Not able to access an Istio enabled GKE service directly from browser but only through curl


Problem description

I deployed a Node app on the Cloud Run option (GKE cluster with Istio enabled). I checked the services running using 'kubectl get services -n istio-system' and it shows:

NAME                         TYPE           CLUSTER-IP    EXTERNAL-IP                                           PORT(S)
istio-ingressgateway         LoadBalancer   10.4.15.63    34.80.18.249                                          15020:30228/TCP,80:31380/TCP,443:31390/TCP
nodeservice1                 ExternalName   <none>        istio-ingressgateway.istio-system.svc.cluster.local
nodeservice1-qdvk6           ClusterIP      10.4.12.102   <none>                                                80/TCP
nodeservice1-qdvk6-metrics   ClusterIP      10.4.8.162    <none>                                                9090/TCP
nodeservice1-qdvk6-priv      ClusterIP      10.4.14.49    <none>                                                80/TCP

I am able to access nodeservice1 through curl -v -H "Host: nodeservice1.istio-system.example.com" 34.80.18.249 but if I hit 'http://34.80.18.249:8080' from the browser, it doesn't work.

If I don't choose the Cloud Run platform and set up a normal Kubernetes cluster, then I have the option to expose nodeservice1 as LoadBalancer type and it is accessible from the browser.

Output of curl command: curl -v -H "Host: nodeservice1.istio-system.example.com" 34.80.18.249/restcall

*   Trying 34.80.18.249:80...
* TCP_NODELAY set
* Connected to 34.80.18.249 (34.80.18.249) port 80 (#0)
> GET //restcall HTTP/1.1
> Host: nodeservice1.istio-system.example.com
> User-Agent: curl/7.65.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< content-security-policy: default-src 'none'
< content-type: text/html; charset=utf-8
< date: Wed, 25 Sep 2019 09:24:15 GMT
< x-content-type-options: nosniff
< x-powered-by: Express
< x-envoy-upstream-service-time: 5349
< server: istio-envoy
< Accept-Ranges: none
< Content-Length: 148
< Via: HTTP/1.1 forward.http.proxy:3128
< Connection: keep-alive
<
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET //restcall</pre>
</body>
</html>
* Connection #0 to host 34.80.18.249 left intact

Solution

Obviously, you don't own example.com.

So you can't expect visiting http://nodeservice1.istio-system.example.com from your browser to work, because you didn't configure the DNS for the domain.

When you do curl -H "Host: foo" http://ip, it doesn't need to go through DNS (because you give the IP address directly). The Host header you provided (normally provided by the browser, inferred from the URL) is then used by the Istio ingress gateway to route the traffic to the correct service.

Assuming you use Knative/Cloud Run, you should consider updating the default domain on Cloud Run on GKE from example.com to something you own, so that you can set DNS records for your subdomains.

Alternatively, you can add a local DNS record to the /etc/hosts file that points that hostname to your istio-ingressgateway's External-IP address, and your browser will use the local hack to resolve that hostname to that IP.
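
The Host-header routing described in the answer, as an added example that is not part of the original answer and is not Istio's code: a local stand-in that routes on the Host header only, so a request addressed by bare IP gets a 404 while the same request carrying the service's hostname is routed. The ROUTES table and the names GatewayStandIn, fetch and demo are hypothetical.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed routing table standing in for the gateway's known virtual hosts.
ROUTES = {"nodeservice1.istio-system.example.com": "nodeservice1"}


class GatewayStandIn(BaseHTTPRequestHandler):
    """Routes purely on the Host header, ignoring which IP was dialed."""
    def do_GET(self):
        # Clients append ":port" for non-default ports; strip it before matching.
        host = self.headers.get("Host", "").split(":")[0].lower()
        backend = ROUTES.get(host)
        body = (f"routed to {backend}" if backend else "no route for host").encode()
        self.send_response(200 if backend else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(port, host_header=None):
    """GET / from 127.0.0.1:port; optionally override Host like `curl -H`."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Host": host_header} if host_header else {}
    conn.request("GET", "/", headers=headers)
    resp = conn.getresponse()
    result = (resp.status, resp.read().decode())
    conn.close()
    return result


def demo():
    server = HTTPServer(("127.0.0.1", 0), GatewayStandIn)  # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Without an override the client sends "Host: 127.0.0.1:<port>",
        # which is what a browser does for http://<ip>:<port>/.
        by_ip = fetch(server.server_port)
        by_name = fetch(server.server_port, "nodeservice1.istio-system.example.com")
    finally:
        server.shutdown()
        server.server_close()
    return by_ip, by_name


if __name__ == "__main__":
    print(demo())
```

The /etc/hosts entry suggested in the answer makes a browser behave like the second call: it connects to the gateway's IP while still sending the hostname in the Host header.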
