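503 response code when calling from inside the cluster

Time: 2020-08-10 06:34:20

Tags: kubernetes istio

I have deployed a demo service (running on port 8000) in a K8s environment with Istio installed (1.5.6, default profile). When I call the public address from outside the cluster, it succeeds. When I call the internal cluster address from a pod inside the cluster, it fails with response code 503.

When I change the virtual service to use the port instead of the subset, it succeeds in both cases (external and internal calls).

Any ideas what I am doing wrong?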

apiVersion: v1
kind: Namespace
metadata:
  labels:
    dgp-origin: demo-app
    istio-injection: enabled
  name: demo
---
apiVersion: v1
kind: Service
metadata:
  name: demo
  namespace: demo
  labels:
    app: demo
    version: v1
  annotations:
    networking.istio.io/exportTo: "*"
spec:
  ports:
  - name: http
    port: 8000
  selector:
    app: demo
    version: v1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "true"
      labels:
        app: demo
        version: v1
    spec:
      containers:
      - name: echo
        image: paddycarey/go-echo
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8000
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: demo
  namespace: demo
spec:
  exportTo:
  - "*"
  host: demo.demo.svc.cluster.local
  subsets:
  - name: v1
    labels:
      app: demo
      version: v1
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: demo
  namespace: demo
spec:
  selector:
    app: istio-ingressgateway
  servers:
  - hosts:
    - demo.external.com
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
  - hosts:
    - demo.demo.svc.cluster.local
    port:
      name: http
      number: 80
      protocol: HTTP
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: demo
  namespace: demo
spec:
  exportTo:
  - "*"
  hosts:
  - demo.external.com
  - demo.demo.svc.cluster.local
  gateways:
  - mesh
  - demo/demo
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: demo.demo.svc.cluster.local
#        port: 
#          number: 8000
        subset: v1
    timeout: 55s

Log information (from the istio-proxy of another container)

External call: OK

{
    "authority": "-",
    "bytes_received": "511",
    "bytes_sent": "4744",
    "downstream_local_address": "172.19.2.100:443",
    "downstream_remote_address": "172.18.140.129:37992",
    "duration": "43",
    "istio_policy_status": "-",
    "method": "-",
    "path": "-",
    "protocol": "-",
    "request_id": "-",
    "requested_server_name": "-",
    "response_code": "0",
    "response_flags": "-",
    "route_name": "-",
    "start_time": "2020-08-10T10:32:25.149Z",
    "upstream_cluster": "PassthroughCluster",
    "upstream_host": "172.19.2.100:443",
    "upstream_local_address": "172.18.140.129:37994",
    "upstream_service_time": "-",
    "upstream_transport_failure_reason": "-",
    "user_agent": "-",
    "x_forwarded_for": "-"
}

Internal call: NOT OK

{
    "authority": "demo.demo.svc.cluster.local",
    "bytes_received": "0",
    "bytes_sent": "0",
    "downstream_local_address": "172.18.212.107:80",
    "downstream_remote_address": "172.18.140.129:37802",
    "duration": "0",
    "istio_policy_status": "-",
    "method": "GET",
    "path": "/",
    "protocol": "HTTP/1.1",
    "request_id": "f875b032-f7d4-4f36-9ce1-38166aced074",
    "requested_server_name": "-",
    "response_code": "503",
    "response_flags": "NR",
    "route_name": "-",
    "start_time": "2020-08-10T10:33:51.262Z",
    "upstream_cluster": "-",
    "upstream_host": "-",
    "upstream_local_address": "-",
    "upstream_service_time": "-",
    "upstream_transport_failure_reason": "-",
    "user_agent": "curl/7.61.1",
    "x_forwarded_for": "-"
}

Update: it works when the service is on port 80

apiVersion: v1
kind: Service
metadata:
  name: demo
  namespace: demo
  labels:
    app: demo
    version: v1
  annotations:
    networking.istio.io/exportTo: "*"
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8000
  selector:
    app: demo
    version: v1

1 answer:

Answer 0 (score: 2)

Based on the istio bookinfo application, I would say the problem is the missing labels in the deployment.

There is a productpage example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: details-v1
  labels:
    app: details
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: details
      version: v1
  template:
    metadata:
      labels:
        app: details
        version: v1
    spec:
      serviceAccountName: bookinfo-details
      containers:
      - name: details
        image: docker.io/istio/examples-bookinfo-details-v1:1.16.2
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080

Could you try with the deployment after editing it?

apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
  namespace: demo
  labels:
    app: demo
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
      version: v1
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "true"
      labels:
        app: demo
        version: v1
    spec:
      containers:
      - name: echo
        image: paddycarey/go-echo
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8000

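Edit

I have tested your YAMLs, and additionally I created my own example with an nginx pod.

I have the same problem as you: the call from inside the mesh works only when I add port 8000 to the virtual service.


In my example with nginx, everything works fine.


So, based on that, I think there is something wrong with this

As far as I checked,
  • The paddycarey/go-echo image was last updated 4 years ago.
  • The mesh gateway requires the port in the virtual service (if the port is not 80).

My YAMLs to test with nginx.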

apiVersion: v1
kind: Namespace
metadata:
  labels:
    istio-injection: enabled
  name: demo-app

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-v1
  namespace: demo-app
spec:
  selector:
    matchLabels:
      app: nginx1
      version: v1
  replicas: 1
  template:
    metadata:
      labels:
        version: v1
        app: nginx1
    spec:
      containers:
      - name: nginx1
        image: nginx
        ports:
        - containerPort: 80
        lifecycle:
          postStart:
            exec:
              command: ["/bin/sh", "-c", "echo Hello nginx1 > /usr/share/nginx/html/index.html"]

---

apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: demo-app
  labels:
    app: nginx1
spec:
  ports:
  - name: http-front
    port: 80
    protocol: TCP
  selector:
    app: nginx1

---

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: simpleexample
  namespace: demo-app
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginxvirt
  namespace: demo-app
spec:
  gateways:
  - simpleexample
  - mesh
  hosts:
  - 'nginx.demo-app.svc.cluster.local'
  - 'example.com' 
  http:
  - route:
    - destination:
        host: nginx
        subset: v1

  
---

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: nginxdest
  namespace: demo-app
spec:
  host: nginx
  subsets:
  - name: v1
    labels:
      version: v1

---

apiVersion: v1
kind: Pod
metadata:
  name: ubu1
  namespace: demo-app
spec:
  containers:
  - name: ubu1
    image: ubuntu
    command: ["/bin/sh"]
    args: ["-c", "apt-get update && apt-get install curl -y && sleep 3000"]

External call test

curl -v -H "host: example.com" xx.xx.xx.xx/
HTTP/1.1 200 OK
Hello nginx1

Internal call test

root@ubu1:/# curl nginx/
Hello nginx1

Let me know if that is it or if you need further help.
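
The two istio-proxy access-log entries in the question can be triaged mechanically. The following is an added example, not code from the question or the answer: it reads JSON access-log lines in the format shown above and separates errors generated by the sidecar itself (such as the `NR` entry) from traffic that reached an upstream. The verdict names and flag descriptions are this example's own wording, and the sample lines are cut down from the question's two entries.

```python
import json

# Envoy response flags most often seen on proxy-generated errors.
FLAG_MEANING = {
    "NR": "no route configured for the request",
    "UH": "no healthy upstream hosts in the cluster",
    "UF": "upstream connection failure",
    "UT": "upstream request timeout",
}

def triage(entry):
    """Return (verdict, reason) for one istio-proxy JSON access-log entry."""
    raw = entry.get("response_flags", "-")
    flags = [f for f in raw.split(",") if f and f != "-"]
    cluster = entry.get("upstream_cluster", "-")
    code = entry.get("response_code", "0")
    if flags:
        reasons = [FLAG_MEANING.get(f, "flag " + f) for f in flags]
        # upstream_host "-" means the proxy answered on its own;
        # the application container never saw the request.
        origin = "sidecar" if entry.get("upstream_host", "-") == "-" else "upstream"
        return ("%s-%s" % (origin, code), "; ".join(reasons))
    if cluster == "PassthroughCluster":
        # Destination was not matched to any service known to the mesh.
        return ("passthrough", "forwarded as-is, not matched to a mesh service")
    return ("ok", "routed to " + cluster)

# Constructed sample: the question's two entries reduced to the fields used here.
SAMPLE_LOG = """\
{"authority": "-", "response_code": "0", "response_flags": "-", "upstream_cluster": "PassthroughCluster", "upstream_host": "172.19.2.100:443"}
{"authority": "demo.demo.svc.cluster.local", "response_code": "503", "response_flags": "NR", "upstream_cluster": "-", "upstream_host": "-"}
"""

def triage_log(text):
    """Triage every non-empty JSON line of an access log."""
    return [triage(json.loads(line)) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for verdict, reason in triage_log(SAMPLE_LOG):
        print(verdict, "-", reason)
```

A `sidecar-503` verdict with `NR` points at the caller's routing configuration (VirtualService hosts, gateways, port), not at the demo container, which matches the empty `upstream_host` in the question's log.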