node icon indicating copy to clipboard operation
node copied to clipboard
verified publisher icon akash-network

Communication between Ingress and Deployment's service doesn't work due to missing label

Open remeq opened this issue 3 years ago • 6 comments

Communication between Ingress and Deployment's service doesn't work due to missing label in ingress-nginx namespace.

Label missing is "app.kubernetes.io/name: ingress-nginx" in namespace "ingress-nginx". Without this label Network policy in deployment's namespace prevents nginx ingress controller to reach deployments service. See Network policy definition which requires the missing label:

$ kubectl get networkpolicy -n g5vkut532l4bgh37cucvkrneisob5u9g27i1n27t9hi12 -o yaml
apiVersion: v1
items:
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    creationTimestamp: "2022-03-14T15:51:58Z"
    generation: 1
    labels:
      akash.network: "true"
      akash.network/namespace: g5vkut532l4bgh37cucvkrneisob5u9g27i1n27t9hi12
    name: akash-deployment-restrictions
    namespace: g5vkut532l4bgh37cucvkrneisob5u9g27i1n27t9hi12
    resourceVersion: "10378340"
    uid: 50942c18-de1c-4d62-9464-1362c682d050
  spec:
    egress:
    - to:
      - namespaceSelector:
          matchLabels:
            akash.network/namespace: g5vkut532l4bgh37cucvkrneisob5u9g27i1n27t9hi12
    - ports:
      - port: 53
        protocol: UDP
      - port: 53
        protocol: TCP
      to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
          except:
          - 10.0.0.0/8
          - 192.168.0.0/16
          - 172.16.0.0/12
    ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            akash.network/namespace: g5vkut532l4bgh37cucvkrneisob5u9g27i1n27t9hi12
    - from:
      - namespaceSelector:
          matchLabels:
            app.kubernetes.io/name: ingress-nginx
        podSelector:
          matchLabels:
            app.kubernetes.io/name: ingress-nginx
    podSelector: {}
    policyTypes:
    - Ingress
    - Egress
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

remeq avatar Mar 14 '22 16:03 remeq

Hi @remeq how did you create the namespaces?

In the doc they have the proper labels https://github.com/ovrclk/helm-charts/#create-namespace

arno01 avatar Mar 14 '22 20:03 arno01

Hi @remeq how did you create the namespaces?

In the doc they have the proper labels https://github.com/ovrclk/helm-charts/#create-namespace

You are right that in the doc this is properly described. I installed it via script provided by Akash Docs here: https://docs.akash.network/operations/provider

So apparently the script in the docs should be fixed.

remeq avatar Mar 14 '22 22:03 remeq

@remeq the doc's got the correct labels there for a long time (at least 14 months from today)

Doc https://docs.akash.network/operations/provider/kubernetes-cluster#step-10-ingress-controller

wget https://raw.githubusercontent.com/ovrclk/akash/mainnet/main/_run/ingress-nginx.yaml
kubectl apply -f ./ingress-nginx.yaml

https://github.com/ovrclk/akash/blob/3e9eead7f/_run/ingress-nginx.yaml#L7-L8

It could be that you have created ingress-nginx namespace without the labels before applying that mainifest file?

Or, were you following an other doc than I'm looking at?

arno01 avatar Mar 15 '22 09:03 arno01

@arno01 please check Quick start guide. Click "Already have a Kubernetes cluster? Start here!" link. That script doesn't have it

remeq avatar Mar 15 '22 10:03 remeq

@arno01 please check Quick start guide. Click "Already have a Kubernetes cluster? Start here!" link. That script doesn't have it

Good catch! I've informed Scott, he'll update that doc soon.

arno01 avatar Mar 15 '22 18:03 arno01

@arno01 is this resolved now?

hydrogen18 avatar May 03 '22 15:05 hydrogen18