ISTIO - Egress Gateway returns - command terminated with exit code 35?
I have installed ISTIO with the following configuration
cat << EOF | kubectl apply -f -
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-control-plane
spec:
  # Use the default profile as the base
  # More details at: https://istio.io/docs/setup/additional-setup/config-profiles/
  profile: default
  # Enable the addons that we will want to use
  addonComponents:
    grafana:
      enabled: true
    prometheus:
      enabled: true
    tracing:
      enabled: true
    kiali:
      enabled: true
  values:
    global:
      # Ensure that the Istio pods are only scheduled to run on Linux nodes
      defaultNodeSelector:
        beta.kubernetes.io/os: linux
    kiali:
      dashboard:
        auth:
          strategy: anonymous
  components:
    egressGateways:
    - name: istio-egressgateway
      enabled: true
  meshConfig:
    accessLogFile: /dev/stdout
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
EOF
and have configured the egress gateway, destination rule and virtual service as shown below
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
metadata:
  name: akv2k8s-test
  labels:
    istio-injection: enabled
    azure-key-vault-env-injection: enabled
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: edition-cnn-com
  namespace: akv2k8s-test
spec:
  hosts:
  - edition.cnn.com
  ports:
  - number: 443
    name: https-port
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: edition-cnn-com
  namespace: akv2k8s-test
spec:
  hosts:
  - edition.cnn.com
  tls:
  - match:
    - port: 443
      sniHosts:
      - edition.cnn.com
    route:
    - destination:
        host: edition.cnn.com
        port:
          number: 443
      weight: 100
EOF
Trying to access it throws the error
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.7/samples/sleep/sleep.yaml -n akv2k8s-test
export SOURCE_POD=$(kubectl get pod -l app=sleep -n akv2k8s-test -o jsonpath={.items..metadata.name})
kubectl exec "$SOURCE_POD" -n akv2k8s-test -c sleep -- curl -sL -o /dev/null -D - https://edition.cnn.com/politics
kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail
How can I fix this?
Update: I also tried the following, with the same result
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: svc-entry
  namespace: akv2k8s-test
spec:
  hosts:
  - google.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
EOF
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ext-res-dr
  namespace: akv2k8s-test
spec:
  host: google.com
EOF
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ext-res-gw
  namespace: akv2k8s-test
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - google.com
    tls:
      mode: PASSTHROUGH
EOF
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ext-res-vs
  namespace: akv2k8s-test
spec:
  hosts:
  - google.com
  gateways:
  - mesh
  - ext-res-gw
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - google.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: google
        port:
          number: 443
  - match:
    - gateways:
      - ext-res-gw
      port: 443
      sniHosts:
      - google.com
    route:
    - destination:
        host: google.com
        port:
          number: 443
      weight: 100
EOF
I'm not sure what is wrong with the first example, since not all the dependencies are there. Regarding the update, your DestinationRule
should be
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ext-res-dr
  namespace: akv2k8s-test
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: google
instead of
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ext-res-dr
  namespace: akv2k8s-test
spec:
  host: google.com
and hosts/sniHosts should be www.google.com instead of google.com.
Here is a working example for https://www.google.com.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: svc-entry
  namespace: akv2k8s-test
spec:
  hosts:
  - www.google.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ext-res-dr
  namespace: akv2k8s-test
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: google
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ext-res-gw
  namespace: akv2k8s-test
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - www.google.com
    tls:
      mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ext-res-vs
  namespace: akv2k8s-test
spec:
  hosts:
  - www.google.com
  gateways:
  - mesh
  - ext-res-gw
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - www.google.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: google
        port:
          number: 443
  - match:
    - gateways:
      - ext-res-gw
      port: 443
      sniHosts:
      - www.google.com
    route:
    - destination:
        host: www.google.com
        port:
          number: 443
      weight: 100
And the registry mode, curl, and egress logs.
kubectl get istiooperator istio-control-plane -n istio-system -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'
REGISTRY_ONLY
kubectl exec "$SOURCE_POD" -n akv2k8s-test -c sleep -- curl -sL -o /dev/null -D - https://www.google.com
HTTP/2 200
kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail
[2020-10-27T14:16:37.735Z] "- - -" 0 - "-" "-" 844 17705 45 - "-" "-" "-" "-" "xxx.xxx.xxx.xxx:443" outbound|443||www.google.com xx.xx.xx.xx:59814 xx.xx.xx.xx:8443 1xx.xx.xx.xx:33112 www.google.com -
[2020-10-27T14:18:45.896Z] "- - -" 0 - "-" "-" 883 17647 38 - "-" "-" "-" "-" "xxx.xxx.xxx.xxx:443" outbound|443||www.google.com xx.xx.xx.xx:56834 xx.xx.xx.xx:8443 xx.xx.xx.xx:33964 www.google.com -
Please refer to this documentation.
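The answer's two corrections (the DestinationRule must target the egress gateway service and declare the subset the VirtualService routes to, and the ServiceEntry/Gateway/sniHosts entries must equal the exact hostname curl sends as SNI) can be checked mechanically before applying. The following is an added example, not code from the question, the answer or the Istio project; it takes manifests as dicts in the shape of `kubectl get <kind> -o json` items, and `egress_set`, `BROKEN` and `FIXED` are constructed inputs that mirror the update's config and the answer's working config.

```python
from urllib.parse import urlsplit

EGW = "istio-egressgateway.istio-system.svc.cluster.local"

def find_egress_problems(manifests, url):
    """Findings for a TLS request to `url` via the egress gateway; [] means consistent.
    `manifests` are dicts shaped like `kubectl get <kind> -o json` items."""
    by_kind = {}
    for m in manifests:
        by_kind.setdefault(m["kind"], []).append(m)
    sni = urlsplit(url).hostname  # the SNI curl sends; Istio's tls match keys on it
    findings = []
    # REGISTRY_ONLY: the exact SNI must be registered by some ServiceEntry
    if sni not in {h for se in by_kind.get("ServiceEntry", []) for h in se["spec"]["hosts"]}:
        findings.append(f"{sni}: no ServiceEntry registers it (REGISTRY_ONLY blocks it)")
    subsets = {}  # subset names a route may use, keyed by the DestinationRule host
    for dr in by_kind.get("DestinationRule", []):
        subsets.setdefault(dr["spec"]["host"], set()).update(
            s["name"] for s in dr["spec"].get("subsets", []))
    gw_hosts = {h for gw in by_kind.get("Gateway", [])  # SNIs a Gateway server accepts
                for srv in gw["spec"]["servers"] for h in srv["hosts"]}
    for vs in by_kind.get("VirtualService", []):
        name, sni_hosts = vs["metadata"]["name"], set()
        for rule in vs["spec"].get("tls", []):
            for match in rule.get("match", []):
                sni_hosts.update(match.get("sniHosts", []))
                if any(g != "mesh" for g in match.get("gateways", [])) and sni not in gw_hosts:
                    findings.append(f"{name}: no Gateway server lists {sni}")
            for r in rule.get("route", []):
                host, subset = r["destination"]["host"], r["destination"].get("subset")
                if subset and subset not in subsets.get(host, set()):
                    findings.append(f"{name}: subset '{subset}' is not defined by a "
                                    f"DestinationRule for {host}")
        if sni not in sni_hosts:
            findings.append(f"{name}: no tls match lists {sni} in sniHosts")
    return findings

def egress_set(ext_host, dr_host, dr_subsets):  # constructed sample resource set
    return [
        {"kind": "ServiceEntry", "spec": {"hosts": [ext_host]}},
        {"kind": "DestinationRule", "spec": {"host": dr_host, "subsets": [{"name": s} for s in dr_subsets]}},
        {"kind": "Gateway", "spec": {"servers": [{"hosts": [ext_host]}]}},
        {"kind": "VirtualService", "metadata": {"name": "ext-res-vs"}, "spec": {"tls": [
            {"match": [{"gateways": ["mesh"], "sniHosts": [ext_host]}],
             "route": [{"destination": {"host": EGW, "subset": "google"}}]},
            {"match": [{"gateways": ["ext-res-gw"], "sniHosts": [ext_host]}],
             "route": [{"destination": {"host": ext_host}}]}]}},
    ]

BROKEN = egress_set("google.com", "google.com", [])    # the update's configuration
FIXED = egress_set("www.google.com", EGW, ["google"])  # the answer's configuration
```

Running `find_egress_problems(BROKEN, "https://google.com")` shows that the missing subset alone breaks routing even when the SNI matches, while `https://www.google.com` against the same set adds the host-mismatch findings on top.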