Score:0

AWS EKS Ingress Timeout On Any Non-Root Path

We have configured an Ingress resource on our EKS cluster with rewrites from /.* on the load balancer to the matching URI upstream. If we visit staging.my-domain.com/, we see a successful health-check response as expected. However, any other url, e.g. /api/, results in a timeout from the load balancer. Below is the configuration. (SSL is disabled for now while we get it figured out). Any help would be appreciated!

```yaml
# Ingress Controller: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/deploy/installation/
# YAML: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/alb-ingress.md
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    external-dns.alpha.kubernetes.io/hostname: staging.my-domain.com
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: nlx-api
spec:
  rules:
  - host: staging.my-domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: our-api
            port:
              number: 80
---
apiVersion: v1
kind: Service
metadata:
  name: our-api
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  type: LoadBalancer
  selector:
    app: our-api
```
Score:0

It looks like your Rewrite Target is wrong. Look at this general example from the documentation:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: rewrite
  namespace: default
spec:
  rules:
  - host: rewrite.bar.com
    http:
      paths:
      - path: /something(/|$)(.*)
        # regex path: Prefix and Exact match literally
        pathType: ImplementationSpecific
        backend:
          service:  # networking.k8s.io/v1 backend syntax
            name: http-svc
            port:
              number: 80
```

In this ingress definition, any characters captured by (.*) will be assigned to the placeholder $2, which is then used as a parameter in the rewrite-target annotation. For example, the ingress definition above will result in the following rewrites:

  • rewrite.bar.com/something rewrites to rewrite.bar.com/
  • rewrite.bar.com/something/ rewrites to rewrite.bar.com/
  • rewrite.bar.com/something/new rewrites to rewrite.bar.com/new

In your situation, if you try to access staging.my-domain.com/, you are rewritten to the same address. Everything is fine. But you can rewrite only this address. You should change your manifest like this:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    external-dns.alpha.kubernetes.io/hostname: staging.my-domain.com
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
  name: nlx-api
spec:
  rules:
  - host: staging.my-domain.com
    http:
      paths:
      - path: /(.*)
        pathType: Prefix
        backend:
          service:
            name: our-api
            port:
              number: 80
```

In this situation, any characters captured by (.*) will be assigned to the placeholder $1 (this is the first capture group), which is then used as a parameter in the rewrite-target annotation.

DragonBobZ
Hm, I have actually used this configuration as part of the troubleshooting before and just tried it again. It says: `Failed build model due to ingress: our-namespace/our-api: prefix path shouldn't contain wildcards: /(.*)`
Mikołaj Głodziak
Try to add annotation `nginx.ingress.kubernetes.io/use-regex: "true"`. You can read more [here](https://kubernetes.github.io/ingress-nginx/user-guide/ingress-path-matching/#regular-expression-support). You can also see a description of [this bug](https://github.com/kubernetes/kubernetes/issues/41881). It looks like it still hasn't been fixed.
Score:0

This is the configuration that ended up working:

```yaml
# Ingress Controller: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/deploy/installation/
# YAML: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/alb-ingress.md
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]'
    external-dns.alpha.kubernetes.io/hostname: example.com
    nginx.ingress.kubernetes.io/rewrite-target: /$1 # this is where the problem was
  name: nlx-api
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: / # this was correct
        pathType: Prefix
        backend:
          service:
            name: nlx-api
            port:
              number: 80
```
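
Added example, not part of any post above and not code from either controller project: a Python lint over Ingress manifests (passed as dicts) that flags the two things this thread runs into. The first is annotations in a namespace other than the one the selected Ingress class reads (`nginx.ingress.kubernetes.io/*` keys are read by ingress-nginx, while class `alb` selects the AWS Load Balancer Controller and its `alb.ingress.kubernetes.io/*` keys); the second is regex metacharacters in a path whose `pathType` is a literal match. The finding codes, the `ingress()` helper and the sample dicts are constructed for illustration.

```python
import re

# Annotation namespace each controller reads (only the two on this page).
CLASS_PREFIX = {
    "alb": "alb.ingress.kubernetes.io/",
    "nginx": "nginx.ingress.kubernetes.io/",
}
REGEX_CHARS = re.compile(r"[()*|\[\]$^+?\\]")


def lint_ingress(ing):
    """Return (code, detail) findings for one Ingress given as a dict."""
    findings = []
    ann = ing.get("metadata", {}).get("annotations") or {}
    spec = ing.get("spec", {})
    cls = spec.get("ingressClassName") or ann.get("kubernetes.io/ingress.class")
    own = CLASS_PREFIX.get(cls)
    for key in ann:
        foreign = [p for p in CLASS_PREFIX.values() if p != own and key.startswith(p)]
        if own and foreign:
            findings.append(("foreign-annotation", key))
    for rule in spec.get("rules", []):
        for p in rule.get("http", {}).get("paths", []):
            path = p.get("path", "")
            if p.get("pathType") in ("Prefix", "Exact") and REGEX_CHARS.search(path):
                findings.append(("regex-in-literal-path", path))
    return findings


def ingress(annotations, path):
    """Build a constructed Ingress dict shaped like the manifests on this page."""
    backend = {"service": {"name": "our-api", "port": {"number": 80}}}
    return {
        "kind": "Ingress",
        "metadata": {"name": "nlx-api", "annotations": annotations},
        "spec": {"rules": [{"host": "staging.my-domain.com", "http": {
            "paths": [{"path": path, "pathType": "Prefix", "backend": backend}]}}]},
    }


# Constructed samples: the question's annotations, and the answer's /(.*) path.
QUESTION = ingress({
    "kubernetes.io/ingress.class": "alb",
    "alb.ingress.kubernetes.io/scheme": "internet-facing",
    "nginx.ingress.kubernetes.io/ssl-redirect": "false",
    "nginx.ingress.kubernetes.io/rewrite-target": "/",
}, "/")
ANSWER = ingress({**QUESTION["metadata"]["annotations"],
                  "nginx.ingress.kubernetes.io/rewrite-target": "/$1"}, "/(.*)")
```

Running `lint_ingress` on each sample in CI before `kubectl apply` surfaces annotations the selected controller will not act on, which matters most when one of them is assumed to enforce something such as an SSL redirect.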