Container Service for Kubernetes: Troubleshoot ALB Ingress issues

Last Updated: Dec 16, 2025

Application Load Balancer (ALB) Ingress Controller manages and routes external traffic to services within a Kubernetes cluster. When you use an ALB Ingress to expose a service, ALB Ingress Controller monitors changes to the associated Endpoint resources. It continuously synchronizes the status of backend nodes to the corresponding backend server group and applies these changes to the ALB instance. This topic describes how to diagnose and resolve common issues and events that you may encounter while using the ALB Ingress.

How it works

When you access a service through an ALB Ingress, ALB Ingress Controller monitors changes to various resources and synchronizes the changes to the associated ALB instance. The synchronization may fail because of limitations or configuration errors. The following figure shows the logical relationships between different resources and the synchronization process.

[Figure: logical relationships between the resources and the synchronization process]

Step 1: View anomalous events

  • Using the console: In the left navigation pane, choose Network > Ingresses. Select the target namespace, click the name of the target Ingress, then click the Events tab.

  • Using kubectl:

    kubectl describe ingress <ingress-name> -n <namespace>

    Expected output:

    ...
    Events:
      Type     Reason                  Age                     From     Message
      ----     ------                  ----                    ----     -------
      Warning  FailedBuildModel        2m28s (x10 over 6m43s)  ingress  listener is not exist in alb, port: 443, protocol: HTTPS
      Normal   Sync                    19s (x32 over 11d)      ingress  Scheduled for sync
      Normal   SuccessfullyReconciled  4s (x20 over 11d)       ingress  Successfully reconciled

In the Description column or the Message field, you can find event information for the Ingress.
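When many Ingresses need checking, the Events table can be parsed instead of read by eye. The following is an added example, not part of the original documentation; it runs on a constructed copy of the output shown above and reports Warning events that the controller keeps repeating.

```python
import re

# Constructed sample mirroring the `kubectl describe ingress` output above.
SAMPLE_DESCRIBE = """\
Name:    demo-ingress
Events:
  Type     Reason                  Age                     From     Message
  ----     ------                  ----                    ----     -------
  Warning  FailedBuildModel        2m28s (x10 over 6m43s)  ingress  listener is not exist in alb, port: 443, protocol: HTTPS
  Normal   Sync                    19s (x32 over 11d)      ingress  Scheduled for sync
  Normal   SuccessfullyReconciled  4s (x20 over 11d)       ingress  Successfully reconciled
"""

# Age is either "5s" (seen once) or "2m28s (x10 over 6m43s)" (aggregated).
AGE_RE = re.compile(r"^(\S+)(?: \(x(\d+) over (\S+)\))?$")


def parse_events(describe_text):
    """Return one dict per row of the Events table."""
    lines = describe_text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("Events:")), None)
    if start is None:
        return []
    events = []
    for line in lines[start + 1:]:
        if not line.startswith(" "):  # a blank or top-level line ends the table
            break
        # Columns are separated by runs of 2+ spaces; Message is the 5th column.
        cols = re.split(r"\s{2,}", line.strip(), maxsplit=4)
        if len(cols) != 5 or cols[0] in ("Type", "----"):
            continue  # header, underline, or a wrapped continuation line
        age = AGE_RE.match(cols[2])
        events.append({
            "type": cols[0],
            "reason": cols[1],
            "last_seen": age.group(1) if age else cols[2],
            "count": int(age.group(2)) if age and age.group(2) else 1,
            "message": cols[4],
        })
    return events


def recurring_warnings(events, min_count=2):
    """Warnings repeated at least min_count times: the controller keeps failing."""
    return [e for e in events if e["type"] == "Warning" and e["count"] >= min_count]


if __name__ == "__main__":
    for e in recurring_warnings(parse_events(SAMPLE_DESCRIBE)):
        print(f'{e["reason"]} x{e["count"]} (last {e["last_seen"]}): {e["message"]}')
```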

Step 2: Analyze and resolve anomalous events

The following table describes common anomalous events, their causes, and solutions.

To prevent issues caused by incompatibilities between older versions of the ALB Ingress Controller and new features, we recommend upgrading the controller to the latest version before you begin troubleshooting.

Each entry below lists the event message, then its cause, then the solution.

listener does not exist in alb, port: 80, protocol: HTTP

In ALB Ingress Controller V2.11.0 and later, listeners for an Ingress are only associated, not automatically created. This error occurs if you use a listener in an Ingress without creating a corresponding listener in the AlbConfig.

If you are using ALB Ingress Controller V2.11.0 or later, create the required listener for the Ingress resource in the AlbConfig.

listener not found for (80/HTTP), with ingresses 1

In ALB Ingress Controller V2.11.0 and later, this error occurs if you remove a listener from an AlbConfig that is still associated with an Ingress. The error message shows the missing listener and the number of associated Ingresses.

To remove a listener, you must first remove all Ingresses associated with it.

Important

If you removed a listener by mistake, add it back.

no certificate found for host

TLS is enabled and certificate auto-discovery is active, but no matching certificate for this domain could be found in Certificate Management Service.

The param Rules.1.RuleConditions.2.PathConfig.Values.1 is illegal

The forwarding rule contains an invalid path parameter.

  • If you are using the rewrite annotation in your ALB manifest, set the pathType field to Prefix.

  • If you are not using the rewrite annotation, the problem is likely due to invalid characters in the path field.

    Note

    For non-regex path types, the path must start with / and can only contain letters, numbers, and the following special characters: dollar signs ($), plus signs (+), forward slashes (/), ampersands (&), tildes (~), at signs (@), underscores (_), hyphens (-), periods (.), and colons (:). The wildcard characters (*) and question marks (?) are also supported. Check your path value to ensure it conforms to these rules.

The param ServerGroupName is illegal

The name of the ALB backend server group is in an invalid format.

Make sure the server group is named in the correct format.

The server group name is generated in the namespace+ServiceName+port format. The name must be between 2 and 128 characters long and start with a letter, and may contain only numbers, periods (.), underscores (_), and hyphens (-).

The specified resource sgp-vz2fb219vv792flx3u is in use

The ACK-managed ALB backend server group is referenced by another ALB instance.

Log on to the ALB console. In the left navigation pane, choose ALB > Server Groups. On the Server Groups page, find the target backend server group and dissociate the ALB instance as needed.

Message: Invalid parameter. Check the parameter input.

This error often occurs when an incorrect certificate ID is configured for a certificate specified in an AlbConfig.

Verify that the certificate ID is a resource ID, not a numeric ID. You must use the certificate ID specified by CertIdentifier.

Message: Failed to create SSL Certificate with name default-https-secret-1-b585e6 ({namespace}-{name}-{identity}). Error: The certificate has expired.

The Secret certificate has expired. The certificate name in the error message consists of three parts: {namespace}-{name}-{identity}

  • {namespace}: The namespace where the Secret is located.

    Example: default.

  • {name}: The name of the Secret resource.

    Example: https-secret-1.

  • {identity}: The hash value of the Secret's content.

    Example: b585e6.

  1. Update the expired certificate configured in the secretName field of the Ingress. The new certificate must be valid for at least one day from the current date.

  2. Delete the secretName configuration from the Ingress and use certificate auto-discovery.

For more information, see Configure certificates for encrypted communication over HTTPS.

failed to createSSLCertificateWithName: XXX

ErrorCode: NameRepeat

Message: The name is already used. Please enter another name.

The Ingress uses a Secret certificate. After the certificate expires, if you upload a new certificate using an AlbConfig, the name of the expired certificate is reused. This causes the SSL certificate name to be duplicated.

invalid server group Cookie:

  • Cookie not configured

    This error occurs if session persistence is configured to rewrite a cookie (sticky-session-type: "Server") but no cookie value is specified. The following code provides an example of an incorrect configuration:

    ...
    alb.ingress.kubernetes.io/sticky-session: "true"
    alb.ingress.kubernetes.io/sticky-session-type: "Server"   
    alb.ingress.kubernetes.io/cookie-timeout: "1800"
    alb.ingress.kubernetes.io/cookie: "" # Cannot be empty

When you use the rewrite cookie method, you must configure a cookie value:

    ...
    alb.ingress.kubernetes.io/cookie: "test"

For parameter details, see Use annotations to implement session persistence.

  • The ALB Ingress Controller version is too old.

    In ALB Ingress Controller versions earlier than V2.15.0-aliyun.1, server group session persistence does not support custom cookies.

Upgrade the ALB Ingress Controller.

The quota of alb_quota_server_added_num is exceeded for resource eni-xxxx, usage 202/200

The alb_quota_server_added_num quota limit for ALB is reached. This is the maximum number of times that a backend server (IP address) can be added to ALB backend server groups.

Go to Quota Center to increase the server group quota.
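For the expired-certificate entry above, the certificate name in the event has to be mapped back to a Secret before it can be renewed. The following is an added example, not part of the original documentation. It assumes the identity hash contains no hyphen and that an inventory of (namespace, name) pairs is available. Because namespaces and Secret names can contain hyphens themselves, it can return more than one candidate.

```python
import re

CERT_MSG_RE = re.compile(r"Failed to create SSL Certificate with name (\S+)")

# Constructed sample: the event message quoted above, without the format hint.
SAMPLE_EVENT = ("Failed to create SSL Certificate with name "
                "default-https-secret-1-b585e6. Error: The certificate has expired.")


def resolve_secret(event_message, known_secrets):
    """Map the certificate name in the event back to candidate Secrets.

    known_secrets is an iterable of (namespace, name) pairs, for example built
    from `kubectl get secrets -A`. Namespaces and Secret names may themselves
    contain hyphens, so the name cannot be split on "-" alone. Assumption: the
    identity hash has no hyphen, so it is the last segment; the remainder is
    compared against every "{namespace}-{name}" in the inventory.
    Returns a list of (namespace, name, identity); more than one entry means
    the certificate name is ambiguous and both Secrets must be inspected.
    """
    m = CERT_MSG_RE.search(event_message)
    if not m:
        return []
    cert_name = m.group(1).rstrip(".,)")
    prefix, sep, identity = cert_name.rpartition("-")
    if not sep or not prefix:
        return []
    return [(ns, name, identity) for ns, name in known_secrets
            if f"{ns}-{name}" == prefix]


if __name__ == "__main__":
    inventory = [  # constructed inventory
        ("default", "https-secret-1"),
        ("default-https", "secret-1"),   # collides with the pair above
        ("kube-system", "https-secret-1"),
    ]
    for ns, name, ident in resolve_secret(SAMPLE_EVENT, inventory):
        print(f"check expiry of Secret {name!r} in namespace {ns!r} (identity {ident})")
```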

FAQ

What do I do if changes to an ALB Ingress do not take effect but no anomalous events are reported?

If reconciliation events related to the AlbConfig are not executed or change events are not processed successfully, the issue may be caused by an incorrect binding between the IngressClass and the AlbConfig. For more information, see Use an IngressClass to associate an AlbConfig with an Ingress. Verify that spec.parameters in the IngressClass references the name of the correct AlbConfig resource object.
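The binding check described above can be automated by walking the chain from Ingress to IngressClass to AlbConfig. The following is an added example, not part of the original documentation. The objects are constructed, the controller name and API group values are assumptions, and the Ingress is assumed to select its class through spec.ingressClassName.

```python
# Constructed objects, shaped like `kubectl get <kind> <name> -o json` output.
INGRESS = {"metadata": {"name": "demo", "namespace": "default"},
           "spec": {"ingressClassName": "alb"}}
INGRESS_CLASSES = [{
    "metadata": {"name": "alb"},
    "spec": {
        "controller": "ingress.k8s.alibabacloud/alb",  # assumed controller name
        "parameters": {"apiGroup": "alibabacloud.com",  # assumed API group
                       "kind": "AlbConfig", "name": "alb-demo"},
    },
}]
ALBCONFIG_NAMES = {"alb-demo"}  # constructed; names of existing AlbConfig objects


def check_binding(ingress, ingress_classes, albconfig_names):
    """Walk Ingress -> IngressClass -> AlbConfig; return the broken links."""
    class_name = ingress.get("spec", {}).get("ingressClassName")
    if not class_name:
        return ["Ingress sets no spec.ingressClassName"]
    ic = next((c for c in ingress_classes
               if c.get("metadata", {}).get("name") == class_name), None)
    if ic is None:
        return [f"IngressClass {class_name!r} not found"]
    params = ic.get("spec", {}).get("parameters") or {}
    problems = []
    if params.get("kind") != "AlbConfig":
        problems.append(f"IngressClass {class_name!r}: spec.parameters.kind is "
                        f"{params.get('kind')!r}, expected 'AlbConfig'")
    target = params.get("name")
    if target not in albconfig_names:
        problems.append(f"IngressClass {class_name!r}: spec.parameters.name "
                        f"{target!r} matches no AlbConfig {sorted(albconfig_names)}")
    return problems


if __name__ == "__main__":
    # A renamed AlbConfig leaves the IngressClass pointing at nothing.
    for problem in check_binding(INGRESS, INGRESS_CLASSES, {"alb-prod"}):
        print(problem)
```

An empty result means the chain is intact, so the cause of the missing events lies elsewhere.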