
Analysis of the problem of Istio opening mtls request 503

2025-04-02 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/02 Report--

Background

To test Istio traffic management, two versions (v1 and v2) of sleep and flaskapp are deployed into the Istio environment (see the reference links for the deployment files). When sleep-v1 calls http://flaskapp/env/version on flaskapp, the responses v1 and v2 should be printed alternately. Instead, the call fails with 503 reset reason: connection failure, so the steps, phenomenon, analysis and verification of the problem are written up here.

Steps

Deploy the sleep and flaskapp applications, enable mTLS on the Istio platform, enable automatic sidecar injection for the namespace kangxzh, and deploy as shown below:

kubectl apply -f sleep.istio.yaml -n kangxzh
kubectl apply -f flask.isito.yaml -n kangxzh
# View pod creation
kubectl -n kangxzh get pod -w
flaskapp-v1-775dbb9b79-z54fj   2   Running   0   13s
flaskapp-v2-d454cdd47-mdb8s    2   Running   0   14s
sleep-v1-7f45c6cf94-zgdsf      2   Running   0   19h
sleep-v2-58dff94b49-fz6sj      2   Running   0   19h

Phenomenon

Initiate an HTTP request from the sleep application to flaskapp with curl http://flaskapp/env/version, as shown below:

# export SOURCE_POD=$(kubectl get pod -l app=sleep,version=v1 -o jsonpath={.items.metadata.name})
# enter sleep to launch the http request
kubectl -n kangxzh exec -it -c sleep $SOURCE_POD bash
bash-4.4# curl http://flaskapp/env/version
# response
upstream connect error or disconnect/reset before headers. reset reason: connection failure

Analysis

1. Check the flaskapp TLS configuration as follows:

[root@kubernetes-master flaskapp]# istioctl authn tls-check flaskapp-v1-775dbb9b79-z54fj flaskapp.kangxzh.svc.cluster.local
HOST:PORT                                STATUS  SERVER  CLIENT  AUTHN POLICY  DESTINATION RULE
flaskapp.kangxzh.svc.cluster.local:80    OK      mTLS    mTLS    default/      default/istio-system

STATUS OK confirms that flaskapp's TLS is configured correctly.

Enter the istio-proxy container of sleep and initiate an HTTP request to flaskapp:

kubectl -n kangxzh exec -it -c istio-proxy $SOURCE_POD bash
# initiate the request
curl http://flaskapp/env/version
# response
v1

2. The response can be obtained through istio-proxy. Since mTLS is enabled, a direct request from istio-proxy should require an Istio client certificate, yet the request succeeds without one. So the iptables configuration of flaskapp is checked, as shown below:

# get the process number
PID=$(docker inspect --format '{{.State.Pid}}' $(docker ps | grep flaskapp-v1 | awk '{print $1}' | head -n 1))
# View iptables rules
nsenter -t ${PID} -n iptables -t nat -L -n -v
# output
Chain PREROUTING (policy ACCEPT 477 packets, 28620 bytes)
 pkts bytes target         prot opt in  out  source      destination
  487 29220 ISTIO_INBOUND  tcp  --  *   *    0.0.0.0/0   0.0.0.0/0

Chain INPUT (policy ACCEPT 487 packets, 29220 bytes)
 pkts bytes target         prot opt in  out  source      destination

Chain OUTPUT (policy ACCEPT 220 packets, 20367 bytes)
 pkts bytes target         prot opt in  out  source      destination
    0   480 ISTIO_OUTPUT   tcp  --  *   *    0.0.0.0/0   0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 220 packets, 20367 bytes)
 pkts bytes target         prot opt in  out  source      destination

Chain ISTIO_INBOUND (1 references)
 pkts bytes target             prot opt in  out  source      destination
   10   600 ISTIO_IN_REDIRECT  tcp  --  *   *    0.0.0.0/0   0.0.0.0/0
# the rule "ISTIO_IN_REDIRECT tcp ... tcp dpt:80" is missing here; it only appears after the deployment is modified

Chain ISTIO_IN_REDIRECT (1 references)
 pkts bytes target    prot opt in  out  source      destination
   10   600 REDIRECT  tcp  --  *   *    0.0.0.0/0   0.0.0.0/0   redir ports 15001

Chain ISTIO_OUTPUT (1 references)
 pkts bytes target          prot opt in  out  source      destination
    0     0 ISTIO_REDIRECT  all  --  *   lo   0.0.0.0/0   !127.0.0.1
    8   480 RETURN          all  --  *   *    0.0.0.0/0   0.0.0.0/0   owner UID match 1337
    0     0 RETURN          all  --  *   *    0.0.0.0/0   0.0.0.0/0   owner GID match 1337
    0     0 RETURN          all  --  *   *    0.0.0.0/0   127.0.0.1
    0     0 ISTIO_REDIRECT  all  --  *   *    0.0.0.0/0   0.0.0.0/0

Chain ISTIO_REDIRECT (2 references)
 pkts bytes target    prot opt in  out  source      destination
    0     0 REDIRECT  tcp  --  *   *    0.0.0.0/0   0.0.0.0/0   redir ports 15001

This proves that Envoy did not hijack inbound traffic to flaskapp port 80; that is, in step 2 above the istio-proxy of sleep reaches flaskapp directly, without being forwarded through the istio-proxy of flaskapp.

Check the flaskapp deployment at this point, as shown below:

...

-
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: flaskapp-v1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: flaskapp
        version: v1
    spec:
      containers:
      - name: flaskapp
        image: dustise/flaskapp
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80   # this containerPort entry is missing from the deployment
        env:
        - name: version
          value: v1

The official requirements page, https://istio.io/docs/setup/kubernetes/additional-setup/requirements/, states:

Pod ports: Pods must include an explicit list of the ports each container listens on. Use a containerPort configuration in the container specification for each port. Any unlisted ports bypass the Istio proxy.

At the same time, describe on the flaskapp pod shows the following:

kubectl describe pod flaskapp-v1-6df8d69fb8-fb5mr -n kangxzh
# istio-proxy:
...   (some output omitted)
    Args:
      ...
      --concurrency
      2
      --controlPlaneAuthPolicy
      MUTUAL_TLS
      --statusPort
      15020
      --applicationPorts
      ""          # empty

After adding containerPort: 80 to the deployment, it becomes:

# istio-proxy:
...   (some output omitted)
    Args:
      ...
      --concurrency
      2
      --controlPlaneAuthPolicy
      MUTUAL_TLS
      --statusPort
      15020
      --applicationPorts
      80

Note: since Istio 1.2, the same goal can also be achieved by setting the traffic.sidecar.istio.io/includeInboundPorts annotation on the Pod. Its default value is the Pod's containerPorts list; it is a comma-separated list of listening ports whose inbound traffic is redirected to the sidecar, and * redirects all ports. For details see the Istio 1.2 release notes on the official website (see link).
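The following is an added example, not code from the original post or from Istio: it applies the rule just described (inbound ports come from the containerPort list unless the includeInboundPorts annotation overrides them, with * meaning all ports) to a Service and Pod spec, so the bypass that caused the 503 here can be caught before mTLS is enabled. The Pod and Service dicts are constructed to resemble flaskapp; the port 8080 in the annotated variant is an assumption.

```python
INCLUDE_ANNOTATION = "traffic.sidecar.istio.io/includeInboundPorts"


def sidecar_inbound_ports(pod):
    """Ports the sidecar will intercept for this Pod; None means '*' (all ports)."""
    annotation = pod.get("metadata", {}).get("annotations", {}).get(INCLUDE_ANNOTATION)
    if annotation is not None:
        annotation = annotation.strip()
        if annotation == "*":
            return None
        return {int(p) for p in annotation.split(",") if p.strip()}
    # No override: Istio uses the containerPort list, exactly the case on this page.
    return {int(port["containerPort"])
            for container in pod["spec"].get("containers", [])
            for port in container.get("ports", [])}


def _resolve_target_port(pod, target):
    """Resolve a Service targetPort (number or container port name) to a number."""
    if isinstance(target, int):
        return target
    for container in pod["spec"].get("containers", []):
        for port in container.get("ports", []):
            if port.get("name") == target:
                return int(port["containerPort"])
    return None  # named port not declared anywhere in the Pod


def find_bypassed_ports(service, pod):
    """Service target ports that the Pod's sidecar will NOT intercept (mTLS not enforced)."""
    intercepted = sidecar_inbound_ports(pod)
    if intercepted is None:
        return []
    bypassed = []
    for sp in service["spec"]["ports"]:
        target = _resolve_target_port(pod, sp.get("targetPort", sp["port"]))
        if target is None or target not in intercepted:
            bypassed.append(sp["port"])
    return bypassed


# Constructed sample objects resembling the flaskapp Service and Pod from this post.
FLASKAPP_SERVICE = {"spec": {"ports": [{"port": 80, "targetPort": 80}]}}
_CONTAINER = {"name": "flaskapp", "image": "dustise/flaskapp"}
POD_NO_CONTAINER_PORT = {"metadata": {}, "spec": {"containers": [dict(_CONTAINER)]}}
POD_WITH_CONTAINER_PORT = {"metadata": {}, "spec": {"containers": [
    dict(_CONTAINER, ports=[{"name": "http", "containerPort": 80}])]}}
POD_ANNOTATED = {"metadata": {"annotations": {INCLUDE_ANNOTATION: "80,8080"}},
                 "spec": {"containers": [dict(_CONTAINER)]}}
```

Run find_bypassed_ports against every Service/Pod pair in a namespace before enabling strict mTLS; any non-empty result is a port that the client sidecar will try to reach over mTLS while the server-side proxy never sees it.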

Verification

sleep initiates a request:

[root@kubernetes-master flaskapp]# kubectl -n kangxzh exec -it -c sleep $SOURCE_POD bash
bash-4.4# curl http://flaskapp/env/version
# response
v1

The istio-proxy of sleep initiates a request without carrying a certificate:

kubectl -n kangxzh exec -it -c istio-proxy $SOURCE_POD bash
istio-proxy@sleep-v1-7f45c6cf94-zgdsf:/$ curl http://flaskapp/env/version
# response
curl: (56) Recv failure: Connection reset by peer

The istio-proxy of sleep initiates a request carrying a certificate:

istio-proxy@sleep-v1-7f45c6cf94-zgdsf:/$ curl https://flaskapp:80/env/version --key /etc/certs/key.pem --cert /etc/certs/cert-chain.pem --cacert /etc/certs/root-cert.pem -k
# response
v1

Reference link

https://github.com/fleeto/sleep

https://github.com/fleeto/flaskapp

https://istio.io/docs/setup/kubernetes/additional-setup/requirements/

https://preliminary.istio.io/about/notes/1.2/
