InvalidExternalControlPlaneConfig

消息名称InvalidExternalControlPlaneConfig
消息代码IST0163
描述Address for the ingress gateway on the external control plane is not valid
等级Warning

当为外部控制平面上的入口网关提供的地址无效时,会出现此消息。 该地址可能因多种原因而无效,包括:主机名地址格式错误、 主机名无法通过 DNS 查询解析为 IP 地址或者主机名解析出的 IP 地址数为零。

示例

当集群的 ValidatingWebhookConfigurationMutatingWebhookConfiguration (为清楚起见而缩短)缺少 Webhook URL 时:

  1. apiVersion: admissionregistration.k8s.io/v1
  2. kind: ValidatingWebhookConfiguration
  3. metadata:
  4.   name: istio-validator-external-istiod
  5. webhooks:
  6. - admissionReviewVersions:
  7.   - v1beta1
  8.   - v1
  9.   clientConfig:
  10.     url:
  11.   name: rev.validation.istio.io
  13. ---
  14. apiVersion: admissionregistration.k8s.io/v1
  15. kind: ValidatingWebhookConfiguration
  16. metadata:
  17.   name: istiod-default-validator
  18. webhooks:
  19. - admissionReviewVersions:
  20.   - v1beta1
  21.   - v1
  22.   clientConfig:
  23.     url: https://test.com:15017/validate
  24.   failurePolicy: Ignore
  25.   name: validation.istio.io
  27. ---
  28. apiVersion: admissionregistration.k8s.io/v1
  29. kind: MutatingWebhookConfiguration
  30. metadata:
  31.   name: istio-sidecar-injector-external-istiod
  32. webhooks:
  33. - admissionReviewVersions:
  34.   - v1beta1
  35.   - v1
  36.   clientConfig:
  37.     url:
  38.   failurePolicy: Fail
  39.   name: rev.namespace.sidecar-injector.istio.io
  40. - admissionReviewVersions:
  41.   - v1beta1
  42.   - v1
  43.   clientConfig:
  44.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  45.   failurePolicy: Fail
  46.   name: rev.object.sidecar-injector.istio.io
  47. - admissionReviewVersions:
  48.   - v1beta1
  49.   - v1
  50.   clientConfig:
  51.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  52.   failurePolicy: Fail
  53.   name: namespace.sidecar-injector.istio.io
  54. - admissionReviewVersions:
  55.   - v1beta1
  56.   - v1
  57.   clientConfig:
  58.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  59.   failurePolicy: Fail
  60.   name: object.sidecar-injector.istio.io

您将收到此消息:

  1. Warning [IST0163] (MutatingWebhookConfiguration istio-sidecar-injector-external-istiod testing.yml:28) The hostname () that was provided for the webhook (rev.namespace.sidecar-injector.istio.io) to reach the ingress gateway on the external control plane cluster is blank. Traffic may not flow properly.
  2. Warning [IST0163] (ValidatingWebhookConfiguration istio-validator-external-istiod testing.yml:1) The hostname () that was provided for the webhook (rev.validation.istio.io) to reach the ingress gateway on the external control plane cluster is blank. Traffic may not flow properly.

当集群的 ValidatingWebhookConfigurationMutatingWebhookConfiguration (为清楚起见而缩短)所使用的主机名在 DNS 查询期间无法被解析时:

  1. apiVersion: admissionregistration.k8s.io/v1
  2. kind: ValidatingWebhookConfiguration
  3. metadata:
  4.   name: istio-validator-external-istiod
  5. webhooks:
  6. - admissionReviewVersions:
  7.   - v1beta1
  8.   - v1
  9.   clientConfig:
  10.     url: https://thisisnotarealdomainname.com:15017/validate
  11.   name: rev.validation.istio.io
  13. ---
  14. apiVersion: admissionregistration.k8s.io/v1
  15. kind: ValidatingWebhookConfiguration
  16. metadata:
  17.   name: istiod-default-validator
  18. webhooks:
  19. - admissionReviewVersions:
  20.   - v1beta1
  21.   - v1
  22.   clientConfig:
  23.     url: https://test.com:15017/validate
  24.   failurePolicy: Ignore
  25.   name: validation.istio.io
  27. ---
  28. apiVersion: admissionregistration.k8s.io/v1
  29. kind: MutatingWebhookConfiguration
  30. metadata:
  31.   name: istio-sidecar-injector-external-istiod
  32. webhooks:
  33. - admissionReviewVersions:
  34.   - v1beta1
  35.   - v1
  36.   clientConfig:
  37.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  38.   failurePolicy: Fail
  39.   name: rev.namespace.sidecar-injector.istio.io
  40. - admissionReviewVersions:
  41.   - v1beta1
  42.   - v1
  43.   clientConfig:
  44.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  45.   failurePolicy: Fail
  46.   name: rev.object.sidecar-injector.istio.io
  47. - admissionReviewVersions:
  48.   - v1beta1
  49.   - v1
  50.   clientConfig:
  51.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  52.   failurePolicy: Fail
  53.   name: namespace.sidecar-injector.istio.io
  54. - admissionReviewVersions:
  55.   - v1beta1
  56.   - v1
  57.   clientConfig:
  58.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  59.   failurePolicy: Fail
  60.   name: object.sidecar-injector.istio.io

您将收到此消息:

  1. Warning [IST0163] (ValidatingWebhookConfiguration istio-validator-external-istiod testing.yml:1) The hostname (https://thisisnotarealdomainname.com:15017/validate) that was provided for the webhook (rev.validation.istio.io) to reach the ingress gateway on the external control plane cluster cannot be resolved via a DNS lookup. Traffic may not flow properly.

如何修复

有多种方法可以解决这些无效配置,具体取决于配置无效的原因。

如果您的 Webhook 配置未定义 URL, 则添加使用主机名的有效 URL 将解决此警告消息。 有关如何执行此操作的说明可以在此处找到。

如果您的主机名无法通过 DNS 查找解析为 IP 地址, 您可以尝试在本地计算机上运行 dig <your-hostname> 来查看是否触发 DNS 解析。如果您的本地计算机可以通过 DNS 查询来解析主机名, 那可能是您的集群不能解析此主机名。任何阻止 DNS 流量的安全规则都可能导致解析查询失败。 新的 DNS 记录可能需要长达 72 小时才能在网络上传播, 具体取决于您的 DNS 提供商和具体配置。

如果您的主机名解析为 0 个 IP 地址,请检查 Webhook URL 是否使用正确的主机名,以及您的 DNS 提供商是否正确地拥有至少一个可供您的主机名解析的 IP 地址。