Questions tagged [istio]
The istio tag has no usage guidance.
41
questions
3
votes
2
answers
4k
views
How can I get Egress Static IP per namespace within a EKS cluster
My current setup involves an EKS Cluster with multiple namespaces (multi-tenant) across many different EKS nodes in private subnets. I would like the egress traffic from the pods to have a dedicated ...
2
votes
1
answer
2k
views
Why is My Istio EnvoyFilter with TCP Idle Timeout Setting not working?
I have created an EnvoyFilter to apply TCP idle timeout to outbound requests. Here's my filter configuration:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-idle-...
- 53
2
votes
1
answer
7k
views
istio-proxy 403 error:'upstream connect error or disconnect/reset before headers. reset reason: connection failure'
We have deployed an application behind the istio ingress gateway and is accessible at test.domain.com/jenkinscore.We have used istio 1.4.5. The domain name is created for the istio ingress gateway ...
2
votes
0
answers
635
views
istio sidecar injection not working
I have installed istio in my k8s cluster, and labeled my desired namespace with
istio-injection=enabled
However, when I install a pod, it doesn't inject the sidecar.
I followed the instructions on ...
- 143
2
votes
1
answer
572
views
Jupyter notebook on kubernetes not being able to connect to outside docker service
Im running a kubernetes (kubeflow + k8s) pod with a jupyter notebook and a docker service outside of the kubernetes server, im currently trying to connect to a sql service but it keeps getting ...
- 31
2
votes
0
answers
805
views
Istio egress gateway HANDSHAKE_FAILURE_ON_CLIENT_HELLO with custom certs
What we ware trying to achieve is point mesh traffic to an external service via an egressgateway.
We tried several iterations, and now trying with an egressgateway in between.
The external service is ...
- 121
1
vote
2
answers
294
views
Istio outboundTrafficPolicy for pods in and out of the service mesh
I'm Trying to understand how Istio envoy proxy works when outboundTrafficPolicy mode is set to REGISTRY_ONLY. With the setup defined below I would expect that the inside pod would be blocked from ...
- 133
1
vote
1
answer
540
views
coreDNS flooded by istio (envoy)
When there are lots of external VMs which are accessible only via a firewall and there are multiple namespaces in the cluster, each with its own set of external VMs, you end up with a lot of ...
- 111
1
vote
2
answers
226
views
How do I configure routing for non-knative service in a Knative & Istio installed k8 cluster?
I have a Knative installed with Istio as networking layer (without injection)
The kubernetes cluster is using Istio ingress gateway as default ingress.
Most Knative service's routing are managed ...
- 11
1
vote
1
answer
844
views
How to setup custom authentication and authorization in Istio/K8?
Let's say, I have a project that has 8 pods(services). I understand that authentication and authorization are covered in Istio Gateway using jwt. So that every request is verified. But users with ...
- 13
1
vote
0
answers
500
views
aws-load-balancer-controller annotations not working
I'm trying to automatically start an ALB in my EKS cluster by using the aws-load-balancer-controller
This is what the logs of my deployment look like:
$ kubectl logs -n kube-system deployment.apps/aws-...
- 123
1
vote
1
answer
325
views
Istio Keeps On Showing TcpProxyValidationError Errors
I initially created an EnvoyFilter to apply idle_timeout of 5s to outbound requests originating from workloads with label app: mecha-dev.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
...
- 53
1
vote
0
answers
230
views
Istio Multicluster: Terminate mTLS at Ingress Gateway for Non-proxied Service
I am writing a service to coordinate Istio control planes in a "replicated control planes" configuration. I have managed to programmatically create ServiceEntry objects that correctly route ...
- 260
0
votes
1
answer
352
views
Issues Setting Up Istio Gateway
I have an AKS cluster with 2 nodes
Node A. 10.216.6.229 Node B. 10.216.6.230
We do not have External Load Balancer, so Istio Gateway EXTERNAL-IP is . As per Get Started documentation, I used command ...
- 1
0
votes
1
answer
608
views
Istio - Prometheus - HPA Stack not communicating [ HPA could not calculate the number of replicas ]
I have cluster with 1 control panel and 2 nodes.
Istio is installed as Service Mesh.
I do request management via istio ingress.
I want it to automatically scale by sharing metrics between Kubernetes ...
- 1
0
votes
1
answer
229
views
Istio Multi-master Multi-network Locality Failover Woes
I can't get "multi-primary multi-network" to play nice with locality failover (or locality load balancing for that matter). The endpoints are registered fine. The istio-system is labeled ...
- 260
0
votes
0
answers
17
views
No SNI sent from RTMPS client (OBS Studio)
We're trying to deploy an RTMP server on our Kubernetes cluster behind an Istio Api Gateway. All services share one port (443) and Istio terminates the SSL connection and routes each request to the ...
0
votes
0
answers
16
views
How istio works with multiple node groups on single eks cluster
In our vpc architecture, we have designed like one vpc with two availability zones, two public subnets , 2 private subnets , 2 private db subnets, internet gateway , route table association to pulic ...
0
votes
1
answer
162
views
How do we configure prometheus server to scrape metrics from a pod with Istio sidecar proxy?
A service pod is running with Istio sidecar container and is MTLS enabled. How do we define a service monitor to scrape metrics from this service ? Do we need to update the Prometheus server for the ...
- 101
0
votes
0
answers
65
views
Resolving OpenEBS Startup Probe Failure with Istio on Kubernetes: Connection Refused Error
I'm trying to deploy a Helm chart on my Kubernetes cluster where Istio is already installed. Here's a snippet of my Helm chart's dependencies:
dependencies:
- name: opensearch
version: "0.13.0&...
- 101
0
votes
0
answers
55
views
404 error on jaeger-collector in kubernetes deployment
I've tried istio in kubernetes by referring official site of istio. In that, I can access kiali, prometheus but I can't connect the jaeger-collector. Since I'm using EKS and VM, I've exposed them as ...
- 1
0
votes
2
answers
143
views
Azure Istio - Revision asm-1-17 is not supported by the service mesh add-on
I am trying to activate istio in my azure kubernetes cluster, with the following command:
az aks mesh enable --resource-group rgtest01 --name akstest01
I am getting the error message:
(BadRequest) ...
0
votes
1
answer
197
views
How to Install Istio CRDs in Remote Kubernetes Cluster
To avoid any XY problem, I'm sharing the full story.
I'd like to deploy a multi-cluster setup of Istio; specifically Primary-Remote (single mesh, single network) setup. Following this guide after a ...
- 195
0
votes
0
answers
248
views
Istio CNI blocks traffic in application init containers
After installing Istio CNI for ambient mesh, I faced the problem that Istio CNI blocked traffic in application init containers. I am familiar with the workaround to the problem that is proposed in the ...
0
votes
0
answers
43
views
Create an internal alias to external service with istio
Using istio is it possible to make an internal alias to a service outside the service mesh that was defined using a ServieEntry and control access to the external service?
For example suppose I have a ...
- 133
0
votes
0
answers
28
views
Following Istio TCP Traffic authorization tutorial and getting 'connection rejected' instead of 'connection succeeded'
I'm following the Istio security authorization TCP Traffic tutorial.
On step 5, Verify that sleep successfully communicates with tcp-echo on port 9002., I get a connection rejected result rather than ...
0
votes
0
answers
66
views
How to set azure app gateway ingress in one namespace and target service istio-ingress is in another namespace in kubernetes?
azure app gateway ingress in one namespace and target service istio-ingress is in another namespace, how to set that.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: server-ingress
...
0
votes
0
answers
833
views
Kubernetes Gateway API - Using HTTPRoute rules to rewrite URI paths
My goal is to have a single Gateway that can be used to host multiple applications at different paths. The URLRewrite filter exists, however, when it does not seem to be working as expected.
Using ...
- 261
0
votes
0
answers
115
views
How to route azure application gateway to a service in different namespace?
My ingress for azure application gateway, so that it will use istio gateway internally.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: server-ingress
namespace: productnamespace
...
- 11
0
votes
0
answers
101
views
How to use mTLS without using istio ingress and using azure app gateway ingress?
We have our application running in aks cluster and using cert-manager helm chart in separate namespace for lets encrypt certificate generation. argocd namespace is for handling deployments.
We need to ...
- 11
0
votes
1
answer
406
views
Istio: How do I exclude unhealthy destination from a VirtualService?
I'm trying to configure load balancing and failover for external services. Each HTTP endpoint for the service needs its own specific headers.
I created a virtual service with two destinations:
...
- 101
0
votes
0
answers
29
views
How to use open service mesh in kubernetes?
I am trying to test open service mesh for our application.
No tags in serverfault for service mesh or servicemesh or osm or open service mesh,etc.
So I kept istio as serverfault tag to this question ...
- 11
0
votes
1
answer
1k
views
Istio ingress gateway cannot connect to more than one replica for a service
I'm setting up Istio in a new AWS EKS cluster and created a basic nginx deployment to test. When the deployment only has one replica, it works perfectly, responding in less than 100ms.
When I add one ...
- 121
0
votes
1
answer
2k
views
istio gateway Not launching internal links, how to fix that?
I have deployed application in kubernetes.
It is working if we expose to a default load balancer service in azure kubernetes.
But, after setting a virtual service linked with istio ingress gateway, it ...
- 412
0
votes
2
answers
2k
views
How to route all traffic to a service in Istio?
I have a virtual service yaml file with below lines.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: nodeserver
spec:
hosts:
- "*"
gateways:
- node-...
- 412
0
votes
1
answer
1k
views
istioctl kiali is not creating, how to fix that?
From the getting started link, I was able to create a gateway and the routing to bookinfo app provided in sample.
It got deployed and able to access the app from ingress gateway of istio.
The next ...
- 412
0
votes
0
answers
221
views
Openshift Route - Cookie specification - Istio Routing
I have requirement to pass cookie or headers in openshift route to istio virtual service and decide the traffic routing based on cookie or header passed from route to virtualservice.
Please share ...
- 101
0
votes
1
answer
63
views
Canary with istio, what happen if app backend service is down/slow
App A is a Php application, service B is elasticsearch.
A is deployed via istio, with canary pattern.
A'canary and A'current use the same B service.
If B is getting slow or down, A'canary and A'...
- 1,357
0
votes
0
answers
41
views
Can a local proxy 'improve' network reliability?
Apologies for the fairly vague question but I have been working with Envoy as part of Istio recently and was wondering about one of the benefits of sidecar proxies in general
By configuring a proxy ...
- 242
0
votes
1
answer
2k
views
istio service mesh for east-west traffic management in kubernetes cluster
I am having the confusion regarding the some of use-case in our environment. First one is we will be having api gateway of our own for north/south traffic which our api gateway will be listening to ...
0
votes
1
answer
720
views
Envoy/Istio as reverse-proxy to explicit IP
I'd like to route like this (nginx pseudo-config):
server_name fou.example.com;
location "/Forskning" {
upstream https://185.102.32.26/;
}
location "/" {
upstream http://fou-web.fou.svc.cluster....
- 386