Personal troubleshooting note only.
Reference article: https://www.codercto.com/a/30981.html
Environment: k8s 1.12.5, istio 1.0.6
The Istio environment and the official bookinfo demo were deployed successfully:
kubectl get svc -n istio-system
istio-ingressgateway LoadBalancer 10.68.127.105 80:31380/TCP,443:31390/TCP,31400:31400/TCP,15011:25726/TCP,8060:36952/TCP,853:31262/TCP,15030:23502/TCP,15031:26498/TCP 83d
The demo gateway uses port 80 (mapped to NodePort 31380 above); the page is reachable normally at <cluster IP>:31380/productpage.
Problem:
Run
kubectl apply -f samples/bookinfo/networking/destination-rule-reviews.yaml
After the destination-rule is added, visiting the page again returns the error:
Error fetching product reviews!
Sorry, product reviews are currently unavailable for this book.
Check the pod logs, starting with the productpage sidecar:
kubectl logs -f --tail 50 -n default -c istio-proxy productpage-v1-8d69b45c-b6vwr
The log shows 503 responses:
[2019-06-05T09:08:05.203Z] "GET /reviews/0HTTP/1.1" 503 UC 0 57 0 - "-" "python-requests/2.18.4" "8185c0b4-9992-9153-b9d9-50d43bb1fe48" "reviews:9080" "172.20.166.134:9080" outbound|9080|v3|reviews.default.svc.cluster.local - 10.68.241.202:9080 172.20.166.135:47110
[2019-06-05T09:08:05.208Z] "GET /reviews/0HTTP/1.1" 503 UC 0 57 0 - "-" "python-requests/2.18.4" "8185c0b4-9992-9153-b9d9-50d43bb1fe48" "reviews:9080" "172.20.166.134:9080" outbound|9080|v3|reviews.default.svc.cluster.local - 10.68.241.202:9080 172.20.166.135:47114
Next check the log of the reviews pod: after running the same command, the backend shows no log output at all.
Run the following command to enable full (trace-level) logging on the reviews-v3 sidecar istio-proxy (Envoy):
kubectl exec -it -c istio-proxy reviews-v3-748456d47b-nn86k -- curl -X POST http://localhost:15000/logging?level=trace
Check the log again; the following error appears:
[2019-06-05 09:08:05.204][27][debug][connection] external/envoy/source/common/ssl/ssl_socket.cc:141] [C97] SSL error: 268435612:SSL routines:OPENSSL_internal:HTTP_REQUEST
The error is related to TLS authentication: the reviews sidecar received a plaintext HTTP request on a port where it expected a TLS handshake (that is what the OpenSSL HTTP_REQUEST error means).
Solution:
Edit samples/bookinfo/networking/destination-rule-reviews.yaml and add a tls setting under trafficPolicy:
```yaml
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```
Then run kubectl apply again; the problem is resolved.
Root cause:
The deployed Istio environment has mesh-wide mutual TLS (mTLS) enabled; see the official documentation: https://istio.io/docs/tasks/security/authn-policy/#globally-enabling-istio-mutual-tls
Verification:
[root@master1 networking]# kubectl get MeshPolicy default -o yaml
```yaml
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"authentication.istio.io/v1alpha1","kind":"MeshPolicy","metadata":{"annotations":{},"labels":{"app":"istio-security","chart":"security-1.0.6","heritage":"Tiller","release":"istio"},"name":"default","namespace":""},"spec":{"peers":[{"mtls":{}}]}}
  creationTimestamp: 2019-03-13T10:52:26Z
  generation: 1
  labels:
    app: istio-security
    chart: security-1.0.6
    heritage: Tiller
    release: istio
  name: default
  resourceVersion: "1856"
  selfLink: /apis/authentication.istio.io/v1alpha1/meshpolicies/default
  uid: 16c622f0-457e-11e9-acf2-005056a6096b
spec:
  peers:
  - mtls: {}
```
So a tls setting must be added when the destination rule is created. Details of the configuration options:
https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule/
| Name | Description |
|---|---|
| DISABLE | Do not setup a TLS connection to the upstream endpoint. |
| SIMPLE | Originate a TLS connection to the upstream endpoint. |
| MUTUAL | Secure connections to the upstream using mutual TLS by presenting client certificates for authentication. |
| ISTIO_MUTUAL | Secure connections to the upstream using mutual TLS by presenting client certificates for authentication. Compared to Mutual mode, this mode uses certificates generated automatically by Istio for mTLS authentication. When this mode is used, all other fields in |
ISTIO_MUTUAL therefore means mTLS authentication using the certificates that Istio generates automatically.
Extension:
https://istio.io/docs/reference/config/istio.authentication.v1alpha1/#MutualTls
mTLS can also be configured through an authentication policy; the main option is:
MutualTls.Mode
| Name | Description |
|---|---|
| STRICT | Client cert must be presented, connection is in TLS. |
| PERMISSIVE | Connection can be either plaintext or TLS, and client cert can be omitted. |
With the mode option, permissive mode can be set so that traffic from pods not managed by Istio is also accepted.
The policy can also be scoped with targets: to a given namespace or pod.
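The two fixes discussed above, written out as one added example (assumed layout, not the Istio sample file itself): the reviews DestinationRule with the ISTIO_MUTUAL client setting that matches the mesh-wide MeshPolicy, and, from the extension section, a service-scoped authentication Policy that relaxes the server side to PERMISSIVE instead. The subsets and the policy name reviews-permissive are assumptions.

```yaml
# Added example, assumed layout (not the Istio sample file itself):
# DestinationRule for the reviews service in a mesh with mTLS enabled.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
  namespace: default
spec:
  host: reviews
  trafficPolicy:
    # Without this block the productpage sidecar sends plaintext to
    # reviews:9080, the reviews sidecar expects a TLS handshake (MeshPolicy
    # peers: mtls) and Envoy logs "SSL error ... HTTP_REQUEST", which the
    # caller sees as 503 UC. ISTIO_MUTUAL uses the Istio-issued certificates.
    tls:
      mode: ISTIO_MUTUAL
  # trafficPolicy at this level applies to every subset below.
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
---
# Alternative from the extension section: a Policy (assumed name) scoped to
# the reviews service via targets, overriding the mesh-wide STRICT default.
# PERMISSIVE makes the reviews sidecar accept both plaintext and TLS, so a
# client without the tls setting works again, but plaintext callers (for
# example pods without a sidecar) are then accepted unauthenticated.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: reviews-permissive
  namespace: default
spec:
  targets:
  - name: reviews
  peers:
  - mtls:
      mode: PERMISSIVE
```

Prefer the DestinationRule fix in a mesh that is meant to run STRICT mTLS; the PERMISSIVE policy is a migration-time setting that removes the client-certificate requirement for that service.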