tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Tencent Kubernetes Engine
    Documentation
    Download PDF

    Common Service & Ingress Errors and Solutions

    Last updated: 2024-08-09 10:23:41
    Download PDF
      Kubernetes manages resources declaratively. Declarative APIs only require declaring a desired state, to make the system adjust itself to suit the state. However, declarative APIs also introduce new problems: inability to perceive the current state information of resources and insufficient understanding of task processes.
      To ensure the consistency of CLB instance configuration information, the entire Service/Ingress is synchronized as a whole resource. If there is any listener-level configuration error in a CLB-type Service/Ingress, it will cause the entire CLB synchronization to fail, and the problem will be reported as an Event for the user to handle. When Resource synchronization is correct, there will also be an Event update indicating the resource has been successfully synchronized.
      As the Service/Ingress resource offers services directly to users, any exception can lead to service unavailability, affecting service quality. This document describes the common causes of Service/Ingress errors and solutions.

      How to View the Error Messages of Service/Ingress Events?

      Through the Console
      Through the Command Line
      1. Log in to the Tencent Kubernetes Engine console, and select Cluster in the left sidebar.
      2. On the Cluster Management page, select the cluster ID for which you need to update the YAML to go to the page of basic cluster information.
      3. Select Service and Routing > Service or Ingress to go to the Service or Ingress information page.
      4. Click a specific Service or Ingress name.
      5. On the Event tab, you can view the event information of the current Service or Ingress. As shown below, you can view the Event error code of the current Service/Ingress.
      
      Note:
      Only resource events that occurred within the last 1 hour are saved. Check them as soon as possible.
      Obtain the Ingress resource exception list and error message:
      kubectl get event | grep ingress
      Obtain the Service resource exception list and error message:
      kubectl get event | grep service

      Causes of Service Event Errors and Solutions

      Error Code
      Description
      Solutions
      Potential Risk if not Corrected
      E4001
      TKE_QCSRoles authorization
      Log in to the CAM console, check TKE service account authorization, and re-add authorization. For details, see the description of role permissions related to service authorization.
      In the cluster dimension, components cannot operate properly.
      E4004
      The number of CLBs exceeds the upper limit.
      Submit a ticket to apply for a CLB quota.
      New resources have no traffic access.
      E4005
      There is an error in created CLB parameters.
      Check the created parameters: service.kubernetes.io/service.extensiveParameters. For details, see the description of service annotation.
      New resources have no traffic access.
      E4008
      Insufficient subnet IPs
      Three solutions:
      1. Replace the subnet with another subnet with enough IPs and create a subnet.
      2. Update the Service annotation and use a new subnet ID.
      3. Use the public network type CLB instead.
      New resources have no traffic access.
      E4009
      Overdue payment
      You need to top up your account.
      New resources have no traffic access.
      E4011
      An existing CLB does not exist.
      Log in to the CLB console, find the CLB instance under the same VPC as the current cluster, confirm the CLB ID, and use a real and valid CLB ID. For details, see the use of an existing CLB in a Service.
      New resources have no traffic access.
      E4012
      An existing CLB is a resource managed by another TKE.
      An existing CLB must have been created by the user on the CLB console. For details, see the use of an existing CLB in a Service.
      New resources have no traffic access.
      E4013
      An existing CLB is a resource used by another cluster.
      The cross-cluster use of a CLB is not supported. Use another CLB or delete this resource. For details, see the sharing of a CLB by multiple Services.
      New resources have no traffic access.
      E4014
      An existing CLB has a port conflict.
      Multiple Service declarations use the same port. Modify the port declaration of the Service with an error, and use another port to avoid the conflict. For details, see the use of an existing CLB in a Service.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4016
      The user has not enabled the sharing feature.
      Apply to enable Services' sharing capability. For details, see the sharing of a CLB by multiple Services.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4026
      The external configuration fails to be found.
      The user configuration is not blocked. For details, see the Service CLB configuration. There are two solutions:
      1. Delete the external configuration feature in the Service.
      2. Add a TkeServiceConfig resource with the corresponding name to the annotation.
      N/A
      E4033
      Direct connection is enabled, but no workload backend supports direct access.
      Use the ENI network mode for the workload, and disable HostNetwork. Delete the direct connection annotation, and use NodePort for access. For instructions on using direct Service connection, see the use of LoadBalancer to directly connect a Service in Pod mode.
      Backend updates may fail, causing possible interruption during the user's rolling updates.
      E4036
      Backend quadruplet conflict
      The quadruplet, including CLB VIP, listener protocol, backend IP and backend port, must remain unique. With CLB restrictions, the user needs to listen to multiple ports on the Pod and bind them separately to solve this problem.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4037
      The subnet does not exist.
      Three solutions:
      1. Replace the subnet with another subnet with enough IPs and create a subnet.
      2. Update the Service annotation and use a new subnet ID.
      3. Use the public network type CLB instead.
      New resources have no traffic access.
      E4062
      The certificate has expired.
      Add a new certificate to the certificate service and update the Secret resource content declared in the extension protocol annotation. Fill in the certificate ID according to the document format. For details, see the Service extension protocol.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4075
      In the cross-regional feature, the region ID is incorrect.
      Check the cross-regional annotation in the Service. For the region ID, see the regions and availability zones.
      New resources have no traffic access.

      Causes of Ingress Event Errors and Solutions

      Error Code
      Description
      Solutions
      Potential Risk if not Corrected
      E4003
      The number of CLBs has reached the upper limit.
      Submit a ticket to apply for a CLB quota.
      New resources have no traffic access.
      E4005
      The number of forwarding rules has reached the upper limit.
      Submit a ticket to apply for a CLB quota.
      New resources have no traffic access.
      E4008
      The TKE_QCSRole authorization has been deleted
      Log in to the CAM console, check TKE service account authorization, and re-add authorization. For details, see the description of role permissions related to service authorization.
      In the cluster dimension, components cannot operate properly.
      E4009
      The Secret name is not configured in the TLS field.
      If you need the forwarding rules of the HTTPS protocol, modify the TLS field in the Ingress and configure the certificate required for the HTTPS listener. For details, see the Ingress certificate configuration. If you do not need the forwarding rules of the HTTPS protocol, delete the TLS field and use the HTTP protocol for service exposure.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4010
      The Secret configured in the TLS field cannot be found.
      Create the Secret resource declared in the Ingress, and fill in the certificate ID according to the document format. For details, see the Ingress certificate configuration.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4011
      The Secret content configured in the TLS field is erroneous, with no certificate ID.
      Update the Secret resource content declared in the TLS, and fill in the certificate ID according to the document format. For details, see the Ingress certificate configuration.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4012
      Abnormal certificate status
      Add a new certificate to the certificate service and update the Secret resource content declared in TLS. Fill in the certificate ID according to the document format. For details, see the Ingress certificate configuration.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4018
      The specified existing CLB does not exist.
      Go to the CLB console to find the CLB instance under the same VPC as the current cluster, confirm the CLB ID, and use a real and valid CLB ID. For details, see the use of an existing CLB in an Ingress.
      New resources have no traffic access.
      E4019
      The specified existing CLB has been created by TKE.
      The existing CLB must have been created by the user on the CLB Console. For details, see the use of an existing CLB in an Ingress.
      New resources have no traffic access.
      E4020
      The specified existing CLB is used by another Ingress
      The existing CLB must have been created by the user on the CLB Console. For details, see the use of an existing CLB in an Ingress.
      New resources have no traffic access.
      E4021
      The specified existing CLB listener has not been emptied.
      Log in to the CLB console, and remove all listeners of this CLB.
      New resources have no traffic access.
      E4022
      The annotation format of kubernetes.io/ingress.http-rules is incorrect.
      Refer to the description of Ingress annotations to confirm if the annotation content is valid. It is recommended to use the console to update the resources.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4023
      The annotation format of kubernetes.io/ingress.https-rules is incorrect.
      Refer to the description of Ingress annotations to confirm if the annotation content is valid. It is recommended to use the console to update the resources.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4027
      Overdue payment for account
      You need to top up your account.
      New resources have no traffic access.
      E4031
      Forwarding rules contain invalid characters.
      Modify the Rule field of forwarding rules. The CLB forwarding path does not support regular expressions.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4034
      The Host field of the IPv6 CLB is not declared. (Host is not required for IPv4, and it is VIP by default, which is not supported by IPv6)
      Complete all Host fields in the Ingress, with no blank left.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4035
      Incorrect certificate ID format
      Update the Secret resource content declared in TLS, and fill in the certificate ID according to the document format. For details, see the Ingress certificate configuration.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4039
      The certificate has expired.
      Add a new certificate to the certificate service and update the Secret resource content declared in TLS. Fill in the certificate ID according to the document format. For details, see the renewal of a TKE Ingress certificate.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4040
      The Ingress contains a domain name with the corresponding certificate not declared.
      Modify the TLS field and configure the certificate required for the HTTPS listener. For details, see the Ingress certificate configuration.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4041
      The Service specified by forwarding rules in the Ingress does not exist.
      If your Service indeed does not exist, you need to delete the forwarding rules in the Ingress that use the Service. If you need to use the Service, create a Service resource with the same name in the namespace as the Ingress.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4042
      The Service specified by forwarding rules in the Ingress does not have a corresponding forwarding port.
      If your Service does not have such a port, you need to delete the forwarding rules in the Ingress that use the Service. If the problem involves port configuration, a port update is required.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4043
      The TkeServiceConfig resource specified in the Ingress does not exist.
      Does not block user configuration. For details, see the use of TKEServiceConfig to configure CLBs in an Ingress. There are two solutions: delete the external configuration feature annotation in the Service, and add the TKEServiceConfig resource with the corresponding name.
      N/A
      E4044
      Invalid kubernetes.io/ingress.rule-mix value
      Change it to true or false. For details, see the mixed use of HTTP and HTTPS protocols in an Ingress.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4046
      Resource bandwidth annotation configuration error, format error or bandwidth range error
      Valid bandwidth values: 1-2048
      New resources have no traffic access.
      E4047
      In the Ingress, the Service specified by forwarding rules is of the ClusterIP type and has no forwarding port access.
      Modify the Service with an error to the NodePort type.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4048
      The Ingress contains a domain name with multiple default certificates declared.
      Multiple Secrets with no Host configuration are declared in the TLS field. Delete them until only one remains.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4049
      The Ingress contains a fixed domain name with multiple certificates declared.
      Multiple Secrets are declared for a domain in the TLS field. Delete them until only one remains.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4051
      The configuration generated automatically by the system is specified for the user's manual external configuration.
      For details, see the use of TKEServiceConfig to configure CLBs in an Ingress. Use a resource with a different name instead.
      N/A
      E4052
      The domain name specified by forwarding rules in the Ingress does not meet the regular expression requirements.
      Check and correct the erroneous domain name. Common errors include domain names without a ''.'', such as Host: test, and domain names with any uppercase letter, such as Host: Test.com. Regular expression: (\\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)+
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4053
      Unable to create a CLB due to the exhaustion of subnet IPs
      Three solutions:
      1. Replace the subnet with another subnet with enough IPs and create a subnet.
      2. Update the Service annotation and use a new subnet ID.
      3. Use the public network type CLB instead.
      New resources have no traffic access.
      E4054
      The number of backends has reached the upper limit.
      Submit a ticket to apply for a CLB backend quota.
      Backend updates may fail, causing possible interruption during the user's rolling updates.
      E4055
      Unable to create a CLB due to the absence of the subnet or a format error
      Three solutions:
      1. Replace the subnet with another subnet with enough IPs and create a subnet.
      2. Update the Service annotation and use a new subnet ID.
      3. Use the public network type CLB instead.
      New resources have no traffic access.
      E4060
      Unable to enable the SNAT Pro feature for the user due to no granting of allowlist authorization to the account
      Submit a ticket to apply for the granting of allowlist authorization to enable the SNAT Pro capability for the CLB.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4066
      The cluster initialization failed, and CRD cannot be created.
      There is a problem with the user cluster. It is necessary to submit a ticket.
      In the cluster dimension, components cannot operate properly.
      E4068
      The automatic redirection rules conflict with other user-declared rules.
      When the automatic redirection feature is used, it is recommended not to declare other forwarding rules. For details, see the Ingress redirection.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4071
      Cross-regional configuration error: the CLB's VPC and the current cluster's VPC are not in the same CCN.
      Use the CCN to associate two VPCs and replace VPCs in other CCNs. For details, see the cross-regional binding for an Ingress.
      New resources have no traffic access.
      E4074
      Overdue payment for a node may cause backend binding failure.
      The CLB's backend binding problem may be due to node blockage.
      Backend updates may fail, causing possible interruption during the user's rolling updates.
      E4081
      The annotation format of kubernetes.io/ingress.https-rules is incorrect (configuration conflict).
      It is recommended to modify the configuration through the console. For details, see the description of Ingress annotations.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4082
      The NoSelector Service does not support binding. In direct connection scenarios, the Ingress declares the use of similar resources.
      The backend of the NoSelector Service does not support direct access, so NodePort needs to be used instead.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4084
      Under cross-regional binding solution 1.0, the SNAT Pro feature cannot be used.
      The technical solution needs to be adjusted due to system limitations.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      E4098
      The CLB ID format of the specified existing CLB is incorrect.
      Log in to the CLB console, find the CLB instance under the same VPC as the current cluster, confirm the CLB ID, and use a real and valid CLB ID. For details, see the use of an existing CLB in an Ingress.
      New resources have no traffic access.
      E4101
      The listener of the specified existing CLB has a conflict.
      Check if port 80/443 is already occupied by other resources.
      Resource synchronization is blocked. The user's update may cause the CLB backend to fail to be updated properly.
      
      
      
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy