我正在遵循 Istio 安全授权TCP 流量教程。
在第 5 步,验证 sleep 是否成功与端口 9002 上的 tcp-echo 通信。,我得到的connection rejected结果而不是connection succeeded教程指示我应该收到的结果。
user@docker-host-01:~/istio-1.20.1$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \
> -c sleep -n foo -- sh -c \
> 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
hello port 9000
connection succeeded
user@docker-host-01:~/istio-1.20.1$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \
> -c sleep -n foo -- sh -c \
> 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
hello port 9001
connection succeeded
user@docker-host-01:~/istio-1.20.1$ TCP_ECHO_IP=$(kubectl get pod "$(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name})" -n foo -o jsonpath="{.status.podIP}")
user@docker-host-01:~/istio-1.20.1$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \
> -c sleep -n foo -- sh -c \
> "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
connection rejected
user@docker-host-01:~/istio-1.20.1$ echo $TCP_ECHO_IP
10.244.0.27
user@docker-host-01:~/istio-1.20.1$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002"
user@docker-host-01:~/istio-1.20.1$
下面的日志似乎表明该消息是从sleeppod 发送的,但从未被 pod 接收tcp-echo。如果我理解正确的话,连接到的日志条目10.244.0.27:9002被路由到PassthroughCluster指示它没有通过 IP 正确路由,而它在之前的条目中通过 pod 名称正确路由。
user@docker-host-01:~/istio-1.20.1$ kubectl logs -l app=sleep -c istio-proxy -n foo
[2024-01-01T14:59:50.262Z] "- - -" 0 - - - "-" 10 16 9 - "-" "-" "-" "-" "10.244.0.27:9000" outbound|9000||tcp-echo.foo.svc.cluster.local 10.244.0.26:52798 10.111.194.106:9000 10.244.0.26:36087 - -
[2024-01-01T14:59:54.343Z] "- - -" 0 - - - "-" 10 16 9 - "-" "-" "-" "-" "10.244.0.27:9001" outbound|9001||tcp-echo.foo.svc.cluster.local 10.244.0.26:43342 10.111.194.106:9001 10.244.0.26:42365 - -
[2024-01-01T15:00:02.734Z] "- - -" 0 - - - "-" 10 0 0 - "-" "-" "-" "-" "10.244.0.27:9002" PassthroughCluster 10.244.0.26:33738 10.244.0.27:9002 10.244.0.26:33999 - -
2024-01-01T15:02:03.306941Z info xdsproxy connected to upstream XDS server: istiod.istio-system.svc:15012
[2024-01-01T15:03:52.319Z] "- - -" 0 - - - "-" 10 0 0 - "-" "-" "-" "-" "10.244.0.27:9002" PassthroughCluster 10.244.0.26:34762 10.244.0.27:9002 10.244.0.26:44177 - -
user@docker-host-01:~/istio-1.20.1$ kubectl logs -l app=tcp-echo -c istio-proxy -n foo
[2024-01-01T14:59:50.263Z] "- - -" 0 - - - "-" 554 590 8 - "-" "-" "-" "-" "10.244.0.27:9000" inbound|9000|| 127.0.0.6:58755 10.244.0.27:9000 10.244.0.26:52798 outbound_.9000_._.tcp-echo.foo.svc.cluster.local -
[2024-01-01T14:59:54.344Z] "- - -" 0 - - - "-" 554 590 8 - "-" "-" "-" "-" "10.244.0.27:9001" inbound|9001|| 127.0.0.6:43015 10.244.0.27:9001 10.244.0.26:43342 outbound_.9001_._.tcp-echo.foo.svc.cluster.local -
我希望得到帮助,了解为什么我的环境导致教程命令偏离预期输出以及如何纠正它。谢谢!
环境详情:
- Ubuntu 20.04 上的 minikube v1.32.0
- Docker 24.0.7 上的 Kubernetes v1.28.3
- 桥接 CNI
- istio v1.20.1