我无法获得演示配置文件以使用istioctl。似乎istioctl在创建IngressGateway和AddonComponents时遇到问题。我尝试过进行类似问题的头盔安装。我从kops和相同的问题上做了一个新的k8s集群。调试此问题的任何帮助将不胜感激。
我正在遵循这些说明。https://istio.io/docs/setup/getting-started/#download
我正在跑步
istioctl manifest apply --set profile=demo --logtostderr
这是输出
2020-04-06T19:59:24.951136Z info Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
- Applying manifest for component Base...
✔ Finished applying manifest for component Base.
- Applying manifest for component Pilot...
✔ Finished applying manifest for component Pilot.
- Applying manifest for component IngressGateways...
- Applying manifest for component EgressGateways...
- Applying manifest for component AddonComponents...
✔ Finished applying manifest for component EgressGateways.
2020-04-06T20:00:11.501795Z error installer error running kubectl: exit status 1
✘ Finished applying manifest for component AddonComponents.
2020-04-06T20:00:40.418396Z error installer error running kubectl: exit status 1
✘ Finished applying manifest for component IngressGateways.
2020-04-06T20:00:40.421746Z info
Component AddonComponents - manifest apply returned the following errors:
2020-04-06T20:00:40.421823Z info Error: error running kubectl: exit status 1
2020-04-06T20:00:40.421884Z info Error detail:
Error from server (Timeout): error when creating "STDIN": Timeout: request did not complete within requested timeout 30s (repeated 1 times)
clusterrole.rbac.authorization.k8s.io/kiali unchanged
clusterrole.rbac.authorization.k8s.io/kiali-viewer unchanged
clusterrole.rbac.authorization.k8s.io/prometheus-istio-system unchanged
clusterrolebinding.rbac.authorization.k8s.io/kiali unchanged
clusterrolebinding.rbac.authorization.k8s.io/prometheus-istio-system unchanged
serviceaccount/kiali-service-account unchanged
serviceaccount/prometheus unchanged
configmap/istio-grafana unchanged
configmap/istio-grafana-configuration-dashboards-citadel-dashboard unchanged
configmap/istio-grafana-configuration-dashboards-galley-dashboard unchanged
configmap/istio-grafana-configuration-dashboards-istio-mesh-dashboard unchanged
configmap/istio-grafana-configuration-dashboards-istio-performance-dashboard unchanged
configmap/istio-grafana-configuration-dashboards-istio-service-dashboard unchanged
configmap/istio-grafana-configuration-dashboards-istio-workload-dashboard unchanged
configmap/istio-grafana-configuration-dashboards-mixer-dashboard unchanged
configmap/istio-grafana-configuration-dashboards-pilot-dashboard unchanged
configmap/kiali configured
configmap/prometheus unchanged
secret/kiali unchanged
deployment.apps/grafana unchanged
deployment.apps/istio-tracing unchanged
deployment.apps/kiali unchanged
deployment.apps/prometheus unchanged
service/grafana unchanged
service/jaeger-agent unchanged
service/jaeger-collector unchanged
service/jaeger-collector-headless unchanged
service/jaeger-query unchanged
service/kiali unchanged
service/prometheus unchanged
service/tracing unchanged
service/zipkin unchanged
2020-04-06T20:00:40.421999Z info
Component IngressGateways - manifest apply returned the following errors:
2020-04-06T20:00:40.422056Z info Error: error running kubectl: exit status 1
2020-04-06T20:00:40.422096Z info Error detail:
Error from server (Timeout): error when creating "STDIN": Timeout: request did not complete within requested timeout 30s (repeated 2 times)
serviceaccount/istio-ingressgateway-service-account unchanged
deployment.apps/istio-ingressgateway configured
poddisruptionbudget.policy/ingressgateway unchanged
role.rbac.authorization.k8s.io/istio-ingressgateway-sds unchanged
rolebinding.rbac.authorization.k8s.io/istio-ingressgateway-sds unchanged
service/istio-ingressgateway unchanged
2020-04-06T20:00:40.422134Z info
✘ Errors were logged during apply operation. Please check component installation logs above.
Error: failed to apply manifests: errors were logged during apply operation
我运行以下命令来验证安装,然后运行上述命令。
istioctl verify-install
Checking the cluster to make sure it is ready for Istio installation...
#1. Kubernetes-api
-----------------------
Can initialize the Kubernetes client.
Can query the Kubernetes API Server.
#2. Kubernetes-version
-----------------------
Istio is compatible with Kubernetes: v1.16.7.
#3. Istio-existence
-----------------------
Istio will be installed in the istio-system namespace.
#4. Kubernetes-setup
-----------------------
Can create necessary Kubernetes configurations: Namespace,ClusterRole,ClusterRoleBinding,CustomResourceDefinition,Role,ServiceAccount,Service,Deployments,ConfigMap.
#5. SideCar-Injector
-----------------------
This Kubernetes cluster supports automatic sidecar injection. To enable automatic sidecar injection see https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#deploying-an-app
如您的日志中所述
2020-04-06T19:59:24.951136Z info检测到您的群集不支持第三方JWT身份验证。回退到不太安全的第一方JWT。
如上所述here
要确定您的集群是否支持第三方令牌,请查找TokenRequest API:
$ kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))'
{
"name": "serviceaccounts/token",
"singularName": "",
"namespaced": true,
"group": "authentication.k8s.io",
"version": "v1",
"kind": "TokenRequest",
"verbs": [
"create"
]
}
虽然大多数云提供商现在都支持此功能,但许多本地开发工具和自定义安装可能不支持。要启用此功能,请参考Kubernetes documentation。
为了向Istio控制平面进行身份验证,Istio代理将使用服务帐户令牌。 Kubernetes支持以下两种形式的令牌:
第三方令牌,该令牌具有一定范围的受众和有效期。没有过期且已安装到所有吊舱中的第一方令牌。由于第一方令牌的属性不太安全,因此Istio将默认使用第三方令牌。但是,并非在所有Kubernetes平台上都启用此功能。
如果使用istioctl进行安装,将自动检测到支持。这也可以手动完成,并通过传递-set values.global.jwtPolicy = third-party-jwt或-set values.global.jwtPolicy = first-party- jwt。
如果那样行不通,我会打开一个新的github问题,或添加注释here,因为安装问题与此类似。