创建部署问题时,请参考下面模板,你提供的信息越多,越容易及时获得解答。如果未按模板创建问题,管理员有权关闭问题。
确保帖子格式清晰易读,用 markdown code block 语法格式化代码块。
你只花一分钟创建的问题,不能指望别人花上半个小时给你解答。
操作系统信息
例如:虚拟机/物理机,Centos7.5/Ubuntu18.04,4C/8G
macos11.5 12c16g
Kubernetes版本信息
将 kubectl version 命令执行结果贴在下方
v1.21.14 k3s / v1.24.6 k3s 均试过
容器运行时
将 docker version / crictl version / nerdctl version 结果贴在下方
KubeSphere版本信息
例如:v2.1.1/v3.0.0。离线安装还是在线安装。在已有K8s上安装还是使用kk安装。
3.3.2
问题是什么
报错日志是什么,最好有截图。
服务网格异常,无法启用灰度功能,istiod 报错如下
2023-05-09T14:33:51.398353Z error ads Failed to authenticate client from 10.42.0.199:60580: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:34:05.106708Z error ads Failed to authenticate client from 10.42.0.198:59926: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:34:07.119039Z error ads Failed to authenticate client from 10.42.0.199:33218: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:34:15.545581Z error ads Failed to authenticate client from 10.42.0.204:53136: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:34:20.101277Z error ads Failed to authenticate client from 10.42.0.187:43042: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:34:24.279343Z error ads Failed to authenticate client from 10.42.0.198:53866: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:34:25.272768Z warn serverca Authentication failed for 10.42.0.204:35660: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:34:25.461441Z error ads Failed to authenticate client from 10.42.0.204:60920: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:34:25.514024Z warn serverca Authentication failed for 10.42.0.198:40918: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:34:29.597281Z error ads Failed to authenticate client from 10.42.0.199:58050: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:34:31.029923Z warn serverca Authentication failed for 10.42.0.199:60710: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:34:32.488429Z error ads Failed to authenticate client from 10.42.0.187:34150: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:34:36.842148Z error ads Failed to authenticate client from 10.42.0.187:34162: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:34:40.317580Z error ads Failed to authenticate client from 10.42.0.187:45528: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:34:46.507406Z error ads Failed to authenticate client from 10.42.0.198:58126: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:34:51.679483Z error ads Failed to authenticate client from 10.42.0.199:34724: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:34:54.728539Z error ads Failed to authenticate client from 10.42.0.204:34896: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:34:55.523363Z warn serverca Authentication failed for 10.42.0.187:35720: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:34:57.106254Z warn serverca Authentication failed for 10.42.0.204:35660: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:34:57.327642Z warn serverca Authentication failed for 10.42.0.198:40918: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:34:58.160239Z error ads Failed to authenticate client from 10.42.0.187:46368: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:35:11.503778Z error ads Failed to authenticate client from 10.42.0.204:55558: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:35:11.702292Z warn serverca Authentication failed for 10.42.0.199:60710: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:35:12.256165Z error ads Failed to authenticate client from 10.42.0.198:46012: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:35:15.938860Z info ads Push debounce stable[36] 3: 100.717884ms since last change, 100.811426ms since last push, full=true
2023-05-09T14:35:15.948788Z info ads XDS: Pushing:2023-05-09T14:35:15Z/25 Services:35 ConnectedEndpoints:0 Version:2023-05-09T14:35:15Z/25
2023-05-09T14:35:17.178114Z error ads Failed to authenticate client from 10.42.0.199:49168: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:35:18.471458Z error ads Failed to authenticate client from 10.42.0.187:40866: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:35:23.107151Z error ads Failed to authenticate client from 10.42.0.204:58980: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:35:27.144366Z error ads Failed to authenticate client from 10.42.0.198:56506: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:35:30.365932Z warn serverca Authentication failed for 10.42.0.187:35720: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:35:36.837178Z warn serverca Authentication failed for 10.42.0.204:35660: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:35:36.890996Z warn serverca Authentication failed for 10.42.0.198:40918: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:35:43.034003Z error ads Failed to authenticate client from 10.42.0.187:43742: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:35:46.608914Z error ads Failed to authenticate client from 10.42.0.199:42186: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:35:51.995223Z error ads Failed to authenticate client from 10.42.0.204:32922: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:35:55.133959Z error ads Failed to authenticate client from 10.42.0.198:56930: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:35:57.364067Z error ads Failed to authenticate client from 10.42.0.198:56940: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:07.576390Z error ads Failed to authenticate client from 10.42.0.198:57622: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:12.946304Z error ads Failed to authenticate client from 10.42.0.187:40734: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:14.285420Z warn serverca Authentication failed for 10.42.0.199:60710: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:36:15.287575Z error ads Failed to authenticate client from 10.42.0.199:33004: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:16.532702Z error ads Failed to authenticate client from 10.42.0.199:33012: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:17.450295Z error ads Failed to authenticate client from 10.42.0.204:48230: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:21.188926Z error ads Failed to authenticate client from 10.42.0.198:57020: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:21.222673Z error ads Failed to authenticate client from 10.42.0.199:42766: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:26.803372Z error ads Failed to authenticate client from 10.42.0.199:42768: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:29.855869Z error ads Failed to authenticate client from 10.42.0.187:55266: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:35.151366Z error ads Failed to authenticate client from 10.42.0.198:40856: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:36.124491Z warn serverca Authentication failed for 10.42.0.187:35720: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:36:39.613913Z error ads Failed to authenticate client from 10.42.0.199:59924: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:41.018780Z error ads Failed to authenticate client from 10.42.0.198:57396: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:42.572998Z error ads Failed to authenticate client from 10.42.0.204:50054: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:43.362929Z warn serverca Authentication failed for 10.42.0.204:35660: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:36:43.503300Z warn serverca Authentication failed for 10.42.0.198:40918: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:36:45.044008Z error ads Failed to authenticate client from 10.42.0.204:50068: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:48.116149Z error ads Failed to authenticate client from 10.42.0.187:57596: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:36:57.585954Z error ads Failed to authenticate client from 10.42.0.204:38460: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:37:01.051979Z error ads Failed to authenticate client from 10.42.0.199:35560: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:37:01.730067Z error ads Failed to authenticate client from 10.42.0.198:33740: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:37:05.010878Z error ads Failed to authenticate client from 10.42.0.199:35562: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:37:05.295682Z error ads Failed to authenticate client from 10.42.0.199:35578: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:37:08.633276Z error ads Failed to authenticate client from 10.42.0.198:33756: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:37:09.917112Z warn serverca Authentication failed for 10.42.0.187:35720: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:37:10.629329Z error ads Failed to authenticate client from 10.42.0.198:60402: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:37:13.636924Z error ads Failed to authenticate client from 10.42.0.199:40258: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:37:13.894353Z error ads Failed to authenticate client from 10.42.0.187:56006: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:37:17.164159Z warn serverca Authentication failed for 10.42.0.199:60710: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]].
2023-05-09T14:37:25.576223Z error ads Failed to authenticate client from 10.42.0.204:34664: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:37:29.734789Z error ads Failed to authenticate client from 10.42.0.198:48282: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:37:30.356873Z error ads Failed to authenticate client from 10.42.0.199:35106: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
2023-05-09T14:37:34.596789Z error ads Failed to authenticate client from 10.42.0.187:57326: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster “Kubernetes”: the service account authentication returns an error: [invalid bearer token, token audiences [“https://kubernetes.default.svc.cluster.local” “k3s”] is invalid for the target audiences [“istio-ca”]]
示例应用的 istio-proxy 报错如下
2023-05-09T15:10:57.906598Z error failed scraping envoy metrics: error scraping http://localhost:15090/stats/prometheus: Get “http://localhost:15090/stats/prometheus”: dial tcp 127.0.0.1:15090: connect: connection refused
2023-05-09T15:11:12.902250Z error failed scraping envoy metrics: error scraping http://localhost:15090/stats/prometheus: Get “http://localhost:15090/stats/prometheus”: dial tcp 127.0.0.1:15090: connect: connection refused
2023-05-09T15:11:15.101590Z info xdsproxy connected to upstream XDS server: istiod-1-11-2.istio-system.svc:15012
2023-05-09T15:11:15.130669Z warning envoy config StreamAggregatedResources gRPC config stream closed: 16, authentication failure
2023-05-09T15:11:15.126571Z warn xdsproxy upstream [47] terminated with unexpected error rpc error: code = Unauthenticated desc = authentication failure
2023-05-09T15:11:27.899030Z error failed scraping envoy metrics: error scraping http://localhost:15090/stats/prometheus: Get “http://localhost:15090/stats/prometheus”: dial tcp 127.0.0.1:15090: connect: connection refused
2023-05-09T15:11:36.889176Z info xdsproxy connected to upstream XDS server: istiod-1-11-2.istio-system.svc:15012
2023-05-09T15:11:36.903848Z warn xdsproxy upstream [48] terminated with unexpected error rpc error: code = Unauthenticated desc = authentication failure
2023-05-09T15:11:36.906693Z warning envoy config StreamAggregatedResources gRPC config stream closed: 16, authentication failure
2023-05-09T15:11:37.696040Z warn sds failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unauthenticated desc = request authenticate failure
2023-05-09T15:11:42.900376Z error failed scraping envoy metrics: error scraping http://localhost:15090/stats/prometheus: Get “http://localhost:15090/stats/prometheus”: dial tcp 127.0.0.1:15090: connect: connection refused
2023-05-09T15:11:54.592574Z info xdsproxy connected to upstream XDS server: istiod-1-11-2.istio-system.svc:15012
2023-05-09T15:11:54.606786Z warn xdsproxy upstream [49] terminated with unexpected error rpc error: code = Unauthenticated desc = authentication failure
2023-05-09T15:11:54.609407Z warning envoy config StreamAggregatedResources gRPC config stream closed: 16, authentication failure
2023-05-09T15:11:57.902120Z error failed scraping envoy metrics: error scraping http://localhost:15090/stats/prometheus: Get “http://localhost:15090/stats/prometheus”: dial tcp 127.0.0.1:15090: connect: connection refused
2023-05-09T15:12:00.958690Z info xdsproxy connected to upstream XDS server: istiod-1-11-2.istio-system.svc:15012
2023-05-09T15:12:00.971693Z warn xdsproxy upstream [50] terminated with unexpected error rpc error: code = Unauthenticated desc = authentication failure
2023-05-09T15:12:00.973853Z warning envoy config StreamAggregatedResources gRPC config stream closed: 16, authentication failure
k8s 集群没有这个问题,猜测与 k3s 有关
