ISTIO - 出口网关返回 - 命令以退出代码 35 终止?

【问题标题】:ISTIO - Egress Gateway returns - command terminated with exit code 35?ISTIO - 出口网关返回 - 命令以退出代码 35 终止?
【发布时间】:2020-10-24 13:22:08
【问题描述】:

我已经使用以下配置安装了 ISTIO

cat << EOF | kubectl apply -f -
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-control-plane
spec:
  # Use the default profile as the base
  # More details at: https://istio.io/docs/setup/additional-setup/config-profiles/
  profile: default
  # Enable the addons that we will want to use
  addonComponents:
    grafana:
      enabled: true
    prometheus:
      enabled: true
    tracing:
      enabled: true
    kiali:
      enabled: true
  values:
    global:
      # Ensure that the Istio pods are only scheduled to run on Linux nodes
      defaultNodeSelector:
        beta.kubernetes.io/os: linux
    kiali:
      dashboard:
        auth:
          strategy: anonymous
  components:
    egressGateways:
    - name: istio-egressgateway
      enabled: true
  meshConfig:
    accessLogFile: /dev/stdout
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
EOF

并已配置 Egress Gateway、Destination Rule 和 Virtual Service,如下所示

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
metadata:
  name: akv2k8s-test
  labels:
    istio-injection: enabled
    azure-key-vault-env-injection: enabled
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: edition-cnn-com
  namespace: akv2k8s-test
spec:
  hosts:
  - edition.cnn.com
  ports:
  - number: 443
    name: https-port
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: edition-cnn-com
  namespace: akv2k8s-test
spec:
  hosts:
  - edition.cnn.com
  tls:
  - match:
    - port: 443
      sniHosts:
      - edition.cnn.com
    route:
    - destination:
        host: edition.cnn.com
        port:
          number: 443
      weight: 100
EOF

尝试访问时会引发错误

kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.7/samples/sleep/sleep.yaml -n akv2k8s-test
export SOURCE_POD=$(kubectl get pod -l app=sleep -n akv2k8s-test -o jsonpath={.items..metadata.name})
kubectl exec "$SOURCE_POD" -n akv2k8s-test -c sleep -- curl -sL -o /dev/null -D - https://edition.cnn.com/politics
kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail

我该如何解决这个问题?

更新:我也试过下面的,但结果还是一样

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: svc-entry
  namespace: akv2k8s-test
spec:
  hosts:
  - google.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
EOF

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ext-res-dr
  namespace: akv2k8s-test
spec:
  host: google.com
EOF

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ext-res-gw
  namespace: akv2k8s-test
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - google.com
    tls:
      mode: PASSTHROUGH
EOF

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ext-res-vs
  namespace: akv2k8s-test
spec:
  hosts:
  - google.com
  gateways:
  - mesh
  - ext-res-gw
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - google.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: google
        port:
          number: 443
  - match:
    - gateways:
      - ext-res-gw
      port: 443
      sniHosts:
      - google.com
    route:
    - destination:
        host: google.com
        port:
          number: 443
      weight: 100
EOF

【问题讨论】:

  • Egress Gateway 中没有日志,因为您不使用它,您使用 Istio ServiceEntry 从您的 Istio 集群中访问可公开访问的服务 edition.cnn.com。我在新的 gke 集群上使用了你的 yamls,它没有任何问题。您提到您使用目标规则,请您添加 yaml 吗?
  • 退出代码 35 来自 curl。 curl 的文档curl.haxx.se/libcurl/c/libcurl-errors.html 说这是 SSL 握手问题。您如何进行 SSL 终止?
  • 我该如何解决这个问题?

标签: kubernetes istio istio-sidecar


【解决方案1】:

我不确定第一个示例有什么问题,因为没有所有依赖项,关于更新,您的 DestinationRule 存在问题

应该是

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ext-res-dr
  namespace: akv2k8s-test
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: google

代替

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ext-res-dr
  namespace: akv2k8s-test
spec:
  host: google.com

和主机/sniHosts

应该是

www.google.com

代替

google.com

https://www.google.com 有一个工作示例。

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: svc-entry
  namespace: akv2k8s-test
spec:
  hosts:
  - www.google.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS

---

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ext-res-dr
  namespace: akv2k8s-test
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: google
---

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ext-res-gw
  namespace: akv2k8s-test
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - www.google.com
    tls:
      mode: PASSTHROUGH

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ext-res-vs
  namespace: akv2k8s-test
spec:
  hosts:
  - www.google.com
  gateways:
  - mesh
  - ext-res-gw
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - www.google.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: google
        port:
          number: 443
  - match:
    - gateways:
      - ext-res-gw
      port: 443
      sniHosts:
      - www.google.com
    route:
    - destination:
        host: www.google.com
        port:
          number: 443
      weight: 100

还有注册模式、curl和egress日志。

kubectl get istiooperator istio-control-plane -n istio-system -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'
REGISTRY_ONLY

kubectl exec "$SOURCE_POD" -n akv2k8s-test -c sleep -- curl -sL -o /dev/null -D - https://www.google.com
HTTP/2 200

kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail
[2020-10-27T14:16:37.735Z] "- - -" 0 - "-" "-" 844 17705 45 - "-" "-" "-" "-" "xxx.xxx.xxx.xxx:443" outbound|443||www.google.com xx.xx.xx.xx:59814 xx.xx.xx.xx:8443 1xx.xx.xx.xx:33112 www.google.com -
[2020-10-27T14:18:45.896Z] "- - -" 0 - "-" "-" 883 17647 38 - "-" "-" "-" "-" "xxx.xxx.xxx.xxx:443" outbound|443||www.google.com xx.xx.xx.xx:56834 xx.xx.xx.xx:8443 xx.xx.xx.xx:33964 www.google.com -

请参考这个documentation

【讨论】:

  • 太好了,它就像一个魅力。我用了2天,无法正常工作,非常感谢。
  • 能否请您简单解释一下tls之间的区别:-匹配:-网关:-网格和-匹配:-网关:-ext-res-gw端口:443
  • 我会假设 - 匹配: - 网关: - ext-res-gw 将首先被击中,这会将请求重定向到定义为 tls 的网状网关: - 匹配: - 网关: - 网状
  • Mesh 网关是一个内部 istio 网关,适用于 Mesh 中的所有 Sidecar,我知道它在任何地方都没有得到很好的描述,它有一个 example。正如我提到的heremesh gateway 是第一个睡眠目标,然后从mesh gateway 请求转到egress gateway,在你的情况下是ext-res-gw,然后你点击external service,它在你的情况下是www.google.com。所以流量是这样的,睡眠 -> 网状网关 -> 出口网关 -> 外部
  • 在生产环境中使用 ISTIO 配置 Prometheus、Grafana、Kiali 是否有任何可用指南?像秘密,卷。我提出了一个单独的问题,但被关闭了。如果可能的话,我只需要一些参考资料。
猜你喜欢
  • 2020-06-18
  • 2022-01-18
  • 2021-07-09
  • 2017-04-28
  • 1970-01-01
  • 1970-01-01
  • 2018-07-25
  • 1970-01-01
  • 2022-12-29
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode