安装bookinfo示例总是没有注入sidecar

for-mat · 2019年10月17日

[root@master100 ~]# kubectl get mutatingwebhookconfigurations.admissionregistration.k8s.io istio-sidecar-injector -o yamlapiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  creationTimestamp: "2019-10-16T10:42:42Z"
  generation: 2
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: istio
  name: istio-sidecar-injector
  resourceVersion: "9551721"
  selfLink: /apis/admissionregistration.k8s.io/v1beta1/mutatingwebhookconfigurations/istio-sidecar-injector
  uid: ae3fa913-f001-11e9-9015-52560ade2365
webhooks:
- clientConfig:
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMzakNDQWNhZ0F3SUJBZ0lSQU1LTUpLL051MGJON0Ezb1ZYQlFLeE13RFFZSktvWklodmNOQVFFTEJRQXcKR0RFV01CUUdBMVVFQ2hNTlkyeDFjM1JsY2k1c2IyTmhiREFlRncweE9URXdNVFl4TURReU5ETmFGdzB5TURFdwpNVFV4TURReU5ETmFNQmd4RmpBVUJnTlZCQW9URFdOc2RYTjBaWEl1Ykc5allXd3dnZ0VpTUEwR0NTcUdTSWIzCkRRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRFpCeUgzSmNKMVh1WlFtQVVyZG41OXNlSlNzSkNGZzJEdWdyMHYKNUlVaFpldzVSaHJaWVcvalllTnFOWXhIdzVBektZYUZLa0xadWhrcmR5dStMR0hkM0lVQjZvVWhORVVjZ2xxbwozQ1ZhTkpnU1ljQU9DblM5ZUZLcDBIYmI1WUUyS0xCUSsrWmQ5YVhOQjF0MElsUGMxZmJYMjFsWUZBRExTUnR4Cnc3ZG5VV3R2RFFqdWhRVnZjS1lkNUNsbEFxbEpEWWlnUEJ0TktFUG0zcW4wcU5GdVNUTzZJMXlZelNrZ3VRZ1cKMm1UTERHZzVIU1J4RGR4aVh6dXdBY241SWlSVGI2VnBtNENZK2Mwcmk4bURQa2pXdWNGYVdGNWhQMncxWkQ5Vwp6eHk3OHVGV0xWUW9DeXl4TjlKcCtsM1BjVi9JTHlsVURqdlJEcnZiU1RiQnZ3SGxBZ01CQUFHakl6QWhNQTRHCkExVWREd0VCL3dRRUF3SUNCREFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUIKQVFCYURxZ01yOXk5eWVzcUFacHJZN1lSU0RJTXNhRUowM0s4QnhPM2poMUw0d3l1MlJRVXM0T0hVZ0FaRXZUNgpaL2lEUSt2NW5EVnc5c0RZY1UwOHNCSHp3SXowODkrTmJoUUVsN2RqdnJuU3lEZXhOeE0yM3l5Z2ZXOXpxU2duCjUyeUZFcWVYNmgvZjRINDgvVUF4Rmg4YkpvNUJhS3llOWZSSVN1NXd2SExYUjcrREgzMS80dzJGZTZaTE40N04KT3hLN1BkTGFKaSsvNDJncVdlaTZaRitqRFFlSUxydThnRlUvb0hseC9ROFBSakNkaHgrRXlncU9ZQWZNWXNrZgptZUVRNS9aRHBJazFmWVZmQkt1ZTlyWWRFSTR1QkQvemNGNjdJcW9semNSdUV1R1dKSmRtUXYveFRLWFZwSzl6CmxWQ3gyS0xrWnk4MUpVRzViTTQ1aERqdAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    service:
      name: istio-sidecar-injector
      namespace: istio-system
      path: /inject
  failurePolicy: Fail
  name: sidecar-injector.istio.io
  namespaceSelector:
    matchExpressions:
    - key: kubesphere.io/workspace
      operator: Exists
    - key: istio-injection
      operator: NotIn
      values:
      - disabled
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
  sideEffects: Unknown

Jeff · 2019年10月17日

策略配置看着是对的，再贴下下面这个命令的执行结果吧

kubectl -n [namespace] get deployment productpage-v1 -o yaml

for-mat · 2019年10月17日

Jeff

[root@master100 ~]# kubectl -n test-namespace get deployment productpage-v1 -o yaml  
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    creator: admin
    deployment.kubernetes.io/revision: "1"
    kubesphere.io/isElasticReplicas: "false"
    servicemesh.kubesphere.io/enabled: "true"
  creationTimestamp: "2019-10-17T03:29:35Z"
  generation: 1
  labels:
    app: productpage
    app.kubernetes.io/name: bookinfo
    app.kubernetes.io/version: v1
    version: v1
  name: productpage-v1
  namespace: test-namespace
  ownerReferences:
  - apiVersion: app.k8s.io/v1beta1
    blockOwnerDeletion: true
    controller: false
    kind: Application
    name: bookinfo
    uid: 57b01a89-f08e-11e9-93ab-52560ade2364
  resourceVersion: "9687755"
  selfLink: /apis/extensions/v1beta1/namespaces/test-namespace/deployments/productpage-v1
  uid: 57b037eb-f08e-11e9-93ab-52560ade2364
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: productpage
      app.kubernetes.io/name: bookinfo
      app.kubernetes.io/version: v1
      version: v1
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "true"
      creationTimestamp: null
      labels:
        app: productpage
        app.kubernetes.io/name: bookinfo
        app.kubernetes.io/version: v1
        version: v1
    spec:
      containers:
      - image: kubesphere/examples-bookinfo-productpage-v1:1.13.0
        imagePullPolicy: IfNotPresent
        name: productpage
        ports:
        - containerPort: 9080
          name: http-web
          protocol: TCP
        resources:
          limits:
            cpu: "1"
            memory: 1000Mi
          requests:
            cpu: 10m
            memory: 10Mi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: default
      serviceAccountName: default
      terminationGracePeriodSeconds: 30
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2019-10-17T03:29:56Z"
    lastUpdateTime: "2019-10-17T03:29:56Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2019-10-17T03:29:35Z"
    lastUpdateTime: "2019-10-17T03:29:56Z"
    message: ReplicaSet "productpage-v1-579dfbcddd" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 1
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1

Jeff · 2019年10月17日

这个配置看着也是对的，你的电脑能够远程么，我看下，可以把登录方式发到 kubesphere@yunify.com

for-mat · 2019年10月17日

没法远程。。

我到这一步，都是正常的，这里也显示了istio-proxy，创建后是就绪的，但是查看pod状态，就没有这个istio-proxy了

for-mat · 2019年10月17日

不行我再手动部署istio官方的实例试试

Jeff · 2019年10月17日

for-mat 执行下这个命令看下，ns是否打上label了

kubectl get ns test-namespace -o yaml

for-mat · 2019年10月17日

Jeff label是我看istio文档后手动打的

[root@master100 ~]# kubectl get ns test-namespace -o yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    creator: admin
    openpitrix_runtime: runtime-BVzjOO3LRJQA
  creationTimestamp: "2019-10-16T11:22:14Z"
  finalizers:
  - finalizers.kubesphere.io/namespaces
  labels:
    istio-injection: enabled
    kubesphere.io/workspace: test-workspace
  name: test-namespace
  ownerReferences:
  - apiVersion: tenant.kubesphere.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: Workspace
    name: test-workspace
    uid: 233958f4-f007-11e9-93ab-52560ade2364
  resourceVersion: "9674211"
  selfLink: /api/v1/namespaces/test-namespace
  uid: 3486cf19-f007-11e9-9044-52560ade2365
spec:
  finalizers:
  - kubernetes
status:
  phase: Active

Jeff · 2019年10月17日

for-mat 把这个label去掉 istio-injection: enabled，重新部署应用试下

for-mat · 2019年10月17日

Jeff 去掉试了还是不行，另外我照着istio官方文档操作了下
也没有注入sidecar，我检查了apiserver启动项
–admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
也开启了自动sidecar注入，但就是不生效。
我的k8s是1.13.10
奇了怪了，我再手动试试。。。

for-mat · 2019年10月17日

Jeff 大佬，istio-sidecar-injector的configmap没有values
[root@master100 bin]# ./istioctl kube-inject -f ../samples/sleep/sleep.yaml | kubectl apply -f -
Error: missing configuration map key “values” in “istio-sidecar-injector”
error: no objects passed to apply

Jeff · 2019年10月17日

for-mat 你的环境是默认安装的么，还是在已有的k8s上安装的？最好能有个环境我看下

for-mat · 2019年10月17日

我滴妈呀，终于解决了
1、我是已有k8s集群上搭的kubesphere
kube-apiserver的启动参数中，要有–admission-control=MutatingAdmissionWebhook，开启自动注入
2、MutatingWebhookConfiguration配置有问题
kubectl -n istio-system edit MutatingWebhookConfiguration istio-sidecar-injector
下面两个参数改成In和enabled
operator: In
values:
- enabled
3、给用到的namespace打标签
kubectl label namespace test-namespace istio-injection=enabled
4、感谢大佬帮忙

for-mat · 2019年10月17日

不知道是不是默认都会这样，我装了两次是都不行。也可能是因为我自己搭的集群

Jeff · 2019年10月17日

for-mat ️

安装bookinfo示例总是没有注入sidecar

for-matK零S

JeffK零SK壹S

for-matK零S

JeffK零SK壹S

for-matK零S

for-matK零S

JeffK零SK壹S

for-matK零S

JeffK零SK壹S

for-matK零S

for-matK零S

JeffK零SK壹S

for-matK零S

for-matK零S

JeffK零SK壹S