I have an EKS cluster with 2 EC2 nodes. I want to use Istio with an ALB instead of a classic ELB, so I modified the gateway in the Istio Helm chart to use NodePort like this:

apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
    release: istio
    istio.io/rev: default
    install.operator.istio.io/owning-resource: unknown
    operator.istio.io/component: "IngressGateways"
spec:
  type: NodePort
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  ports:
    - name: status-port
      port: 15021
      protocol: TCP
      nodePort: 32767
    - name: http2
      port: 80
      protocol: TCP
      nodePort: 31231
    - name: https
      port: 443
      protocol: TCP
      nodePort: 31312

In addition, I added an Ingress for the gateway:

---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  namespace: istio-system
  name: aws-load-balancer
spec:
  controller: ingress.k8s.aws/alb
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: istio-system
  name: ingress
  labels:
    app: ingress
  annotations:
    alb.ingress.kubernetes.io/healthcheck-port: "32767"
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/subnets: subnet-foo,subnet-bar
spec:
  ingressClassName: aws-load-balancer
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: istio-ingressgateway
                port:
                  number: 80

The ALB and TargetGroup are created as expected, and the nodes are healthy according to the TargetGroup health check.

The sample bookinfo stack and gateway are installed into a labeled namespace:

% kubectl get ns bookinfo --show-labels
NAME       STATUS   AGE   LABELS
bookinfo   Active   18h   istio-injection=enabled

istioctl shows the proxy status:

% istioctl proxy-status
NAME                                                  CDS      LDS      EDS      RDS        ISTIOD                    VERSION
details-v1-79f774bdb9-2scfv.bookinfo                  SYNCED   SYNCED   SYNCED   SYNCED     istiod-75c795985d-pwx9j   1.10.0
istio-ingressgateway-8579cc48f8-2d5sd.istio-system    SYNCED   SYNCED   SYNCED   NOT SENT   istiod-75c795985d-pwx9j   1.10.0
productpage-v1-6b746f74dc-l795c.bookinfo              SYNCED   SYNCED   SYNCED   SYNCED     istiod-75c795985d-pwx9j   1.10.0
ratings-v1-b6994bb9-l2vcp.bookinfo                    SYNCED   SYNCED   SYNCED   SYNCED     istiod-75c795985d-pwx9j   1.10.0
reviews-v1-545db77b95-shzkj.bookinfo                  SYNCED   SYNCED   SYNCED   SYNCED     istiod-75c795985d-pwx9j   1.10.0
reviews-v2-7bf8c9648f-6k6mk.bookinfo                  SYNCED   SYNCED   SYNCED   SYNCED     istiod-75c795985d-pwx9j   1.10.0
reviews-v3-84779c7bbc-6mw5f.bookinfo                  SYNCED   SYNCED   SYNCED   SYNCED     istiod-75c795985d-pwx9j   1.10.0

But when I try to reach it, it returns 502.

% curl http://internal-k8s-istiosys-ingress-foo-bar.eu-west-1.elb.amazonaws.com/productpage
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
</body>
</html>

Istio version: 1.10
Kubernetes version: 1.19
EKS version: eks.5

Edit:

It turns out that no listeners are attached:

% istioctl proxy-config listeners -n istio-system istio-ingressgateway-8579cc48f8-2d5sd.istio-system
ADDRESS   PORT    MATCH   DESTINATION
0.0.0.0   15021   ALL     Inline Route: /healthz/ready*
0.0.0.0   15090   ALL     Inline Route: /stats/prometheus*

However, if I change the Gateway's port from 80 to 9000, the listener is created, but it needs to match the ingress gateway port:

% istioctl proxy-config listeners -n istio-system istio-ingressgateway-8579cc48f8-qzn59
ADDRESS   PORT    MATCH   DESTINATION
0.0.0.0   9000    ALL     Route: http.9000
0.0.0.0   15021   ALL     Inline Route: /healthz/ready*
0.0.0.0   15090   ALL     Inline Route: /stats/prometheus*

Posted on 2021-06-17 23:06:56

In case anyone faces the same issue: it turns out the default Istio ingress gateway cannot bind to 80 because it is an unprivileged pod. I updated the deployment spec and it is now up and running.

https://stackoverflow.com/questions/68014640
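
A check for the condition the answer describes, as an added example that is not part of the original post: it lists the Service ports whose pod-side port falls below 1024, which an unprivileged pod cannot bind by default. The function names, the JSON sample (constructed from the Service in the question) and the 8080/8443 remap values are assumptions.

```python
import copy
import json

# Linux default: binding a port below 1024 needs root or CAP_NET_BIND_SERVICE.
PRIVILEGED_PORT_LIMIT = 1024

# Constructed sample: the ports of the NodePort Service from the question, in the
# JSON shape that `kubectl get svc -o json` returns.
SERVICE = json.loads("""
{"kind": "Service",
 "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
 "spec": {"type": "NodePort", "ports": [
   {"name": "status-port", "port": 15021, "protocol": "TCP", "nodePort": 32767},
   {"name": "http2", "port": 80, "protocol": "TCP", "nodePort": 31231},
   {"name": "https", "port": 443, "protocol": "TCP", "nodePort": 31312}]}}
""")


def privileged_binds(service):
    """Return (name, port, targetPort) for ports whose pod-side port is below 1024."""
    findings = []
    for entry in service.get("spec", {}).get("ports", []):
        # Kubernetes sets targetPort to the value of port when it is omitted.
        target = entry.get("targetPort", entry["port"])
        if isinstance(target, str):
            continue  # named targetPort: resolved from the pod spec, not judged here
        if target < PRIVILEGED_PORT_LIMIT:
            findings.append((entry.get("name", ""), entry["port"], target))
    return findings


def with_target_ports(service, mapping):
    """Copy of the Service with explicit targetPorts, keyed by port name."""
    patched = copy.deepcopy(service)
    for entry in patched["spec"]["ports"]:
        if entry.get("name") in mapping:
            entry["targetPort"] = mapping[entry["name"]]
    return patched


if __name__ == "__main__":
    for name, port, target in privileged_binds(SERVICE):
        print(f"{name}: service port {port} -> pod port {target} (privileged bind)")
    # Assumed high ports; the gateway has to listen on these for traffic to flow.
    remapped = with_target_ports(SERVICE, {"http2": 8080, "https": 8443})
    print("after remap:", privileged_binds(remapped))
```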