haproxy for k8s api server returns PR_END_OF_FILE_ERROR

Question

I'm setting up haproxy for k8s api servers. The configuration for haproxy is:

frontend k8s-https
    log /dev/log local0 debug
    option tcplog
    bind 0.0.0.0:8443
    mode tcp
    default_backend k8s-https

backend k8s-https
    mode tcp
    balance roundrobin
    server master-1 192.168.59.101:6443 check
    server master-2 192.168.59.102:6443 check
    server master-3 192.168.59.103:6443 check

When I curl port 6443, the api server response:

$ curl -1 -vvv -k https://192.168.59.101:6443/
* About to connect() to 192.168.59.101 port 6443 (#0)
*   Trying 192.168.59.101...
* Connected to 192.168.59.101 (192.168.59.101) port 6443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN=kube-apiserver,OU=Admin,O=Kubernetes,L=Beijing,ST=Bejing,C=CN
*   start date: May 21 05:01:00 2019 GMT
*   expire date: Apr 27 05:01:00 2119 GMT
*   common name: kube-apiserver
*   issuer: CN=Kubernetes,OU=CA,O=Kubernetes,L=Beijing,ST=Bejing,C=CN
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.59.101:6443
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Content-Type: application/json
< X-Content-Type-Options: nosniff
< Date: Tue, 21 May 2019 11:05:54 GMT
< Content-Length: 233
< 
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
* Connection #0 to host 192.168.59.101 left intact
}

However, If I access the api through port 8443 (which the haproxy is listening on), it gives end of file error

$ curl -1 -vvv -k https://192.168.59.101:8443/
* About to connect() to 192.168.59.101 port 8443 (#0)
*   Trying 192.168.59.101...
* Connected to 192.168.59.101 (192.168.59.101) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file

Why the haproxy does not work?

score 0 · Answer 1 · answered May 21 '19 at 11:21

0

Finally I figure out that the issue is caused by centos 7's default SELinux policy, by temporary disable it with sudo setenforce 0, it works.

answered May 21 '19 at 11:21

cgcgbcbc

469
1
4
9

haproxy for k8s api server returns PR_END_OF_FILE_ERROR

1 Answers1