
EKS Load Balancer HTTPS Configuration Problem: Frontend Service Unreachable on Port 443

Fixing HTTPS Access for Your EKS Web App

Let's walk through why your browser can't access the app over 443 even though the load balancer shows it's listening, and fix it up step by step.

First off, I notice you're using both a LoadBalancer Service and an ALB Ingress—this creates two separate AWS load balancers, which is almost certainly where the confusion and issue are coming from. Let's break down the problems and fix them with two clear approaches.

Option 1: Use the ALB Ingress (Recommended)

Ingress is the better choice here because it gives you more control over routing, SSL management, and traffic rules. Here's what to adjust:

Step 1: Update the Service to ClusterIP

Your LoadBalancer Service is spinning up an extra ELB we don't need. Switch it to ClusterIP so it only handles internal traffic within EKS:

apiVersion: v1
kind: Service
metadata:
  name: hello-kubernetes
  # Remove the AWS LB SSL annotations—we'll handle SSL via Ingress
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    app: hello-kubernetes

Step 2: Fix the Ingress Configuration

Your current Ingress enables port 443 but doesn't attach an SSL certificate—this is why browsers throw errors when trying to connect. Add your ACM certificate ARN, and optionally enable HTTP-to-HTTPS redirects for a better user experience:

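# extensions/v1beta1 Ingress is no longer served as of Kubernetes 1.22;
# newer clusters need networking.k8s.io/v1, which uses a different backend schema.
apiVersion: extensions/v1beta1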
kind: Ingress
metadata:
  name: hello-ingress
  annotations:
    kubernetes.io/ingress.class: "alb"
    alb.ingress.kubernetes.io/healthcheck-path: "/"
    alb.ingress.kubernetes.io/success-codes: "200,404"
    alb.ingress.kubernetes.io/scheme: "internet-facing"
    # The value must be valid JSON; inside YAML single quotes the double quotes are not escaped
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    # Attach your ACM certificate here
    alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:us-west-2:1234567890:certificate/12345c409-ec32-41a8-8542-712345678"
    # Optional: Redirect all HTTP traffic to HTTPS
    alb.ingress.kubernetes.io/ssl-redirect: "443"
spec:
  rules:
    - http:
        paths:
          - path: /
            backend:
              serviceName: hello-kubernetes
              servicePort: 80

Step 3: Apply Changes and Verify

Run these commands to update your Kubernetes resources:

kubectl apply -f service.yaml
kubectl apply -f ingress.yaml

Then get the Ingress's ALB hostname and test it in your browser:

kubectl get ingress hello-ingress

Visit https://<your-alb-hostname>—it should load your app without issues now.

Option 2: Stick with LoadBalancer Service (Less Flexible)

If you prefer using the Service's ELB instead of Ingress, here's what to check and fix:

  • Check Security Groups: Ensure the ELB's security group allows inbound HTTPS (443) traffic from your browser's IP (or 0.0.0.0/0 for public access).
  • Add Health Check Annotations: The ELB might not recognize your pods as healthy. Add these annotations to your Service to fix that:
    metadata:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:1234567890:certificate/12345c409-ec32-41a8-8542-712345678
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
        # Add health check config
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: "/"
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "80"
    
  • Confirm the Right LB Address: Make sure you're accessing the ELB hostname from the LoadBalancer Service, not the Ingress's ALB. Get it with:
    kubectl get service hello-kubernetes
    

Critical Note

Never use both a LoadBalancer Service and ALB Ingress together—it wastes AWS resources and creates confusion about which load balancer you should be accessing. Pick one approach and stick with it.
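
The faults described above (an HTTPS listener with no certificate, a listen-ports value that is not valid JSON, and a LoadBalancer Service sitting behind an ALB Ingress) can be checked before applying the manifests. The following is an added example, not part of the original answer: the `lint` function, the sample objects and the placeholder certificate ARN are all constructed for illustration, and the input is assumed to be shaped like `kubectl get <kind> -o json` output.

```python
import json

ALB = "alb.ingress.kubernetes.io/"

def lint(ingress, services):
    """Check an ALB Ingress and its backend Services for the faults discussed above.

    Both arguments are dicts shaped like `kubectl get <kind> -o json` output.
    """
    findings = []
    ann = ingress["metadata"].get("annotations", {})
    raw = ann.get(ALB + "listen-ports")
    listeners = []
    if raw is not None:
        try:
            listeners = json.loads(raw)
        except json.JSONDecodeError:
            findings.append("listen-ports is not valid JSON: " + raw)
    https = any(isinstance(l, dict) and "HTTPS" in l for l in listeners)
    if https and not ann.get(ALB + "certificate-arn"):
        findings.append("HTTPS listener without certificate-arn")
    # Backend names use the extensions/v1beta1 field (serviceName) shown on this page.
    backends = {
        p["backend"]["serviceName"]
        for r in ingress["spec"].get("rules", [])
        for p in r.get("http", {}).get("paths", [])
    }
    for svc in services:
        name = svc["metadata"]["name"]
        if name in backends and svc["spec"].get("type") == "LoadBalancer":
            findings.append(f"Service {name} is type LoadBalancer behind an Ingress")
    return findings

# Constructed sample objects mirroring the hello-kubernetes manifests.
def sample_ingress(annotations):
    path = {"path": "/", "backend": {"serviceName": "hello-kubernetes", "servicePort": 80}}
    return {"metadata": {"name": "hello-ingress", "annotations": annotations},
            "spec": {"rules": [{"http": {"paths": [path]}}]}}

def sample_service(kind):
    return {"metadata": {"name": "hello-kubernetes"}, "spec": {"type": kind}}

PORTS = '[{"HTTP": 80}, {"HTTPS": 443}]'
CERT = "arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER"  # placeholder, not a real ARN

BEFORE = lint(sample_ingress({ALB + "listen-ports": PORTS}), [sample_service("LoadBalancer")])
AFTER = lint(sample_ingress({ALB + "listen-ports": PORTS, ALB + "certificate-arn": CERT}),
             [sample_service("ClusterIP")])

if __name__ == "__main__":
    print("before:", BEFORE)
    print("after:", AFTER)
```

The certificate check only looks at the `certificate-arn` annotation, so an Ingress that relies on the controller discovering a certificate from its host names would be flagged as well.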

The question in this content comes from Stack Exchange; asked by user17970.
