Note that @vadimeisenbergibm explained the problem is that I am specifying hostnames and not an IP block, and deploying with kubectl. I modified the Egress to use numeric CIDRs and it worked as expected. In that case the bug is that istioctl create -f kafka-egress.yaml also does not produce warnings or any messages. It may also be a bug that specifying an invalid Egress breaks things unrelated to the Egress -- my expectation is that an invalid Egress does not harm other traffic.
The symptom of having an invalid TCP Egress is as follows:
There is a bug that manifests if a Pod makes uses a TCP service and is started while there is an Egress that also refers to a TCP service. I tested this in Istio 0.5.x using minikube version 0.25 and Kubernetes version 1.9.0.
To reproduce deploy the attached set of two MySQL pods with kubectl apply -f deploy.yaml
Then, verify you can go to the client MySQL machine and operate on the server MySQL machine using the password 'passw0rd'
kubectl exec -it test-client-mysql-<instance-id> -- mysql -h mysql -p
Use 'passw0rd' for the password. quit to get out. Then, kubectl apply -f kafka-egress.yaml. Wait a few seconds then
kubectl exec -it test-client-mysql-<instance-id> -- mysql -h mysql -p
It should still work. Then, kubectl delete pod test-client-mysql-<instance-id>, wait for the new pod to initialize and try again
kubectl exec -it test-client-mysql-<new-instance-id> -- mysql -h mysql -p
This time, instead of a mysql prompt you receive an error message
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 0
esnible
commented
6 years ago
Note that @vadimeisenbergibm explained the problem is that I am specifying hostnames and not an IP block, and deploying with kubectl. I modified the Egress to use numeric CIDRs and it worked as expected. In that case the bug is that
istioctl create -f kafka-egress.yamlalso does not produce warnings or any messages. It may also be a bug that specifying an invalid Egress breaks things unrelated to the Egress -- my expectation is that an invalid Egress does not harm other traffic.The symptom of having an invalid TCP Egress is as follows:
There is a bug that manifests if a Pod makes uses a TCP service and is started while there is an Egress that also refers to a TCP service. I tested this in Istio 0.5.x using minikube version 0.25 and Kubernetes version 1.9.0.
To reproduce deploy the attached set of two MySQL pods with
kubectl apply -f deploy.yamlThen, verify you can go to the client MySQL machine and operate on the server MySQL machine using the password 'passw0rd'
Use 'passw0rd' for the password.
quitto get out. Then,kubectl apply -f kafka-egress.yaml. Wait a few seconds thenIt should still work. Then,
kubectl delete pod test-client-mysql-<instance-id>, wait for the new pod to initialize and try againThis time, instead of a mysql prompt you receive an error message