在 2024 年尝试创建新的 Istio Ingress 网关时使用 Istio/X 进行 ImagePullBackOff
问题描述 投票:0回答:1
我目前正在使用 Istio 的默认 Ingress 网关,但我想创建更多网关,以便每个服务拥有一个 LoadBalancer。我想创建一个 Helm 图表来方便他们的创建。
我尝试了几种配置,例如这个一个或这个另一个,但我无法创建第二个Ingress。我遇到的主要错误是:
cat <<EOF | helm template install/kubernetes/helm/istio/ --name istio --namespace istio-private-gateways -x charts/gateways/templates/deployment.yaml -x charts/gateways/templates/service.yaml -x charts/gateways/templates/serviceaccount.yaml -x charts/gateways/templates/autoscale.yaml -x charts/gateways/templates/role.yaml -x charts/gateways/templates/rolebindings.yaml --set global.istioNamespace=istio-system -f - | kubectl apply --context=$CTX_CLUSTER1 -f -
> gateways:
> enabled: true
> istio-egressgateway:
> enabled: false
> istio-ingressgateway:
> enabled: false
> istio-private-egressgateway:
> enabled: true
> labels:
> app: istio-private-egressgateway
> istio: private-egressgateway
> replicaCount: 1
> autoscaleMin: 1
> autoscaleMax: 5
> cpu:
> targetAverageUtilization: 80
> type: ClusterIP
> ports:
> - port: 80
> name: http
> - port: 443
> name: https
> - port: 15444
> name: tls-for-cross-cluster-communication
> - port: 31400
> name: tcp-1
> - port: 31401
> name: tcp-2
> secretVolumes:
> - name: c1-example-com-certs
> secretName: c1-example-com-certs
> mountPath: /etc/istio/c1.example.com/certs
> - name: c1-trusted-certs
> secretName: c1-trusted-certs
> mountPath: /etc/istio/example.com/certs
> EOF
Error: unknown flag: --name
error: no objects passed to apply
&
Error: unknown shorthand flag: 'x' in -x
error: no objects passed to apply
所以我尝试从 Istio 默认的 Ingress Gateway 更新模板:
Deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: ingressgateway-beta
namespace: beta-v2
labels:
istio: ingressgateway-beta
spec:
replicas: 1
selector:
matchLabels:
istio: ingressgateway-beta
template:
metadata:
labels:
istio: ingressgateway-beta
annotations:
sidecar.istio.io/inject: "false"
# scheduler.alpha.kubernetes.io/critical-pod is deprecated, consider using priorityClassName instead
spec:
serviceAccountName: beta-ingressgateway-service-account
tolerations:
- key: "env"
operator: "Equal"
value: "beta"
effect: "NoSchedule"
#nodeSelector:
# env: beta
containers:
- name: istio-proxy
image: "istio/pilot"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443
args:
- proxy
- router
- -v
- "2"
- --discoveryRefreshDelay
- '1s' #discoveryRefreshDelay
- --drainDuration
- '45s' #drainDuration
- --parentShutdownDuration
- '1m0s' #parentShutdownDuration
- --connectTimeout
- '10s' #connectTimeout
- --serviceCluster
- ingressgateway-beta
- --zipkinAddress
- zipkin.istio-system:9411
- --proxyAdminPort
- "15000"
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
- istio-pilot.istio-system:8080
resources:
requests:
cpu: 100m
memory: 128Mi
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
- name: ingressgateway-beta-certs
mountPath: "/etc/istio/ingressgateway-beta-certs"
readOnly: true
- name: ingressgateway-beta-ca-certs
mountPath: "/etc/istio/ingressgateway-beta-ca-certs"
readOnly: true
imagePullSecrets:
- name: regcred
volumes:
- name: istio-certs
secret:
secretName: istio.beta-ingressgateway-service-account
optional: true
- name: ingressgateway-beta-certs
secret:
secretName: "istio-ingressgateway-beta-certs"
optional: true
- name: ingressgateway-beta-ca-certs
secret:
secretName: "istio-ingressgateway-beta-ca-certs"
optional: true
affinity: {}
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: kubernetes.io/arch # Use kubernetes.io/arch instead of beta.kubernetes.io/arch
# operator: In
# values:
# - amd64
# - ppc64le
# - s390x
# preferredDuringSchedulingIgnoredDuringExecution:
# - weight: 2
# preference:
# matchExpressions:
# - key: kubernetes.io/arch # Use kubernetes.io/arch instead of beta.kubernetes.io/arch
# operator: In
# values:
# - amd64
service.yaml
apiVersion: v1
kind: Service
metadata:
name: ingressgateway-beta
namespace: beta-v2
annotations:
labels:
istio: ingressgateway-beta
spec:
type: LoadBalancer
selector:
istio: ingressgateway-beta
ports:
-
name: http
port: 80
targetPort: 80
-
name: https
port: 443
targetPort: 443
serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: beta-ingressgateway-service-account
namespace: beta-v2
labels:
app: ingressgateway-beta
应用这三个 .yaml 文件后,我就有了一个正在运行的 LoadBalancer 和一个正确的 ServiceAccount。但是,我在部署映像时遇到了一些问题。我尝试过使用 istio/proxy、istio/proxyv2、istio/proxyv2:1.12.5-distroless 和最新的 istio/pilot,但它们都不起作用。
我认为这个问题与我创建 imagePullSecrets 的方式无关,因为我密切关注了 Kubernetes 文档。
kubectl version
Client Version: v1.29.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.3
istio-1.20.3
总结一下:我正在寻找一种替代方法来创建有效的自定义入口网关,或帮助对我当前的配置进行故障排除。
1个回答
0
投票
投票
所以,我找到了一个2020 年的好教程,它为我提供了这种架构。
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
labels:
app: my-gateway-custom-name-istio-ingressgateway
install.operator.istio.io/owning-resource: unknown
istio: my-gateway-custom-name-ingressgateway
istio.io/rev: default
operator.istio.io/component: IngressGateways
release: istio
name: my-gateway-custom-name-istio-ingressgateway
namespace: istio-system
spec:
maxReplicas: 5
metrics:
- resource:
name: cpu
target:
averageUtilization: 80
type: Utilization
type: Resource
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: my-gateway-custom-name-istio-ingressgateway
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: my-gateway-custom-name-istio-ingressgateway
install.operator.istio.io/owning-resource: unknown
istio: my-gateway-custom-name-ingressgateway
istio.io/rev: default
operator.istio.io/component: IngressGateways
release: istio
name: my-gateway-custom-name-istio-ingressgateway
namespace: istio-system
spec:
selector:
matchLabels:
app: my-gateway-custom-name-istio-ingressgateway
istio: my-gateway-custom-name-ingressgateway
strategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 25%
template:
metadata:
annotations:
istio.io/rev: default
prometheus.io/path: /stats/prometheus
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
sidecar.istio.io/inject: "false"
labels:
app: my-gateway-custom-name-istio-ingressgateway
chart: gateways
heritage: Tiller
install.operator.istio.io/owning-resource: unknown
istio: my-gateway-custom-name-ingressgateway
istio.io/rev: default
operator.istio.io/component: IngressGateways
release: istio
service.istio.io/canonical-name: my-gateway-custom-name-istio-ingressgateway
service.istio.io/canonical-revision: latest
sidecar.istio.io/inject: "false"
spec:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution: null
requiredDuringSchedulingIgnoredDuringExecution: null
containers:
- args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.cluster.local
- --proxyLogLevel=warning
- --proxyComponentLogLevel=misc:error
- --log_output_level=default:info
env:
- name: JWT_POLICY
value: third-party-jwt
- name: PILOT_CERT_PROVIDER
value: istiod
- name: CA_ADDR
value: istiod.istio-system.svc:15012
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
- name: ISTIO_CPU_LIMIT
valueFrom:
resourceFieldRef:
resource: limits.cpu
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ISTIO_META_WORKLOAD_NAME
value: my-gateway-custom-name-istio-ingressgateway
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/my-gateway-custom-name-istio-ingressgateway
- name: ISTIO_META_MESH_ID
value: cluster.local
- name: TRUST_DOMAIN
value: cluster.local
- name: ISTIO_META_UNPRIVILEGED_POD
value: "true"
- name: ISTIO_META_CLUSTER_ID
value: Kubernetes
- name: ISTIO_META_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: docker.io/istio/proxyv2:1.20.3
name: istio-proxy
ports:
- containerPort: 15021
protocol: TCP
- containerPort: 8080
protocol: TCP
- containerPort: 8443
protocol: TCP
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 1
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /var/run/secrets/workload-spiffe-uds
name: workload-socket
- mountPath: /var/run/secrets/credential-uds
name: credential-socket
- mountPath: /var/run/secrets/workload-spiffe-credentials
name: workload-certs
- mountPath: /etc/istio/proxy
name: istio-envoy
- mountPath: /etc/istio/config
name: config-volume
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
- mountPath: /var/run/secrets/tokens
name: istio-token
readOnly: true
- mountPath: /var/lib/istio/data
name: istio-data
- mountPath: /etc/istio/pod
name: podinfo
- mountPath: /etc/istio/ingressgateway-certs
name: ingressgateway-certs
readOnly: true
- mountPath: /etc/istio/ingressgateway-ca-certs
name: ingressgateway-ca-certs
readOnly: true
securityContext:
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
serviceAccountName: istio-ingressgateway-service-account
volumes:
- emptyDir: {}
name: workload-socket
- emptyDir: {}
name: credential-socket
- emptyDir: {}
name: workload-certs
- configMap:
name: istio-ca-root-cert
name: istiod-ca-cert
- downwardAPI:
items:
- fieldRef:
fieldPath: metadata.labels
path: labels
- fieldRef:
fieldPath: metadata.annotations
path: annotations
name: podinfo
- emptyDir: {}
name: istio-envoy
- emptyDir: {}
name: istio-data
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: istio-ca
expirationSeconds: 43200
path: istio-token
- configMap:
name: istio
optional: true
name: config-volume
- name: ingressgateway-certs
secret:
optional: true
secretName: istio-ingressgateway-certs
- name: ingressgateway-ca-certs
secret:
optional: true
secretName: istio-ingressgateway-ca-certs
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
labels:
app: my-gateway-custom-name-istio-ingressgateway
install.operator.istio.io/owning-resource: unknown
istio: my-gateway-custom-name-ingressgateway
istio.io/rev: default
operator.istio.io/component: my-gateway-custom-name-IngressGateways
release: istio
name: my-gateway-custom-name-ingressgateway
namespace: istio-system
spec:
minAvailable: 1
selector:
matchLabels:
app: my-gateway-custom-name-istio-ingressgateway
istio: my-gateway-custom-name-ingressgateway
---
apiVersion: v1
kind: Service
metadata:
annotations: null
labels:
app: my-gateway-custom-name-istio-ingressgateway
install.operator.istio.io/owning-resource: unknown
istio: my-gateway-custom-name-ingressgateway
istio.io/rev: default
operator.istio.io/component: IngressGateways
release: istio
name: my-gateway-custom-name-istio-ingressgateway
namespace: istio-system
spec:
ports:
- name: status-port
port: 15021
protocol: TCP
targetPort: 15021
- name: http2
port: 80
protocol: TCP
targetPort: 8080
- name: https
port: 443
protocol: TCP
targetPort: 8443
selector:
app: my-gateway-custom-name-istio-ingressgateway
istio: my-gateway-custom-name-ingressgateway
type: LoadBalancer
---
它按预期工作! 现在,您只需将“my-gateway-custom-name-ingressgateway”更改为您想要的任何内容即可。
最新问题
- 无法在Android模拟器上运行Flutter应用程序-看不懂日志
- 添加/删除时反应图像上传重新渲染上传的图像
- 如何为 TYPO3 后端中的默认文本/媒体内容元素分配预览模板?
- NestJS Mongoose populate() 不适用于 ObjectId 数组,但适用于单个 ObjectId
- 使用 angularx-social-login 进行 Angular google 自动登录
- Jenkins cleanWs 插件未根据模式保存文件
- lua类构造函数中的本地对象?
- 有没有办法重新连接到断开的 VS Code 远程 SSH 连接?
- Redis 与 RocksDB
- 什么时候应该使用MySQL压缩协议?
- react 如何在不使用“`”符号的情况下允许多行返回?
- 在C#中动态添加和加载资源中的图像
- 使用 Turbo Native Android 播放背景音频
- Python:使用 Selenium/BS4 抓取使用脚本填充的画布
- 为什么不同版本的intern方法有变化?
- 无法使用凭据从 Spring Boot 应用程序连接到 Neo4J 数据库
- Google 是否可以看到通过 Google 跟踪代码管理器发送的数据?
- Powershell - XML 根据子节点值重命名节点名称
- 优化 SQL 查询流程
- 如何在 JavaFX 中使用不确定的 ProgressIndicator 来制作可暂停任务?
© www.soinside.com 2019 - 2024. All rights reserved.