本文主要是介绍Istio 自动注入 sidecar 失败导致无法访问webhook服务,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
最近工作中在部署Istio环境的过程中发现官方示例启动的pod不能访问不到Istio的webhook,这个问题也是困扰了我一天,我把他归类到sidecar注入失败的情况下,特此记录,便于日后查阅。
1、第一种可能(我遇到的情况)
如果自动注入时,报如下错误信息:
Error from server (InternalError): error when creating "STDIN": Internal error occurred: failed calling webhook "rev.validation.istio.io": failed to call webhook: Post "https://istiod.istio-system.svc:443/validate?timeout=10s": dial tcp 10.101.106.199:443: i/o timeout造成上述问题的原因是 kube-apiserver 的 --enable-admission-plugins 没有配置 MutatingAdmissionWebhook,ValidatingAdmissionWebhook参数,所以解决问题的方法就是找到 kube-apiserver.yaml 配置文件,我是通过kubeadm安装的,所以路径在 /etc/kubernetes/manifests 下,把 --enable-admission-plugins 修改为 NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook 后保存文件,删掉 kube-apiserver 的pod,让他自己根据新的配置文件重新启动(注意:如果是用kubeadm安装的修改内容如果错误,可能会导致k8s集群中的kube-apiserver全部挂掉,导致无法访问集群,这时就需要从官网下载kube-apiserver二进制文件,重新拉起一个进程,再执行删除pod的操作),修改后文件内容如下:
apiVersion: v1
kind: Pod
metadata:annotations:kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.1.61:6443creationTimestamp: nulllabels:component: kube-apiservertier: control-planename: kube-apiservernamespace: kube-system
spec:containers:- command:- kube-apiserver- --advertise-address=192.168.1.61- --allow-privileged=true- --authorization-mode=Node,RBAC- --client-ca-file=/etc/kubernetes/pki/ca.crt- --enable-admission-plugins=NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook- --enable-bootstrap-token-auth=true- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key- --etcd-servers=https://127.0.0.1:2379- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt- --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key- --requestheader-allowed-names=front-proxy-client- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt- --requestheader-extra-headers-prefix=X-Remote-Extra-- --requestheader-group-headers=X-Remote-Group- --requestheader-username-headers=X-Remote-User- --secure-port=6443- --service-account-issuer=https://kubernetes.default.svc.cluster.local- --service-account-key-file=/etc/kubernetes/pki/sa.pub- --service-account-signing-key-file=/etc/kubernetes/pki/sa.key- --service-cluster-ip-range=10.96.0.0/12- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key- --feature-gates=RemoveSelfLink=falseimage: registry.aliyuncs.com/google_containers/kube-apiserver:v1.23.0imagePullPolicy: IfNotPresentlivenessProbe:failureThreshold: 8httpGet:host: 192.168.1.61path: /livezport: 6443scheme: HTTPSinitialDelaySeconds: 10periodSeconds: 10timeoutSeconds: 15name: kube-apiserverreadinessProbe:failureThreshold: 3httpGet:host: 192.168.1.61path: /readyzport: 6443scheme: HTTPSperiodSeconds: 1timeoutSeconds: 15resources:requests:cpu: 250mstartupProbe:failureThreshold: 24httpGet:host: 192.168.1.61path: /livezport: 6443scheme: HTTPSinitialDelaySeconds: 10periodSeconds: 10timeoutSeconds: 15volumeMounts:- mountPath: /etc/ssl/certsname: ca-certsreadOnly: true- mountPath: /etc/pkiname: etc-pkireadOnly: true- mountPath: /etc/kubernetes/pkiname: k8s-certsreadOnly: truehostNetwork: truepriorityClassName: system-node-criticalsecurityContext:seccompProfile:type: RuntimeDefaultvolumes:- hostPath:path: /etc/ssl/certstype: DirectoryOrCreatename: ca-certs- hostPath:path: /etc/pkitype: DirectoryOrCreatename: etc-pki- hostPath:path: /etc/kubernetes/pkitype: DirectoryOrCreatename: k8s-certs
status: {}2、第二种可能
安装 Istio 时,配置了 enableNamespacesByDefault: false
sidecarInjectorWebhook:enabled: true# 变量为true,就会为所有命名空间开启自动注入功能。如果赋值为false,则只有标签为istio-injection的命名空间才会开启自动注入功能enableNamespacesByDefault: falserewriteAppHTTPProbe: false解决方法:
# 设置标签
$ kubectl label namespace default istio-injection=enabled --overwrite# 查看
$ kubectl get namespace -L istio-injection
NAME STATUS AGE ISTIO-INJECTION
default Active 374d enabled如果要重新禁用注入istio sidecar,执行下面命令:
$ kubectl label namespace default istio-injection=disabled --overwrite3、第三种可能
安装 Istio 时,设置 autoInject: disabled
proxy:includeIPRanges: 192.168.16.0/20,192.168.32.0/20# 是否开启自动注入功能,取值enabled则该pods只要没有被注解为sidecar.istio.io/inject: "false",就会自动注入。如果取值为disabled,则需要为pod设置注解sidecar.istio.io/inject: "true"才会进行注入autoInject: disabled解决方法:
- 第一个方法:设置
autoInject: enabled - 第二个方法:在
Pod或者Deployment声明sidecar.istio.io/inject: "true"
这篇关于Istio 自动注入 sidecar 失败导致无法访问webhook服务的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
