
Istio 504 on ALB to EKS nodes, not on the Istio gateway

Stack Overflow user
Asked 2022-10-04 10:03:38
Answers 1 · Views 45 · Followers 0 · Votes 0

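Bug description

I am using EKS (1.23) with an ALB. The ALB terminates TLS with a certificate provided by ACM.

Using Terraform, I installed the following in the EKS cluster:

  • base
  • istiod
  • gateway

All in version 1.15.0.

Other things configured on the cluster:

  • aws_security_group_rules on the EKS nodes for ports 15000-15090 (ingress and egress)
  • the required k8s namespaces
  • the required k8s Ingress to configure the ALB through the ALB controller
  • the required ACM certificate for the ALB
  • the required Route53 DNS entries

All of these things are pretty common, so I don't think there is anything strange there. I have this kind of configuration in multiple places, without Istio.

I also added an httpbin Service and Deployment, along with the related Gateway and VirtualService.

In the Ingress I configured two paths (besides the ssl-redirect directive for the ALB):

  • /healthz/ready pointing to status-port
  • and then / pointing to http2

The ingress gateway Service is of type NodePort, which is required for this kind of setup.

(Important) There are two nodes in the cluster.

The target group details page in the AWS console shows that 2/2 targets are healthy.

Wow...

When I go to https://httpbin.somedomain.com, every second request gets a 504 Gateway Timeout. When I go to https://httpbin.somedomain.com/healthz/ready, I get a 200 every time. When I increase the number of nodes in the cluster to 3, the 504 occurs on 2 out of 3 requests.

It is clear to me that this has to do with the ALB round-robining across the machines. But why? status-port is always 200.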

Versions

$ istioctl version
client version: 1.15.0
control plane version: 1.15.0
data plane version: 1.15.0 (3 proxies)

$ kubectl version --short
Client Version: v1.23.2
Server Version: v1.23.7-eks-4721010

$ helm version --short
v3.8.0+gd141386

Additional information

$ istioctl bug-report

Target cluster context: v2-xxx

Running with the following config: 

istio-namespace: istio-system
full-secrets: false
timeout (mins): 30
include: {  }
exclude: { Namespaces: kube-node-lease,kube-public,kube-system,local-path-storage }
end-time: 2022-09-27 17:29:26.34498 +0200 CEST



Cluster endpoint: https://yyy.yl4.eu-west-1.eks.amazonaws.com
CLI version:
version.BuildInfo{Version:"1.15.0", GitRevision:"e3364ab424b70ca8ee1ca76cb0b3afb73476aaac", GolangVersion:"go1.19", BuildStatus:"Clean", GitTag:"1.15.0"}

The following Istio control plane revisions/versions were found in the cluster:
Revision default:
&version.MeshInfo{
    {
        Component: "pilot",
        Info:      version.BuildInfo{Version:"1.15.0", GitRevision:"e3364ab424b70ca8ee1ca76cb0b3afb73476aaac", GolangVersion:"go1.19", BuildStatus:"Clean", GitTag:"1.15.0"},
    },
}

The following proxy revisions/versions were found in the cluster:
Revision default: Versions {1.15.0}


Fetching proxy logs for the following containers:

argocd//argo-cd-argocd-application-controller-0/application-controller
argocd/argo-cd-argocd-applicationset-controller/argo-cd-argocd-applicationset-controller-9dddcffbf-zrcgl/applicationset-controller
argocd/argo-cd-argocd-dex-server/argo-cd-argocd-dex-server-75c975ccb7-xmd82/dex-server
argocd/argo-cd-argocd-notifications-controller/argo-cd-argocd-notifications-controller-5854964cbf-z8nlr/notifications-controller
argocd/argo-cd-argocd-redis/argo-cd-argocd-redis-664b98cfd7-lndsf/argo-cd-argocd-redis
argocd/argo-cd-argocd-repo-server/argo-cd-argocd-repo-server-75f49f7ccf-xsblh/repo-server
argocd/argo-cd-argocd-server/argo-cd-argocd-server-6599d8d846-dqr6s/server
first/httpbin/httpbin-7bffdcffd-2klzj/httpbin
first/httpbin/httpbin-7bffdcffd-2klzj/istio-proxy

...

istio-ingress-internal/internal/internal-554ddcb684-kr52c/istio-proxy
istio-ingress-internet-facing/internet-facing/internet-facing-555fd48d8d-2tx74/istio-proxy
istio-system/istiod/istiod-86cd5997bb-r6797/discovery

...

Fetching Istio control plane information from cluster.

Running istio analyze on all namespaces and report as below:
Analysis Report:
Info [IST0102] (Namespace argocd) The namespace is not enabled for Istio injection. Run 'kubectl label namespace argocd istio-injection=enabled' to enable it, or 'kubectl label namespace argocd istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0102] (Namespace default) The namespace is not enabled for Istio injection. Run 'kubectl label namespace default istio-injection=enabled' to enable it, or 'kubectl label namespace default istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0118] (Service argocd/argo-cd-argocd-applicationset-controller) Port name webhook (port: 7000, targetPort: webhook) doesn't follow the naming convention of Istio port.

...

Creating an archive at /Users/zzz/bug-report.tar.gz.
Cleaning up temporary files in /var/folders/l4/82mt4l7x4r5dzp1j4ppxqqzm0000gn/T/bug-report.
Done.

Original here

1 Answer

Stack Overflow user

Accepted answer

Posted 2022-10-11 11:06:26

I solved this by allowing port 80 between the machines in the EKS node group. I don't understand why this helps, TBH.

Votes 0
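
One explanation consistent with the symptoms in this thread, modeled as an added example that is not part of the original question or answer: with a NodePort Service, a request that the ALB sends to a node without the gateway pod is forwarded by kube-proxy to the pod on another node, on the Service's targetPort, so the node-to-node security group rules must cover that port. Assumptions: targetPorts 15021 (status-port) and 80 (http2) as in the Istio gateway chart defaults, `externalTrafficPolicy: Cluster`, ALB instance targets, and a single gateway pod (the bug report lists one internet-facing pod); the function and node names are hypothetical.

```python
# Added illustration, not code from the question or the answer.
# Assumptions: Service targetPorts as in the Istio gateway chart defaults,
# externalTrafficPolicy: Cluster, ALB instance targets, one gateway pod.
from fractions import Fraction

TARGET_PORTS = {"status-port": 15021, "http2": 80}  # assumed targetPorts
QUESTION_RULES = [(15000, 15090)]          # node-to-node ranges in the question
FIXED_RULES = QUESTION_RULES + [(80, 80)]  # plus the rule from the answer


def allowed(port, rules):
    """True if a node-to-node security group range (lo, hi) covers the port."""
    return any(lo <= port <= hi for lo, hi in rules)


def blocked_target_ports(rules):
    """Service ports whose targetPort cannot be reached from another node."""
    return [name for name, port in TARGET_PORTS.items() if not allowed(port, rules)]


def request_outcome(entry_node, pod_node, port_name, rules):
    """Status the client sees for a request the ALB sends to entry_node."""
    if entry_node == pod_node:
        return 200  # kube-proxy hands the packet to the pod on the same node
    # Otherwise kube-proxy forwards node to node, to the pod's targetPort,
    # and the node security group decides whether that hop gets through.
    return 200 if allowed(TARGET_PORTS[port_name], rules) else 504


def failure_rate(nodes, pod_node, port_name, rules):
    """Share of 504s when the ALB round-robins over every node."""
    results = [request_outcome(n, pod_node, port_name, rules) for n in nodes]
    return Fraction(results.count(504), len(results))


if __name__ == "__main__":
    for count in (2, 3):
        nodes = [f"node-{i}" for i in range(count)]  # constructed node names
        for name in TARGET_PORTS:
            before = failure_rate(nodes, "node-0", name, QUESTION_RULES)
            after = failure_rate(nodes, "node-0", name, FIXED_RULES)
            print(f"{count} nodes, {name}: 504 rate {before} -> {after}")
    print("blocked before fix:", blocked_target_ports(QUESTION_RULES))
```

Under these assumptions the model reproduces the reported pattern: health checks on status-port always pass, while http2 fails on every node except the one hosting the gateway pod.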
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/73946246
