I have an EKS cluster with 2 EC2 nodes. I want to use Istio with ALB not the classic ELB, so I modified the gateway from the Istio helm chart to use NodePort like this:
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
    release: istio
    istio.io/rev: default
    install.operator.istio.io/owning-resource: unknown
    operator.istio.io/component: "IngressGateways"
spec:
  type: NodePort
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  ports:
    - name: status-port
      port: 15021
      protocol: TCP
      nodePort: 32767
    - name: http2
      port: 80
      protocol: TCP
      nodePort: 31231
    - name: https
      port: 443
      protocol: TCP
      nodePort: 31312
Also, I added the Ingress for the gateway:
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  namespace: istio-system
  name: aws-load-balancer
spec:
  controller: ingress.k8s.aws/alb
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: istio-system
  name: ingress
  labels:
    app: ingress
  annotations:
    alb.ingress.kubernetes.io/healthcheck-port: "32767"
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/subnets: subnet-foo,subnet-bar
spec:
  ingressClassName: aws-load-balancer
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: istio-ingressgateway
                port:
                  number: 80
The ALB and the TargetGroup are created as expected, and the nodes are healthy according to the TargetGroup health check.
The sample bookinfo stack and gateway are installed to a labeled namespace:
% kubectl get ns bookinfo --show-labels
NAME       STATUS   AGE   LABELS
bookinfo   Active   18h   istio-injection=enabled
Istioctl shows the proxy status
% istioctl proxy-status
NAME                                                CDS       LDS       EDS       RDS         ISTIOD                     VERSION
details-v1-79f774bdb9-2scfv.bookinfo                SYNCED    SYNCED    SYNCED    SYNCED      istiod-75c795985d-pwx9j    1.10.0
istio-ingressgateway-8579cc48f8-2d5sd.istio-system  SYNCED    SYNCED    SYNCED    NOT SENT    istiod-75c795985d-pwx9j    1.10.0
productpage-v1-6b746f74dc-l795c.bookinfo            SYNCED    SYNCED    SYNCED    SYNCED      istiod-75c795985d-pwx9j    1.10.0
ratings-v1-b6994bb9-l2vcp.bookinfo                  SYNCED    SYNCED    SYNCED    SYNCED      istiod-75c795985d-pwx9j    1.10.0
reviews-v1-545db77b95-shzkj.bookinfo                SYNCED    SYNCED    SYNCED    SYNCED      istiod-75c795985d-pwx9j    1.10.0
reviews-v2-7bf8c9648f-6k6mk.bookinfo                SYNCED    SYNCED    SYNCED    SYNCED      istiod-75c795985d-pwx9j    1.10.0
reviews-v3-84779c7bbc-6mw5f.bookinfo                SYNCED    SYNCED    SYNCED    SYNCED      istiod-75c795985d-pwx9j    1.10.0
But when I try to reach it, it gives back a 502:
% curl http://internal-k8s-istiosys-ingress-foo-bar.eu-west-1.elb.amazonaws.com/productpage
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
</body>
</html>
Istio version: 1.10
Kubernetes version: 1.19
EKS version: eks.5
Edit:
It turned out there are no listeners attached:
% istioctl proxy-config listeners -n istio-system istio-ingressgateway-8579cc48f8-2d5sd.istio-system
ADDRESS PORT  MATCH DESTINATION
0.0.0.0 15021 ALL   Inline Route: /healthz/ready*
0.0.0.0 15090 ALL   Inline Route: /stats/prometheus*
However, if I change the port for the Gateway from 80 to 9000, the listeners are created, but it needs to match the ingress-gateway port:
% istioctl proxy-config listeners -n istio-system istio-ingressgateway-8579cc48f8-qzn59
ADDRESS PORT  MATCH DESTINATION
0.0.0.0 9000  ALL   Route: http.9000
0.0.0.0 15021 ALL   Inline Route: /healthz/ready*
0.0.0.0 15090 ALL   Inline Route: /stats/prometheus*
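In case anyone runs into the same issue: it turned out that the default Istio ingress gateway cannot bind to port 80 because it is an unprivileged pod. I updated the deployment spec, and it is now up and running.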
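An added example, not part of the original post: one way to keep the gateway pod unprivileged is to leave the Service ports at 80/443 and map them to unprivileged container ports with targetPort, so Envoy never has to bind below 1024. The values 8080 and 8443 are the ones Istio's stock ingress gateway Service uses. That istiod then places the listener for a Gateway declaring port 80 on 8080 is an assumption here, to be confirmed with `istioctl proxy-config listeners`.

```yaml
# Added example (not from the original post): NodePort Service for the
# Istio ingress gateway that keeps the pod non-root.
# Assumption: the gateway Deployment keeps its default unprivileged
# security context and the Gateway resource still declares port 80.
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  type: NodePort
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  ports:
    - name: status-port
      port: 15021
      targetPort: 15021   # readiness endpoint used by the ALB health check
      protocol: TCP
      nodePort: 32767
    - name: http2
      port: 80
      targetPort: 8080    # unprivileged port: no root or NET_BIND_SERVICE needed
      protocol: TCP
      nodePort: 31231
    - name: https
      port: 443
      targetPort: 8443    # unprivileged port for TLS traffic
      protocol: TCP
      nodePort: 31312
```

The nodePort values and the ALB Ingress are unchanged, so the TargetGroup keeps pointing at 31231 and the health check at 32767.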