ALB Ingress Controller 2.15.0 introduces a webhook validation service. It uses Admission Webhooks to validate configuration at the API level, intercepting erroneous or non-compliant configuration early and returning a clear error message, so that a reconciliation failure caused by a malformed configuration no longer goes unnoticed. This document describes how the webhook validation service works and lists common error messages.
How it works
Dynamic admission control (Admission Webhooks)
Since Kubernetes 1.9, dynamic admission control has supported Admission Webhooks, which let you deploy a component that performs access control on API Server requests. After a request has passed authentication and authorization, and before the object is persisted, the API Server intercepts the request and calls the webhook service for an admission decision.
Advantages of webhook validation
Early interception: erroneous or non-compliant configuration is rejected at the API level, which avoids unnecessary resource-creation attempts, potential confusion in cluster state, and wasted work in later steps such as resource scheduling and network configuration.
Decoupled logic: placing validation in the webhook lets the controller concentrate on actually deploying and managing resources. This follows the single-responsibility principle and makes the system more modular, maintainable, and extensible.
Improved security: keeping YAML validation in a standalone webhook service allows resource requests entering the cluster to be managed and controlled centrally, reducing the risk of malicious or mistaken configuration.
Error awareness: when a parameter is wrong, the webhook validation service rejects the request early and returns a clear error message, so the problem can be located and corrected quickly.
Main webhook components
ValidatingAdmissionWebhook: defines the webhook URL that the API Server calls when it receives a request to create or update an Ingress resource, and specifies which operations and resources trigger webhook validation. It is deployed together with the ALB Ingress Controller.
TLS certificate: ensures that communication between the API Server and the webhook service is encrypted with TLS.
Webhook Service: parses the incoming AdmissionReview request, validates the Ingress resource definition, and generates an AdmissionResponse.
Webhook interception messages
Example of a webhook interception message
The following is an example of an Ingress YAML with a configuration error. Because the listen-ports annotation is malformed, the webhook validation service detects the error and returns a specific error message so that you can correct it promptly. Error message in the console:
Error message on the command line:
The error message states that the request failed admission validation: the admission webhook "ingress.alb.validate.k8s.io" denied the request because the listen port configuration contains an invalid character "]" after an array element.
More AlbConfig and Ingress validation error messages are listed below.

| Resource type | Error type | Error message |
|---|---|---|
| AlbConfig | AlbConfig unmarshal failure | webhook validate albconfig alb: Unmarshal error : %v Please check the format of albconfig yaml |
| AlbConfig | Listener port error | webhook validate albconfig alb: listener port number mustbetween [1:65535], or you should set listen port explicitly in listener config. Error listen port : 0 |
| AlbConfig | Listener protocol error | webhook validate albconfig alb: listener protocol is invalid : HTTPP, or you should set listen protocol explicitly in listener config. Please set protocol value HTTP or HTTPS or QUIC |
| AlbConfig | Log Logstore name format check | webhook validate albconfig alb: logstore name should start with alb_ |
| AlbConfig | Tag format check | webhook validate albconfig alb: empty tag key/value is invalid |
| AlbConfig | IP address type check | the value Interne is invalid. Please set the value as one of: [Internet Intranet] |
| AlbConfig | IPv6 address type check | the value Interne is invalid. Please set the value as one of: [Internet Intranet] |
| AlbConfig | IP address mode check | the value Dynamicc is invalid. Please set the value as one of: [Dynamic Fixed] |
| AlbConfig | Instance edition check | the value Standardd is invalid. Please set the value as one of: [Basic Standard StandardWithWaf] |
| AlbConfig | Access control | webhook validate albconfig alb: aclEntry and aclIds cannot use together in listener |
| Ingress | backend-scheduler | the value of alb.ingress.kubernetes.io/backend-scheduler annotation is invalid : test. the value wlcc is invalid. Please set the value as one of: [wrr wlc sch uch] |
| Ingress | backend-protocol | the value of alb.ingress.kubernetes.io/backend-protocol annotation is invalid : test. the value wlcc is invalid. Please set the value as one of: [HTTP HTTPS gRPC] |
| Ingress | healthcheck-protocol | the value of alb.ingress.kubernetes.io/healthcheck-protocol annotation is invalid : test. the value wlcc is invalid. Please set the value as one of: [HTTP HTTPS TCP gRPC] |
| Ingress | healthcheck-method | the value of alb.ingress.kubernetes.io/healthcheck-method annotation is invalid : test. the value wlcc is invalid. Please set the value as one of: [GET HEAD POST] |
| Ingress | healthcheck-httpcode | the value of alb.ingress.kubernetes.io/healthcheck-httpcode annotation is invalid : test. the value wlcc is invalid. Please set the value as one of: [http_2xx http_3xx http_4xx http_5xx] |
| Ingress | healthcheck-httpversion | the value of alb.ingress.kubernetes.io/healthcheck-httpversion annotation is invalid : test. the value wlcc is invalid. Please set the value as one of: [HTTP1.1 HTTP1.0] |
| Ingress | listen-port format error | webhook validate ingress ingress: check ingress listen port invalid |
| Ingress | Path must not contain ^ | webhook validate ingress ingress: path is invalid because path contains ^ character |
| Ingress | Custom forwarding action unmarshal failure | webhook validate ingress test: the value of actions annotation is invalid |
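As an added example, not the controller's own code, the following Python sketch shows the webhook service described under "Main webhook components" end to end: it decodes an AdmissionReview, applies several of the Ingress checks from the table above (listen-ports format, enumerated annotation values, `^` in paths) and builds the AdmissionResponse. The function names, the constructed sample request and the 1-65535 port range applied to listen-ports are assumptions made for this example.

```python
import json
# Allowed annotation values copied from the table rows (example code, not the controller's own).
ENUMS = {
    "alb.ingress.kubernetes.io/backend-scheduler": ["wrr", "wlc", "sch", "uch"],
    "alb.ingress.kubernetes.io/backend-protocol": ["HTTP", "HTTPS", "gRPC"],
    "alb.ingress.kubernetes.io/healthcheck-method": ["GET", "HEAD", "POST"],
}
LISTEN_PORTS = "alb.ingress.kubernetes.io/listen-ports"


def validate_ingress(obj):
    """Return the denial message for an Ingress object, or None when it passes."""
    meta = obj.get("metadata", {})
    name, ann = meta.get("name", ""), meta.get("annotations") or {}
    for key, allowed in ENUMS.items():
        if key in ann and ann[key] not in allowed:
            return (f"the value of {key} annotation is invalid : {name}. the value {ann[key]} "
                    f"is invalid. Please set the value as one of: [{' '.join(allowed)}]")
    if LISTEN_PORTS in ann:
        try:
            ports = json.loads(ann[LISTEN_PORTS])
        except json.JSONDecodeError as e:  # the format error in the page's example
            return f"webhook validate ingress {name}: check ingress listen port invalid: {e}"
        # Assumption: each entry is {protocol: port}; the 1-65535 rule is taken from the AlbConfig row.
        if not isinstance(ports, list) or not all(isinstance(p, dict) and all(
                isinstance(v, int) and 1 <= v <= 65535 for v in p.values()) for p in ports):
            return f"webhook validate ingress {name}: check ingress listen port invalid"
    for rule in obj.get("spec", {}).get("rules", []):
        for p in rule.get("http", {}).get("paths", []):
            if "^" in p.get("path", ""):
                return f"webhook validate ingress {name}: path is invalid because path contains ^ character"
    return None


def review(body):
    """Decode an AdmissionReview, validate the embedded Ingress and build the AdmissionResponse;
    allowed=False plus status.message is what the API server relays as 'denied the request'."""
    ar = json.loads(body)
    req = ar["request"]
    msg = validate_ingress(req["object"]) if req.get("kind", {}).get("kind") == "Ingress" else None
    resp = {"uid": req["uid"], "allowed": msg is None}  # uid must echo the request
    if msg:
        resp["status"] = {"code": 400, "message": msg}
    return {"apiVersion": ar["apiVersion"], "kind": ar["kind"], "response": resp}

# Constructed sample request: the listen-ports value has a trailing comma, so it is not valid JSON.
BAD_REVIEW = json.dumps({"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "request": {
    "uid": "u1", "kind": {"group": "networking.k8s.io", "version": "v1", "kind": "Ingress"},
    "object": {"metadata": {"name": "test", "annotations": {LISTEN_PORTS: '[{"HTTP": 80},]'}}}}}).encode()
```

In a real deployment `review` would sit behind the HTTPS handler that the ValidatingAdmissionWebhook points at, with the TLS certificate mentioned above.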