
Analysis of 503 errors after enabling mTLS in Istio

Published: 2020-07-07 17:25:00  Source: web  Views: 775  Author: BoCloud博云  Section: Cloud Computing

Background

To test Istio traffic management, two versions (v1 and v2) of two services, sleep and flaskapp (deployment files in the reference links), were deployed into an Istio environment. sleep-v1 calls http://flaskapp/env/version, and the expected result alternates between v1 and v2. Instead the call failed with 503 reset reason: connection failure, so the steps, symptoms, analysis and verification are collected here.

Steps

Deploy the sleep and flaskapp applications with mTLS enabled on the Istio mesh and automatic sidecar injection enabled in the kangxzh namespace. The deployment looks like this:

kubectl apply -f sleep.istio.yaml -n kangxzh
kubectl apply -f flask.isito.yaml -n kangxzh

# watch the pods come up
kubectl -n kangxzh get pod -w

flaskapp-v1-775dbb9b79-z54fj   2/2     Running           0          13s
flaskapp-v2-d454cdd47-mdb8s    2/2     Running           0          14s
sleep-v1-7f45c6cf94-zgdsf      2/2     Running           0          19h
sleep-v2-58dff94b49-fz6sj      2/2     Running           0          19h 

Symptoms

From the sleep application, issue an HTTP request to flaskapp with curl http://flaskapp/env/version:

# locate the sleep-v1 pod (the namespace flag is needed unless kangxzh is the current context's default)
export SOURCE_POD=$(kubectl -n kangxzh get pod -l app=sleep,version=v1 -o jsonpath={.items..metadata.name})
# exec into the sleep container and issue the request
kubectl -n kangxzh exec -it -c sleep $SOURCE_POD bash
bash-4.4# curl http://flaskapp/env/version
# response
upstream connect error or disconnect/reset before headers. reset reason: connection failure

Analysis

1. Check the flaskapp TLS configuration:

[root@kubernetes-master flaskapp]# istioctl authn tls-check flaskapp-v1-775dbb9b79-z54fj flaskapp.kangxzh.svc.cluster.local
HOST:PORT                                 STATUS     SERVER     CLIENT     AUTHN POLICY     DESTINATION RULE
flaskapp.kangxzh.svc.cluster.local:80     OK         mTLS       mTLS       default/         default/istio-system 

STATUS OK shows the flaskapp TLS configuration is consistent. Keep in mind that tls-check only compares the authentication policy and the DestinationRule as Pilot sees them; it says nothing about whether the pod's traffic actually reaches the sidecar, which is exactly what turned out to be wrong here.

Exec into sleep's istio-proxy container and issue an HTTP request to flaskapp:

kubectl -n kangxzh exec -it -c istio-proxy $SOURCE_POD bash
# issue the request
curl http://flaskapp/env/version
# response
v1

2. The request made from istio-proxy got a response. Because mTLS is enabled, a request sent directly from the istio-proxy container should need the Istio client certificate attached, yet it succeeded without any certificate. That pointed at the flaskapp pod's iptables rules, inspected as follows:

# get the PID of the flaskapp-v1 container
PID=$(docker inspect --format {{.State.Pid}} $(docker ps | grep flaskapp-v1 | awk '{print $1}' | head -n 1))
# list the nat rules in the pod's network namespace
nsenter -t ${PID} -n iptables -t nat -L -n -v
# output
Chain PREROUTING (policy ACCEPT 477 packets, 28620 bytes)
 pkts bytes target     prot opt in     out     source               destination
  487 29220 ISTIO_INBOUND  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 487 packets, 29220 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 220 packets, 20367 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0   480 ISTIO_OUTPUT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 220 packets, 20367 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ISTIO_INBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10   600 ISTIO_IN_REDIRECT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80    # this rule was absent; it only appeared after the fix

Chain ISTIO_IN_REDIRECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10   600 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 15001

Chain ISTIO_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ISTIO_REDIRECT  all  --  *      lo      0.0.0.0/0           !127.0.0.1
    8   480 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1337
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 1337
    0     0 RETURN     all  --  *      *       0.0.0.0/0            127.0.0.1
    0     0 ISTIO_REDIRECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ISTIO_REDIRECT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 15001 

This shows Envoy was not capturing flaskapp's port 80 traffic: in step 2 above, sleep's istio-proxy reached the flaskapp container directly, without passing through flaskapp's istio-proxy. Note what that means for security: a port the sidecar does not capture is served in plaintext with no mTLS and no Istio authorization policy, so any client that can reach the pod IP can call it, exactly as the certificate-less curl above did.

3. Only at this point was the flaskapp deployment itself checked:

...

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: flaskapp-v1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: flaskapp
        version: v1
    spec:
      containers:
      - name: flaskapp
        image: dustise/flaskapp
        imagePullPolicy: IfNotPresent
        ports:
          - name: http
            containerPort: 80  # this line was missing in the original deployment
        env:
        - name: version
          value: v1
... 

The official requirements page https://istio.io/docs/setup/kubernetes/additional-setup/requirements/ states:

Pod ports: Pods must include an explicit list of the ports each container listens on. Use a containerPort configuration in the container specification for each port. Any unlisted ports bypass the Istio proxy.
# i.e. any port not listed bypasses the Istio proxy

Also describe the flaskapp pod:

kubectl describe pod flaskapp-v1-6df8d69fb8-fb5mr -n kangxzh
# istio-proxy container arguments
istio-proxy:
    ... (omitted)
    Args:
      ...
      --concurrency
      2
      --controlPlaneAuthPolicy
      MUTUAL_TLS
      --statusPort
      15020
      --applicationPorts
      "" # empty

After adding containerPort: 80 to the deployment:

istio-proxy:
    ... (omitted)
    Args:
      ...
      --concurrency
      2
      --controlPlaneAuthPolicy
      MUTUAL_TLS
      --statusPort
      15020
      --applicationPorts
      80 

Note: from Istio 1.2 onward the same effect can be achieved with the pod annotation traffic.sidecar.istio.io/includeInboundPorts, a comma-separated list of listening ports whose traffic is redirected to the sidecar. Its default value is the pod's containerPort list, and * redirects all ports. See the Istio 1.2 release notes in the reference links.
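Because the failure mode above is silent (the deployment applies cleanly and the pod shows 2/2 Running), it is worth checking before rollout whether every port a Service targets is actually captured by the sidecar. The following is an added example, not code from the original post or from the Istio project. It reproduces the capture rule quoted from the requirements page, plus the includeInboundPorts and excludeInboundPorts annotations, as a small Python check over a pod template. The pod templates in it are constructed sample input modelled on the post's flaskapp-v1 deployment; the `default_include="*"` option is an assumption modelling injectors that capture every port by default rather than only declared containerPorts.

```python
# Added example (not from the original post or the Istio project): a
# pre-deployment check for the sidecar's inbound port capture rule, so a
# Service targetPort that is not a declared containerPort (and therefore
# bypasses the sidecar, mTLS and authorization policy) is caught early.

INCLUDE_ANN = "traffic.sidecar.istio.io/includeInboundPorts"
EXCLUDE_ANN = "traffic.sidecar.istio.io/excludeInboundPorts"


def _parse_port_list(value):
    """Parse a comma-separated port annotation ("80, 8080") into a set of ints."""
    return {int(p) for p in value.split(",") if p.strip()}


def declared_container_ports(pod_template):
    """All TCP containerPorts declared on any container of the pod template."""
    ports = set()
    for container in pod_template.get("spec", {}).get("containers", []):
        for port in container.get("ports") or []:
            if port.get("protocol", "TCP").upper() == "TCP":
                ports.add(int(port["containerPort"]))
    return ports


def port_is_intercepted(pod_template, port, default_include=None):
    """True if inbound traffic to `port` is redirected to the sidecar.

    Without an includeInboundPorts annotation only declared containerPorts
    are captured (the rule quoted from the Istio requirements page).
    default_include="*" is an assumption modelling an injector whose
    default is to capture every port.
    """
    annotations = pod_template.get("metadata", {}).get("annotations") or {}
    if port in _parse_port_list(annotations.get(EXCLUDE_ANN, "")):
        return False
    include = annotations.get(INCLUDE_ANN)
    if include is None:
        include = default_include
    if include is None:
        return port in declared_container_ports(pod_template)
    if include.strip() == "*":
        return True
    return port in _parse_port_list(include)


def bypassing_service_ports(pod_template, service_target_ports, **kw):
    """Service targetPorts the sidecar will never see, as a sorted list."""
    return sorted(p for p in set(service_target_ports)
                  if not port_is_intercepted(pod_template, p, **kw))


def _flaskapp_template(ports=None, annotations=None):
    """Constructed pod template modelled on the post's flaskapp-v1 deployment."""
    container = {"name": "flaskapp", "image": "dustise/flaskapp",
                 "env": [{"name": "version", "value": "v1"}]}
    if ports is not None:
        container["ports"] = [{"name": "http", "containerPort": p} for p in ports]
    return {"metadata": {"labels": {"app": "flaskapp", "version": "v1"},
                         "annotations": annotations or {}},
            "spec": {"containers": [container]}}


# The broken deployment from the post: no containerPort declared at all.
FLASKAPP_MISSING_PORT = _flaskapp_template()
# The fix applied in the post: containerPort: 80 declared.
FLASKAPP_FIXED = _flaskapp_template(ports=[80])
# The annotation route: capture every port ...
FLASKAPP_ALL_PORTS = _flaskapp_template(annotations={INCLUDE_ANN: "*"})
# ... except an explicitly excluded debug port (constructed example).
FLASKAPP_EXCLUDE_DEBUG = _flaskapp_template(
    annotations={INCLUDE_ANN: "*", EXCLUDE_ANN: "9090"})

# The flaskapp Service in the post targets port 80.
SERVICE_TARGET_PORTS = [80]

if __name__ == "__main__":
    for name, tmpl in [("missing containerPort", FLASKAPP_MISSING_PORT),
                       ("containerPort: 80", FLASKAPP_FIXED),
                       ("includeInboundPorts=*", FLASKAPP_ALL_PORTS)]:
        gap = bypassing_service_ports(tmpl, SERVICE_TARGET_PORTS)
        print(f"{name:24s} ports bypassing the sidecar: {gap or 'none'}")
```

Run it against the pod template and the Service's targetPorts of each workload before deploying: any port it reports is reachable in plaintext regardless of the mesh-wide mTLS setting. Excluded ports are treated as bypassing on purpose, which is the behaviour to expect from excludeInboundPorts.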

Verification

Request from sleep:

[root@kubernetes-master flaskapp]# kubectl -n kangxzh exec -it -c sleep $SOURCE_POD bash
bash-4.4# curl http://flaskapp/env/version
# response
v1 

Request from sleep's istio-proxy without the sidecar certificate:

kubectl -n kangxzh exec -it -c istio-proxy $SOURCE_POD bash
istio-proxy@sleep-v1-7f45c6cf94-zgdsf:/$ curl http://flaskapp/env/version
# response
curl: (56) Recv failure: Connection reset by peer

Request from sleep's istio-proxy with the sidecar certificate:

istio-proxy@sleep-v1-7f45c6cf94-zgdsf:/$ curl https://flaskapp:80/env/version --key /etc/certs/key.pem --cert /etc/certs/cert-chain.pem --cacert /etc/certs/root-cert.pem -k
# response
v1

References

https://github.com/fleeto/sleep

https://github.com/fleeto/flaskapp

https://istio.io/docs/setup/kubernetes/additional-setup/requirements/

https://preliminary.istio.io/about/notes/1.2/
