Istio 503:s between (Public) Gateway and Service


Problem description

I've been playing around with my Istio cluster configuration and I've ended up in a state I can't debug my way out of.

I have the SDS+Gateway with a public IP configured. I have deployed the Istio HelloWorld app on port 5000. I can:

  • exec into istio-proxy on the helloworld-[rnd] pod and curl localhost:5000/hello - this works fine
  • check with istioctl proxy-config cluster (and such) from https://istio.io/docs/ops/troubleshooting/network-issues/ and https://istio.io/docs/ops/troubleshooting/proxy-cmd/ — all report OK to everything, SYNC:ed and such
  • I can do kubectl exec istio-ingressgateway-[rnd] /bin/bash and then curl helloworld.mynamespace:5000/hello successfully (it returns Hello version: v2 ...)

But I can't make the ingressgateway actually return anything but 503 when querying its publicly bound IP. If I query without the /hello path, it returns 404 instead, so it's obviously trying to route to the helloworld service/deployment and failing.

So I'm in the state where I can actually contact my helloworld service from the Istio Ingress Gateway, yet when asking the gateway itself (curl localhost/hello -i) or querying from outside the network (curl -i http://35.x.y.z/hello) I always get 503 Service Unavailable back.

I don't have any DestinationRule nor Policy applying to helloworld, and I have Istio in strict mTLS.

Earlier today I could access (other) services via the ingress gateway, but then I started cleaning things up (to the point where I only have the helloworld service VirtualService+Gateway and no others), and now it doesn't work. It should be possible to debug.

What's wrong?

Not related (as far as I can tell):

  • Kubernetes Istio ingress gateway responds with 503 always (I don't have clusterIP: None)
  • Accessing service using istio ingress gives 503 error when mTLS is enabled (after k exec -c istio-proxy helloworld-[rnd] -- curl http://localhost:15000/logging?level=true, the istio-proxy envoy doesn't receive any calls from istio-ingressgateway at all; the traffic never leaves the ingress pod, unlike this question)
  • I have CNI + GKE Network Policy enabled (but turning it off didn't help) and a Calico-allow-all rule didn't help, so it should not be this; also, I can curl from ingressgateway, so there's connectivity
  • https://github.com/istio/istio/tree/master/samples/helloworld — config

Recommended answer

First of all, to use curl with the SDS gateway you need to use it as described in the Istio documentation.

$ curl -v -HHost:httpbin.example.com \
--resolve httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST \
--cacert httpbin.new.example.com/2_intermediate/certs/ca-chain.cert.pem \
https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418

...
HTTP/2 418
...
-=[ teapot ]=-

   _...._
 .'  _ _ `.
| ."` ^ `". _,
\_;`"---"`|//
  |       ;/
  \_     _/
    `"""`


Secondly, according to the Istio documentation, using a strict mTLS (mutual TLS) authentication policy requires both services to be running TLS communication. In your case you are trying to access a plain-text (HTTP) service with Istio that is using TLS. This causes a mutual TLS configuration conflict.

You can verify that with the istioctl command, as in this section of the documentation:

The istioctl command provides an option for this purpose. You can do:

$ istioctl authn tls-check $CLIENT_POD httpbin.default.svc.cluster.local

HOST:PORT                                  STATUS     SERVER     CLIENT     AUTHN POLICY        DESTINATION RULE
httpbin.default.svc.cluster.local:8000     OK         mTLS       mTLS       default/            default/istio-system

where $CLIENT_POD is the ID of one of the client service's pods.

Please refer to Verifying mutual TLS configuration for more information.

To resolve this issue mTLS has to be turned off for this service so that Istio accepts connections from plain text to TLS services. Follow this guide to create a destination rule that allows non-TLS communication for the specified service.

To confirm that this is what is causing the issue, you can temporarily enable Permissive mode.

In the last deployment file, helloworld.yaml, from the link you provided, there is no targetPort, and this is why nginx is unreachable.

This is how it should look:

apiVersion: v1
kind: Service
metadata:
  name: helloworld
  labels:
    app: helloworld
spec:
  ports:
  - port: 5000
    name: http
    targetPort: 5000   # must match the containerPort of the helloworld pods below; when omitted it defaults to the value of port
  selector:
    app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld-v1
  labels:
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
      version: v1
  template:
    metadata:
      labels:
        app: helloworld
        version: v1
    spec:
      terminationGracePeriodSeconds: 0
      containers:
      - name: helloworld
        image: docker.io/istio/examples-helloworld-v1
        resources:
          requests:
            cpu: "100m"
        imagePullPolicy: IfNotPresent #Always
        ports:
        - containerPort: 5000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld-v2
  labels:
    version: v2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
      version: v2
  template:
    metadata:
      labels:
        app: helloworld
        version: v2
    spec:
      terminationGracePeriodSeconds: 0
      containers:
      - name: helloworld
        image: docker.io/istio/examples-helloworld-v2
        resources:
          requests:
            cpu: "100m"
        imagePullPolicy: IfNotPresent #Always
        ports:
        - containerPort: 5000
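
A small POSIX shell helper, added here as a worked example (it is not part of the original answer, nor Istio's own tooling), for the tls-check step and the two ways out of the conflict described above. It reads the table that `istioctl authn tls-check` prints (a constructed sample is embedded; the CONFLICT row for helloworld is invented to illustrate the plaintext-client-versus-strict-sidecar case), reports the STATUS column for a host, and emits manifests for every CONFLICT row. The DestinationRule with `tls.mode: ISTIO_MUTUAL` makes the client side (the ingress gateway's Envoy included) present its workload certificate, so strict mode stays in force; the PERMISSIVE Policy is the temporary confirmation step the answer mentions. Service and namespace names (helloworld, mynamespace) come from the question; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of `istioctl authn tls-check <pod> <host>` output.
# It is NOT captured from the poster's cluster; the CONFLICT row shows
# what a plaintext (HTTP) client talking to a strict-mTLS sidecar looks like.
SAMPLE_TLS_CHECK='HOST:PORT                                      STATUS       SERVER     CLIENT     AUTHN POLICY     DESTINATION RULE
helloworld.mynamespace.svc.cluster.local:5000   CONFLICT     mTLS       HTTP       default/         -
httpbin.default.svc.cluster.local:8000          OK           mTLS       mTLS       default/         default/istio-system'

# tls_status HOST:PORT  (tls-check table on stdin) -> prints the STATUS column.
tls_status() {
  awk -v h="$1" '$1 == h { print $2 }'
}

# DestinationRule that makes callers (sidecars and gateways) speak Istio mTLS
# to the service, clearing the conflict without weakening STRICT.
destination_rule_mtls() {
  # $1 = service name, $2 = namespace
  cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: $1
  namespace: $2
spec:
  host: $1.$2.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF
}

# Service-scoped authentication Policy in PERMISSIVE mode: the sidecar accepts
# both plaintext and mTLS. Use it only to confirm the diagnosis, then remove it.
permissive_policy() {
  # $1 = service name, $2 = namespace
  cat <<EOF
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: $1-permissive
  namespace: $2
spec:
  targets:
  - name: $1
  peers:
  - mtls:
      mode: PERMISSIVE
EOF
}

# remediate_conflicts  (tls-check table on stdin) -> prints one ISTIO_MUTUAL
# DestinationRule per CONFLICT row, separated by YAML document markers.
remediate_conflicts() {
  awk '$2 == "CONFLICT" { print $1 }' | while read -r hostport; do
    host=${hostport%%:*}   # drop :port
    svc=${host%%.*}        # first DNS label  = service name
    rest=${host#*.}
    ns=${rest%%.*}         # second DNS label = namespace
    destination_rule_mtls "$svc" "$ns"
    echo "---"
  done
}

# Typical use against a live cluster (pipe real output instead of the sample):
#   istioctl authn tls-check "$CLIENT_POD" helloworld.mynamespace.svc.cluster.local \
#     | remediate_conflicts | kubectl apply -f -
printf '%s\n' "$SAMPLE_TLS_CHECK" | remediate_conflicts
```

Two caveats a practitioner will want alongside the answer. Disabling mTLS with a DestinationRule whose `tls.mode` is `DISABLE`, as the answer suggests, also clears the conflict, but it removes encryption and workload identity on the gateway-to-sidecar hop; prefer `ISTIO_MUTUAL` and keep the PERMISSIVE Policy as a short-lived diagnostic. And a Service with no `targetPort` is not by itself broken, since Kubernetes defaults `targetPort` to `port`; before editing the manifest, confirm the backend is actually registered with `kubectl get endpoints helloworld -n mynamespace` and compare the port there with the pod's `containerPort`.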

