Search code examples
kubernetestraefik

Kubernetes Traefik 404 only for a specific service

On a Kubernetes Cluster I've tow different services exposed on HTTP port:

group-svc    ClusterIP   10.47.151.73    <none>        80/TCP    18m   app=group
tea-svc      ClusterIP   10.32.115.90    <none>        80/TCP    57m   app=tea

When I'm inside my Kubernetes cluster, I can request both services:

curl http://10.32.115.90/v1/app_update
> Server address: 100.64.0.190:8080
curl http://10.47.151.73/v1/app_update
> {"need_update":false}

After adding an Ingress using Traefik:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: group-ingress
spec:
  rules:
    - host: test.0ef12182-3a17-44c6-9c63-6a7fb1a188a2.nodes.k8s.fr-par.scw.cloud
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /group
            pathType: Prefix
            backend:
              service:
                name: group-svc
                port:
                  number: 80

When I'm requesting public endpoint:

curl http://test.0ef12182-3a17-44c6-9c63-6a7fb1a188a2.nodes.k8s.fr-par.scw.cloud/tea/v1/app_update
> Server address: 100.64.0.190:8080
curl http://test.0ef12182-3a17-44c6-9c63-6a7fb1a188a2.nodes.k8s.fr-par.scw.cloud/group/v1/app_update
> 404 Not Found

Why tea-svc service is correctly exposed but group-svc service still unreachable from public? I don't get the difference between this two services.

They have similar configurations:

apiVersion: v1
kind: Service
metadata:
  annotations:
    filter.by.port.name: "true"
    prometheus.io/scrape: "true"
  creationTimestamp: "2023-03-26T17:03:03Z"
  name: group-svc
  namespace: default
  resourceVersion: "27288648902"
  uid: 7a008c7a-de64-46ae-8897-40658c11741a
spec:
  clusterIP: 10.47.151.73
  clusterIPs:
  - 10.47.151.73
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: group
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

And

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2023-03-26T16:24:28Z"
  name: tea-svc
  namespace: default
  resourceVersion: "27288196141"
  uid: 6b5c382c-cde0-4f26-89ff-fc3b6317c47d
spec:
  clusterIP: 10.32.115.90
  clusterIPs:
  - 10.32.115.90
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: tea
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
Solution

  • It's solved. It was a misunderstanding of how path is working. Using this configuration is fine:

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: group-ingress
spec:
  rules:
    - host: test.0ef12182-3a17-44c6-9c63-6a7fb1a188a2.nodes.k8s.fr-par.scw.cloud
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: group-svc
                port:
                  number: 80

    Thought the path was the path of the host but this is the path of the service. tea-svc responding for any path, so it was working for this service. But group-svc responding only for specific path, so exposing his /group path targets a unexposed endpoint.