How to disable mTLS on Istio?
I am having trouble connecting two services on Kubernetes using Istio.
My service makes POST requests to elasticsearch.
2020-11-18T21:51:53.758079131Z org.elasticsearch.client.ResponseException: method [POST], host [http://elasticsearch:9200], URI [/_bulk?timeout=1m], status line [HTTP/1.1 503 Service Unavailable]
2020-11-18T21:51:53.758087238Z upstream connect error or disconnect/reset before headers. reset reason: connection failure
I read some questions/GitHub issues about this, and one of the possible causes could be mTLS, so how do I disable it?
I am trying this:
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  mtls:
    mode: DISABLE
But with this PeerAuthentication I cannot even reach my service.
Do you have any suggestions?
Disabling mTLS
PeerAuthentication is the correct way to disable mTLS.
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  mtls:
    mode: DISABLE
There is istio documentation about that.
Elasticsearch issue
According to the istio documentation:
There are two Elasticsearch configuration parameters that need to be set appropriately to run Elasticsearch with Istio: network.bind_host and network.publish_host. By default, these parameters are set to the network.host parameter. If network.host is set to 0.0.0.0, Elasticsearch will most likely pick up the pod IP as the publishing address and no further configuration will be needed.
If the default configuration does not work, you can set the network.bind_host to 0.0.0.0 or localhost (127.0.0.1) and network.publish_host to the pod IP. For example:
...
containers:
- name: elasticsearch
  image: docker.elastic.co/elasticsearch/elasticsearch:7.2.0
  env:
  - name: network.bind_host
    value: 127.0.0.1
  - name: network.publish_host
    valueFrom:
      fieldRef:
        fieldPath: status.podIP
...
Refer to Network Settings for Elasticsearch for more information.
If that does not work, there are two github issues:
- https://github.com/istio/istio/issues/14662#issuecomment-723669123
- https://github.com/elastic/cloud-on-k8s/issues/2770
that suggest using
annotations:
  traffic.sidecar.istio.io/excludeOutboundPorts: ""
  traffic.sidecar.istio.io/excludeInboundPorts: ""
There is elasticsearch documentation about that.
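As an added example (not part of the question or the answer above): the mesh-wide DISABLE policy in istio-system switches mTLS off for every workload, whereas the same PeerAuthentication resource can be scoped with a selector so that only the Elasticsearch workload accepts plaintext on its client port while the rest of the mesh stays STRICT. The namespace `logging` and the label `app: elasticsearch` are assumptions.

```yaml
# Mesh-wide root policy in istio-system: keep mTLS required by default.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Workload-scoped exception (assumed namespace "logging", assumed label
# app=elasticsearch): only this workload accepts both mTLS and plaintext,
# and only on the Elasticsearch HTTP port 9200, so a client without a
# sidecar can still reach it while every other port stays STRICT.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: elasticsearch-permissive
  namespace: logging
spec:
  selector:
    matchLabels:
      app: elasticsearch
  mtls:
    mode: STRICT
  portLevelMtls:
    9200:
      mode: PERMISSIVE
```

Istio applies the most specific matching policy, so the workload-level rule overrides the mesh-wide default only for the selected pods; once the client side is fixed, switching the port back to STRICT closes the plaintext window.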