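I have a bare-metal Kubernetes cluster that uses MetalLB as the ELB.
I am trying to expose a service with an Istio gateway, but I am running into a connection refused problem. I am new to this, please help me check my manifest.
Versions:
```
Kubernetes cluster version: 1.27
Docker version 20.10.12, build e91ed57
cni-dockerd : cri-dockerd-0.3.4
OS: CentOS 7
MetalLB v0.13.10
```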
Problem:
Note: ceph-dashboard.xxx.com is in the /etc/hosts file.
```
[ggfan@fedora rook]$ curl -vvv https://ceph-dashboard.xxx.com/
* Trying 172.28.6.200:443...
* connect to 172.28.6.200 port 443 failed: Connection refused
* Failed to connect to ceph-dashboard.xxx.com port 443 after 2 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to ceph-dashboard.xxx.com port 443 after 2 ms: Connection refused
```
Service:
```
Name:              rook-ceph-mgr-dashboard
Namespace:         rook-ceph
Labels:            app=rook-ceph-mgr
                   rook_cluster=rook-ceph
Annotations:       <none>
Selector:          app=rook-ceph-mgr,mgr_role=active,rook_cluster=rook-ceph
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.102.185.38
IPs:               10.102.185.38
Port:              http-dashboard  7000/TCP
TargetPort:        7000/TCP
Endpoints:         172.16.228.168:7000
Session Affinity:  None
Events:            <none>
```
Gateway and VirtualService definitions:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ceph-dashboard-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 7000
      name: http-dashboard
      protocol: http-web
    tls:
      mode: SIMPLE
      credentialName: lecerts
    hosts:
    - ceph-dashboard.bgzchina.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ceph-dashboard-vs
spec:
  hosts:
  - "ceph-dashboard.bgzchina.com"
  gateways:
  - ceph-dashboard-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        port:
          number: 7000
        host: rook-ceph-mgr-dashboard
```
lecerts is a TLS secret from Let's Encrypt:
```
[ggfan@fedora ingress-nginx]$ kubectl describe secret lecerts -n rook-ceph
Name:         lecerts
Namespace:    rook-ceph
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  5238 bytes
tls.key:  241 bytes
```
Istio ingressgateway service:
```
[ggfan@fedora rook]$ kubectl -n istio-system describe svc istio-ingressgateway
Name:                     istio-ingressgateway
Namespace:                istio-system
Labels:                   app=istio-ingressgateway
                          install.operator.istio.io/owning-resource=unknown
                          install.operator.istio.io/owning-resource-namespace=istio-system
                          istio=ingressgateway
                          istio.io/rev=default
                          operator.istio.io/component=IngressGateways
                          operator.istio.io/managed=Reconcile
                          operator.istio.io/version=1.18.1
                          release=istio
Annotations:              metallb.universe.tf/ip-allocated-from-pool: default-pool
Selector:                 app=istio-ingressgateway,istio=ingressgateway
Type:                     LoadBalancer
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       10.98.117.31
IPs:                      10.98.117.31
LoadBalancer Ingress:     172.28.6.200
Port:                     status-port  15021/TCP
TargetPort:               15021/TCP
NodePort:                 status-port  31967/TCP
Endpoints:                172.16.228.161:15021
Port:                     http2  80/TCP
TargetPort:               8080/TCP
NodePort:                 http2  31509/TCP
Endpoints:                172.16.228.161:8080
Port:                     https  443/TCP
TargetPort:               8443/TCP
NodePort:                 https  30320/TCP
Endpoints:                172.16.228.161:8443
Port:                     tcp  31400/TCP
TargetPort:               31400/TCP
NodePort:                 tcp  32554/TCP
Endpoints:                172.16.228.161:31400
Port:                     tls  15443/TCP
TargetPort:               15443/TCP
NodePort:                 tls  32483/TCP
Endpoints:                172.16.228.161:15443
Session Affinity:         None
External Traffic Policy:  Cluster
Events:
  Type    Reason        Age                From             Message
  ----    ------        ----               ----             -------
  Normal  nodeAssigned  45m                metallb-speaker  announcing from node "k8sc01wn03" with protocol "layer2"
  Normal  nodeAssigned  28m (x4 over 88m)  metallb-speaker  announcing from node "k8sc01mn01" with protocol "layer2"
```
2 answers
nsc4cvqm1#
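Please match the application Gateway port with the https port information of the istio-ingressgateway service. Port 7000 is not defined in the ingress gateway service.
The following information in the application Gateway must match the https information in the istio-ingressgateway service.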
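An added example (not part of the original answer): a check of the Gateway's server ports against the ports of the istio-ingressgateway Service, using data constructed from the manifests quoted in the question. It goes slightly beyond the answer by also flagging a protocol value outside the set Istio documents for Gateway ports; `check_gateway` and the `gateway` helper are hypothetical names.

```python
# Protocols Istio documents for Gateway server ports.
VALID_PROTOCOLS = {"HTTP", "HTTPS", "GRPC", "GRPC-WEB", "HTTP2", "MONGO", "TCP", "TLS"}

def check_gateway(gateway, service):
    """Return findings for Gateway servers the ingress Service cannot serve."""
    service_ports = sorted(p["port"] for p in service["spec"]["ports"])
    # Accept either the Service port or the pod-side targetPort it maps to.
    known = set(service_ports)
    known.update(p.get("targetPort", p["port"]) for p in service["spec"]["ports"])
    findings = []
    for server in gateway["spec"]["servers"]:
        port = server["port"]
        name, number, proto = port["name"], port["number"], port["protocol"]
        if number not in known:
            findings.append(
                f"{name}: port {number} is not exposed by the Service "
                f"(Service ports: {service_ports})")
        if proto.upper() not in VALID_PROTOCOLS:
            findings.append(f"{name}: protocol {proto!r} is not a Gateway protocol")
    return findings

# Constructed from the `kubectl describe svc istio-ingressgateway` output above.
SERVICE = {"spec": {"ports": [
    {"name": "status-port", "port": 15021, "targetPort": 15021},
    {"name": "http2", "port": 80, "targetPort": 8080},
    {"name": "https", "port": 443, "targetPort": 8443},
    {"name": "tcp", "port": 31400, "targetPort": 31400},
    {"name": "tls", "port": 15443, "targetPort": 15443},
]}}

def gateway(number, protocol):
    """Build the question's Gateway server with a given port number and protocol."""
    return {"spec": {"servers": [{
        "port": {"number": number, "name": "http-dashboard", "protocol": protocol},
        "tls": {"mode": "SIMPLE", "credentialName": "lecerts"},
        "hosts": ["ceph-dashboard.bgzchina.com"],
    }]}}

AS_POSTED = check_gateway(gateway(7000, "http-web"), SERVICE)  # the question's values
CORRECTED = check_gateway(gateway(443, "HTTPS"), SERVICE)      # matches the https port

if __name__ == "__main__":
    for line in AS_POSTED:
        print("as posted:", line)
    print("corrected:", CORRECTED or "no findings")
```

On a live cluster the same dictionaries can be loaded from `kubectl get ... -o json` output instead of the constructed samples.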
uttx8gqw2#
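An Istio gateway connection refused error can be caused by any of the following reasons:
1. If istio-ingressgateway does not have a listener configured for the given port, it will not accept connections on that port. (Istio will configure the proxy to listen on the port; ensure that external traffic to the port is allowed into the mesh.)
Check whether the Gateway object has been created; you can see the credentialName parameter specified as follows:
You can search the Pilot logs for more details.
To check whether SDS is enabled, check the istio ConfigMap in the istio-system namespace. If sdsUdsPath is empty or not set, SDS is not enabled.
To get the value, you can run the following command:
If it is set, the output looks like this:
If SDS is disabled, the value will be empty, as shown below: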