mTLS from Istio Gateway to upstream workload not working
Question
I am unable to get mTLS working between an Istio Gateway and a workload within my mesh. I get the following error when calling from the Istio Gateway to the target service:
curl http://target-service.default
curl: (56) Recv failure: Connection reset by peer
I have an Istio Gateway installed in the istio-system namespace. I also have a workload installed in the default namespace. The traffic flow looks like this:
Inbound traffic => Istio Gateway (istio-system ns) => Target Service (default ns)
I have applied PeerAuthentication in the default namespace for mTLS:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
I am able to access the target workload using mTLS from other pods; it is only the Istio Gateway that is unable to do so. I have auto-injection turned on for the Istio Gateway and it appears to be working fine. Other workloads within the istio-system namespace can access the target service, only the Istio Gateway cannot.
I want to make sure the traffic from the Gateway to the target service is encrypted. Any input would be much appreciated.
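Added example, not part of the question or either answer: with the STRICT PeerAuthentication above protecting the target, the gateway side of the hop can be pinned to Istio mutual TLS explicitly with a DestinationRule, so that the Gateway -> target-service connection is never silently downgraded to plaintext. It assumes the target Service is reachable as target-service.default.svc.cluster.local on port 80 (the page only shows the short name target-service.default).

```yaml
# DestinationRule applied in the same namespace as the target Service.
# With PeerAuthentication mode STRICT on the server side, this makes the
# client side (the Istio Gateway's Envoy, and any sidecar) use Istio-issued
# workload certificates for every connection to this host instead of relying
# on auto-mTLS detection.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: target-service-mtls
  namespace: default
spec:
  # Assumed FQDN; the question only shows "target-service.default".
  host: target-service.default.svc.cluster.local
  trafficPolicy:
    tls:
      # ISTIO_MUTUAL: originate mTLS with the SPIFFE identity certificate
      # that istiod issues to the gateway, verified against the mesh root CA.
      mode: ISTIO_MUTUAL
    portLevelSettings:
      - port:
          number: 80        # assumed plaintext service port behind the mesh
        tls:
          mode: ISTIO_MUTUAL
```

Once applied, a plaintext request from a workload without a sidecar to the same service is rejected by the target's sidecar, while the gateway's connection is carried over mTLS end to end.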
Answer 1
Score: 0
I was seeing this issue regardless of the mTLS PeerAuthentication configuration - I was using AWS EKS, with Kubernetes version 1.26.
What was causing this issue for me was that on the node group level, there wasn't a security group rule that allowed all the traffic within the SG - basically all traffic should be allowed within the node group - ref https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html.
Once I enabled that rule, my applications started working fine.
Let me know if that helps.
Answer 2
Score: 0
Ok, I've got this working now. I had FluxCD installed and I think it was messing things up. Wireshark is showing encryption between the gateway and the target pod now.