istio - connection refused


Question


I am getting a connection refused error when trying to connect to a k8s workload.

This is a custom installation of k8s using kubeadm.

Domain: example.com resolves to the IP address of the k8s server.

I have deployed a sample pod (nginx) with an accompanying service. I can see that it works by navigating to the cluster ip (the internal 10.0.0.0/24 range has been routed to my k8s master node so it is accessible directly).

On the master node I can't see anything listening to port 80 using netstat.
I can also run a custom web server on port 80 (using python3 -m http.server 80) which succeeds in serving the local directory which means that no other process does.

Ask me anything. I will provide logs.

Kubernetes

  • v.1.27.3

Istio

  • client version: 1.17.1
  • control plane version: 1.18.0
  • data plane version: 1.18.0 (1 proxies)

gateway.yaml

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gw-foo
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - example.com
    port:
      name: http
      number: 80
      protocol: HTTP
```

virtualservice.yaml

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: plex-vs
  namespace: default
spec:
  gateways:
  - default/gw-foo
  hosts:
  - example.com
  http:
  - match:
    - port: 80
    name: foo
    route:
    - destination:
        host: foo-svc.some-namespace.svc.cluster.local
        port:
          number: 30000
```

Custom kubeadm-config.yaml

```yaml
# kubeadm-config.yaml
kind: ClusterConfiguration
apiVersion: kubeadm.k8s.io/v1beta3
kubernetesVersion: v1.27.3
networking:
  podSubnet: "10.3.0.0/24"
---
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
cgroupDriver: systemd
#serverTLSBootstrap: true
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: "192.168.1.200"
```

Istio Ingress status

```
$ kubectl -n istio-ingress get deployment istio-ingressgateway
NAME                   READY   UP-TO-DATE   AVAILABLE   AGE
istio-ingressgateway   1/1     1            1           47h
```

```
$ kubectl -n istio-ingress describe deployments.apps istio-ingressgateway
Name:                   istio-ingressgateway
Namespace:              istio-ingress
CreationTimestamp:      Tue, 11 Jul 2023 21:55:48 +0300
Labels:                 app=istio-ingressgateway
                        app.kubernetes.io/managed-by=Helm
                        app.kubernetes.io/name=istio-ingressgateway
                        app.kubernetes.io/version=1.18.0
                        helm.sh/chart=gateway-1.18.0
                        istio=ingressgateway
Annotations:            deployment.kubernetes.io/revision: 1
                        meta.helm.sh/release-name: istio-ingressgateway
                        meta.helm.sh/release-namespace: istio-ingress
Selector:               app=istio-ingressgateway,istio=ingressgateway
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:           app=istio-ingressgateway
                    istio=ingressgateway
                    sidecar.istio.io/inject=true
  Annotations:      inject.istio.io/templates: gateway
                    prometheus.io/path: /stats/prometheus
                    prometheus.io/port: 15020
                    prometheus.io/scrape: true
                    sidecar.istio.io/inject: true
  Service Account:  istio-ingressgateway
  Containers:
   istio-proxy:
    Image:      auto
    Port:       15090/TCP
    Host Port:  0/TCP
    Limits:
      cpu:     2
      memory:  1Gi
    Requests:
      cpu:        100m
      memory:     128Mi
    Environment:  <none>
    Mounts:       <none>
  Volumes:        <none>
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Progressing    True    NewReplicaSetAvailable
  Available      True    MinimumReplicasAvailable
OldReplicaSets:  <none>
NewReplicaSet:   istio-ingressgateway-778d69499b (1/1 replicas created)
Events:          <none>
```

Istioctl analyze output

```
$ istioctl analyze -A
Warning [IST0108] (Pod istio-ingress/istio-ingressgateway-778d69499b-g6mkv) Unknown annotation: istio.io/rev
Warning [IST0108] (Pod istio-system/istiod-5f859db56c-796zw) Unknown annotation: ambient.istio.io/redirection
Warning [IST0108] (Pod default/my-nginx-7754db7798-ft46j) Unknown annotation: istio.io/rev
Info [IST0102] (Namespace calico-apiserver) The namespace is not enabled for Istio injection. Run 'kubectl label namespace calico-apiserver istio-injection=enabled' to enable it, or 'kubectl label namespace calico-apiserver istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0102] (Namespace calico-system) The namespace is not enabled for Istio injection. Run 'kubectl label namespace calico-system istio-injection=enabled' to enable it, or 'kubectl label namespace calico-system istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0102] (Namespace cert-manager) The namespace is not enabled for Istio injection. Run 'kubectl label namespace cert-manager istio-injection=enabled' to enable it, or 'kubectl label namespace cert-manager istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0102] (Namespace hello-kubernetes) The namespace is not enabled for Istio injection. Run 'kubectl label namespace hello-kubernetes istio-injection=enabled' to enable it, or 'kubectl label namespace hello-kubernetes istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0102] (Namespace istio-ingress) The namespace is not enabled for Istio injection. Run 'kubectl label namespace istio-ingress istio-injection=enabled' to enable it, or 'kubectl label namespace istio-ingress istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0102] (Namespace tigera-operator) The namespace is not enabled for Istio injection. Run 'kubectl label namespace tigera-operator istio-injection=enabled' to enable it, or 'kubectl label namespace tigera-operator istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0118] (Service calico-apiserver/calico-api) Port name apiserver (port: 443, targetPort: 5443) doesn't follow the naming convention of Istio port.
Info [IST0118] (Service calico-system/calico-kube-controllers-metrics) Port name metrics-port (port: 9094, targetPort: 9094) doesn't follow the naming convention of Istio port.
Info [IST0118] (Service calico-system/calico-typha) Port name calico-typha (port: 5473, targetPort: calico-typha) doesn't follow the naming convention of Istio port.
Info [IST0118] (Service hello-kubernetes/hello-world-service) Port name hello-svc (port: 8065, targetPort: 31870) doesn't follow the naming convention of Istio port.
```

Answer 1

Score: 1


Figured it out.

Here's what was going wrong with my understanding.

I was expecting some process to be listening on port 80 and 443 on my master host.

That is simply not the case as demonstrated below:

```
kubectl -n istio-system get svc istio-ingressgateway
NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                                      AGE
istio-ingressgateway   LoadBalancer   10.107.128.144   <pending>     15021:31095/TCP,80:32657/TCP,443:30544/TCP,31400:31995/TCP,15443:30016/TCP   58m
```

All I had to do was to route all unsecure http traffic to port 32657 and secure https traffic to port 30544 on the master host.
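The mapping the answer relies on, as an added example that is not part of the original post: with `EXTERNAL-IP <pending>` the gateway is reachable only through the NodePorts in the `PORT(S)` column, so this script parses that column (sample constructed from the output above) to find the NodePort behind service port 80 or 443 and builds the URL to send the `Host: example.com` request to. The node address is the kubeadm `advertiseAddress` from the question; `node_port` and `gateway_url` are helper names introduced here.

```shell
#!/bin/sh
# Added example: nothing on the node listens on 80/443; the ingress gateway's
# LoadBalancer Service exposes each port through a NodePort instead.

# Constructed sample copied from the answer's `kubectl get svc` output.
# Live value: kubectl -n istio-system get svc istio-ingressgateway \
#   -o jsonpath='{range .spec.ports[*]}{.port}:{.nodePort}/{.protocol},{end}'
PORTS='15021:31095/TCP,80:32657/TCP,443:30544/TCP,31400:31995/TCP,15443:30016/TCP'

# node_port PORTS SERVICE_PORT -> prints the NodePort; returns 1 if the
# service port is not exposed (avoids silently sending traffic to port 80).
node_port() {
    echo "$1" | tr ',' '\n' | awk -F'[:/]' -v want="$2" '
        $1 == want { print $2; found = 1; exit }
        END { if (!found) exit 1 }'
}

# gateway_url NODE_IP SERVICE_PORT -> scheme://NODE_IP:NODEPORT for that port
gateway_url() {
    np=$(node_port "$PORTS" "$2") || return 1
    scheme=http
    [ "$2" = 443 ] && scheme=https
    echo "${scheme}://$1:${np}"
}

# Node address from the question's kubeadm advertiseAddress.
NODE_IP=192.168.1.200

# The Gateway/VirtualService match on the Host header, so the request must
# carry example.com even though it is sent to the NodePort, e.g.:
#   curl -sS -H 'Host: example.com' "$(gateway_url "$NODE_IP" 80)/"
# Until DNS for example.com points at the node, the header replaces the name.
```

Exposing the NodePorts as 80/443 to the outside is then a job for whatever sits in front of the node (a port forward, a reverse proxy, or a MetalLB-style load balancer that would clear the `<pending>` EXTERNAL-IP).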

Answer 2

Score: 0


You mention, "example.com resolves to the IP address of the k8s server" - example.com has to resolve to the IP address of the ingress gateway service running inside your cluster.

huangapple
  • Posted on 14 July 2023, 01:20:14
  • Please keep this link when reposting: https://go.coder-hub.com/76681880.html