Pod cannot curl external website after adding istio egress gateway
I am following the Istio documentation (https://istio.io/docs/examples/advanced-egress/egress-gateway/) to set up an egress gateway. I am getting a different result from what the docs describe, and I'd like to know how to fix it.
I have a simple docker container with a sidecar injected. After I apply a gateway configuration for google.com similar to the one provided in the docs:
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google
spec:
  hosts:
  - google.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
EOF
I still cannot reach it from the container:
$ kubectl exec -it $SOURCE_POD -c $CONTAINER_NAME -- curl -sL -o /dev/null -D - http://google.com
HTTP/1.1 301 Moved Permanently
location: http://www.google.com/
content-type: text/html; charset=UTF-8
...
HTTP/1.1 404 Not Found
date: Thu, 18 Oct 2018 22:55:57 GMT
server: envoy
content-length: 0
However, curl from the istio-proxy container works:
$ kubectl exec -it $SOURCE_POD -c istio-proxy -- curl -sL -o /dev/null -D - http://google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
...
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 22:55:43 GMT
Expires: -1
...
Checking that the gateway exists:
$ kubectl describe serviceentry/google
Name:         google
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"networking.istio.io/v1alpha3","kind":"ServiceEntry","metadata":{"annotations":{},"name":"google","namespace":"default"},"sp...
API Version:  networking.istio.io/v1alpha3
Kind:         ServiceEntry
Metadata:
  Cluster Name:
  Creation Timestamp:  2018-10-18T22:36:34Z
  Generation:          1
  Resource Version:    2569394
  Self Link:           /apis/networking.istio.io/v1alpha3/namespaces/default/serviceentries/google
  UID:                 4482d584-...
Spec:
  Hosts:
    google.com
  Ports:
    Name:      http-port
    Number:    80
    Protocol:  HTTP
    Name:      https
    Number:    443
    Protocol:  HTTPS
  Resolution:  DNS
Events:  <none>
Any ideas?
Your problem is that the curl request is getting a 301 redirect to www.google.com, but your ServiceEntry only exposes google.com. You can fix it by adding www.google.com as another host in your ServiceEntry, like this:
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google
spec:
  hosts:
  - google.com
  - www.google.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
EOF
If you don't want to deal with this, you can add a wildcard. With HTTP it works.
You could try something like *.google.com; then you can use all of Google's services without being blocked in the future.
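The two answers above come down to one check: every host that the redirect chain lands on must be covered by the ServiceEntry's hosts list, and a wildcard only helps if it actually matches those hosts. The following script is an added example (not code from the question, the answers, or Istio) that applies that check offline: it parses the header dump that `curl -sL -D -` prints, collects the hosts named in Location headers, and reports which of them no entry in a given hosts list covers. The header dump and hosts lists below are constructed from the output shown in the question. The matching rule it uses is Istio's host semantics as I understand them: an exact name matches itself, and `*.google.com` matches any subdomain such as www.google.com but not the apex google.com itself, which is why the last case in the usage still reports google.com as uncovered.

```python
"""Check whether every host in an HTTP redirect chain is covered by an
Istio ServiceEntry `hosts` list.

Added example, not from the original question or answers. All input data
is constructed from the curl output shown in the question.
"""
import re
from urllib.parse import urlparse

# Constructed: the hosts list of the ServiceEntry in the question.
SERVICE_ENTRY_HOSTS = ["google.com"]

# Constructed: headers in the shape `curl -sL -o /dev/null -D -` prints
# (one block per response; the second one is the sidecar's 404).
CURL_HEADER_DUMP = """HTTP/1.1 301 Moved Permanently
location: http://www.google.com/
content-type: text/html; charset=UTF-8

HTTP/1.1 404 Not Found
date: Thu, 18 Oct 2018 22:55:57 GMT
server: envoy
content-length: 0
"""


def host_matches(host, pattern):
    """Istio-style host match (as understood here, an assumption about the
    semantics): exact name, `*` for everything, or `*.example.com` for any
    subdomain of example.com, excluding example.com itself."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def redirect_hosts(header_dump, first_url):
    """Ordered list of hosts the client contacts: the first URL's host,
    then every absolute Location header in the dump. Relative Location
    values (no host) stay on the current host and are skipped."""
    hosts = [urlparse(first_url).hostname]
    for line in header_dump.splitlines():
        m = re.match(r"(?i)location:\s*(\S+)", line)
        if m:
            target = urlparse(m.group(1)).hostname
            if target:
                hosts.append(target)
    return hosts


def uncovered_hosts(header_dump, first_url, entry_hosts):
    """Hosts from the redirect chain that no ServiceEntry host covers.
    A non-empty result is exactly the situation in the question: the
    sidecar has no route for the redirected host and answers 404."""
    return [
        h
        for h in redirect_hosts(header_dump, first_url)
        if not any(host_matches(h, p) for p in entry_hosts)
    ]


if __name__ == "__main__":
    cases = {
        "google.com only": ["google.com"],
        "both hosts": ["google.com", "www.google.com"],
        "wildcard only": ["*.google.com"],
    }
    for label, hosts in cases.items():
        missing = uncovered_hosts(CURL_HEADER_DUMP, "http://google.com", hosts)
        print(f"{label:16s} hosts={hosts} uncovered={missing}")
```

Running it shows the first configuration leaves www.google.com uncovered, the corrected one from the first answer covers both hosts, and a bare `*.google.com` wildcard covers the redirect target but not google.com itself, so the apex still has to be listed explicitly.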