Cannot access Kubernetes Ingress (Istio) on GKE
I set up Istio on GKE (Kubernetes Ingress mode, not Istio Gateway). However, I cannot access it from outside using curl.
kubectl get svc -n istio-system | grep ingressgateway
istio-ingressgateway LoadBalancer 10.48.11.240 35.222.111.100 15020:30115/TCP,80:31420/TCP,443:32019/TCP,31400:31267/TCP,15029:30180/TCP,15030:31055/TCP,15031:32226/TCP,15032:30437/TCP,15443:31792/TCP 41h
curl 35.222.111.100
curl: (7) Failed to connect to 35.222.111.100 port 80: Connection refused
This is the Ingress configuration:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio
  name: ingress
spec:
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: in-keycloak
            port:
              number: 8080
This is the Service configuration:
apiVersion: v1
kind: Service
metadata:
  name: in-keycloak
  labels:
    app: keycloak
spec:
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  selector:
    app: keycloak
  type: ClusterIP
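If I use the same configuration with Docker Desktop on my local machine (macOS), it works fine.

Two things must be satisfied on GKE for Istio to work on a private cluster.

1. To make Istio work on GKE, you should follow these instructions to prepare a GKE cluster for Istio. This also includes opening port 15017 so that Istio can work.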
For private GKE clusters
An automatically created firewall rule does not open port 15017. This is needed by the Pilot discovery validation webhook.
To review this firewall rule for master access:
$ gcloud compute firewall-rules list --filter="name~gke-${CLUSTER_NAME}-[0-9a-z]*-master"
To replace the existing rule and allow master access:
$ gcloud compute firewall-rules update <firewall-rule-name> --allow tcp:10250,tcp:443,tcp:15017
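2. Comparing with the Istio documentation, I would say your ingress configuration is not correct. Below you can find the ingress resource from the documentation, which you might try to use: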
apiVersion: networking.k8s.io/v1beta1
kind: IngressClass
metadata:
  name: istio
spec:
  controller: istio.io/ingress-controller
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress
spec:
  ingressClassName: istio
  rules:
  - host: httpbin.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          serviceName: httpbin
          servicePort: 8000
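
An added example, not part of the original answer or the Istio documentation: because `gcloud compute firewall-rules update --allow` overwrites the rule's whole allow list, this helper checks whether the current list already admits tcp:15017 and otherwise builds a list that keeps every existing entry. The function names and sample lists are assumptions; the input is the ALLOW column printed by the `firewall-rules list` command quoted in the answer.

```bash
#!/usr/bin/env bash
# Added example. Input format: the ALLOW column of `gcloud compute
# firewall-rules list`, e.g. "tcp:10250,tcp:443" (sample values are constructed).

# allows_tcp_port "<allow-list>" <port>
# Returns 0 when an entry admits <port> over TCP: an exact port, a range such
# as tcp:15000-15100, or a bare "tcp"/"all" entry that covers every port.
allows_tcp_port() {
  local list="$1" port="$2" entry proto spec lo hi
  local IFS=,
  for entry in $list; do
    proto=${entry%%:*}
    [ "$proto" = "tcp" ] || [ "$proto" = "all" ] || continue
    case $entry in
      *:*) spec=${entry#*:} ;;
      *) return 0 ;;                      # no port part: every port allowed
    esac
    lo=${spec%%-*}
    hi=${spec##*-}
    case $lo in ''|*[!0-9]*) continue ;; esac   # skip malformed entries
    case $hi in ''|*[!0-9]*) continue ;; esac
    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
      return 0
    fi
  done
  return 1
}

# merged_allow "<allow-list>" <port>
# Prints the value to pass to --allow: the list unchanged when the port is
# already admitted, otherwise the list with tcp:<port> appended. Existing
# entries are always kept, since `update --allow` overwrites the whole list.
merged_allow() {
  local list="$1" port="$2"
  if allows_tcp_port "$list" "$port"; then
    printf '%s\n' "$list"
  elif [ -z "$list" ]; then
    printf 'tcp:%s\n' "$port"
  else
    printf '%s,tcp:%s\n' "$list" "$port"
  fi
}
```

The printed value is what goes after `--allow` in the `gcloud compute firewall-rules update <firewall-rule-name>` command quoted in the answer, so the rule gains 15017 without losing or widening anything else.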