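Bug description
I am using EKS (1.23) and an ALB. The ALB terminates TLS using a certificate provided by ACM.
Using Terraform, I installed the following in the EKS cluster:
- istio-base
- istiod
- gateway
All in version 1.15.0.
Other things configured on the cluster:
- aws_security_group_rules on the EKS nodes for ports 15000-15090, both ingress and egress
- the required K8s namespaces
- the k8s Ingress required to configure the ALB through the ALB controller
- the ACM certificate required for the ALB
- the required Route53 DNS entries
All of these things are quite common, so I don't think there is anything strange here. I have configured it this way in multiple places without Istio.
I also added an httpbin Service and Deployment, along with the related Gateway and VirtualService.
In the Ingress I configured 2 paths (besides the ALB ssl-redirect directive):
- /healthz/ready pointing to status-port
- CCD_ 9 pointing to CCD_
The ingress gateway Service is of type NodePort, which is required for this kind of setup.
(Important information) There are 2 nodes in the cluster.
The target group details page in the AWS console shows that 2/2 targets are healthy.
Sooooooo...
When I enter the address https://httpbin.somedomain.com, every second request gets a 504 Gateway Timeout. When I enter https://httpbin.somedomain.com/healthz/ready, I get 200 every time. When I increase the number of nodes in the cluster to 3, 2 out of 3 requests get a 504.
It's clear to me that this is related to the ALB doing round robin across the machines... but why? status-port is always 200.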
Versions
$ istioctl version
client version: 1.15.0
control plane version: 1.15.0
data plane version: 1.15.0 (3 proxies)
$ kubectl version --short
Client Version: v1.23.2
Server Version: v1.23.7-eks-4721010
$ helm version --short
v3.8.0+gd141386
Additional information
$ istioctl bug-report
Target cluster context: v2-xxx
Running with the following config:
istio-namespace: istio-system
full-secrets: false
timeout (mins): 30
include: { }
exclude: { Namespaces: kube-node-lease,kube-public,kube-system,local-path-storage }
end-time: 2022-09-27 17:29:26.34498 +0200 CEST
Cluster endpoint: https://yyy.yl4.eu-west-1.eks.amazonaws.com
CLI version:
version.BuildInfo{Version:"1.15.0", GitRevision:"e3364ab424b70ca8ee1ca76cb0b3afb73476aaac", GolangVersion:"go1.19", BuildStatus:"Clean", GitTag:"1.15.0"}
The following Istio control plane revisions/versions were found in the cluster:
Revision default:
&version.MeshInfo{
{
Component: "pilot",
Info: version.BuildInfo{Version:"1.15.0", GitRevision:"e3364ab424b70ca8ee1ca76cb0b3afb73476aaac", GolangVersion:"go1.19", BuildStatus:"Clean", GitTag:"1.15.0"},
},
}
The following proxy revisions/versions were found in the cluster:
Revision default: Versions {1.15.0}
Fetching proxy logs for the following containers:
argocd//argo-cd-argocd-application-controller-0/application-controller
argocd/argo-cd-argocd-applicationset-controller/argo-cd-argocd-applicationset-controller-9dddcffbf-zrcgl/applicationset-controller
argocd/argo-cd-argocd-dex-server/argo-cd-argocd-dex-server-75c975ccb7-xmd82/dex-server
argocd/argo-cd-argocd-notifications-controller/argo-cd-argocd-notifications-controller-5854964cbf-z8nlr/notifications-controller
argocd/argo-cd-argocd-redis/argo-cd-argocd-redis-664b98cfd7-lndsf/argo-cd-argocd-redis
argocd/argo-cd-argocd-repo-server/argo-cd-argocd-repo-server-75f49f7ccf-xsblh/repo-server
argocd/argo-cd-argocd-server/argo-cd-argocd-server-6599d8d846-dqr6s/server
first/httpbin/httpbin-7bffdcffd-2klzj/httpbin
first/httpbin/httpbin-7bffdcffd-2klzj/istio-proxy
...
istio-ingress-internal/internal/internal-554ddcb684-kr52c/istio-proxy
istio-ingress-internet-facing/internet-facing/internet-facing-555fd48d8d-2tx74/istio-proxy
istio-system/istiod/istiod-86cd5997bb-r6797/discovery
...
Fetching Istio control plane information from cluster.
Running istio analyze on all namespaces and report as below:
Analysis Report:
Info [IST0102] (Namespace argocd) The namespace is not enabled for Istio injection. Run 'kubectl label namespace argocd istio-injection=enabled' to enable it, or 'kubectl label namespace argocd istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0102] (Namespace default) The namespace is not enabled for Istio injection. Run 'kubectl label namespace default istio-injection=enabled' to enable it, or 'kubectl label namespace default istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0118] (Service argocd/argo-cd-argocd-applicationset-controller) Port name webhook (port: 7000, targetPort: webhook) doesn't follow the naming convention of Istio port.
...
Creating an archive at /Users/zzz/bug-report.tar.gz.
Cleaning up temporary files in /var/folders/l4/82mt4l7x4r5dzp1j4ppxqqzm0000gn/T/bug-report.
Done.
Original issue here
I solved this problem by allowing port 80 between the machines in the EKS node group. I don't understand why it helped, TBH.
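The symptoms above (1 of 2 requests failing with 2 nodes, 2 of 3 with 3 nodes, health check always 200) fit a node-to-node security-group gap. The following model is an added example, not part of the original post or of Istio. It assumes a single gateway pod, a NodePort Service with the default externalTrafficPolicy: Cluster, gateway targetPorts 80 (HTTP) and 15021 (status-port), and pods sharing the node security group.

```python
# Added model. Node names, port numbers 80/15021 and the single-pod layout
# are assumptions; only the 15000-15090 rule and the port-80 fix are from the post.
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRange:
    lo: int
    hi: int

    def allows(self, port: int) -> bool:
        return self.lo <= port <= self.hi


def node_to_node_allowed(rules, port):
    """True if any node-group security-group rule admits this port."""
    return any(rule.allows(port) for rule in rules)


def request_outcome(entry_node, pod_node, target_port, rules):
    """Status of one ALB request that lands on entry_node's NodePort."""
    if entry_node == pod_node:
        return 200  # kube-proxy delivers locally, no hop between nodes
    # Otherwise kube-proxy forwards to podIP:targetPort on another node,
    # and that hop is filtered by the node security group.
    return 200 if node_to_node_allowed(rules, target_port) else 504


def failure_ratio(nodes, pod_node, target_port, rules):
    """(failed, total) for one round-robin pass of the ALB over all nodes."""
    outcomes = [request_outcome(n, pod_node, target_port, rules) for n in nodes]
    return outcomes.count(504), len(outcomes)


ORIGINAL_RULES = [PortRange(15000, 15090)]        # rule described in the post
FIXED_RULES = ORIGINAL_RULES + [PortRange(80, 80)]  # the fix from the post
HTTP_TARGET_PORT = 80        # assumed gateway HTTP targetPort
STATUS_TARGET_PORT = 15021   # assumed status-port targetPort

if __name__ == "__main__":
    for count in (2, 3):
        nodes = [f"node-{i}" for i in range(count)]  # constructed names
        for label, port in (("http", HTTP_TARGET_PORT), ("status", STATUS_TARGET_PORT)):
            before = failure_ratio(nodes, nodes[0], port, ORIGINAL_RULES)
            after = failure_ratio(nodes, nodes[0], port, FIXED_RULES)
            print(f"{count} nodes, {label}: before={before} after={after}")
```

Under these assumptions the status-port check passes on every node because 15021 falls inside the already-open 15000-15090 range, so the target group reports all targets healthy even though application traffic on port 80 only succeeds on the node hosting the gateway pod.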