istio / old_issues_repo

Deprecated issue-tracking repo, please post new issues or feature requests to istio/istio instead.

External services connectivity problem #384

Closed oleg-filiutsich closed 6 years ago

oleg-filiutsich commented 6 years ago

What Version of Istio and Kubernetes are you using, where did you get Istio from, Installation details

istioctl version
Version: 0.8.0
GitRevision: 6f9f420f0c7119ff4fa6a1966a6f6d89b1b4db84
User: root@48d5ddfd72da
Hub: docker.io/istio
GolangVersion: go1.10.1
BuildStatus: Clean

kubectl version
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:17:39Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:05:37Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

Is Istio Auth enabled or not? I installed Istio via these commands:

$ helm template ~/istio-0.8.0/install/kubernetes/helm/istio --name istio --namespace istio-system --set servicegraph.enable=true --set tracing.enabled=true --set grafana.enabled=true --set servicegraph.enabled=true --set global.proxy.includeIPRanges="0.0.0.0/0" > $HOME/istio.yaml

$ kubectl apply -f $HOME/istio.yaml
$ kubectl label namespace default istio-injection=enabled

What happened: I run my microservice. The service tries to use an external consul server 192.168.100.15 (without kubernetes cluster) but the connection is blocked by Istio.

What you expected to happen: Istio allows any connection to the external world via IP or DNS names.

AWKIF commented 6 years ago

--set global.proxy.includeIPRanges="0.0.0.0/0"

I don't know why you put this value, but this is your issue. Put your service range instead, or create ServiceEntry rules: https://istio.io/docs/tasks/traffic-management/egress/

oleg-filiutsich commented 6 years ago

@AWKIF Big thank you for the answer. Sorry, I did not understand how to correctly set an allowed IP range like 0.0.0.0/0 for access to external services. Can you give me an example?

AWKIF commented 6 years ago

In k8s your services are deployed on certain IP ranges (--cluster-cidr on my kubeproxy). Just put this network range here, i.e.:

--set global.proxy.includeIPRanges="100.32.0.0/16"

From the doc: The simplest way to use the global.proxy.includeIPRanges variable is to pass it the IP range(s) used for internal cluster services, thereby excluding external IPs from being redirected to the sidecar proxy. The values used for internal IP range(s), however, depends on where your cluster is running. For example, with Minikube the range is 10.0.0.1/24,

oleg-filiutsich commented 6 years ago

@AWKIF Thank you.

# For flannel net
$ helm template ~/istio-0.8.0/install/kubernetes/helm/istio --name istio --namespace istio-system --set servicegraph.enable=true --set tracing.enabled=true --set grafana.enabled=true --set servicegraph.enabled=true --set global.proxy.includeIPRanges="10.244.0.0/16"  -x templates/sidecar-injector-configmap.yaml | kubectl apply -f -

At last it works!

AWKIF commented 6 years ago

glad to know :) cheers !
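
The range matching discussed in this thread, as an added example that is not part of the original issue or Istio's own code: it checks which destinations fall inside each `includeIPRanges` value quoted above and are therefore redirected to the sidecar. The pod IP, the ClusterIP and the 10.96.0.0/12 service range are assumptions made for illustration.

```python
import ipaddress

def parse_ranges(value):
    """Parse a comma-separated includeIPRanges value into network objects.

    strict=False accepts entries written with host bits set, such as the
    10.0.0.1/24 quoted from the docs, and normalizes them to 10.0.0.0/24.
    """
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in value.split(",") if part.strip()]

def classify(dest, include_ranges):
    """Return 'sidecar' if dest is inside an included range, else 'direct'."""
    ip = ipaddress.ip_address(dest)
    for net in parse_ranges(include_ranges):
        if ip.version == net.version and ip in net:
            return "sidecar"
    return "direct"

def catch_all(include_ranges):
    """True if any range has prefix length 0, so every address is redirected."""
    return any(net.prefixlen == 0 for net in parse_ranges(include_ranges))

# Settings that appear in the thread.
SETTINGS = ["0.0.0.0/0", "100.32.0.0/16", "10.244.0.0/16", "10.0.0.1/24"]

# The Consul server address is from the thread; the other two are constructed.
DESTINATIONS = {
    "192.168.100.15": "external Consul server (from the thread)",
    "10.244.3.7": "constructed pod IP on the flannel network",
    "10.96.0.10": "constructed ClusterIP, assuming a 10.96.0.0/12 service range",
}

def report():
    """Build (setting, destination, path) rows for every combination."""
    return [(s, d, classify(d, s)) for s in SETTINGS for d in DESTINATIONS]

if __name__ == "__main__":
    for setting in SETTINGS:
        print(f"includeIPRanges={setting}  catch_all={catch_all(setting)}")
        for dest, label in DESTINATIONS.items():
            print(f"  {dest:<15} -> {classify(dest, setting):<7}  {label}")
```

A `direct` result means the connection leaves the pod without passing through the sidecar proxy; the ServiceEntry rules linked earlier in the thread are the alternative when that traffic should stay behind the proxy. Under the assumed service range, the ClusterIP row is also `direct` for `10.244.0.0/16`, which is worth checking against the cluster's actual service CIDR.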