配置验证的问题

看似有效的配置不生效

手动验证您的配置是否正确,当有必要的时候请参照 Istio API 文档

接受无效配置

验证 istiod-istio-system validationwebhookconfiguration 配置是否存在并且是正确的。无效的 apiVersionapiGroupresource 配置应该在两个 webhook 其中之一被列举出来。

  1. $ kubectl get validatingwebhookconfiguration istiod-istio-system -o yaml
  2. apiVersion: admissionregistration.k8s.io/v1
  3. kind: ValidatingWebhookConfiguration
  4. metadata:
  5.   creationTimestamp: "2020-01-24T19:53:03Z"
  6.   generation: 1
  7.   labels:
  8.     app: istiod
  9.     istio: istiod
  10.     release: istio
  11.   name: istiod-istio-system
  12.   ownerReferences:
  13.   - apiVersion: rbac.authorization.k8s.io/v1
  14.     blockOwnerDeletion: true
  15.     controller: true
  16.     kind: ClusterRole
  17.     name: istiod-istio-system
  18.     uid: c3d24917-c2da-49ad-add3-c91c14608a45
  19.   resourceVersion: "36649"
  20.   selfLink: /apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations/istiod-istio-system
  21.   uid: 043e39d9-377a-4a67-a7cf-7ae4cb3c562c
  22. webhooks:
  23. - admissionReviewVersions:
  24.   - v1beta1
  25.   clientConfig:
  26.     # caBundle should be non-empty. This is periodically (re)patched
  27.     # every second by the webhook service using the ca-cert
  28.     # from the mounted service account secret.
  29.     caBundle: LS0t...
  30.     service:
  31.       # service corresponds to the Kubernetes service that implements the
  32.       # webhook, e.g. istio-galley.istio-system.svc:443
  33.       name: istio-istiod
  34.       namespace: istio-system
  35.       path: /validate
  36.       port: 443
  37.   failurePolicy: Fail
  38.   matchPolicy: Exact
  39.   name: validation.istio.io
  40.   namespaceSelector: {}
  41.   objectSelector: {}
  42.   rules:
  43.   - apiGroups:
  44.     - config.istio.io
  45.     - rbac.istio.io
  46.     - security.istio.io
  47.     - authentication.istio.io
  48.     - networking.istio.io
  49.     apiVersions:
  50.     - '*'
  51.     operations:
  52.     - CREATE
  53.     - UPDATE
  54.     resources:
  55.     - '*'
  56.     scope: '*'
  57.   sideEffects: None
  58.   timeoutSeconds: 30

如果 validatingwebhookconfiguration 不存在,那就验证 istio-validation configmap 是否存在。Istio 使用 configmap 的数据来创建或更新 validatingwebhookconfiguration

  1. $ kubectl -n istio-system get configmap istio-validation -o jsonpath='{.data}'
  2. map[config:apiVersion: admissionregistration.k8s.io/v1beta1
  3. kind: ValidatingWebhookConfiguration
  4. metadata:
  5.   name: istiod-istio-system
  6.   namespace: istio-system
  7.   labels:
  8.     app: istiod
  9.     release: istio
  10.     istio: istiod
  11. webhooks:
  12.   - name: validation.istio.io
  13.     clientConfig:
  14.       service:
  15.         name: istiod
  16.         namespace: istio-system
  17.         path: "/validate"
  18.         port: 443
  19.       caBundle: ""
  20.     rules:
  21.       - operations:
  22.         - CREATE
  23.         - UPDATE
  24.         apiGroups:
  25.         - config.istio.io
  26.         - rbac.istio.io
  27.         - security.istio.io
  28.         - authentication.istio.io
  29.         - networking.istio.io
  30.         apiVersions:
  31.         - "*"
  32.         resources:
  33.         - "*"
  34.     failurePolicy: Fail
  35.     sideEffects: None]
  36.         (... snip ...)

如果 istio-validation 中的 webhook 数组为空,则校验 global.configValidation 安装选项是否被设置。

校验配置如果失败会自动关闭,正常情况下配置存在并校验通过,webhook 将被调用。在资源创建或更新的时候,如果缺失 caBundle或者错误的证书,亦或网络连接问题都将会导致报错。如果你确信你的配置没有问题,webhook 没有被调用却看不到任何错误信息,你的集群配置肯定有问题。

创建配置失败报错:x509 certificate errors

x509: certificate signed by unknown authority 错误通常和 webhook 配置中的空 caBundle 有关,所以要确认它不为空 (请查阅验证 webhook 配置)。Istio 有意识的使用 istio-validation configmap 和根证书,调整了 webhook 配置。

  1. 验证 istio-pilot pod 是否在运行:

    1. $  kubectl -n istio-system get pod -lapp=pilot
    2. NAME                            READY     STATUS    RESTARTS   AGE
    3. istio-pilot-5dbbbdb746-d676g   1/1       Running   0          2d

  2. 检查 pod 日志是否有错误,修复 caBundle 失败的时候会报错:

    1. $ for pod in $(kubectl -n istio-system get pod -lapp=pilot -o jsonpath='{.items[*].metadata.name}'); do \
    2.     kubectl -n istio-system logs ${pod} \
    3. done

  3. 如果修复失败,请验证 Pilot 的 RBAC 配置:

    1. $ kubectl get clusterrole istiod-istio-system -o yaml
    2. apiVersion: rbac.authorization.k8s.io/v1
    3. kind: ClusterRole
    4.   name: istiod-istio-system
    5. rules:
    6. - apiGroups:
    7.   - admissionregistration.k8s.io
    8.   resources:
    9.   - validatingwebhookconfigurations
    10.   verbs:
    11.   - '*'

    Istio 需要 validatingwebhookconfigurations 的写权限来创建和更新 istio-galley validatingwebhookconfiguration 配置项。

创建配置报错:no such hostsno endpoints available

如果 istio-pilot pod 没有准备就绪,配置是不会被创建或者更新的,在下面的例子里您可以看到关于 no endpoints available 的错误信息。

检查 istio-pilot pod 是否运行,并且检查 endpoint 是否准备就绪。

  1. $ kubectl -n istio-system get pod -lapp=pilot
  2. NAME                            READY     STATUS    RESTARTS   AGE
  3. istio-pilot-5dbbbdb746-d676g   1/1       Running   0          2d
  1. $ kubectl -n istio-system get endpoints istio-pilot
  2. NAME           ENDPOINTS                          AGE
  3. istio-pilot   10.48.6.108:15014,10.48.6.108:443   3d

如果 pod 或者 endpoint 尚未准备就绪,请检查 pod log 和任何导致 webhook pod 无法启动的异常状态,以及服务流量。

  1. $ for pod in $(kubectl -n istio-system get pod -lapp=pilot -o jsonpath='{.items[*].metadata.name}'); do \
  2.     kubectl -n istio-system logs ${pod} \
  3. done
  1. $ for pod in $(kubectl -n istio-system get pod -lapp=pilot -o name); do \
  2.     kubectl -n istio-system describe ${pod} \
  3. done