- Galley Configuration Problems
- Seemingly valid configuration is rejected
- Invalid configuration is accepted
- Creating configuration fails with x509 certificate errors
- Creating configuration fails with no such hosts or no endpoints available errors
Galley Configuration Problems
Seemingly valid configuration is rejected
Manually verify your configuration is correct, cross-referencing the Istio API reference when necessary.
Invalid configuration is accepted
Verify the istio-galley validatingwebhookconfiguration exists and is correct. The apiVersion, apiGroup, and resource of the invalid configuration should be listed in one of the two webhooks entries; if the resource is not covered by any rule, the API server never calls Galley and the object is accepted unvalidated.
```
$ kubectl get validatingwebhookconfiguration istio-galley -o yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app: istio-galley
  name: istio-galley
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: Deployment
    name: istio-galley
    uid: 5c64585d-91c6-11e8-a98a-42010a8001a8
webhooks:
- clientConfig:
    # caBundle should be non-empty. This is periodically (re)patched
    # every second by the webhook service using the ca-cert
    # from the mounted service account secret.
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1VENDQWMyZ0F3SUJBZ0lRVzVYNWpJcnJCemJmZFdLaWVoaVVSakFOQmdrcWhraUc5dzBCQVFzRkFEQWMKTVJvd0dBWURWUVFLRXhGck9ITXVZMngxYzNSbGNpNXNiMk5oYkRBZUZ3MHhPREEzTWpjeE56VTJNakJhRncweApPVEEzTWpjeE56VTJNakJhTUJ3eEdqQVlCZ05WQkFvVEVXczRjeTVqYkhWemRHVnlMbXh2WTJGc01JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdVMi9SdWlyeTNnUzdPd2xJRCtaaGZiOEpOWnMKK05OL0dRWUsxbVozb3duaEw4dnJHdDBhenpjNXFuOXo2ZEw5Z1pPVFJXeFVCYXVJMUpOa3d0dSt2NmRjRzlkWgp0Q2JaQWloc1BLQWQ4MVRaa3RwYkNnOFdrcTRyNTh3QldRemNxMldsaFlPWHNlWGtRejdCbStOSUoyT0NRbmJwCjZYMmJ4Slc2OGdaZkg2UHlNR0libXJxaDgvZ2hISjFha3ptNGgzc0VGU1dTQ1Y2anZTZHVJL29NM2pBem5uZlUKU3JKY3VpQnBKZmJSMm1nQm4xVmFzNUJNdFpaaTBubDYxUzhyZ1ZiaHp4bWhpeFhlWU0zQzNHT3FlRUthY0N3WQo0TVczdEJFZ3NoN2ovZGM5cEt1ZG1wdFBFdit2Y2JnWjdreEhhazlOdFV2YmRGempJeTMxUS9Qd1NRSURBUUFCCm95TXdJVEFPQmdOVkhROEJBZjhFQkFNQ0FnUXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEIKQVFzRkFBT0NBUUVBTnRLSnVkQ3NtbTFzU3dlS2xKTzBIY1ZMQUFhbFk4ZERUYWVLNksyakIwRnl0MkM3ZUtGSAoya3JaOWlkbWp5Yk8xS0djMVlWQndNeWlUMGhjYWFlaTdad2g0aERRWjVRN0k3ZFFuTVMzc2taR3ByaW5idU1aCmg3Tm1WUkVnV1ZIcm9OcGZEN3pBNEVqWk9FZzkwR0J6YXUzdHNmanI4RDQ1VVRJZUw3M3hwaUxmMXhRTk10RWEKd0NSelplQ3lmSUhra2ZrTCtISVVGK0lWV1g2VWp2WTRpRDdRR0JCenpHZTluNS9KM1g5OU1Gb1F3bExjNHMrTQpnLzNQdnZCYjBwaTU5MWxveXluU3lkWDVqUG5ibDhkNEFJaGZ6OU8rUTE5UGVULy9ydXFRNENOancrZmVIbTBSCjJzYmowZDd0SjkyTzgwT2NMVDlpb05NQlFLQlk3cGlOUkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    service:
      # service corresponds to the Kubernetes service that implements the
      # webhook, e.g. istio-galley.istio-system.svc:443
      name: istio-galley
      namespace: istio-system
      path: /admitpilot
  failurePolicy: Fail
  name: pilot.validation.istio.io
  namespaceSelector: {}
  rules:
  - apiGroups:
    - config.istio.io
    apiVersions:
    - v1alpha2
    operations:
    - CREATE
    - UPDATE
    resources:
    - httpapispecs
    - httpapispecbindings
    - quotaspecs
    - quotaspecbindings
  - apiGroups:
    - rbac.istio.io
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    resources:
    - '*'
  - apiGroups:
    - authentication.istio.io
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    resources:
    - '*'
  - apiGroups:
    - networking.istio.io
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    resources:
    - destinationrules
    - envoyfilters
    - gateways
    - virtualservices
- clientConfig:
    # caBundle should be non-empty. This is periodically (re)patched
    # every second by the webhook service using the ca-cert
    # from the mounted service account secret.
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1VENDQWMyZ0F3SUJBZ0lRVzVYNWpJcnJCemJmZFdLaWVoaVVSakFOQmdrcWhraUc5dzBCQVFzRkFEQWMKTVJvd0dBWURWUVFLRXhGck9ITXVZMngxYzNSbGNpNXNiMk5oYkRBZUZ3MHhPREEzTWpjeE56VTJNakJhRncweApPVEEzTWpjeE56VTJNakJhTUJ3eEdqQVlCZ05WQkFvVEVXczRjeTVqYkhWemRHVnlMbXh2WTJGc01JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdVMi9SdWlyeTNnUzdPd2xJRCtaaGZiOEpOWnMKK05OL0dRWUsxbVozb3duaEw4dnJHdDBhenpjNXFuOXo2ZEw5Z1pPVFJXeFVCYXVJMUpOa3d0dSt2NmRjRzlkWgp0Q2JaQWloc1BLQWQ4MVRaa3RwYkNnOFdrcTRyNTh3QldRemNxMldsaFlPWHNlWGtRejdCbStOSUoyT0NRbmJwCjZYMmJ4Slc2OGdaZkg2UHlNR0libXJxaDgvZ2hISjFha3ptNGgzc0VGU1dTQ1Y2anZTZHVJL29NM2pBem5uZlUKU3JKY3VpQnBKZmJSMm1nQm4xVmFzNUJNdFpaaTBubDYxUzhyZ1ZiaHp4bWhpeFhlWU0zQzNHT3FlRUthY0N3WQo0TVczdEJFZ3NoN2ovZGM5cEt1ZG1wdFBFdit2Y2JnWjdreEhhazlOdFV2YmRGempJeTMxUS9Qd1NRSURBUUFCCm95TXdJVEFPQmdOVkhROEJBZjhFQkFNQ0FnUXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEIKQVFzRkFBT0NBUUVBTnRLSnVkQ3NtbTFzU3dlS2xKTzBIY1ZMQUFhbFk4ZERUYWVLNksyakIwRnl0MkM3ZUtGSAoya3JaOWlkbWp5Yk8xS0djMVlWQndNeWlUMGhjYWFlaTdad2g0aERRWjVRN0k3ZFFuTVMzc2taR3ByaW5idU1aCmg3Tm1WUkVnV1ZIcm9OcGZEN3pBNEVqWk9FZzkwR0J6YXUzdHNmanI4RDQ1VVRJZUw3M3hwaUxmMXhRTk10RWEKd0NSelplQ3lmSUhra2ZrTCtISVVGK0lWV1g2VWp2WTRpRDdRR0JCenpHZTluNS9KM1g5OU1Gb1F3bExjNHMrTQpnLzNQdnZCYjBwaTU5MWxveXluU3lkWDVqUG5ibDhkNEFJaGZ6OU8rUTE5UGVULy9ydXFRNENOancrZmVIbTBSCjJzYmowZDd0SjkyTzgwT2NMVDlpb05NQlFLQlk3cGlOUkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    service:
      # service corresponds to the Kubernetes service that implements the
      # webhook, e.g. istio-galley.istio-system.svc:443
      name: istio-galley
      namespace: istio-system
      path: /admitmixer
  failurePolicy: Fail
  name: mixer.validation.istio.io
  namespaceSelector: {}
  rules:
  - apiGroups:
    - config.istio.io
    apiVersions:
    - v1alpha2
    operations:
    - CREATE
    - UPDATE
    resources:
    - rules
    - attributemanifests
    - circonuses
    - deniers
    - fluentds
    - kubernetesenvs
    - listcheckers
    - memquotas
    - noops
    - opas
    - prometheuses
    - rbacs
    - servicecontrols
    - solarwindses
    - stackdrivers
    - statsds
    - stdios
    - apikeys
    - authorizations
    - checknothings
    - listentries
    - logentries
    - metrics
    - quotas
    - reportnothings
    - servicecontrolreports
    - tracespans
```
If the validatingwebhookconfiguration doesn't exist, verify the istio-galley-configuration configmap exists. istio-galley uses the data from this configmap to create and update the validatingwebhookconfiguration.
```
$ kubectl -n istio-system get configmap istio-galley-configuration -o jsonpath='{.data}'
map[validatingwebhookconfiguration.yaml:apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: istio-galley
  namespace: istio-system
  labels:
    app: istio-galley
    chart: galley-1.0.0
    release: istio
    heritage: Tiller
webhooks:
  - name: pilot.validation.istio.io
    clientConfig:
      service:
        name: istio-galley
        namespace: istio-system
        path: "/admitpilot"
      caBundle: ""
    rules:
      - operations:
(... snip ...)
```
If the webhook array in istio-galley-configuration is empty, verify the galley.enabled and global.configValidation installation options are set.
The istio-galley validation configuration is fail-closed (failurePolicy: Fail on both webhooks). If the configuration exists and is scoped properly, the webhook will be invoked. A missing caBundle, bad certificate, or network connectivity problem will produce an error message when the resource is created or updated. If you don't see any error message, the webhook wasn't invoked, and the webhook configuration is valid, your cluster is misconfigured (for example, the API server is not running the ValidatingAdmissionWebhook admission controller, so no webhook is ever called).
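As an added example (not Istio's own code), the Python script below performs the checks from this section offline against the JSON form of the same object, i.e. the output of `kubectl get validatingwebhookconfiguration istio-galley -o json`. It reports which webhook the API server would invoke for a given apiGroup, apiVersion, plural resource name and operation (an empty answer means the object is out of scope and will be accepted without validation), and it lists webhooks whose caBundle is empty or whose failurePolicy is not Fail. The embedded configuration is a constructed, abbreviated sample modelled on the YAML shown above, with the mixer webhook's caBundle left empty on purpose; the `'*'` wildcard matching follows the Kubernetes admission rule semantics, and namespaceSelector is deliberately not evaluated, which is correct for the `{}` selector shown but is a simplification for anything else.

```python
"""Offline checks for an Istio Galley ValidatingWebhookConfiguration.

Feed it the JSON printed by
    kubectl get validatingwebhookconfiguration istio-galley -o json
and it answers two questions from the troubleshooting steps:
  1. which webhook (if any) the API server calls for a given
     apiGroup / apiVersion / plural resource / operation;
  2. which webhooks have an empty caBundle or are not fail-closed.
namespaceSelector is not evaluated (assumed to be {} as on the page).
"""
import json
from typing import Dict, List

# Constructed sample, abbreviated from the `-o json` form of the page's output.
# The mixer webhook's caBundle is left empty to model a Galley that has not
# (yet) patched it. The pilot caBundle is a non-empty placeholder, not a cert.
SAMPLE_WEBHOOK_CONFIG = json.dumps({
    "apiVersion": "admissionregistration.k8s.io/v1beta1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "istio-galley"},
    "webhooks": [
        {
            "name": "pilot.validation.istio.io",
            "failurePolicy": "Fail",
            "clientConfig": {
                "caBundle": "Q09OU1RSVUNURUQ=",  # placeholder, not a real CA bundle
                "service": {"name": "istio-galley", "namespace": "istio-system",
                            "path": "/admitpilot"},
            },
            "rules": [
                {"apiGroups": ["networking.istio.io"], "apiVersions": ["*"],
                 "operations": ["CREATE", "UPDATE"],
                 "resources": ["destinationrules", "envoyfilters", "gateways",
                               "virtualservices"]},
                {"apiGroups": ["authentication.istio.io"], "apiVersions": ["*"],
                 "operations": ["CREATE", "UPDATE"], "resources": ["*"]},
            ],
        },
        {
            "name": "mixer.validation.istio.io",
            "failurePolicy": "Fail",
            "clientConfig": {
                "caBundle": "",  # deliberately empty: triggers the x509 error
                "service": {"name": "istio-galley", "namespace": "istio-system",
                            "path": "/admitmixer"},
            },
            "rules": [
                {"apiGroups": ["config.istio.io"], "apiVersions": ["v1alpha2"],
                 "operations": ["CREATE", "UPDATE"],
                 "resources": ["rules", "attributemanifests", "metrics", "quotas"]},
            ],
        },
    ],
})


def _matches(allowed: List[str], want: str) -> bool:
    """A rule field matches when it lists the value itself or the '*' wildcard."""
    return any(v == "*" or v == want for v in allowed)


def rule_covers(rule: Dict, api_group: str, api_version: str,
                resource: str, operation: str) -> bool:
    """True if one rules[] entry selects this request (all four fields must match)."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("apiVersions", []), api_version)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("operations", []), operation))


def webhooks_covering(config: Dict, api_group: str, api_version: str,
                      resource: str, operation: str = "CREATE") -> List[str]:
    """Names of the webhooks the API server would call for this request.
    Empty means the object is out of scope and is admitted unvalidated."""
    return [wh["name"] for wh in config.get("webhooks", [])
            if any(rule_covers(r, api_group, api_version, resource, operation)
                   for r in wh.get("rules", []))]


def webhooks_with_empty_ca_bundle(config: Dict) -> List[str]:
    """Webhooks whose clientConfig.caBundle is missing or empty; the API server
    then cannot verify Galley's serving cert ('x509: ... unknown authority')."""
    return [wh["name"] for wh in config.get("webhooks", [])
            if not wh.get("clientConfig", {}).get("caBundle")]


def webhooks_not_fail_closed(config: Dict) -> List[str]:
    """Webhooks that would admit objects silently if Galley were unreachable."""
    return [wh["name"] for wh in config.get("webhooks", [])
            if wh.get("failurePolicy") != "Fail"]


def diagnose(config_json: str, api_group: str, api_version: str,
             resource: str, operation: str = "CREATE") -> Dict[str, List[str]]:
    """Run all checks over the JSON text of a ValidatingWebhookConfiguration."""
    config = json.loads(config_json)
    return {
        "covered_by": webhooks_covering(config, api_group, api_version, resource, operation),
        "empty_ca_bundle": webhooks_with_empty_ca_bundle(config),
        "not_fail_closed": webhooks_not_fail_closed(config),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # kubectl ... -o json | python3 check.py <group> <version> <resource>
        report = diagnose(sys.stdin.read(), sys.argv[1], sys.argv[2], sys.argv[3])
    else:                    # no cluster: run against the constructed sample
        report = diagnose(SAMPLE_WEBHOOK_CONFIG, "networking.istio.io", "v1alpha3", "serviceentries")
    for key, names in report.items():
        print(f"{key}: {names or '-'}")
```

Against the sample, a ServiceEntry (networking.istio.io/v1alpha3, serviceentries) is covered by no webhook, so an invalid one would be accepted, while a VirtualService is routed to pilot.validation.istio.io; the mixer webhook is flagged for its empty caBundle. Run it for real with `kubectl get validatingwebhookconfiguration istio-galley -o json | python3 check.py networking.istio.io v1alpha3 virtualservices` (the script name is arbitrary).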
Creating configuration fails with x509 certificate errors
x509: certificate signed by unknown authority and related errors are typically caused by an empty caBundle in the webhook configuration. Verify that it is not empty (see the webhook configuration check under Invalid configuration is accepted). The istio-galley deployment continuously reconciles the webhook configuration using the istio-galley-configuration configmap and the root certificate mounted from the istio.istio-galley-service-account secret in the istio-system namespace.
- Verify the istio-galley pod(s) are running:
```
$ kubectl -n istio-system get pod -listio=galley
NAME                            READY     STATUS    RESTARTS   AGE
istio-galley-5dbbbdb746-d676g   1/1       Running   0          2d
```
- Verify you're using Istio version >= 1.0.0. Older versions of Galley did not properly re-patch the caBundle. This typically happened when the istio.yaml was re-applied, overwriting a previously patched caBundle.
```
$ for pod in $(kubectl -n istio-system get pod -listio=galley -o jsonpath='{.items[*].metadata.name}'); do \
    kubectl -n istio-system exec ${pod} -it /usr/local/bin/galley version | grep ^Version; \
done
Version: 1.0.0
```
- Check the Galley pod logs for errors. Failing to patch the caBundle should print an error.
```
$ for pod in $(kubectl -n istio-system get pod -listio=galley -o jsonpath='{.items[*].metadata.name}'); do \
    kubectl -n istio-system logs ${pod}; \
done
```
- If the patching failed, verify the RBAC configuration for Galley:
```
$ kubectl get clusterrole istio-galley-istio-system -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: istio-galley
  name: istio-galley-istio-system
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - '*'
- apiGroups:
  - config.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - '*'
  resourceNames:
  - istio-galley
  resources:
  - deployments
  verbs:
  - get
```
istio-galley needs write access to validatingwebhookconfigurations to create and update the istio-galley validatingwebhookconfiguration. Note that the role above grants every verb on all validatingwebhookconfigurations cluster-wide, not just on istio-galley, so anyone holding the Galley service account token can alter or delete any validating webhook in the cluster.
Creating configuration fails with no such hosts or no endpoints available errors
Validation is fail-closed. If the istio-galley pod is not ready, configuration cannot be created or updated. In such cases you'll see an error about no endpoints available.
Verify the istio-galley pod(s) are running and endpoints are ready.
```
$ kubectl -n istio-system get pod -listio=galley
NAME                            READY     STATUS    RESTARTS   AGE
istio-galley-5dbbbdb746-d676g   1/1       Running   0          2d
```
```
$ kubectl -n istio-system get endpoints istio-galley
NAME           ENDPOINTS                           AGE
istio-galley   10.48.6.108:15014,10.48.6.108:443   3d
```
If the pods or endpoints aren't ready, check the pod logs and status for any indication about why the webhook pod is failing to start and serve traffic.
```
$ for pod in $(kubectl -n istio-system get pod -listio=galley -o jsonpath='{.items[*].metadata.name}'); do \
    kubectl -n istio-system logs ${pod}; \
done
```
```
$ for pod in $(kubectl -n istio-system get pod -listio=galley -o name); do \
    kubectl -n istio-system describe ${pod}; \
done
```
