Istio 503:s between (Public) Gateway and Service
Problem description
I've been playing around with my Istio cluster configuration and I've ended up in a state I can't debug my way out of.
I have the SDS+Gateway with a public IP configured. I have deployed the Istio HelloWorld app on port 5000. I can:
- exec into istio-proxy on the helloworld-[rnd] pod and curl localhost:5000/hello - this works fine
- check with istioctl proxy-config cluster (and such) from https://istio.io/docs/ops/troubleshooting/network-issues/ and https://istio.io/docs/ops/troubleshooting/proxy-cmd/ — all report OK for everything, SYNCED and such
- I can do kubectl exec istio-ingressgateway-[rnd] /bin/bash and then curl helloworld.mynamespace:5000/hello successfully (it returns Hello version: v2 ...)
But I can't make the ingressgateway actually return anything but 503 when querying its publicly bound IP. If I query without the /hello path, it returns 404 instead, so it's obviously trying to route to the helloworld service/deployment and failing.
So I'm in the state where I can actually contact my helloworld service from the Istio Ingress Gateway, but when asking the gateway itself (curl localhost/hello -i), or from outside the network (curl -i http://35.x.y.z/hello), I always get 503 Service Unavailable back.
I don't have any DestinationRule nor Policy applying to helloworld, and I have Istio in strict mTLS.
I could previously today access (other) services via the ingress gateway, but then I started cleaning things up (to the point where I only have the helloworld service VirtualService+Gateway and no others), and now it doesn't work. It should be possible to debug.
What's wrong?
Not related (as far as I can tell):
- Kubernetes Istio ingress gateway responds with 503 always (I don't have clusterIP: None)
- Accessing service using istio ingress gives 503 error when mTLS is enabled (after k exec -c istio-proxy helloworld-[rnd] -- curl http://localhost:15000/logging?level=true, the istio-proxy envoy doesn't receive any calls from istio-ingressgateway at all; the traffic never leaves the ingress pod, unlike this question)
- I have CNI + GKE Network Policy enabled (but turning it off didn't help) and a Calico allow-all rule didn't help, so it should not be this; also, I can curl from ingressgateway, so there's connectivity
- https://github.com/istio/istio/tree/master/samples/helloworld — config
Recommended answer
First of all, to use curl with the SDS gateway you need to use it as described in the Istio documentation.
$ curl -v -HHost:httpbin.example.com \
--resolve httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST \
--cacert httpbin.new.example.com/2_intermediate/certs/ca-chain.cert.pem \
https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418
...
HTTP/2 418
...
    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`
Secondly, according to the Istio documentation, using a strict mTLS (mutual TLS) authentication policy requires both services to be running TLS communication. In your case you are trying to access a plain text (HTTP) service with Istio that is using TLS. This causes a mutual TLS configuration conflict.
You can verify that with the istioctl command in this section of documentation:
The istioctl command provides an option for this purpose. You can do:
$ istioctl authn tls-check $CLIENT_POD httpbin.default.svc.cluster.local
HOST:PORT STATUS SERVER CLIENT AUTHN POLICY DESTINATION RULE
httpbin.default.svc.cluster.local:8000 OK mTLS mTLS default/ default/istio-system
Where $CLIENT_POD is the ID of one of the client service's pods.
Please refer to Verify mutual TLS configuration for more information.
To resolve this issue mTLS has to be turned off for this service so that Istio accepts connections from plain text to TLS services. Follow this guide to create a destination rule that allows non-TLS communication for the specified service.
To confirm that this is causing the issue, you can temporarily enable Permissive mode.
From the link you provided, in the last deployment file helloworld.yaml there is no targetPort, and this is why nginx is unreachable.
This is how it should look:
apiVersion: v1
kind: Service
metadata:
  name: helloworld
  labels:
    app: helloworld
spec:
  ports:
  - port: 5000
    name: http
    targetPort: 5000   # must match the containerPort the helloworld image listens on
  selector:
    app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld-v1
  labels:
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
      version: v1
  template:
    metadata:
      labels:
        app: helloworld
        version: v1
    spec:
      terminationGracePeriodSeconds: 0
      containers:
      - name: helloworld
        image: docker.io/istio/examples-helloworld-v1
        resources:
          requests:
            cpu: "100m"
        imagePullPolicy: IfNotPresent #Always
        ports:
        - containerPort: 5000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld-v2
  labels:
    version: v2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
      version: v2
  template:
    metadata:
      labels:
        app: helloworld
        version: v2
    spec:
      terminationGracePeriodSeconds: 0
      containers:
      - name: helloworld
        image: docker.io/istio/examples-helloworld-v2
        resources:
          requests:
            cpu: "100m"
        imagePullPolicy: IfNotPresent #Always
        ports:
        - containerPort: 5000
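The answer names two remedies without showing them: a DestinationRule that stops Istio clients from originating TLS to this service, and a temporary PERMISSIVE authentication Policy to confirm the diagnosis. The manifest below is added here as an example; it is not part of the original answer and not taken from the Istio sample repo. It puts both remedies next to a Gateway and VirtualService in the shape the helloworld sample ships (helloworld-gateway.yaml), filled in for the service and namespace the question names (helloworld in mynamespace, Service port 5000). The resource names helloworld-gateway, helloworld-permissive and helloworld are assumptions. The Policy kind is the authentication.istio.io/v1alpha1 API that istioctl authn tls-check reports on (Istio 1.4 and earlier); Istio 1.5+ replaces it with security.istio.io/v1beta1 PeerAuthentication.

```yaml
# Added example (not from the original answer or the Istio repo).
# Service helloworld, namespace mynamespace and port 5000 come from the
# question; every resource name below is an assumption.
#
# 1. Ingress: the sample's Gateway/VirtualService shape. The exact /hello
#    match is why any other path gets a 404 from the gateway itself.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: helloworld-gateway
  namespace: mynamespace
spec:
  selector:
    istio: ingressgateway        # binds to the istio-ingressgateway pods
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: helloworld
  namespace: mynamespace
spec:
  hosts:
  - "*"
  gateways:
  - helloworld-gateway
  http:
  - match:
    - uri:
        exact: /hello
    route:
    - destination:
        host: helloworld.mynamespace.svc.cluster.local
        port:
          number: 5000           # the Service port, not the containerPort
---
# 2. Confirmation step from the answer: let the helloworld sidecar accept
#    both plaintext and mTLS. A workload-targeted Policy overrides a
#    namespace- or mesh-wide STRICT one. Remove it again once diagnosed.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: helloworld-permissive
  namespace: mynamespace
spec:
  targets:
  - name: helloworld             # the Kubernetes Service name
  peers:
  - mtls:
      mode: PERMISSIVE
---
# 3. Remedy from the answer: tell every Istio client, the ingress gateway
#    included, not to originate TLS when calling this service. Pair it with
#    PERMISSIVE (or no policy) on the server side; against a STRICT sidecar
#    the plaintext is rejected and the gateway answers 503 again.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: helloworld
  namespace: mynamespace
spec:
  host: helloworld.mynamespace.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE              # ISTIO_MUTUAL instead keeps mTLS end to end
```

Apply it with kubectl apply -n mynamespace -f helloworld-mtls.yaml (file name assumed), then re-run the answer's istioctl authn tls-check with the ingress gateway pod as $CLIENT_POD: the STATUS column should read OK rather than CONFLICT. If the service is meant to keep strict mTLS, the Istio documentation's other way to make both sides agree is to leave the policy STRICT and set the DestinationRule to mode: ISTIO_MUTUAL, which makes the gateway originate mTLS with its own workload certificate instead of sending plaintext.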