stackoom
  简体   繁体   中英

Kubernetes pods can not make https request after deploying istio service mesh

 原文  2019-08-24 18:12:50       kubernetes/ istio/ api-gateway/ amazon-eks

Question

I am exploring the istio service mesh on my k8s cluster hosted on EKS(Amazon).

I tried deploying istio-1.2.2 on a new k8s cluster with the demo.yml file used for bookapp demonstration and most of the use cases I understand properly.

Then, I deployed istio using helm default profile(recommended for production) on my existing dev cluster with 100s of microservices running and what I noticed is my services can can call http endpoints but not able to call external secure endpoints( https://www.google.com , etc.)

I am getting :

curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number

Though I am able to call external https endpoints from my testing cluster.

To verify, I check the egress policy and it is mode: ALLOW_ANY in both the clusters.

Now, I removed the the istio completely from my dev cluster and install the demo.yml to test but now this is also not working.

I try to relate my issue with this but didn't get any success.

https://discuss.istio.io/t/serviceentry-for-https-on-httpbin-org-resulting-in-connect-cr-srvr-hello-using-curl/2044

I don't understand what I am missing or what I am doing wrong.

Note: I am referring to this setup: https://istio.io/docs/setup/kubernetes/install/helm/

1 answers

solution1
 2 ACCPTED  2019-08-24 19:47:55

This is most likely a bug in Istio (see for example istio/istio#14520 ): if you have any Kubernetes Service object, anywhere in your cluster, that listens on port 443 but whose name starts with http (not https ), it will break all outbound HTTPS connections.

The instance of this I've hit involves configuring an AWS load balancer to do TLS termination. The Kubernetes Service needs to expose port 443 to configure the load balancer, but it receives plain unencrypted HTTP. 

apiVersion: v1
kind: Service
metadata:
  name: breaks-istio
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:...
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
spec:
  selector: ...
  ports:
    - name: http-ssl # <<<< THIS NAME MATTERS
      port: 443
      targetPort: http

When I've experimented with this, changing that name: to either https or tcp-https seems to work. Those name prefixes are significant to Istio, but I haven't immediately found any functional difference between telling Istio the port is HTTPS (even though it doesn't actually serve TLS) vs. plain uninterpreted TCP.

You do need to search your cluster and find every Service that listens to port 443, and make sure the port name doesn't start with http-... .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question load testing kubernetes service (with istio service mesh) Why does Istio require Pods belong to at least one Service in Kubernetes? Istio service mesh in on premise kubernetes cluster in data center Deploying a kubernetes pods after a job is completed - helm Kubernetes Nginx Ingress can connect to https pods? Make a request on all pods in Google Kubernetes Connecting to Kubernetes API Server from a service in a worker node on istio Service Mesh Istio/CORS - can faking ORIGIN trigger a request block on mesh side? Istio on Azure Kubernetes Service? Istio vs Service Mesh Interface
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM