How to disable mtls on Istio?


Problem description

I have a problem with connecting two services on Kubernetes with Istio. My service makes POST requests to the elasticsearch.

2020-11-18T21:51:53.758079131Z org.elasticsearch.client.ResponseException: method [POST], host [http://elasticsearch:9200], URI [/_bulk?timeout=1m], status line [HTTP/1.1 503 Service Unavailable]
2020-11-18T21:51:53.758087238Z upstream connect error or disconnect/reset before headers. reset reason: connection failure

I read some questions/GitHub issues about that and one of the possible reasons could be mtls, so how can I disable it?

I am trying:

apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  mtls:
    mode: DISABLE

But with this PeerAuthentication, I'm not able to reach even my service. Do you have any advice?

Recommended answer

Disable mtls

This PeerAuthentication is the correct way to disable mtls.

apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  mtls:
    mode: DISABLE

There is Istio documentation about that.

According to the Istio documentation:

There are two Elasticsearch configuration parameters that need to be set appropriately to run Elasticsearch with Istio: network.bind_host and network.publish_host. By default, these parameters are set to the network.host parameter. If network.host is set to 0.0.0.0, Elasticsearch will most likely pick up the pod IP as the publishing address and no further configuration will be needed.

If the default configuration does not work, you can set the network.bind_host to 0.0.0.0 or localhost (127.0.0.1) and network.publish_host to the pod IP. For example:

...
containers:
- name: elasticsearch
  image: docker.elastic.co/elasticsearch/elasticsearch:7.2.0
  env:
    - name: network.bind_host
      value: 127.0.0.1
    - name: network.publish_host
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
   ...

See Network Settings for Elasticsearch for more information.

If that won't work there are two GitHub issues:

  • https://github.com/istio/istio/issues/14662#issuecomment-723669123
  • https://github.com/elastic/cloud-on-k8s/issues/2770

The suggestion there is to use:

annotations:
  traffic.sidecar.istio.io/excludeOutboundPorts: "" 
  traffic.sidecar.istio.io/excludeInboundPorts: ""

There is Elasticsearch documentation about that.
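
Added example, not part of the original answer or of Istio's own documentation: a PeerAuthentication named "default" with no selector in istio-system (the default root namespace) applies to the whole mesh, so the policy above turns mTLS off for every workload. The manifest below scopes the exception to one workload and one port instead. The namespace "default", the policy name and the label app: elasticsearch are assumptions; port 9200 is taken from the log in the question.

```yaml
# Added example. Assumed: namespace "default", pod label app=elasticsearch.
# Scope: only pods matching the selector, and only the listed port.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: elasticsearch-plaintext-9200   # hypothetical name
  namespace: default                   # namespace of the Elasticsearch pods (assumed)
spec:
  # A selector is required for portLevelMtls to take effect.
  selector:
    matchLabels:
      app: elasticsearch               # assumed label on the Elasticsearch pods
  # No workload-level "mtls" block: every other port on these pods keeps
  # inheriting the namespace-wide or mesh-wide mode.
  portLevelMtls:
    # Key is the port on the workload (container port), not the Service port.
    9200:
      mode: DISABLE                    # plaintext accepted on the HTTP API port only
```

With this in place the mesh-wide policy in istio-system can stay at its previous mode, so the rest of the mesh does not lose mTLS while the Elasticsearch connection is being debugged.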
