添加istio出口网关后，Pod无法卷曲外部网站 [英] Pod cannot curl external website after adding istio egress gateway

问题描述

我正在关注Istio文档( https://istio. io/docs/examples/advanced-egress/egress-gateway/)来设置出口网关.我得到的结果与文档描述的结果不同，我想知道如何解决它.

I'm following the Istio doc (https://istio.io/docs/examples/advanced-egress/egress-gateway/) to set up an egress gateway. The results I got is different from what the doc describes and I wonder how can I fix it.

我有一个简单的docker容器，其中注入了sidecar.在为google.com应用类似于文档提供的网关配置之后:

I have a simply docker container with a sidecar injected. After I applied a gateway config for google.com similar to the one provided by the doc:

cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google
spec:
  hosts:
  - google.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
EOF

我仍然无法从容器中到达它:

I still can't reach it from within the container:

$ kubectl exec -it $SOURCE_POD -c $CONTAINER_NAME -- curl -sL -o /dev/null -D - http://google.com
HTTP/1.1 301 Moved Permanently
location: http://www.google.com/
content-type: text/html; charset=UTF-8
... 

HTTP/1.1 404 Not Found
date: Thu, 18 Oct 2018 22:55:57 GMT
server: envoy
content-length: 0

但是，istio-proxy中的curl有效:

$ kubectl exec -it $SOURCE_POD -c istio-proxy -- curl -sL -o /dev/null -D - http://google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
...

HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 22:55:43 GMT
Expires: -1
...

检查网关是否存在:

$ kubectl describe serviceentry/google
Name:         google
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"networking.istio.io/v1alpha3","kind":"ServiceEntry","metadata":{"annotations":{},"name":"google","namespace":"default"},"sp...
API Version:  networking.istio.io/v1alpha3
Kind:         ServiceEntry
Metadata:
  Cluster Name:
  Creation Timestamp:  2018-10-18T22:36:34Z
  Generation:          1
  Resource Version:    2569394
  Self Link:           /apis/networking.istio.io/v1alpha3/namespaces/default/serviceentries/google
  UID:                 4482d584-...
Spec:
  Hosts:
    google.com
  Ports:
    Name:      http-port
    Number:    80
    Protocol:  HTTP
    Name:      https
    Number:    443
    Protocol:  HTTPS
  Resolution:  DNS
Events:        <none>

有什么想法吗?

推荐答案

您的问题是curl请求将301重定向到www.google.com，但是您的ServiceEntry仅公开了google.com.您可以通过将www.google.com作为其他主机添加到ServiceEntry中来修复它，如下所示:

Your problem is that the curl request is getting a 301 redirect to www.google.com, but your ServiceEntry has only exposed google.com. You can fix it by adding www.google.com as another host in your ServiceEntry like this:

cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google
spec:
  hosts:
  - google.com
  - www.google.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
EOF

这篇关于添加istio出口网关后，Pod无法卷曲外部网站的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！