kubernetesistioistio-sidecar
ISTIO - Egress Gateway returns - command terminated with exit code 35?
I have installed ISTIO with the below configuration
cat << EOF | kubectl apply -f -
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: istio-control-plane
spec:
# Use the default profile as the base
# More details at: https://istio.io/docs/setup/additional-setup/config-profiles/
profile: default
# Enable the addons that we will want to use
addonComponents:
grafana:
enabled: true
prometheus:
enabled: true
tracing:
enabled: true
kiali:
enabled: true
values:
global:
# Ensure that the Istio pods are only scheduled to run on Linux nodes
defaultNodeSelector:
beta.kubernetes.io/os: linux
kiali:
dashboard:
auth:
strategy: anonymous
components:
egressGateways:
- name: istio-egressgateway
enabled: true
meshConfig:
accessLogFile: /dev/stdout
outboundTrafficPolicy:
mode: REGISTRY_ONLY
EOF
and have configured the Egress Gateway, Destination Rule & Virtual Service as shown below
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
metadata:
name: akv2k8s-test
labels:
istio-injection: enabled
azure-key-vault-env-injection: enabled
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: edition-cnn-com
namespace: akv2k8s-test
spec:
hosts:
- edition.cnn.com
ports:
- number: 443
name: https-port
protocol: HTTPS
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: edition-cnn-com
namespace: akv2k8s-test
spec:
hosts:
- edition.cnn.com
tls:
- match:
- port: 443
sniHosts:
- edition.cnn.com
route:
- destination:
host: edition.cnn.com
port:
number: 443
weight: 100
EOF
While trying to access it throws an error
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.7/samples/sleep/sleep.yaml -n akv2k8s-test
export SOURCE_POD=$(kubectl get pod -l app=sleep -n akv2k8s-test -o jsonpath={.items..metadata.name})
kubectl exec "$SOURCE_POD" -n akv2k8s-test -c sleep -- curl -sL -o /dev/null -D - https://edition.cnn.com/politics
kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail
How do I fix this?
Update: I have also tried the below, but still the same result
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: svc-entry
namespace: akv2k8s-test
spec:
hosts:
- google.com
ports:
- number: 443
name: https
protocol: HTTPS
location: MESH_EXTERNAL
resolution: DNS
EOF
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: ext-res-dr
namespace: akv2k8s-test
spec:
host: google.com
EOF
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: ext-res-gw
namespace: akv2k8s-test
spec:
selector:
istio: egressgateway
servers:
- port:
number: 443
name: tls
protocol: TLS
hosts:
- google.com
tls:
mode: PASSTHROUGH
EOF
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ext-res-vs
namespace: akv2k8s-test
spec:
hosts:
- google.com
gateways:
- mesh
- ext-res-gw
tls:
- match:
- gateways:
- mesh
port: 443
sniHosts:
- google.com
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: google
port:
number: 443
- match:
- gateways:
- ext-res-gw
port: 443
sniHosts:
- google.com
route:
- destination:
host: google.com
port:
number: 443
weight: 100
EOF
Solution
I'm not sure what's wrong with first example as there are no all dependencies, about the update there was an issue with your DestinationRule
It should be
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: ext-res-dr
namespace: akv2k8s-test
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: google
Instead of
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: ext-res-dr
namespace: akv2k8s-test
spec:
host: google.com
and hosts/sniHosts
It should be
www.google.com
Instead of
google.com
There is working example for https://www.google.com.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: svc-entry
namespace: akv2k8s-test
spec:
hosts:
- www.google.com
ports:
- number: 443
name: https
protocol: HTTPS
location: MESH_EXTERNAL
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: ext-res-dr
namespace: akv2k8s-test
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: google
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: ext-res-gw
namespace: akv2k8s-test
spec:
selector:
istio: egressgateway
servers:
- port:
number: 443
name: tls
protocol: TLS
hosts:
- www.google.com
tls:
mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ext-res-vs
namespace: akv2k8s-test
spec:
hosts:
- www.google.com
gateways:
- mesh
- ext-res-gw
tls:
- match:
- gateways:
- mesh
port: 443
sniHosts:
- www.google.com
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: google
port:
number: 443
- match:
- gateways:
- ext-res-gw
port: 443
sniHosts:
- www.google.com
route:
- destination:
host: www.google.com
port:
number: 443
weight: 100
And there is registry mode, curl and egress logs.
kubectl get istiooperator istio-control-plane -n istio-system -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'
REGISTRY_ONLY
kubectl exec "$SOURCE_POD" -n akv2k8s-test -c sleep -- curl -sL -o /dev/null -D - https://www.google.com
HTTP/2 200
kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail
[2020-10-27T14:16:37.735Z] "- - -" 0 - "-" "-" 844 17705 45 - "-" "-" "-" "-" "xxx.xxx.xxx.xxx:443" outbound|443||www.google.com xx.xx.xx.xx:59814 xx.xx.xx.xx:8443 1xx.xx.xx.xx:33112 www.google.com -
[2020-10-27T14:18:45.896Z] "- - -" 0 - "-" "-" 883 17647 38 - "-" "-" "-" "-" "xxx.xxx.xxx.xxx:443" outbound|443||www.google.com xx.xx.xx.xx:56834 xx.xx.xx.xx:8443 xx.xx.xx.xx:33964 www.google.com -
Please refer to this documentation.
- How can I close over variables in kdb/Q?
- When is the EACH operator extension necessary in K besides mod/rotate?
- Handling single-character strings - in a function or in its caller? ssr()
- Kdb+ data fomat when writing to a file
- How to convert a symbol to a string in kdb+?
- Sum of each two elements using vector functions
- A dictionary with a single value and multiple keys
- Table transformation, table as list of dicts
- Accumulator gives different result then direct function applying
- Reshape [cols;table]
- FK field over IPC
- Protected execution, 2 cases
- Enums for tables
- Converge (fixed point) syntax difference in q and k
- .Q.trp and bt handling
- NULLs in q and in k.h
- Strange view declaration behaviour
- How to build a parse-tree of projections?
- Could not evaluate manually created equial ~ parse tree
- Select distinct for all columns from keyed table
- Parallel execution: blocking receive, deferred synchronous
- Multiple variable assignment in q
- Select a table from the inside of external select
- Select when one of filter-column may not exists
- What is the meaning of `s attribute on a table?
- On parallel execution - which side reports about an error?
- Validate if a keyed table have unique keys
- Applying dictionary to dictionary
- About xkey implementation
- Parse tree built on values from vars