App Identity and Access Adapter for Istio Mixer I/O timeout
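I followed the installation documentation at https://github.com/ibm-cloud-security/app-identity-and-access-adapter. Everything seemed to install correctly (although I did have to update the oidc-config.yaml and policy.yaml template files to prevent an error with the discoveryUrl schema).
I am using the OIDC sample policy from the samples folder, updated with my URL and client secret.
In Mixer, I get the following error: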
2020-01-11T16:26:43.920036Z info grpc: addrConn.createTransport failed to connect to {svc-appidentityandaccessadapter:47304 0 <nil>}. Err :connection error: desc = "transport: Error while dialing dial tcp 10.43.152.188:47304: i/o timeout". Reconnecting...
2020-01-11T16:26:43.920168Z info base.baseBalancer: handle SubConn state change: 0xc000646bc0, TRANSIENT_FAILURE
2020-01-11T16:26:44.920497Z info base.baseBalancer: handle SubConn state change: 0xc000646bc0, CONNECTING
2020-01-11T16:26:44.920804Z info roundrobinPicker: newPicker called with readySCs: map[]
2020-01-11T16:26:44.924250Z info base.baseBalancer: handle SubConn state change: 0xc000646bc0, READY
2020-01-11T16:26:44.924615Z info roundrobinPicker: newPicker called with readySCs: map[{svc-appidentityandaccessadapter:47304 0 <nil>}:0xc000646bc0]
It looks like it reaches the READY state, but when I load the application in a web browser nothing happens, and I can access the application directly.
Adapter logs:
2020-01-11T16:26:24.518Z info initializer/policyinitializer.go:112 Successfully constructed k8s client {"source": "appidentityandaccessadapter-adapter"}
2020-01-11T16:26:24.562Z info web/web.go:390 Synced secret: appidentityandaccessadapter-cookie-sig-enc-keys {"source": "appidentityandaccessadapter-adapter"}
2020-01-11T16:26:24.562Z info adapter/adapter.go:142 Listening on: [::]:47304 {"source": "appidentityandaccessadapter-adapter"}
2020-01-11T16:26:33.160Z info keyset/keyset.go:117 Synced public keys {"source": "appidentityandaccessadapter-adapter", "url": "https:///auth/realms//protocol/openid-connect/certs"}
2020-01-11T16:26:33.160Z info keyset/keyset.go:50 Synced JWKs successfully. {"source": "appidentityandaccessadapter-adapter", "url": "https:///auth/realms//protocol/openid-connect/certs"}
2020-01-11T16:26:33.160Z info crdeventhandler/add_event.go:55 OidcConfig created/updated {"source": "appidentityandaccessadapter-adapter", "ID": "5b90d600-0ed4-4a42-b97f-379a502732f4", "name": "oidc-provider-config", "namespace": "default"}
2020-01-11T16:26:37.091Z info crdeventhandler/add_event.go:67 Policy created/updated {"source": "appidentityandaccessadapter-adapter", "ID": "440e5c32-fb39-4e24-8f99-eab62dcf2502"}
Check disablePolicyCheck by running:
kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
If it returns disablePolicyCheck: true, run the following command:
istioctl manifest apply --set values.global.disablePolicyChecks=false \
--set values.mixer.policy.enabled=true \
--set values.pilot.policy.enabled=true
Istio currently does not respect the global.disablePolicyCheck configuration unless pilot.policy.enabled=true is also set.
Additionally, the Istio default profile sets mixer.policy.enabled to false for performance reasons.
After running the above command, the kubectl command will return disablePolicyChecks: false.
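A stricter form of the check described in the answer above, as an added example that is not part of the original post: it classifies the mesh config instead of grepping it, so a commented-out key or a quoted value is not misread, and it exits non-zero unless policy checks are enforced. The function names and the sample mesh config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). Input is the mesh config text, e.g.
#   kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | audit_policy_checks

# policy_check_state: read mesh config YAML on stdin, print enforced|disabled|unknown.
# Unlike a plain grep, commented-out lines are ignored and quoting/case are normalised.
policy_check_state() {
    tr -d "\"'\r" | awk '
        { sub(/#.*$/, "") }                        # drop YAML comments
        /^[ \t]*disablePolicyChecks[ \t]*:/ {
            v = $0
            sub(/^[^:]*:[ \t]*/, "", v)            # strip the key and colon
            gsub(/[ \t]/, "", v)                   # strip remaining whitespace
            val = tolower(v)                       # last occurrence wins
        }
        END {
            if (val == "false")     print "enforced"
            else if (val == "true") print "disabled"
            else                    print "unknown"
        }'
}

# audit_policy_checks: return 0 only when Mixer policy checks are enforced.
audit_policy_checks() {
    state=$(policy_check_state)
    case "$state" in
        enforced) echo "OK: disablePolicyChecks is false"; return 0 ;;
        disabled) echo "FAIL: disablePolicyChecks is true; Mixer policy checks are disabled"
                  echo "  fix: istioctl manifest apply with the three --set values from the answer above"
                  return 1 ;;
        *)        echo "UNKNOWN: disablePolicyChecks is not set explicitly in the mesh config"
                  return 2 ;;
    esac
}

# Constructed sample mesh config (not taken from a real cluster).
SAMPLE_MESH='# disablePolicyChecks: false   (commented out, must be ignored)
disablePolicyChecks: true
policyCheckFailOpen: false'

printf '%s\n' "$SAMPLE_MESH" | audit_policy_checks || true
```

The non-zero return codes (1 for disabled, 2 for not set) let the check gate a deployment pipeline or a periodic configuration audit.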