kubeslice / worker-operator

Kubeslice Worker Operator Opensource Repository: The KubeSlice Worker Operator is a Kubernetes operator that manages the lifecycle of KubeSlice worker clusters.
Apache License 2.0

Bug: Bookinfo pods in crashloop when istio mtls is enabled #331

Open bharath-avesha opened 5 months ago

bharath-avesha commented 5 months ago

📜 Description

Application pods in the bookinfo namespace connected to a slice go into a crashloop when using istio mtls peer authentication in STRICT mode.

👟 Reproduction steps

  1. Create a slice and add the bookinfo namespace to the applicationNamespace list in the slice configuration.
  2. Deploy the bookinfo app on the worker cluster.
  3. Enable istio peer authentication with STRICT mode. For example:

     ```yaml
     apiVersion: security.istio.io/v1beta1
     kind: PeerAuthentication
     metadata:
       name: tls-policy
       namespace: bookinfo
     spec:
       mtls:
         mode: STRICT
     ```

  4. Deploy the bookinfo app in the bookinfo namespace. You will observe the app pods going into a crash loop.

πŸ‘ Expected behavior

The app pods should not crash.

👎 Actual Behavior

The app pods go into a crash loop.

🐚 Relevant log output

No response

Version

No response

🖥️ What operating system are you seeing the problem on?

No response

✅ Proposed Solution

No response

👀 Have you spent some time to check if this issue has been raised before?

kon3m commented 3 months ago

Can I work on this? Please assign it to me if no one is working on it.

narmidm commented 3 months ago

Sure @kon3m. Will assign it to you.

kon3m commented 3 months ago

I followed the above steps but unfortunately was not able to reproduce the issue using KinD. Is this issue reproducible in KinD, @bharath-avesha?

bharath-avesha commented 3 months ago

@kon3m can you please check if the nsm init and sidecar containers were injected into the pods in the bookinfo namespace? Those containers have to talk to the nsmgr control plane over tcp on port 5000. If the peer authentication is STRICT, istio sidecar in the bookinfo pod will try to enforce mtls on port 5000 and that will cause a failure because there is no istio sidecar in the nsmgr pods.
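The check asked for above (are the NSM init and sidecar containers actually injected, and is the namespace under a STRICT PeerAuthentication?) can be run offline against saved `kubectl ... -o json` output. The script below is an added example for this thread, not code from the worker-operator project or from any commenter. It reads constructed sample documents embedded inline; the init container name `cmd-nsc-init` comes from the thread, while the NSM sidecar name `cmd-nsc` and the pod names are assumptions. A pod that combines NSM injection, an Istio sidecar and a STRICT namespace policy is flagged as the combination the comment describes (NSM containers needing TCP 5000 to an nsmgr that has no Istio sidecar).

```python
import json

# Constructed sample of `kubectl get pods -n bookinfo -o json`, trimmed to the
# fields the check reads. Pod names and the "cmd-nsc" sidecar name are assumed.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {   # Slice-onboarded pod: NSM init + sidecar, plus the Istio sidecar.
        "metadata": {"name": "productpage-v1-7d4c9", "namespace": "bookinfo"},
        "spec": {
            "initContainers": [{"name": "cmd-nsc-init"}, {"name": "istio-init"}],
            "containers": [{"name": "productpage"}, {"name": "cmd-nsc"},
                           {"name": "istio-proxy"}],
        },
        "status": {"containerStatuses": [
            {"name": "productpage", "restartCount": 0},
            {"name": "cmd-nsc", "restartCount": 6},
            {"name": "istio-proxy", "restartCount": 0},
        ]},
    },
    {   # Pod that is not onboarded to the slice: no NSM containers at all.
        "metadata": {"name": "details-v1-5f8b2", "namespace": "bookinfo"},
        "spec": {
            "initContainers": [{"name": "istio-init"}],
            "containers": [{"name": "details"}, {"name": "istio-proxy"}],
        },
        "status": {"containerStatuses": [
            {"name": "details", "restartCount": 0},
            {"name": "istio-proxy", "restartCount": 0},
        ]},
    },
]})

# Constructed sample of `kubectl get peerauthentication -A -o json`.
SAMPLE_PEERAUTH_JSON = json.dumps({"items": [
    {"metadata": {"name": "tls-policy", "namespace": "bookinfo"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
]})

NSM_INIT_CONTAINER = "cmd-nsc-init"    # named in the issue thread
NSM_SIDECAR_CONTAINER = "cmd-nsc"      # assumed NSM sidecar container name
ISTIO_SIDECAR_CONTAINER = "istio-proxy"
NSMGR_PORT = 5000                      # nsmgr control-plane port named in the thread


def strict_namespaces(peerauth_json):
    """Namespaces whose namespace-wide PeerAuthentication has mtls.mode STRICT.

    Policies carrying a workload selector are skipped; this is a simplification
    of Istio's precedence rules, good enough for a first triage.
    """
    strict = set()
    for item in json.loads(peerauth_json).get("items", []):
        spec = item.get("spec", {})
        if spec.get("selector"):
            continue
        if spec.get("mtls", {}).get("mode") == "STRICT":
            strict.add(item["metadata"]["namespace"])
    return strict


def inspect_pods(pods_json, strict):
    """Per-pod summary: NSM injected, Istio injected, STRICT namespace, restarts.

    'conflict' is True when all three hold, i.e. the NSM containers in this pod
    must reach nsmgr on TCP NSMGR_PORT through an Istio sidecar that will
    demand mTLS from a peer that has no sidecar.
    """
    report = []
    for pod in json.loads(pods_json).get("items", []):
        ns = pod["metadata"]["namespace"]
        init_names = {c["name"] for c in pod["spec"].get("initContainers", [])}
        names = {c["name"] for c in pod["spec"].get("containers", [])}
        statuses = pod.get("status", {}).get("containerStatuses", [])
        nsm = NSM_INIT_CONTAINER in init_names or NSM_SIDECAR_CONTAINER in names
        istio = ISTIO_SIDECAR_CONTAINER in names
        report.append({
            "pod": pod["metadata"]["name"],
            "namespace": ns,
            "nsm_injected": nsm,
            "istio_injected": istio,
            "strict_mtls": ns in strict,
            "restarts": sum(s.get("restartCount", 0) for s in statuses),
            "conflict": nsm and istio and ns in strict,
        })
    return report


def conflicting_pods(pods_json, peerauth_json):
    """Names of pods combining NSM injection, an Istio sidecar and STRICT mTLS."""
    strict = strict_namespaces(peerauth_json)
    return [r["pod"] for r in inspect_pods(pods_json, strict) if r["conflict"]]


if __name__ == "__main__":
    rows = inspect_pods(SAMPLE_PODS_JSON, strict_namespaces(SAMPLE_PEERAUTH_JSON))
    for r in rows:
        flag = f"CONFLICT (nsmgr:{NSMGR_PORT} behind STRICT mTLS)" if r["conflict"] else "ok"
        print(f"{r['namespace']}/{r['pod']}: nsm={r['nsm_injected']} "
              f"istio={r['istio_injected']} strict={r['strict_mtls']} "
              f"restarts={r['restarts']} -> {flag}")
```

To use it on a real cluster, replace the two constants with the contents of `kubectl get pods -n bookinfo -o json` and `kubectl get peerauthentication -A -o json`. A pod reported with `nsm=False` is the situation kon3m saw when the issue did not reproduce: without the NSM containers there is nothing in the pod that needs to reach nsmgr, so STRICT mode has no effect on it.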

kon3m commented 3 months ago

@bharath-avesha yes, they are injected into the pods and the pods are in the running state without any restarts. Please let me know if I am doing anything wrong while trying to reproduce this bug. Attaching the output of `k get pod -o yaml` and the log of the cmd-nsc-init container: cmd-nsc-init-log.txt, bookinfo-pod-out.txt