添加istio出口网关后,Pod无法卷曲外部网站 [英] Pod cannot curl external website after adding istio egress gateway
问题描述
我正在关注Istio文档( https://istio. io/docs/examples/advanced-egress/egress-gateway/)来设置出口网关.我得到的结果与文档描述的结果不同,我想知道如何解决它.
I'm following the Istio doc (https://istio.io/docs/examples/advanced-egress/egress-gateway/) to set up an egress gateway. The results I got is different from what the doc describes and I wonder how can I fix it.
我有一个简单的docker容器,其中注入了sidecar.在为google.com
应用类似于文档提供的网关配置之后:
I have a simply docker container with a sidecar injected. After I applied a gateway config for google.com
similar to the one provided by the doc:
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: google
spec:
hosts:
- google.com
ports:
- number: 80
name: http-port
protocol: HTTP
- number: 443
name: https
protocol: HTTPS
resolution: DNS
EOF
我仍然无法从容器中到达它:
I still can't reach it from within the container:
$ kubectl exec -it $SOURCE_POD -c $CONTAINER_NAME -- curl -sL -o /dev/null -D - http://google.com
HTTP/1.1 301 Moved Permanently
location: http://www.google.com/
content-type: text/html; charset=UTF-8
...
HTTP/1.1 404 Not Found
date: Thu, 18 Oct 2018 22:55:57 GMT
server: envoy
content-length: 0
但是,istio-proxy
中的curl
有效:
$ kubectl exec -it $SOURCE_POD -c istio-proxy -- curl -sL -o /dev/null -D - http://google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
...
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 22:55:43 GMT
Expires: -1
...
检查网关是否存在:
$ kubectl describe serviceentry/google
Name: google
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"networking.istio.io/v1alpha3","kind":"ServiceEntry","metadata":{"annotations":{},"name":"google","namespace":"default"},"sp...
API Version: networking.istio.io/v1alpha3
Kind: ServiceEntry
Metadata:
Cluster Name:
Creation Timestamp: 2018-10-18T22:36:34Z
Generation: 1
Resource Version: 2569394
Self Link: /apis/networking.istio.io/v1alpha3/namespaces/default/serviceentries/google
UID: 4482d584-...
Spec:
Hosts:
google.com
Ports:
Name: http-port
Number: 80
Protocol: HTTP
Name: https
Number: 443
Protocol: HTTPS
Resolution: DNS
Events: <none>
有什么想法吗?
推荐答案
您的问题是curl请求将301重定向到www.google.com
,但是您的ServiceEntry仅公开了google.com
.您可以通过将www.google.com
作为其他主机添加到ServiceEntry中来修复它,如下所示:
Your problem is that the curl request is getting a 301 redirect to www.google.com
, but your ServiceEntry has only exposed google.com
. You can fix it by adding www.google.com
as another host in your ServiceEntry like this:
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: google
spec:
hosts:
- google.com
- www.google.com
ports:
- number: 80
name: http-port
protocol: HTTP
- number: 443
name: https
protocol: HTTPS
resolution: DNS
EOF
这篇关于添加istio出口网关后,Pod无法卷曲外部网站的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!