ELB SSL handshake broken in us-east-2 #6181
Likely related to 2accc73. Although, honestly, we should do a better health check anyway...
(By "better health check" I mean one that actually checks the health of the apiserver and etcd, not just whether or not the apiserver is listening; this predates 2accc73.)
Strange; we run all our clusters in us-east-1 and eu-west-1 with API ELBs whose Ping Target is configured as SSL:443, and we have never experienced any issues.
Maybe it's caused by something similar. We had issues in the past with misconfigured security groups or route tables on one side of the connection, which allowed a connection to open, but it then stalled because responses never arrived.
The us-east-1 vs us-east-2 contrast can be seen by using:
and changing just the zones and the AMI (you have to pick the AMI for the right zone): us-east-1 works, us-east-2 does not. This is with kops 1.10.0 (and Kubernetes 1.10.11).
Yes, what's weird is that I think sometimes us-east-2 works. I thought it was a Kubernetes 1.10 vs 1.11 thing, but now I'm leaning towards it being random. I've captured some packets, and it looks like the ELB health check is behaving more like a TCP health check: opening the connection and then closing it again, with no TLS handshake being initiated. The SSL health-check code has been in kops for a few releases now, so I'm leaning towards it being a problem with ELB in us-east-2. But there's nothing on the AWS status page and nobody else is reporting it, which is odd.
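The difference the packet captures show can be sketched in a few lines of Python. This is a minimal, hypothetical reproduction of the two health-check styles (not what the ELB itself runs): a TCP check passes as soon as the connection opens, while an SSL check must also complete a TLS handshake, which is exactly what the misbehaving checks were skipping.

```python
import socket
import ssl


def tcp_check(host, port, timeout=5):
    """Mimic a TCP health check: pass as soon as the TCP connection opens."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ssl_check(host, port, timeout=5):
    """Mimic an SSL health check: additionally require a TLS handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Like the ELB, don't validate the certificate; only the handshake
    # itself must succeed.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock):
                return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False
```

Against a healthy apiserver both checks should pass; against an endpoint that only completes the TCP handshake and then closes (the behavior seen in the captures), `tcp_check` passes while `ssl_check` fails with an EOF during the handshake, matching the `TLS handshake error ... EOF` lines in the apiserver log.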
We have the same issue in our infrastructure. We have clusters provisioned from the same codebase in us-east-1 and us-east-2; the SSL health checks fail in us-east-2 while us-east-1 works well. Trying to investigate with AWS Support now.
I've just got confirmation from the AWS Support team that there was an issue with a CLB update in the us-east-2 region. The problem has been fixed, and the CLB works fine again in my environment.
@fejta-bot: Closing this issue.
At least in us-east-2, with --topology=private, the ELB reports master instances as being out of service when the health check is configured for SSL. Manually changing it to TCP fixes things immediately. The apiserver is logging

http: TLS handshake error from 172.20.1.222:38426: EOF

during the failed health checks, though it logs the same error with the TCP health checks as well. Reported here: #6172 (comment)
I was able to reproduce this in us-east-2.