespace:         ingress
Labels:            app.kubernetes.io/component=controller
                   app.kubernetes.io/instance=nginx-ingress
                   app.kubernetes.io/managed-by=Helm
                   app.kubernetes.io/name=ingress-nginx
                   app.kubernetes.io/version=1.0.4
                   helm.sh/chart=ingress-nginx-4.0.6
Annotations:       meta.helm.sh/release-name: nginx-ingress
                   meta.helm.sh/release-namespace: ingress
Selector:          app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                172.20.223.205
IPs:               172.20.223.205
Port:              https-webhook  443/TCP
TargetPort:        webhook/TCP
Endpoints:
Session Affinity:  None
Events:            <none>
  • Current state of ingress object, if applicable:
    N/A

  • Others:
    N/A

What happened:
The Helm-installed ingress-nginx controller pod on a fresh, new Fargate-only EKS cluster perpetually fails liveness and readiness probes on startup.

What you expected to happen:
I expect the Helm-installed ingress-nginx controller pod to eventually get into a Running state, and then be able to function as an Ingress Controller and Load Balancer.

The pod logs indicate the controller application failed to bind to 0.0.0.0 (INADDR_ANY) port 8443:

-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.0.4
  Build:         9b78b6c197b48116243922170875af4aa752ee59
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.19.9

-------------------------------------------------------------------------------

W1112 22:48:58.016606       8 client_config.go:615] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I1112 22:48:58.016858       8 main.go:221] "Creating API client" host="https://172.20.0.1:443"
I1112 22:48:58.108439       8 main.go:265] "Running in Kubernetes cluster" major="1" minor="21+" git="v1.21.2-eks-0389ca3" state="clean" commit="8a4e27b9d88142bbdd21b997b532eb6d493df6d2" platform="linux/amd64"
I1112 22:48:59.016354       8 main.go:104] "SSL fake certificate created" file="/etc/ingress-controller/ssl/default-fake-certificate.pem"
I1112 22:48:59.106518       8 ssl.go:531] "loading tls certificate" path="/usr/local/certificates/cert" key="/usr/local/certificates/key"
I1112 22:48:59.198226       8 nginx.go:253] "Starting NGINX Ingress controller"
I1112 22:48:59.212576       8 event.go:282] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"ingress", Name:"nginx-ingress-ingress-nginx-controller", UID:"0e395c40-3a7e-4c9e-aef5-89f995d1b546", APIVersion:"v1", ResourceVersion:"1734431", FieldPath:""}): type: 'Normal' reason: 'CREATE' ConfigMap ingress/nginx-ingress-ingress-nginx-controller
I1112 22:49:00.500216       8 nginx.go:295] "Starting NGINX process"
I1112 22:49:00.500319       8 leaderelection.go:243] attempting to acquire leader lease ingress/ingress-controller-leader...
I1112 22:49:00.501014       8 nginx.go:315] "Starting validation webhook" address=":8443" certPath="/usr/local/certificates/cert" keyPath="/usr/local/certificates/key"
I1112 22:49:00.501193       8 controller.go:152] "Configuration changes detected, backend reload required"
I1112 22:49:00.514611       8 leaderelection.go:253] successfully acquired lease ingress/ingress-controller-leader
I1112 22:49:00.515140       8 status.go:84] "New leader elected" identity="nginx-ingress-ingress-nginx-controller-74d46b8fd8-pzffn"
I1112 22:49:00.807052       8 controller.go:169] "Backend successfully reloaded"
I1112 22:49:00.807127       8 controller.go:180] "Initial sync, sleeping for 1 second"
I1112 22:49:00.807331       8 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress", Name:"nginx-ingress-ingress-nginx-controller-74d46b8fd8-pzffn", UID:"db7c6048-8149-4706-9cb8-5be67011b3d3", APIVersion:"v1", ResourceVersion:"1738538", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration
2021/11/12 22:49:00 [emerg] 28#28: bind() to 0.0.0.0:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to [::]:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to 0.0.0.0:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to [::]:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to 0.0.0.0:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to [::]:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to 0.0.0.0:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to [::]:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to 0.0.0.0:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to [::]:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to 0.0.0.0:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to [::]:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to 0.0.0.0:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to [::]:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to 0.0.0.0:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to [::]:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to 0.0.0.0:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to [::]:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to 0.0.0.0:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: bind() to [::]:8443 failed (98: Address in use)
2021/11/12 22:49:00 [emerg] 28#28: still could not bind()
W1112 22:49:03.540824       8 controller.go:198] Dynamic reconfiguration failed: Post "http://127.0.0.1:10246/configuration/backends": read tcp 127.0.0.1:42114->127.0.0.1:10246: read: connection reset by peer
E1112 22:49:03.540863       8 controller.go:202] Unexpected failure reconfiguring NGINX:
Post "http://127.0.0.1:10246/configuration/backends": read tcp 127.0.0.1:42114->127.0.0.1:10246: read: connection reset by peer
E1112 22:49:03.540886       8 queue.go:130] "requeuing" err="Post \"http://127.0.0.1:10246/configuration/backends\": read tcp 127.0.0.1:42114->127.0.0.1:10246: read: connection reset by peer" key="initial-sync"
I1112 22:49:03.835552       8 controller.go:152] "Configuration changes detected, backend reload required"
I1112 22:49:04.006054       8 controller.go:169] "Backend successfully reloaded"
I1112 22:49:04.006306       8 controller.go:180] "Initial sync, sleeping for 1 second"
I1112 22:49:04.006397       8 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress", Name:"nginx-ingress-ingress-nginx-controller-74d46b8fd8-pzffn", UID:"db7c6048-8149-4706-9cb8-5be67011b3d3", APIVersion:"v1", ResourceVersion:"1738538", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration
.
.
.

It is expected that the controller application would be trying this port 8443 because that was specified in the values passed to the helm chart on installation.

I have confirmed that the address/port in question is indeed already bound. I'm able to execute the netstat command inside the running container as user www-data to confirm that 0:8443 is indeed already bound, but because I haven't yet figured out how to get root access, the PIDs/names of the processes are not available to me:

> kubectl exec -n ingress --stdin --tty nginx-ingress-ingress-nginx-controller-74d46b8fd8-pzffn -- netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:10245         0.0.0.0:*               LISTEN      -
tcp        3      0 127.0.0.1:10246         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:10247         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8181            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8181            0.0.0.0:*               LISTEN      -
tcp        0      0 :::8443                 :::*                    LISTEN      -
tcp        0      0 :::10254                :::*                    LISTEN      -
tcp        0      0 :::8080                 :::*                    LISTEN      -
tcp        0      0 :::8080                 :::*                    LISTEN      -
tcp        0      0 :::8181                 :::*                    LISTEN      -
tcp        0      0 :::8181                 :::*                    LISTEN      -
> kubectl exec -n ingress --stdin --tty nginx-ingress-ingress-nginx-controller-74d46b8fd8-pzffn -- /bin/bash
bash-5.1$ whoami
www-data
bash-5.1$ ps aux
PID   USER     TIME  COMMAND
    1 www-data  0:00 /usr/bin/dumb-init -- /nginx-ingress-controller --publish-service=ingress/nginx-ingress-ingress-nginx-controller --election-id=ingress-controller-leader --controller-class=k8s.io/ingress-nginx
    8 www-data  0:00 /nginx-ingress-controller --publish-service=ingress/nginx-ingress-ingress-nginx-controller --election-id=ingress-controller-leader --controller-class=k8s.io/ingress-nginx --configmap=ingress/n
   28 www-data  0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /etc/nginx/nginx.conf
   30 www-data  0:00 nginx: worker process
   45 www-data  0:00 /bin/bash
   56 www-data  0:00 ps aux

How to reproduce it:
Install ingress-nginx pod via helm chart with the above values into EKS cluster with Fargate profiles. After helm install, just watch pod state and logs.

Anything else we need to know:
There are separate, dedicated Fargate profiles for kube-system/coredns and ingress.
The VPC I'm installing the EKS cluster into has 3 public and 3 private subnets, and all 6 are passed to all Fargate profiles.

/kind bug

@timblaktu timblaktu added the kind/bug Categorizes issue or PR as related to a bug. label Nov 12, 2021
@k8s-ci-robot
Contributor

@timblaktu: This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@TBBle

TBBle commented Nov 13, 2021

Answered in more detail in a different ticket. The problem is that port 8443 is the default port for the webhook, so you either need to also change the webhook port, or use a different port than 8443.

@longwuyuan
Contributor

/remove-kind bug
Fargate and serverless use would introduce networking that is different from vanilla "x" number of nodes use case

@k8s-ci-robot k8s-ci-robot added needs-kind Indicates a PR lacks a `kind/foo` label and requires one. and removed kind/bug Categorizes issue or PR as related to a bug. labels Nov 13, 2021
@TBBle

TBBle commented Nov 13, 2021

The issue is unrelated to Fargate, the same configuration would have failed due to the command-line args shown. Note two things trying to listen on port 8443:

    Args:
      /nginx-ingress-controller
      --publish-service=$(POD_NAMESPACE)/nginx-ingress-ingress-nginx-controller
      --election-id=ingress-controller-leader
      --controller-class=k8s.io/ingress-nginx
      --configmap=$(POD_NAMESPACE)/nginx-ingress-ingress-nginx-controller
      --validating-webhook=:8443
      --validating-webhook-certificate=/usr/local/certificates/cert
      --validating-webhook-key=/usr/local/certificates/key
      --http-port=8080
      --https-port=8443
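
Added example, not part of the thread or of the ingress-nginx project: a pre-deployment check that parses the controller args quoted above and reports any port claimed by more than one listener flag. It only knows the three listener flags visible in this issue; `FIXED_ARGS` is constructed from the values the reporter later posted, and the function names are hypothetical.

```python
from collections import defaultdict

# Flags that open a listening socket, limited to those shown in this issue.
LISTENER_FLAGS = ("--http-port", "--https-port", "--validating-webhook")

# Listener-related args exactly as quoted in the comment above.
FAILING_ARGS = [
    "/nginx-ingress-controller",
    "--publish-service=$(POD_NAMESPACE)/nginx-ingress-ingress-nginx-controller",
    "--validating-webhook=:8443",
    "--http-port=8080",
    "--https-port=8443",
]

# Constructed sample: same args with the https port moved off the webhook port.
FIXED_ARGS = [
    "/nginx-ingress-controller",
    "--validating-webhook=:8443",
    "--http-port=8080",
    "--https-port=8081",
]


def listener_ports(args):
    """Return {port: [flags binding it]} for the listener flags in args."""
    ports = defaultdict(list)
    for arg in args:
        flag, sep, value = arg.partition("=")
        if not sep or flag not in LISTENER_FLAGS:
            continue
        # --validating-webhook takes [host]:port; the port flags take a bare number.
        port = value.rsplit(":", 1)[-1]
        if port.isdigit():
            ports[int(port)].append(flag)
    return ports


def port_conflicts(args):
    """Return only the ports that more than one flag tries to bind."""
    return {p: flags for p, flags in listener_ports(args).items() if len(flags) > 1}


if __name__ == "__main__":
    for name, args in (("failing", FAILING_ARGS), ("fixed", FIXED_ARGS)):
        print(name, port_conflicts(args) or "no conflicts")
```
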

@longwuyuan
Contributor

longwuyuan commented Nov 13, 2021 via email

@timblaktu
Author

Thanks so much @TBBle, @longwuyuan - and sorry for the distraction - clearly this was cockpit error on my part, not understanding the innards of the ingress-nginx application and not being able to inspect the running container sufficiently.

I finally have installed ingress-nginx on eks-fargate with the following values:

controller:
  extraArgs:
    http-port: 8080
    # Cannot use 8443 bc nginx ingress webhook already binds to 8443:
    #   https://github.com/kubernetes/ingress-nginx/issues/4888#issuecomment-968059561
    https-port: 8081
  containerPort:
    http: 8080
    https: 8081
  image:
    allowPrivilegeEscalation: false
    # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes
    livenessProbe:
      initialDelaySeconds: 60  # 30
    readinessProbe:
      initialDelaySeconds: 60  # 0
  service:
    annotations:
      # TODO: check if alb type "external" "ip" works, per this comment:
      #       https://github.com/kubernetes/ingress-nginx/issues/4888#issuecomment-964535071
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb-ip"
