istio – 连接拒绝

huangapple go评论72阅读模式
英文:

istio - connection refused

问题

我在尝试连接到一个K8s工作负载时遇到了"connection refused"错误。

这是使用kubeadm进行的自定义K8s安装。

域名:example.com 解析到K8s服务器的IP地址。

我部署了一个示例Pod(nginx)以及一个相应的服务。我可以通过导航到集群IP(内部的10.0.0.0/24范围已路由到我的K8s主节点,因此可以直接访问)来验证它的工作。

在主节点上,我不能看到任何监听80端口的进程,使用netstat也是如此。
我还可以在端口80上运行一个自定义的Web服务器(使用python3 -m http.server 80),成功地提供本地目录,这意味着没有其他进程在使用这个端口。

请问您需要提供哪些日志信息?

英文:

I am getting a connection refused error when trying to connect to a k8s workload.

This is a custom installation of k8s using kubeadm.

Domain: example.com resolves to the IP address of the k8s server.

I have deployed a sample pod (nginx) with an accompanying service. I can see that it works by navigating to the cluster ip (the internal 10.0.0.0/24 range has been routed to my k8s master node so it is accessible directly).

On the master node I can't see anything listening to port 80 using netstat.
I can also run a custom web server on port 80 (using python3 -m http.server 80) which succeeds in serving the local directory which means that no other process does.

Ask me anything. I will provide logs.

Kubernetes

  • v.1.27.3

Istio

  • client version: 1.17.1
  • control plane version: 1.18.0
  • data plane version: 1.18.0 (1 proxies)

gateway.yaml

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gw-foo
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - example.com
    port:
      name: http
      number: 80
      protocol: HTTP

virtualservice.yaml

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: plex-vs
  namespace: default
spec:
  gateways:
  - default/gw-foo
  hosts:
  - example.com
  http:
  - match:
    - port: 80
    name: foo
    route:
    - destination:
        host: foo-svc.some-namespace.svc.cluster.local
        port:
          number: 30000

Custom kubeadm-config.yaml

# kubeadm-config.yaml
kind: ClusterConfiguration
apiVersion: kubeadm.k8s.io/v1beta3
kubernetesVersion: v1.27.3
networking:
  podSubnet: "10.3.0.0/24"
---
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
cgroupDriver: systemd
#serverTLSBootstrap: true
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: "192.168.1.200"

Istio Ingress status

$ kubectl -n istio-ingress get deployment istio-ingressgateway 
NAME                   READY   UP-TO-DATE   AVAILABLE   AGE
istio-ingressgateway   1/1     1            1           47h
$ kubectl -n istio-ingress describe deployments.apps istio-ingressgateway 
Name:                   istio-ingressgateway
Namespace:              istio-ingress
CreationTimestamp:      Tue, 11 Jul 2023 21:55:48 +0300
Labels:                 app=istio-ingressgateway
                        app.kubernetes.io/managed-by=Helm
                        app.kubernetes.io/name=istio-ingressgateway
                        app.kubernetes.io/version=1.18.0
                        helm.sh/chart=gateway-1.18.0
                        istio=ingressgateway
Annotations:            deployment.kubernetes.io/revision: 1
                        meta.helm.sh/release-name: istio-ingressgateway
                        meta.helm.sh/release-namespace: istio-ingress
Selector:               app=istio-ingressgateway,istio=ingressgateway
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:           app=istio-ingressgateway
                    istio=ingressgateway
                    sidecar.istio.io/inject=true
  Annotations:      inject.istio.io/templates: gateway
                    prometheus.io/path: /stats/prometheus
                    prometheus.io/port: 15020
                    prometheus.io/scrape: true
                    sidecar.istio.io/inject: true
  Service Account:  istio-ingressgateway
  Containers:
   istio-proxy:
    Image:      auto
    Port:       15090/TCP
    Host Port:  0/TCP
    Limits:
      cpu:     2
      memory:  1Gi
    Requests:
      cpu:        100m
      memory:     128Mi
    Environment:  <none>
    Mounts:       <none>
  Volumes:        <none>
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Progressing    True    NewReplicaSetAvailable
  Available      True    MinimumReplicasAvailable
OldReplicaSets:  <none>
NewReplicaSet:   istio-ingressgateway-778d69499b (1/1 replicas created)
Events:          <none>

Istioctl analyze output

$ istioctl analyze -A
Warning [IST0108] (Pod istio-ingress/istio-ingressgateway-778d69499b-g6mkv) Unknown annotation: istio.io/rev
Warning [IST0108] (Pod istio-system/istiod-5f859db56c-796zw) Unknown annotation: ambient.istio.io/redirection
Warning [IST0108] (Pod default/my-nginx-7754db7798-ft46j) Unknown annotation: istio.io/rev
Info [IST0102] (Namespace calico-apiserver) The namespace is not enabled for Istio injection. Run 'kubectl label namespace calico-apiserver istio-injection=enabled' to enable it, or 'kubectl label namespace calico-apiserver istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0102] (Namespace calico-system) The namespace is not enabled for Istio injection. Run 'kubectl label namespace calico-system istio-injection=enabled' to enable it, or 'kubectl label namespace calico-system istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0102] (Namespace cert-manager) The namespace is not enabled for Istio injection. Run 'kubectl label namespace cert-manager istio-injection=enabled' to enable it, or 'kubectl label namespace cert-manager istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0102] (Namespace hello-kubernetes) The namespace is not enabled for Istio injection. Run 'kubectl label namespace hello-kubernetes istio-injection=enabled' to enable it, or 'kubectl label namespace hello-kubernetes istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0102] (Namespace istio-ingress) The namespace is not enabled for Istio injection. Run 'kubectl label namespace istio-ingress istio-injection=enabled' to enable it, or 'kubectl label namespace istio-ingress istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0102] (Namespace tigera-operator) The namespace is not enabled for Istio injection. Run 'kubectl label namespace tigera-operator istio-injection=enabled' to enable it, or 'kubectl label namespace tigera-operator istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0118] (Service calico-apiserver/calico-api) Port name apiserver (port: 443, targetPort: 5443) doesn't follow the naming convention of Istio port.
Info [IST0118] (Service calico-system/calico-kube-controllers-metrics) Port name metrics-port (port: 9094, targetPort: 9094) doesn't follow the naming convention of Istio port.
Info [IST0118] (Service calico-system/calico-typha) Port name calico-typha (port: 5473, targetPort: calico-typha) doesn't follow the naming convention of Istio port.
Info [IST0118] (Service hello-kubernetes/hello-world-service) Port name hello-svc (port: 8065, targetPort: 31870) doesn't follow the naming convention of Istio port.

答案1

得分: 1

搞清楚了。

以下是我对我的理解出了问题的解释。

我原以为在我的主机上会有一些进程在监听80端口和443端口。

事实并非如此,如下所示:

kubectl -n istio-system get svc istio-ingressgateway
NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                                      AGE
istio-ingressgateway   LoadBalancer   10.107.128.144   <pending>     15021:31095/TCP,80:32657/TCP,443:30544/TCP,31400:31995/TCP,15443:30016/TCP   58m

我所要做的就是将所有非安全的http流量路由到主机的32657端口,将安全的https流量路由到主机的30544端口。

英文:

Figured it out.

Here's what was going wrong with my understanding.

I was expecting some process to be listening on port 80 and 443 on my master host.

That is simply not the case as demonstrated below:

kubectl -n istio-system get svc istio-ingressgateway
NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                                      AGE
istio-ingressgateway   LoadBalancer   10.107.128.144   &lt;pending&gt;     15021:31095/TCP,80:32657/TCP,443:30544/TCP,31400:31995/TCP,15443:30016/TCP   58m

All I had to do was to route all unsecure http traffic to port 32657 and secure https traffic to port 30544 on the master host.

答案2

得分: 0

你提到,“example.com解析到k8s服务器的IP地址” - example.com必须解析到运行在您集群内的入口网关服务的IP地址。

英文:

You mention, "example.com resolves to the IP address of the k8s server" - example.com has to resolve to the IP address of the ingress gateway service running inside your cluster.

huangapple
  • 本文由 发表于 2023年7月14日 01:20:14
  • 转载请务必保留本文链接:https://go.coder-hub.com/76681880.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定