v3.4.1 安装在 阿里云ACK1.30 版本上。
使用阿里云ASM(istio) nativate 模式注入sidercar,容器状态是正常的,但是界面显示Init:½, 初始化中。 好像init container中 Completed 状态无法正常识别
init 状态显示如下图:
container 显示如下:
kubectl 命令显示如下(2/2):
pod注入后的 yaml 如下:
apiVersion: v1
kind: Pod
metadata:
annotations:
istio.io/rev: 1-22-6
k8s.aliyun.com/pod-ips: 10.100.95.93
kubectl.kubernetes.io/default-container: notification-sms
kubectl.kubernetes.io/default-logs-container: notification-sms
kubectl.kubernetes.io/restartedAt: "2024-09-25T17:27:09+08:00"
sidecar.istio.io/inject: "true"
sidecar.istio.io/interceptionMode: REDIRECT
sidecar.istio.io/status: '{"initContainers":["istio-validation","istio-proxy"],"containers":null,"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"1-22-6"}'
traffic.sidecar.istio.io/excludeInboundPorts: "15020"
traffic.sidecar.istio.io/excludeOutboundIPRanges: 10.101.0.1/32
traffic.sidecar.istio.io/includeInboundPorts: '\*'
traffic.sidecar.istio.io/includeOutboundIPRanges: '\*'creationTimestamp: “2024-09-25T11:52:17Z”
generateName: notification-sms-v1-d44b7f94-
labels:
app: notification-sms
pod-template-hash: d44b7f94
security.istio.io/tlsMode: istio
service.istio.io/canonical-name: notification-sms
service.istio.io/canonical-revision: v1
version: v1name: notification-sms-v1-d44b7f94-4nwgx
namespace: dw-prod-a
ownerReferences:
apiVersion: apps/v1
blockOwnerDeletion: true
controller: true
kind: ReplicaSet
name: notification-sms-v1-d44b7f94
uid: 470093f0-6669-45d8-b3ad-f2af4b1942e8
resourceVersion: “2566306”
uid: 3fad0269-57c3-4793-b730-aa3364499cdf
spec:
containers:
env:
name: PROJECT_NAME
value: notification-sms
name: env
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
name: OTEL_SERVICE_NAME
value: $(OTEL_CLUSTER)-notification-sms
name: VERSION
value: v1
envFrom:
configMapRef:
name: appenv
image: registry-dt-registry-vpc.cn-hangzhou.cr.aliyuncs.com/runtime/notification-sms:production-deploy-20240925194000
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /app-health/notification-sms/livez
port: 15020
scheme: HTTP
initialDelaySeconds: 20
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 3
name: notification-sms
ports:
containerPort: 8080
name: http
protocol: TCP
containerPort: 9000
name: grpc
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /app-health/notification-sms/readyz
port: 15020
scheme: HTTP
initialDelaySeconds: 20
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 3
resources:
limits:
cpu: 800m
memory: 1Gi
requests:
cpu: 10m
memory: 64Mi
securityContext:
capabilities:
drop:
KILL
MKNOD
privileged: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-shhnr
readOnly: true
dnsConfig:
options:
- name: single-request-reopen
dnsPolicy: ClusterFirst
enableServiceLinks: true
hostAliases:
hostnames:
istiod-1-22-6.istio-system.svc
ip: 10.100.136.26
imagePullSecrets:
name: acr-credential-secret-aggregation
initContainers:
args:
istio-iptables
-p
“15001”
-z
“15006”
-u
“1337”
-m
REDIRECT
-i
‘*’
-x
10.101.0.1/32
-b
‘*’
-d
15090,15021,15081,9191,15020
–log_output_level=default:info
–run-validation
–skip-rule-apply
env:
name: DNS_AGENT
name: EXIT_ON_ZERO_ACTIVE_CONNECTIONS
value: “true”
image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2:v1.22.2.35-ge64ec8af-aliyun
imagePullPolicy: IfNotPresent
name: istio-validation
resources:
limits:
cpu: “2”
memory: 1Gi
requests:
cpu: 10m
memory: 10Mi
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-shhnr
readOnly: true
args:
proxy
sidecar
–domain
$(POD_NAMESPACE).svc.cluster.local
–proxyLogLevel=warning
–proxyComponentLogLevel=misc:error
–log_output_level=default:info
env:
name: TERMINATION_DRAIN_DURATION_SECONDS
value: “5”
name: PILOT_CERT_PROVIDER
value: istiod
name: CA_ADDR
value: istiod-1-22-6.istio-system.svc:15012
name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
name: ISTIO_CPU_LIMIT
valueFrom:
resourceFieldRef:
divisor: “0”
resource: limits.cpu
name: PROXY_CONFIG
value: ‘{“concurrency”:2,“configPath”:“/etc/istio/proxy”,“discoveryAddress”:“istiod-1-22-6.istio-system.svc:15012”,“proxyMetadata”:{“DNS_AGENT”:"",“EXIT_ON_ZERO_ACTIVE_CONNECTIONS”:“true”},“tracing”:{“zipkin”:{“address”:“zipkin.istio-system:9411”}}}’
name: ISTIO_META_POD_PORTS
value: |-
[
{"name":"http","containerPort":8080,"protocol":"TCP"} ,{"name":"grpc","containerPort":9000,"protocol":"TCP"}
]
- name: ISTIO_META_APP_CONTAINERS
value: notification-sms
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
divisor: "0"
resource: limits.memory
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
divisor: "0"
resource: limits.cpu
- name: ISTIO_META_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: ISTIO_META_INTERCEPTION_MODE
value: REDIRECT
- name: ISTIO_META_WORKLOAD_NAME
value: notification-sms-v1
- name: ASM_APP_VERSION
value: v1
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/dw-prod-a/deployments/notification-sms-v1
- name: ISTIO_META_MESH_ID
value: cf93e8b8057684aaaa392d483a8060e44
- name: ASM_ID
value: cc150cd69be5a428f995afdec24b8d8c0
- name: TRUST_DOMAIN
value: cluster.local
- name: DNS_AGENT
- name: EXIT_ON_ZERO_ACTIVE_CONNECTIONS
value: "true"
- name: ISTIO_META_CLUSTER_ID
value: cf93e8b8057684aaaa392d483a8060e44
- name: ISTIO_KUBE_APP_PROBERS
value: '{"/app-health/notification-sms/livez":{"tcpSocket":{"port":9000},"timeoutSeconds":3},"/app-health/notification-sms/readyz":{"tcpSocket":{"port":9000},"timeoutSeconds":3}}'
image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2:v1.22.2.35-ge64ec8af-aliyun
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- pilot-agent
- request
- --debug-port=15020
- POST
- drain
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 3
resources:
limits:
cpu: "2"
memory: 1Gi
requests:
cpu: 100m
memory: 128Mi
restartPolicy: Always
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/secrets/workload-spiffe-uds
name: workload-socket
- mountPath: /var/run/secrets/credential-uds
name: credential-socket
- mountPath: /var/run/secrets/workload-spiffe-credentials
name: workload-certs
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
- mountPath: /var/lib/istio/data
name: istio-data
- mountPath: /etc/istio/proxy
name: istio-envoy
- mountPath: /var/run/secrets/tokens
name: istio-token
- mountPath: /etc/istio/pod
name: istio-podinfo
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-shhnr
readOnly: truenodeName: ack-dw-prod10.100.94.185
preemptionPolicy: PreemptLowerPriority
priority: 0
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: default
serviceAccountName: default
terminationGracePeriodSeconds: 30
tolerations:
effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 300
effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 300
volumes:
emptyDir: {}
name: workload-socket
emptyDir: {}
name: credential-socket
emptyDir: {}
name: workload-certs
emptyDir:
medium: Memory
name: istio-envoy
emptyDir: {}
name: istio-data
downwardAPI:
defaultMode: 420
items:
fieldRef:
apiVersion: v1
fieldPath: metadata.labels
path: labels
fieldRef:
apiVersion: v1
fieldPath: metadata.annotations
path: annotations
name: istio-podinfo
name: istio-token
projected:
defaultMode: 420
sources:
serviceAccountToken:
audience: istio-ca
expirationSeconds: 86400
path: istio-token
configMap:
defaultMode: 420
name: istio-ca-root-cert
name: istiod-ca-cert
name: kube-api-access-shhnr
projected:
defaultMode: 420
sources:
serviceAccountToken:
expirationSeconds: 3607
path: token
configMap:
items:
key: ca.crt
path: ca.crt
name: kube-root-ca.crt
downwardAPI:
items:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
status:
conditions:
lastProbeTime: null
lastTransitionTime: “2024-09-25T11:52:18Z”
status: “True”
type: PodReadyToStartContainers
lastProbeTime: null
lastTransitionTime: “2024-09-25T11:52:20Z”
status: “True”
type: Initialized
lastProbeTime: null
lastTransitionTime: “2024-09-25T11:52:47Z”
status: “True”
type: Ready
lastProbeTime: null
lastTransitionTime: “2024-09-25T11:52:47Z”
status: “True”
type: ContainersReady
lastProbeTime: null
lastTransitionTime: “2024-09-25T11:52:17Z”
status: “True”
type: PodScheduled
containerStatuses:
containerID: containerd://1ea400a42e0d72ea0f128ed71f66ade5d56fc244b4307301aca71c69469383d9
image: registry-dt-registry-vpc.cn-hangzhou.cr.aliyuncs.com/runtime/notification-sms:production-deploy-20240925194000
imageID: registry-dt-registry-vpc.cn-hangzhou.cr.aliyuncs.com/runtime/notification-sms@sha256:d0b5343a703248d512643ab50df1a161595c9d9a5fdd83d52fc0d5029f63e5fa
lastState: {}
name: notification-sms
ready: true
restartCount: 0
started: true
state:
running:
startedAt: "2024-09-25T11:52:22Z"
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-shhnr
readOnly: true
recursiveReadOnly: DisabledhostIP: 10.100.94.185
hostIPs:
ip: 10.100.94.185
initContainerStatuses:
containerID: containerd://2281917072fc7675c83d109023f72a0ccdcc196fde77fa7e5b105e3035070fe5
image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2:v1.22.2.35-ge64ec8af-aliyun
imageID: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2@sha256:052c034215c5c248e10556b7e506de0068c110eb6b50a584ff2393b70c3e116c
lastState: {}
name: istio-validation
ready: true
restartCount: 0
started: false
state:
terminated:
containerID: containerd://2281917072fc7675c83d109023f72a0ccdcc196fde77fa7e5b105e3035070fe5 exitCode: 0 finishedAt: "2024-09-25T11:52:18Z" reason: Completed startedAt: "2024-09-25T11:52:18Z"
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-shhnr
readOnly: true
recursiveReadOnly: DisabledcontainerID: containerd://6bbc9f1d298cc46593a9b5aaa1638a3a5a04d0bfbd59ee20c9b8e8f95c847b19
image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2:v1.22.2.35-ge64ec8af-aliyun
imageID: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2@sha256:052c034215c5c248e10556b7e506de0068c110eb6b50a584ff2393b70c3e116c
lastState: {}
name: istio-proxy
ready: true
restartCount: 0
started: true
state:
running:
startedAt: "2024-09-25T11:52:19Z"
volumeMounts:
- mountPath: /var/run/secrets/workload-spiffe-uds
name: workload-socket
- mountPath: /var/run/secrets/credential-uds
name: credential-socket
- mountPath: /var/run/secrets/workload-spiffe-credentials
name: workload-certs
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
- mountPath: /var/lib/istio/data
name: istio-data
- mountPath: /etc/istio/proxy
name: istio-envoy
- mountPath: /var/run/secrets/tokens
name: istio-token
- mountPath: /etc/istio/pod
name: istio-podinfo
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-shhnr
readOnly: true
recursiveReadOnly: Disabledphase: Running
podIP: 10.100.95.93
podIPs:
ip: 10.100.95.93
qosClass: Burstable
startTime: “2024-09-25T11:52:17Z”
