EKS / AWS NLB Ingress does not work with a proxy

Issue

During the cluster installation, I am not able to get access to the Operations Center in my EKS cluster.

After following the setup instructions shown here and reviewing the Load Balancer (LB) settings in the AWS console, I found that the certificate provided in the values file was not showing in the LB.

Additionally, when reviewing the logs for the load balancer pod, there were errors like the one shown below:

[error] 91#91: *353 broken header: g9��Z��%�_���9��8��y�;v�D�C��<�n�/�+�0�,��'g�(k�$��
����jih9876�2�.�*�&���=" while reading PROXY protocol, client:

Environment

Resolution

Review our ingress controller installation guide and ensure that you are using a CLB load balancer.

The problem is most likely that an NLB L4 load balancer has been configured instead of a CLB L4 load balancer. This affects the product's behavior because:

  • The Proxy Protocol cannot currently be configured from k8s for an NLB using the annotation service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" (see https://github.com/kubernetes/kubernetes/issues/57250).

  • NLB TLS support arrived later in AWS and was added in version 1.15.x of k8s. At the time of writing, EKS 1.15.x is not GA, so it is not possible to use the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with an NLB.
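
The following is an added illustration, not part of the original article or of the product's code. It shows why a listener that expects a PROXY protocol header reports a broken header when the connection starts with raw TLS bytes, which is what the binary data in the log line above is consistent with. The function names and sample bytes are constructed for this example.

```python
import ipaddress

PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature

# Constructed samples: start of a TLS ClientHello, and a PROXY v1 line followed by one.
TLS_HELLO = bytes.fromhex("1603010200010001fc0303") + bytes(32)
PROXY_V1 = b"PROXY TCP4 198.51.100.7 10.0.1.20 51234 443\r\n" + TLS_HELLO


def classify_first_bytes(data: bytes) -> str:
    """Say what the first bytes of a new connection look like."""
    if data.startswith(PROXY_V2_SIG):
        return "proxy-v2"
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    # TLS record type 0x16 (handshake), major version 0x03, handshake type 0x01
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    return "unknown"


def parse_proxy_v1(data: bytes) -> dict:
    """Parse a PROXY v1 line; raise ValueError on anything else (a 'broken header')."""
    end = data.find(b"\r\n")
    # A v1 line is at most 107 bytes including CRLF, so the CR sits at index <= 105.
    if not data.startswith(b"PROXY ") or end == -1 or end > 105:
        raise ValueError("broken header while reading PROXY protocol")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported or malformed PROXY v1 line")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    return {"src": str(src), "dst": str(dst), "src_port": int(fields[4]),
            "dst_port": int(fields[5]), "payload": data[end + 2:]}


def diagnose(data: bytes, listener_expects_proxy: bool) -> str:
    """Compare what the load balancer sent with what the listener is set to expect."""
    kind = classify_first_bytes(data)
    sends_proxy = kind.startswith("proxy-")
    if listener_expects_proxy != sends_proxy:
        return f"mismatch: listener_expects_proxy={listener_expects_proxy}, received {kind}"
    return f"ok: received {kind}"


if __name__ == "__main__":
    print(diagnose(TLS_HELLO, True))  # listener expects PROXY, LB forwards raw TLS
    print(diagnose(PROXY_V1, True))   # listener expects PROXY, LB sends the header
```
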

Tested product/plugin versions
