容器组状态显示异常，istio sidercar注入后，处于Completed 状态无法识别为正常

qingyufei

v3.4.1 安装在阿里云ACK1.30 版本上。

使用阿里云ASM（istio） nativate 模式注入sidercar，容器状态是正常的，但是界面显示Init:½，初始化中。好像init container中 Completed 状态无法正常识别

init 状态显示如下图：

container 显示如下：

kubectl 命令显示如下（2/2）：

pod注入后的 yaml 如下：

apiVersion: v1

kind: Pod

metadata:

annotations:

istio.io/rev: 1-22-6

k8s.aliyun.com/pod-ips: 10.100.95.93

kubectl.kubernetes.io/default-container: notification-sms

kubectl.kubernetes.io/default-logs-container: notification-sms

kubectl.kubernetes.io/restartedAt: "2024-09-25T17:27:09+08:00"

sidecar.istio.io/inject: "true"

sidecar.istio.io/interceptionMode: REDIRECT

sidecar.istio.io/status: '{"initContainers":["istio-validation","istio-proxy"],"containers":null,"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"1-22-6"}'

traffic.sidecar.istio.io/excludeInboundPorts: "15020"

traffic.sidecar.istio.io/excludeOutboundIPRanges: 10.101.0.1/32

traffic.sidecar.istio.io/includeInboundPorts: '\*'

traffic.sidecar.istio.io/includeOutboundIPRanges: '\*'

creationTimestamp: “2024-09-25T11:52:17Z”

generateName: notification-sms-v1-d44b7f94-

labels:

app: notification-sms

pod-template-hash: d44b7f94

security.istio.io/tlsMode: istio

service.istio.io/canonical-name: notification-sms

service.istio.io/canonical-revision: v1

version: v1

name: notification-sms-v1-d44b7f94-4nwgx

namespace: dw-prod-a

ownerReferences:

apiVersion: apps/v1

blockOwnerDeletion: true

controller: true

kind: ReplicaSet

name: notification-sms-v1-d44b7f94

uid: 470093f0-6669-45d8-b3ad-f2af4b1942e8

resourceVersion: “2566306”

uid: 3fad0269-57c3-4793-b730-aa3364499cdf

spec:

containers:

env:
- name: PROJECT_NAME
  
  value: notification-sms
- name: env
  
  valueFrom:
  
  fieldRef:
  
  apiVersion: v1
  
  fieldPath: metadata.namespace
- name: OTEL_SERVICE_NAME
  
  value: $(OTEL_CLUSTER)-notification-sms
- name: VERSION
  
  value: v1
  
  envFrom:
- configMapRef:
  
  name: appenv
  
  image: registry-dt-registry-vpc.cn-hangzhou.cr.aliyuncs.com/runtime/notification-sms:production-deploy-20240925194000
  
  imagePullPolicy: IfNotPresent
  
  livenessProbe:
  
  failureThreshold: 3
  
  httpGet:
  
  path: /app-health/notification-sms/livez
  
  port: 15020
  
  scheme: HTTP
  
  initialDelaySeconds: 20
  
  periodSeconds: 10
  
  successThreshold: 1
  
  timeoutSeconds: 3
  
  name: notification-sms
  
  ports:
- containerPort: 8080
  
  name: http
  
  protocol: TCP
- containerPort: 9000
  
  name: grpc
  
  protocol: TCP
  
  readinessProbe:
  
  failureThreshold: 3
  
  httpGet:
  
  path: /app-health/notification-sms/readyz
  
  port: 15020
  
  scheme: HTTP
  
  initialDelaySeconds: 20
  
  periodSeconds: 10
  
  successThreshold: 1
  
  timeoutSeconds: 3
  
  resources:
  
  limits:
  
  cpu: 800m
  
  memory: 1Gi
  
  requests:
  
  cpu: 10m
  
  memory: 64Mi
  
  securityContext:
  
  capabilities:
  
  drop:
  - KILL
  - MKNOD
    
    privileged: true
  terminationMessagePath: /dev/termination-log
  
  terminationMessagePolicy: File
  
  volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
  
  name: kube-api-access-shhnr
  
  readOnly: true
dnsConfig:

options:
- name: single-request-reopen
dnsPolicy: ClusterFirst

enableServiceLinks: true

hostAliases:
hostnames:
- istiod-1-22-6.istio-system.svc
  
  ip: 10.100.136.26
imagePullSecrets:
name: acr-credential-secret-aggregation

initContainers:
args:
- istio-iptables
- -p
- “15001”
- -z
- “15006”
- -u
- “1337”
- -m
- REDIRECT
- -i
- ‘*’
- -x
- 10.101.0.1/32
- -b
- ‘*’
- -d
- 15090,15021,15081,9191,15020
- –log_output_level=default:info
- –run-validation
- –skip-rule-apply
  
  env:
- name: DNS_AGENT
- name: EXIT_ON_ZERO_ACTIVE_CONNECTIONS
  
  value: “true”
  
  image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2:v1.22.2.35-ge64ec8af-aliyun
  
  imagePullPolicy: IfNotPresent
  
  name: istio-validation
  
  resources:
  
  limits:
  
  cpu: “2”
  
  memory: 1Gi
  
  requests:
  
  cpu: 10m
  
  memory: 10Mi
  
  securityContext:
  
  allowPrivilegeEscalation: false
  
  privileged: false
  
  readOnlyRootFilesystem: true
  
  runAsGroup: 1337
  
  runAsNonRoot: true
  
  runAsUser: 1337
  
  terminationMessagePath: /dev/termination-log
  
  terminationMessagePolicy: File
  
  volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
  
  name: kube-api-access-shhnr
  
  readOnly: true
args:
- proxy
- sidecar
- –domain
- $(POD_NAMESPACE).svc.cluster.local
- –proxyLogLevel=warning
- –proxyComponentLogLevel=misc:error
- –log_output_level=default:info
  
  env:
- name: TERMINATION_DRAIN_DURATION_SECONDS
  
  value: “5”
- name: PILOT_CERT_PROVIDER
  
  value: istiod
- name: CA_ADDR
  
  value: istiod-1-22-6.istio-system.svc:15012
- name: POD_NAME
  
  valueFrom:
  
  fieldRef:
  
  apiVersion: v1
  
  fieldPath: metadata.name
- name: POD_NAMESPACE
  
  valueFrom:
  
  fieldRef:
  
  apiVersion: v1
  
  fieldPath: metadata.namespace
- name: INSTANCE_IP
  
  valueFrom:
  
  fieldRef:
  
  apiVersion: v1
  
  fieldPath: status.podIP
- name: SERVICE_ACCOUNT
  
  valueFrom:
  
  fieldRef:
  
  apiVersion: v1
  
  fieldPath: spec.serviceAccountName
- name: HOST_IP
  
  valueFrom:
  
  fieldRef:
  
  apiVersion: v1
  
  fieldPath: status.hostIP
- name: ISTIO_CPU_LIMIT
  
  valueFrom:
  
  resourceFieldRef:
  
  divisor: “0”
  
  resource: limits.cpu
- name: PROXY_CONFIG
  
  value: ‘{“concurrency”:2,“configPath”:“/etc/istio/proxy”,“discoveryAddress”:“istiod-1-22-6.istio-system.svc:15012”,“proxyMetadata”:{“DNS_AGENT”:"",“EXIT_ON_ZERO_ACTIVE_CONNECTIONS”:“true”},“tracing”:{“zipkin”:{“address”:“zipkin.istio-system:9411”}}}’
- name: ISTIO_META_POD_PORTS
  
  value: |-
  
  [
```
{"name":"http","containerPort":8080,"protocol":"TCP"}

,{"name":"grpc","containerPort":9000,"protocol":"TCP"}
```

]

- name: ISTIO_META_APP_CONTAINERS

  value: notification-sms

- name: GOMEMLIMIT

  valueFrom:

    resourceFieldRef:

      divisor: "0"

      resource: limits.memory

- name: GOMAXPROCS

  valueFrom:

    resourceFieldRef:

      divisor: "0"

      resource: limits.cpu

- name: ISTIO_META_NODE_NAME

  valueFrom:

    fieldRef:

      apiVersion: v1

      fieldPath: spec.nodeName

- name: ISTIO_META_INTERCEPTION_MODE

  value: REDIRECT

- name: ISTIO_META_WORKLOAD_NAME

  value: notification-sms-v1

- name: ASM_APP_VERSION

  value: v1

- name: ISTIO_META_OWNER

  value: kubernetes://apis/apps/v1/namespaces/dw-prod-a/deployments/notification-sms-v1

- name: ISTIO_META_MESH_ID

  value: cf93e8b8057684aaaa392d483a8060e44

- name: ASM_ID

  value: cc150cd69be5a428f995afdec24b8d8c0

- name: TRUST_DOMAIN

  value: cluster.local

- name: DNS_AGENT

- name: EXIT_ON_ZERO_ACTIVE_CONNECTIONS

  value: "true"

- name: ISTIO_META_CLUSTER_ID

  value: cf93e8b8057684aaaa392d483a8060e44

- name: ISTIO_KUBE_APP_PROBERS

  value: '{"/app-health/notification-sms/livez":{"tcpSocket":{"port":9000},"timeoutSeconds":3},"/app-health/notification-sms/readyz":{"tcpSocket":{"port":9000},"timeoutSeconds":3}}'

image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2:v1.22.2.35-ge64ec8af-aliyun

imagePullPolicy: IfNotPresent

lifecycle:

  preStop:

    exec:

      command:

      - pilot-agent

      - request

      - --debug-port=15020

      - POST

      - drain

name: istio-proxy

ports:

- containerPort: 15090

  name: http-envoy-prom

  protocol: TCP

readinessProbe:

  failureThreshold: 30

  httpGet:

    path: /healthz/ready

    port: 15021

    scheme: HTTP

  initialDelaySeconds: 1

  periodSeconds: 2

  successThreshold: 1

  timeoutSeconds: 3

resources:

  limits:

    cpu: "2"

    memory: 1Gi

  requests:

    cpu: 100m

    memory: 128Mi

restartPolicy: Always

securityContext:

  allowPrivilegeEscalation: false

  capabilities:

    drop:

    - ALL

  privileged: false

  readOnlyRootFilesystem: true

  runAsGroup: 1337

  runAsNonRoot: true

  runAsUser: 1337

terminationMessagePath: /dev/termination-log

terminationMessagePolicy: File

volumeMounts:

- mountPath: /var/run/secrets/workload-spiffe-uds

  name: workload-socket

- mountPath: /var/run/secrets/credential-uds

  name: credential-socket

- mountPath: /var/run/secrets/workload-spiffe-credentials

  name: workload-certs

- mountPath: /var/run/secrets/istio

  name: istiod-ca-cert

- mountPath: /var/lib/istio/data

  name: istio-data

- mountPath: /etc/istio/proxy

  name: istio-envoy

- mountPath: /var/run/secrets/tokens

  name: istio-token

- mountPath: /etc/istio/pod

  name: istio-podinfo

- mountPath: /var/run/secrets/kubernetes.io/serviceaccount

  name: kube-api-access-shhnr

  readOnly: true

nodeName: ack-dw-prod10.100.94.185

preemptionPolicy: PreemptLowerPriority

priority: 0

restartPolicy: Always

schedulerName: default-scheduler

securityContext: {}

serviceAccount: default

serviceAccountName: default

terminationGracePeriodSeconds: 30

tolerations:

effect: NoExecute

key: node.kubernetes.io/not-ready

operator: Exists

tolerationSeconds: 300
effect: NoExecute

key: node.kubernetes.io/unreachable

operator: Exists

tolerationSeconds: 300

volumes:
emptyDir: {}

name: workload-socket
emptyDir: {}

name: credential-socket
emptyDir: {}

name: workload-certs
emptyDir:

medium: Memory

name: istio-envoy
emptyDir: {}

name: istio-data
downwardAPI:

defaultMode: 420

items:
- fieldRef:
  
  apiVersion: v1
  
  fieldPath: metadata.labels
  
  path: labels
  - fieldRef:
    
    apiVersion: v1
    
    fieldPath: metadata.annotations
    
    path: annotations
  name: istio-podinfo
name: istio-token

projected:

defaultMode: 420

sources:
- serviceAccountToken:
  
  audience: istio-ca
  
  expirationSeconds: 86400
  
  path: istio-token
configMap:

defaultMode: 420

name: istio-ca-root-cert

name: istiod-ca-cert
name: kube-api-access-shhnr

projected:

defaultMode: 420

sources:
- serviceAccountToken:
  
  expirationSeconds: 3607
  
  path: token
  - configMap:
    
    items:
    - key: ca.crt
      
      path: ca.crt
      
      name: kube-root-ca.crt
  - downwardAPI:
    
    items:
    - fieldRef:
      
      apiVersion: v1
      
      fieldPath: metadata.namespace
      
      path: namespace

status:

conditions:

lastProbeTime: null

lastTransitionTime: “2024-09-25T11:52:18Z”

status: “True”

type: PodReadyToStartContainers
lastProbeTime: null

lastTransitionTime: “2024-09-25T11:52:20Z”

status: “True”

type: Initialized
lastProbeTime: null

lastTransitionTime: “2024-09-25T11:52:47Z”

status: “True”

type: Ready
lastProbeTime: null

lastTransitionTime: “2024-09-25T11:52:47Z”

status: “True”

type: ContainersReady
lastProbeTime: null

lastTransitionTime: “2024-09-25T11:52:17Z”

status: “True”

type: PodScheduled

containerStatuses:
containerID: containerd://1ea400a42e0d72ea0f128ed71f66ade5d56fc244b4307301aca71c69469383d9

image: registry-dt-registry-vpc.cn-hangzhou.cr.aliyuncs.com/runtime/notification-sms:production-deploy-20240925194000

imageID: registry-dt-registry-vpc.cn-hangzhou.cr.aliyuncs.com/runtime/notification-sms@sha256:d0b5343a703248d512643ab50df1a161595c9d9a5fdd83d52fc0d5029f63e5fa

lastState: {}

name: notification-sms

ready: true

restartCount: 0

started: true

state:

running:
```
startedAt: "2024-09-25T11:52:22Z"
```

volumeMounts:

- mountPath: /var/run/secrets/kubernetes.io/serviceaccount

  name: kube-api-access-shhnr

  readOnly: true

  recursiveReadOnly: Disabled

hostIP: 10.100.94.185

hostIPs:

ip: 10.100.94.185

initContainerStatuses:

containerID: containerd://2281917072fc7675c83d109023f72a0ccdcc196fde77fa7e5b105e3035070fe5

image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2:v1.22.2.35-ge64ec8af-aliyun

imageID: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2@sha256:052c034215c5c248e10556b7e506de0068c110eb6b50a584ff2393b70c3e116c

lastState: {}

name: istio-validation

ready: true

restartCount: 0

started: false

state:

terminated:

containerID: containerd://2281917072fc7675c83d109023f72a0ccdcc196fde77fa7e5b105e3035070fe5

exitCode: 0

finishedAt: "2024-09-25T11:52:18Z"

reason: Completed

startedAt: "2024-09-25T11:52:18Z"

volumeMounts:

- mountPath: /var/run/secrets/kubernetes.io/serviceaccount

  name: kube-api-access-shhnr

  readOnly: true

  recursiveReadOnly: Disabled

containerID: containerd://6bbc9f1d298cc46593a9b5aaa1638a3a5a04d0bfbd59ee20c9b8e8f95c847b19

image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2:v1.22.2.35-ge64ec8af-aliyun

imageID: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2@sha256:052c034215c5c248e10556b7e506de0068c110eb6b50a584ff2393b70c3e116c

lastState: {}

name: istio-proxy

ready: true

restartCount: 0

started: true

state:

running:
```
startedAt: "2024-09-25T11:52:19Z"
```

volumeMounts:

- mountPath: /var/run/secrets/workload-spiffe-uds

  name: workload-socket

- mountPath: /var/run/secrets/credential-uds

  name: credential-socket

- mountPath: /var/run/secrets/workload-spiffe-credentials

  name: workload-certs

- mountPath: /var/run/secrets/istio

  name: istiod-ca-cert

- mountPath: /var/lib/istio/data

  name: istio-data

- mountPath: /etc/istio/proxy

  name: istio-envoy

- mountPath: /var/run/secrets/tokens

  name: istio-token

- mountPath: /etc/istio/pod

  name: istio-podinfo

- mountPath: /var/run/secrets/kubernetes.io/serviceaccount

  name: kube-api-access-shhnr

  readOnly: true

  recursiveReadOnly: Disabled

phase: Running

podIP: 10.100.95.93

podIPs:

ip: 10.100.95.93

qosClass: Burstable

startTime: “2024-09-25T11:52:17Z”

qingyufei

这是pod的状态