Open tao12345666333 opened 9 months ago
KIC got the 413 response from Gateway.
2024/02/06 07:46:00 [error] 1286#0: *641 client intended to send too large body: 19907571 bytes, client: 10.244.2.2, server: kong_admin, request: "POST /config?check_hash=1&flatten_errors=1 HTTP/2.0", host: "10.244.1.10:8444"
10.244.2.2 - - [06/Feb/2024:07:46:00 +0000] "POST /config?check_hash=1&flatten_errors=1 HTTP/2.0" 413 148 "-" "Go-http-client/2.0"
10.244.2.2 - - [06/Feb/2024:07:46:04 +0000] "GET /status HTTP/2.0" 200 1183 "-" "Go-http-client/2.0"
10.244.2.2 - - [06/Feb/2024:07:46:07 +0000] "GET /status HTTP/2.0" 200 1183 "-" "Go-http-client/2.0"
2024/02/06 07:46:17 [error] 1286#0: *641 client intended to send too large body: 19907571 bytes, client: 10.244.2.2, server: kong_admin, request: "POST /config?check_hash=1&flatten_errors=1 HTTP/2.0", host: "10.244.1.10:8444"
10.244.2.2 - - [06/Feb/2024:07:46:17 +0000] "POST /config?check_hash=1&flatten_errors=1 HTTP/2.0" 413 148 "-" "Go-http-client/2.0"
10.244.2.2 - - [06/Feb/2024:07:46:17 +0000] "GET /status HTTP/2.0" 200 1183 "-" "Go-http-client/2.0"
10.244.2.2 - - [06/Feb/2024:07:46:21 +0000] "GET /status HTTP/2.0" 200 1183 "-" "Go-http-client/2.0"
10.244.2.2 - - [06/Feb/2024:07:46:27 +0000] "GET /status HTTP/2.0" 200 1183 "-" "Go-http-client/2.0"
2024/02/06 07:46:34 [error] 1286#0: *641 client intended to send too large body: 19907571 bytes, client: 10.244.2.2, server: kong_admin, request: "POST /config?check_hash=1&flatten_errors=1 HTTP/2.0", host: "10.244.1.10:8444"
2024-02-06T06:53:07Z error admission-server Failed to fetch consumer from kong {"error": "making HTTP request: Get \"https://10.244.1.5:8444/consumers/consumer-key-auth-name-9480\": dial tcp 10.244.1.5:8444: connect: connection refused"}
2024-02-06T06:53:07Z error admission-server Failed to run validation {"error": "making HTTP request: Get \"https://10.244.1.5:8444/consumers/consumer-key-auth-name-9480\": dial tcp 10.244.1.5:8444: connect: connection refused"}
2024-02-06T06:53:07Z error admission-server Failed to run validation {"error": "making HTTP request: Post \"https://10.244.1.5:8444/schemas/plugins/validate\": dial tcp 10.244.1.5:8444: connect: connection refused"}
2024-02-06T06:53:07Z error admission-server Failed to fetch consumer from kong {"error": "making HTTP request: Get \"https://10.244.1.5:8444/consumers/consumer-key-auth-name-9481\": dial tcp 10.244.1.5:8444: connect: connection refused"}
2024-02-06T06:53:07Z error admission-server Failed to run validation {"error": "making HTTP request: Get \"https://10.244.1.5:8444/consumers/consumer-key-auth-name-9481\": dial tcp 10.244.1.5:8444: connect: connection refused"}
2024-02-06T06:53:07Z error admission-server Failed to run validation {"error": "making HTTP request: Post \"https://10.244.1.5:8444/schemas/plugins/validate\": dial tcp 10.244.1.5:8444: connect: connection refused"}
2024-02-06T06:53:07Z error admission-server Failed to fetch consumer from kong {"error": "making HTTP request: Get \"https://10.244.1.5:8444/consumers/consumer-key-auth-name-9482\": dial tcp 10.244.1.5:8444: connect: connection refused"}
2024-02-06T06:53:07Z error admission-server Failed to run validation {"error": "making HTTP request: Get \"https://10.244.1.5:8444/consumers/consumer-key-auth-name-9482\": dial tcp 10.244.1.5:8444: connect: connection refused"}
2024-02-06T06:53:08Z error admission-server Failed to run validation {"error": "making HTTP request: Post \"https://10.244.1.5:8444/schemas/plugins/validate\": dial tcp 10.244.1.5:8444: connect: connection refused"}
2024-02-06T06:53:08Z error admission-server Failed to fetch consumer from kong {"error": "making HTTP request: Get \"https://10.244.1.5:8444/consumers/consumer-key-auth-name-9483\": dial tcp 10.244.1.5:8444: connect: connection refused"}
2024-02-06T06:53:08Z error admission-server Failed to run validation {"error": "making HTTP request: Get \"https://10.244.1.5:8444/consumers/consumer-key-auth-name-9483\": dial tcp 10.244.1.5:8444: connect: connection refused"}
2024-02-06T06:53:08Z error admission-server Failed to run validation {"error": "making HTTP request: Post \"https://10.244.1.5:8444/schemas/plugins/validate\": dial tcp 10.244.1.5:8444: connect: connection refused"}
2024-02-06T06:53:08Z error admission-server Failed to fetch consumer from kong {"error": "making HTTP request: Get \"https://10.244.1.5:8444/consumers/consumer-key-auth-name-9484\": dial tcp 10.244.1.5:8444: connect: connection refused"}
2024-02-06T06:53:08Z error admission-server Failed to run validation {"error": "making HTTP request: Get \"https://10.244.1.5:8444/consumers/consumer-key-auth-name-9484\": dial tcp 10.244.1.5:8444: connect: connection refused"}
2024-02-06T06:53:08Z info controllers.KongAdminAPIService Reconciling Admin API EndpointSlice {"v": 0, "namespace": "kong", "name": "kong-gateway-admin-648qw"}
2024-02-06T06:53:10Z info controllers.KongAdminAPIService Reconciling Admin API EndpointSlice {"v": 0, "namespace": "kong", "name": "kong-gateway-admin-648qw"}
2024-02-06T06:53:37Z error Exceeded Kong API timeout, consider increasing --proxy-timeout-seconds {"url": "https://10.244.1.5:8444"}
2024-02-06T06:53:52Z info Successfully synced configuration to Kong {"url": "https://10.244.1.7:8444", "update_strategy": "InMemory", "v": 0}
2024-02-06T06:53:52Z error dataplane-synchronizer Could not update kong admin {"error": "performing update for https://10.244.1.5:8444 failed: failed posting new config to /config: making HTTP request: Post \"https://10.244.1.5:8444/config?check_hash=1&flatten_errors=1\": context deadline exceeded"}
This error is caused by the abnormal exit of Kong Gateway and the creation of a new Pod.
KIC will automatically coordinate the endpoints of Kong admin API.
$ kubectl -n kong get pods
NAME READY STATUS RESTARTS AGE
kong-controller-69b6d7865-rqdcx 1/1 Running 0 114m
kong-gateway-f849f9c59-2p4l6 0/1 Completed 0 61m
kong-gateway-f849f9c59-bdwzb 0/1 Completed 0 66m
kong-gateway-f849f9c59-jz5cf 0/1 Completed 0 64m
kong-gateway-f849f9c59-n4mwj 0/1 ContainerStatusUnknown 1 57m
kong-gateway-f849f9c59-sn85g 1/1 Running 0 33m
10.244.2.2 - - [06/Feb/2024:10:47:29 +0000] "POST /schemas/routes/validate HTTP/2.0" 200 42 "-" "Go-http-client/2.0"
10.244.2.2 - - [06/Feb/2024:10:47:30 +0000] "POST /schemas/plugins/validate HTTP/2.0" 200 42 "-" "Go-http-client/2.0"
10.244.2.2 - - [06/Feb/2024:10:47:30 +0000] "GET /consumers/consumer-key-auth-name-52742 HTTP/2.0" 404 23 "-" "Go-http-client/2.0"
10.244.2.2 - - [06/Feb/2024:10:47:30 +0000] "POST /schemas/routes/validate HTTP/2.0" 200 42 "-" "Go-http-client/2.0"
10.244.2.2 - - [06/Feb/2024:10:47:30 +0000] "POST /schemas/plugins/validate HTTP/2.0" 200 42 "-" "Go-http-client/2.0"
2024/02/06 10:47:30 [warn] 1285#0: *153 [lua] traditional.lua:1521: new(): the 'nginx_http_lua_regex_cache_max_entries' setting is set to 8192 but there are 15112 regex paths configured. This may lead to performance issue due to regex cache trashing. Consider increasing the 'nginx_http_lua_regex_cache_max_entries' to at least 30224, context: ngx.timer
10.244.2.2 - - [06/Feb/2024:10:47:30 +0000] "GET /consumers/consumer-key-auth-name-52743 HTTP/2.0" 404 23 "-" "Go-http-client/2.0"
10.244.2.2 - - [06/Feb/2024:10:47:31 +0000] "POST /schemas/routes/validate HTTP/2.0" 200 42 "-" "Go-http-client/2.0"
10.244.2.2 - - [06/Feb/2024:10:47:31 +0000] "POST /schemas/plugins/validate HTTP/2.0" 200 42 "-" "Go-http-client/2.0"
2024/02/06 10:47:31 [notice] 1285#0: *153 [lua] init.lua:259: purge(): [DB cache] purging (local) cache, context: ngx.timer
2024/02/06 10:47:31 [notice] 1285#0: *153 [lua] init.lua:259: purge(): [DB cache] purging (local) cache, context: ngx.timer
10.244.2.2 - - [06/Feb/2024:10:47:31 +0000] "GET /status HTTP/2.0" 200 1177 "-" "Go-http-client/2.0"
When there are nearly 120,000 resources in the cluster, query requests take some time. In my testing environment, I found that in this scenario, admission erroneously denied a series of creation requests for kongconsumer, resulting in a series of consumers unable to be created successfully.
ingress.networking.k8s.io/test-ingress-39999 created
kongplugin.configuration.konghq.com/auth-plugin-39999 created
secret/consumer-key-auth-secret-39999 created
Error from server: error when creating "30000.yaml": admission webhook "validations.kong.konghq.com" denied the request: consumer referenced non-existent credentials secret:
Secret "consumer-key-auth-secret-30000" not found
Error from server: error when creating "30000.yaml": admission webhook "validations.kong.konghq.com" denied the request: consumer referenced non-existent credentials secret:
Secret "consumer-key-auth-secret-30001" not found
Error from server: error when creating "30000.yaml": admission webhook "validations.kong.konghq.com" denied the request: consumer referenced non-existent credentials secret:
Secret "consumer-key-auth-secret-30002" not found
In fact, the secret does exist.
$ time kubectl get secret consumer-key-auth-secret-30000
NAME TYPE DATA AGE
consumer-key-auth-secret-30000 Opaque 1 128m
real 2m48.831s
user 0m0.119s
sys 0m0.665s
Problem Statement
During the large-scale performance testing, I have discovered some issues. This issue is used for recording purposes.
I used 100,000 sets of resources for testing, each set containing one Ingress, one consumer, one plugin, and one secret. So in fact, besides the basic environment, I have created an additional 400,000 resources.
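A triage helper for the 413 rejections quoted in this issue, as an added example that is not part of the original report or of the Kong project's code: it groups the `client intended to send too large body` errors by client and path and reports the rejected body size, the gap between retries and the matching 413 access-log entries. The sample lines are copied from the logs on this page; the function name and report fields are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the Kong admin listener logs quoted on this page.
SAMPLE = """\
2024/02/06 07:46:00 [error] 1286#0: *641 client intended to send too large body: 19907571 bytes, client: 10.244.2.2, server: kong_admin, request: "POST /config?check_hash=1&flatten_errors=1 HTTP/2.0", host: "10.244.1.10:8444"
10.244.2.2 - - [06/Feb/2024:07:46:00 +0000] "POST /config?check_hash=1&flatten_errors=1 HTTP/2.0" 413 148 "-" "Go-http-client/2.0"
10.244.2.2 - - [06/Feb/2024:07:46:04 +0000] "GET /status HTTP/2.0" 200 1183 "-" "Go-http-client/2.0"
2024/02/06 07:46:17 [error] 1286#0: *641 client intended to send too large body: 19907571 bytes, client: 10.244.2.2, server: kong_admin, request: "POST /config?check_hash=1&flatten_errors=1 HTTP/2.0", host: "10.244.1.10:8444"
10.244.2.2 - - [06/Feb/2024:07:46:17 +0000] "POST /config?check_hash=1&flatten_errors=1 HTTP/2.0" 413 148 "-" "Go-http-client/2.0"
2024/02/06 07:46:34 [error] 1286#0: *641 client intended to send too large body: 19907571 bytes, client: 10.244.2.2, server: kong_admin, request: "POST /config?check_hash=1&flatten_errors=1 HTTP/2.0", host: "10.244.1.10:8444"
"""

# nginx error-log entry written when a request body exceeds the configured limit.
TOO_LARGE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] .*?'
    r'client intended to send too large body: (?P<size>\d+) bytes, '
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<method>\S+) (?P<target>\S+) ')
# Access-log entry in the format shown on the page.
ACCESS = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def summarize_rejections(log_text):
    """Group body-size rejections by (client, method, path without query)."""
    groups = defaultdict(lambda: {"times": [], "sizes": [], "servers": set(), "http_413": 0})
    for line in log_text.splitlines():
        if m := TOO_LARGE.match(line):
            g = groups[(m["client"], m["method"], m["target"].split("?")[0])]
            g["times"].append(datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"))
            g["sizes"].append(int(m["size"]))
            g["servers"].add(m["server"])
        elif (m := ACCESS.match(line)) and m["status"] == "413":
            groups[(m["client"], m["method"], m["target"].split("?")[0])]["http_413"] += 1
    report = {}
    for key, g in groups.items():
        t = sorted(g["times"])
        report[key] = {
            "servers": sorted(g["servers"]),
            "rejections": len(t),
            "max_body_bytes": max(g["sizes"], default=0),
            # Identical sizes mean the same oversized payload is being re-sent.
            "identical_payload": len(set(g["sizes"])) == 1,
            "retry_gaps_s": [(b - a).total_seconds() for a, b in zip(t, t[1:])],
            "http_413": g["http_413"],
        }
    return report
```
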