本文介绍了部署istio Service Mesh后Kubernetes Pod无法发出https请求的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在EKS(Amazon)托管的k8s集群上探索istio服务网格.

I am exploring the istio service mesh on my k8s cluster hosted on EKS(Amazon).

我尝试使用用于bookapp演示的demo.yml文件以及我正确理解的大多数用例在新的k8s集群上部署istio-1.2.2.

I tried deploying istio-1.2.2 on a new k8s cluster with the demo.yml file used for bookapp demonstration and most of the use cases I understand properly.

然后,我在运行了数百个微服务的现有开发集群上使用头盔默认配置文件(推荐用于生产)部署了istio,我注意到我的服务可以调用http端点,但不能调用外部安全端点( https://www.google.com 等)

Then, I deployed istio using helm default profile(recommended for production) on my existing dev cluster with 100s of microservices running and what I noticed is my services can can call http endpoints but not able to call external secure endpoints(https://www.google.com, etc.)

我得到了:

尽管我能够从测试集群中调用外部https端点.

Though I am able to call external https endpoints from my testing cluster.

要进行验证,我检查了出口策略,两个群集均处于模式:ALLOW_ANY .

To verify, I check the egress policy and it is mode: ALLOW_ANY in both the clusters.

现在,我从开发集群中完全删除了istio并安装了demo.yml进行测试,但是现在这也不起作用.

Now, I removed the the istio completely from my dev cluster and install the demo.yml to test but now this is also not working.

我尝试与此相关,但是没有成功.

I try to relate my issue with this but didn't get any success.

https://discuss.istio.io/t/serviceentry-for-https-on-httpbin-org-resulting-in-connect-cr-srvr-hello-using-curl/2044

我不明白自己在想什么或做错了什么.

I don't understand what I am missing or what I am doing wrong.

注意:我指的是此设置: https://istio.io /docs/setup/kubernetes/install/helm/

Note: I am referring to this setup: https://istio.io/docs/setup/kubernetes/install/helm/

推荐答案

这很可能是Istio中的错误(例如,请参见 istio/istio#14520 ):如果您在集群中的任何位置有任何Kubernetes Service对象,该对象侦听端口443,但名称以http开头(而不是https) ,它将断开所有出站HTTPS连接.

This is most likely a bug in Istio (see for example istio/istio#14520): if you have any Kubernetes Service object, anywhere in your cluster, that listens on port 443 but whose name starts with http (not https), it will break all outbound HTTPS connections.

我遇到的这个实例涉及配置AWS负载均衡器以执行TLS终止. Kubernetes服务需要公开端口443来配置负载均衡器,但它会接收纯净的未加密HTTP.

The instance of this I've hit involves configuring an AWS load balancer to do TLS termination. The Kubernetes Service needs to expose port 443 to configure the load balancer, but it receives plain unencrypted HTTP.

apiVersion: v1
kind: Service
metadata:
  name: breaks-istio
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:...
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
spec:
  selector: ...
  ports:
    - name: http-ssl # <<<< THIS NAME MATTERS
      port: 443
      targetPort: http

我对此进行了尝试,将name:更改为httpstcp-https似乎可行.那些名称前缀对Istio很重要,但我没有立即发现告诉Istio端口是HTTPS(即使它实际上不提供TLS)与普通未解释的TCP之间有任何功能上的区别.

When I've experimented with this, changing that name: to either https or tcp-https seems to work. Those name prefixes are significant to Istio, but I haven't immediately found any functional difference between telling Istio the port is HTTPS (even though it doesn't actually serve TLS) vs. plain uninterpreted TCP.

您确实需要搜索集群并找到监听端口443的每一个服务,并确保端口名称不是以http-...开头.

You do need to search your cluster and find every Service that listens to port 443, and make sure the port name doesn't start with http-....

这篇关于部署istio Service Mesh后Kubernetes Pod无法发出https请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-01 20:41