Allow requests to Kubernetes API from an init container with Istio CNI plugin

I had Istio configured without the CNI plugin enabled.

At that time, I had an init container with a service account that called the Kubernetes API to verify a few things (via kubectl).

Since I enabled the CNI plugin, this init container fails with the following message:

The connection to the server 10.23.64.1:443 was refused - did you specify the right host or port?

I tried removing all network policies to see whether they were the problem, but the result was the same. I also gave this pod's service account the cluster-admin role, but that didn't help either.

I tested both the 1.6 and 1.7 branches of Istio.

What is the problem here? Other pods without this init container work fine.

To enable init container network connectivity with Istio CNI, follow the workaround guide in the Istio documentation:

Compatibility with application init containers

The Istio CNI plugin may cause networking connectivity problems for any application initContainers. When using Istio CNI, kubelet starts an injected pod with the following steps:

  1. The Istio CNI plugin sets up traffic redirection to the Istio sidecar proxy within the pod.
  2. All init containers execute and complete successfully.
  3. The Istio sidecar proxy starts in the pod along with the pod’s other containers.

Init containers execute before the sidecar proxy starts, which can result in traffic loss during their execution. Avoid this traffic loss with one or both of the following settings:

  • Set the traffic.sidecar.istio.io/excludeOutboundIPRanges annotation to disable redirecting traffic to any CIDRs the init containers communicate with.
  • Set the traffic.sidecar.istio.io/excludeOutboundPorts annotation to disable redirecting traffic to the specific outbound ports the init containers use.
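As an added example (not part of the original answer or the Istio docs), this is how the two annotations from the workaround look on a Deployment whose init container calls the API server at 10.23.64.1:443, the address from the question's error message. The annotations must sit on the pod template, not on the Deployment's own metadata; the resource names, service account, and images are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-check            # hypothetical name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api-check
  template:
    metadata:
      labels:
        app: api-check
      annotations:
        # Exclude only the API server ClusterIP (10.23.64.1 from the question) on port 443,
        # so the init container's API calls bypass the sidecar redirect that is set up
        # before any init container runs. Keep the scope narrow: excluded traffic is
        # no longer subject to the sidecar's mTLS or authorization policies.
        traffic.sidecar.istio.io/excludeOutboundIPRanges: "10.23.64.1/32"
        traffic.sidecar.istio.io/excludeOutboundPorts: "443"
    spec:
      serviceAccountName: api-checker   # assumed; needs RBAC only for what kubectl reads
      initContainers:
        - name: verify
          image: bitnami/kubectl:1.21   # assumed image providing kubectl
          command:
            - sh
            - -c
            - kubectl get --raw /readyz && kubectl get configmap app-config -n default
      containers:
        - name: app
          image: nginx:1.21             # assumed application image
```

The ClusterIP to exclude is the one shown by `kubectl get svc kubernetes -n default`; a `/32` range plus the single port keeps everything else in the pod flowing through the sidecar.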