kubernetes Istio网关,连接被拒绝

0yg35tkg  于 2023-08-03  发布在  Kubernetes
关注(0)|答案(2)|浏览(175)

我有一个裸机kubernetes集群,它使用metallb作为ELB。
我特灵用istio gateway公开一个服务,但遇到连接拒绝问题。我是新来的,请帮我检查一下我的旅客清单。
版本:

Kubernetes clsuter version: 1.27
Docker version 20.10.12, build e91ed57 
cni-dockerd : cri-dockerd-0.3.4
OS: CentOS 7
MetalLB v0.13.10

字符串
问题:

注意ceph-dashboard.xxx.com在/etc/hosts文件中

[ggfan@fedora rook]$ curl -vvv https://ceph-dashboard.xxx.com/
*   Trying 172.28.6.200:443...
* connect to 172.28.6.200 port 443 failed: Connection refused
* Failed to connect to ceph-dashboard.xxx.com port 443 after 2 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to ceph-dashboard.xxx.com port 443 after 2 ms: Connection refused


服务:

Name:              rook-ceph-mgr-dashboard
Namespace:         rook-ceph
Labels:            app=rook-ceph-mgr
                   rook_cluster=rook-ceph
Annotations:       <none>
Selector:          app=rook-ceph-mgr,mgr_role=active,rook_cluster=rook-ceph
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.102.185.38
IPs:               10.102.185.38
Port:              http-dashboard  7000/TCP
TargetPort:        7000/TCP
Endpoints:         172.16.228.168:7000
Session Affinity:  None
Events:            <none>


网关和虚拟服务定义:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ceph-dashboard-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 7000
      name: http-dashboard
      protocol: http-web
    tls:
      mode: SIMPLE
      credentialName: lecerts
    hosts:
    - ceph-dashboard.bgzchina.com
    
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ceph-dashboard-vs
spec:
  hosts:
  - "ceph-dashboard.bgzchina.com"
  gateways:
  - ceph-dashboard-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        port:
          number: 7000
        host: rook-ceph-mgr-dashboard


lecerts是tls secret从let's encrypt:

[ggfan@fedora ingress-nginx]$ kubectl describe secret lecerts -n rook-ceph
Name:         lecerts
Namespace:    rook-ceph
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  5238 bytes
tls.key:  241 bytes


isto ingressgateway服务:

West Farmer
  上午 10:50
Hi, I am tring to expose a service with gateway, but I am facing connection refused problem, any idea ?
the service :
Name:              rook-ceph-mgr-dashboard
Namespace:         rook-ceph
Labels:            app=rook-ceph-mgr
                   rook_cluster=rook-ceph
Annotations:       <none>
Selector:          app=rook-ceph-mgr,mgr_role=active,rook_cluster=rook-ceph
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.102.185.38
IPs:               10.102.185.38
Port:              http-dashboard  7000/TCP
TargetPort:        7000/TCP
Endpoints:         172.16.228.168:7000
Session Affinity:  None
Events:            <none>
gateway and virtual service:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ceph-dashboard-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 7000
      name: http-dashboard
      protocol: http-web
    tls:
      mode: SIMPLE
      credentialName: lecerts
    hosts:
    - ceph-dashboard.bgzchina.com
    
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ceph-dashboard-vs
spec:
  hosts:
  - "ceph-dashboard.bgzchina.com"
  gateways:
  - ceph-dashboard-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        port:
          number: 7000
        host: rook-ceph-mgr-dashboard
istio-ingressgateway:
[ggfan@fedora rook]$ kubectl -n istio-system describe svc istio-ingressgateway
Name:                     istio-ingressgateway
Namespace:                istio-system
Labels:                   app=istio-ingressgateway
                          install.operator.istio.io/owning-resource=unknown
                          install.operator.istio.io/owning-resource-namespace=istio-system
                          istio=ingressgateway
                          istio.io/rev=default
                          operator.istio.io/component=IngressGateways
                          operator.istio.io/managed=Reconcile
                          operator.istio.io/version=1.18.1
                          release=istio
Annotations:              metallb.universe.tf/ip-allocated-from-pool: default-pool
Selector:                 app=istio-ingressgateway,istio=ingressgateway
Type:                     LoadBalancer
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       10.98.117.31
IPs:                      10.98.117.31
LoadBalancer Ingress:     172.28.6.200
Port:                     status-port  15021/TCP
TargetPort:               15021/TCP
NodePort:                 status-port  31967/TCP
Endpoints:                172.16.228.161:15021
Port:                     http2  80/TCP
TargetPort:               8080/TCP
NodePort:                 http2  31509/TCP
Endpoints:                172.16.228.161:8080
Port:                     https  443/TCP
TargetPort:               8443/TCP
NodePort:                 https  30320/TCP
Endpoints:                172.16.228.161:8443
Port:                     tcp  31400/TCP
TargetPort:               31400/TCP
NodePort:                 tcp  32554/TCP
Endpoints:                172.16.228.161:31400
Port:                     tls  15443/TCP
TargetPort:               15443/TCP
NodePort:                 tls  32483/TCP
Endpoints:                172.16.228.161:15443
Session Affinity:         None
External Traffic Policy:  Cluster
Events:
  Type    Reason        Age                From             Message
  ----    ------        ----               ----             -------
  Normal  nodeAssigned  45m                metallb-speaker  announcing from node "k8sc01wn03" with protocol "layer2"
  Normal  nodeAssigned  28m (x4 over 88m)  metallb-speaker  announcing from node "k8sc01mn01" with protocol "layer2"

nsc4cvqm

nsc4cvqm1#

请将应用程序网关端口与istio-ingressgateway服务https端口信息匹配。入口网关服务中没有定义7000端口。
应用网关中的以下信息必须与istio-ingressgateway服务https信息中的信息匹配。

- port:
  number: 443
  name: https
  protocol: HTTPS

字符串

uttx8gqw

uttx8gqw2#

Istio网关连接被拒绝可能是由于以下任何原因造成的:

1.如果istio-ingressgateway没有为给定端口配置侦听器,则它将不接受该端口上的连接。(Istio将配置代理来监听端口,确保允许端口的外部流量进入网格)。

  1. Gateway对象正在指定credentialNameSecret Discovery Service (SDS)未启用。详细信息请参阅网关TLS设置参考中的credentialName
    检查Gateway对象是否已创建,可以看到credentialName参数的指定如下:
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - httpbin.example.com
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: httpbin-credential
      mode: SIMPLE

字符串
您可以搜索飞行员日志以了解更多详细信息。
要检查SDS是否被启用,可以检查istio-system命名空间上的istioConfigMap。如果sdsUdsPath为空或未设置,则表示SDS未启用。
要获取该值,可以运行以下命令:

kubectl get configmap istio -n istio-system -o jsonpath='{.data}' \| grep sdsUdsPath


如果已设置,则输出如下所示:

sdsUdsPath: unix:/etc/istio/proxy/SDS


如果禁用SDS,则该值将为空,如下所示:

sdsUdsPath:

相关问题