NoServerCertificateVerificationDestinationLevel

Message Name: NoServerCertificateVerificationDestinationLevel
Message Code: IST0128
Description: No caCertificates are set in DestinationRule, this results in no verification of presented server certificate.
Level: Error

This message occurs when a destination rule's traffic policy requires caCertificates but the destination rule does not set them.

Example

When your cluster has the following destination rule:

  apiVersion: networking.istio.io/v1alpha3
  kind: DestinationRule
  metadata:
    name: db-tls
  spec:
    host: mydbserver.prod.svc.cluster.local
    trafficPolicy:
      tls:
        mode: SIMPLE
        clientCertificate: /etc/certs/myclientcert.pem
        privateKey: /etc/certs/client_private_key.pem
        # caCertificates not set

You will receive this message:

  Error [IST0128] (DestinationRule db-tls.default) DestinationRule default/db-tls in namespace default has TLS mode set to SIMPLE but no caCertificates are set to validate server identity for host: mydbserver.prod.svc.cluster.local

In this example, the destination rule db-tls specifies TLS but does not set a CA certificate file.

How to resolve

  • Provide the filename of the CA certificate
  • Change the traffic policy to a type that does not require a certificate
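
The condition described above can also be checked offline against exported manifests. The following is an added example, not Istio's own analyzer code: a simplified check that inspects only the destination-level fields shown on this page. Treating MUTUAL like SIMPLE is an assumption, and the function names, the extra sample rules and the CA path are constructed for illustration.

```python
import json
import sys

# TLS modes in which the client sidecar is expected to verify the server.
# Including MUTUAL is an assumption; the page's message only shows SIMPLE.
MODES_NEEDING_CA = {"SIMPLE", "MUTUAL"}

def rules_missing_ca(dr_list):
    """Return (namespace, name, host, mode) for each DestinationRule whose
    destination-level trafficPolicy.tls originates TLS without caCertificates."""
    findings = []
    for item in dr_list.get("items", []):
        if item.get("kind") != "DestinationRule":
            continue
        meta = item.get("metadata") or {}
        spec = item.get("spec") or {}
        tls = (spec.get("trafficPolicy") or {}).get("tls") or {}
        mode = tls.get("mode")
        # An empty string counts as unset, the same as a missing key.
        if mode in MODES_NEEDING_CA and not tls.get("caCertificates"):
            findings.append((meta.get("namespace", "default"), meta.get("name"),
                             spec.get("host"), mode))
    return findings

def _rule(name, host, tls):
    # Hypothetical helper that builds one constructed DestinationRule object.
    return {"apiVersion": "networking.istio.io/v1alpha3", "kind": "DestinationRule",
            "metadata": {"name": name, "namespace": "default"},
            "spec": {"host": host, "trafficPolicy": {"tls": tls}}}

# Constructed sample in the shape of `kubectl get destinationrules -A -o json`.
# Only db-tls comes from the page; the other names and the CA path are made up.
SAMPLE = {"items": [
    _rule("db-tls", "mydbserver.prod.svc.cluster.local",
          {"mode": "SIMPLE",
           "clientCertificate": "/etc/certs/myclientcert.pem",
           "privateKey": "/etc/certs/client_private_key.pem"}),
    _rule("db-tls-fixed", "mydbserver.prod.svc.cluster.local",
          {"mode": "SIMPLE", "caCertificates": "/etc/certs/rootcacerts.pem"}),
    _rule("mesh-internal", "reviews.prod.svc.cluster.local",
          {"mode": "ISTIO_MUTUAL"}),
]}

if __name__ == "__main__":
    # Pass a JSON export as the first argument, or run bare to use the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for ns, name, host, mode in rules_missing_ca(data):
        print(f"{ns}/{name}: TLS mode {mode} but no caCertificates for host {host}")
```
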