When creating a deployment question, please follow the template below. The more information you provide, the easier it is to get a timely answer.
You cannot expect others to spend half an hour answering a question you spent only one minute creating.
Before posting, click the Preview (👀) button to the right of Post Topic to make sure the post is formatted correctly.
Operating system information
e.g., VM, Fedora 35, 8C/16G
Kubernetes version information
e.g., v1.21.7, multi-node.
Container runtime
e.g., docker
```
Client:
 Version:           20.10.9
 API version:       1.41
 Go version:        go1.16.8
 Git commit:        c2ea9bc
 Built:             Sun Oct 10 22:41:20 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.9
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.8
  Git commit:       79ea9d3
  Built:            Fri Oct 8 00:00:00 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.5.7
  GitCommit:
 runc:
  Version:          1.0.2
  GitCommit:        c42bf99-dirty
 docker-init:
  Version:          0.19.0
  GitCommit:
```
KubeSphere version information
e.g., v3.0.0. Offline install. Installed on an existing K8s.
What is the problem
A pod is stuck in Init:CrashLoopBackOff in the Istio environment
With Istio enabled, I deployed the bookinfo sample application and saw the istio-init container in the pod restarting endlessly:

The istio-init container log is as follows:
```
Environment:
------------
ENVOY_PORT=
INBOUND_CAPTURE_PORT=
ISTIO_INBOUND_INTERCEPTION_MODE=
ISTIO_INBOUND_TPROXY_MARK=
ISTIO_INBOUND_TPROXY_ROUTE_TABLE=
ISTIO_INBOUND_PORTS=
ISTIO_LOCAL_EXCLUDE_PORTS=
ISTIO_SERVICE_CIDR=
ISTIO_SERVICE_EXCLUDE_CIDR=
Variables:
----------
PROXY_PORT=15001
PROXY_INBOUND_CAPTURE_PORT=15006
PROXY_UID=1337
PROXY_GID=1337
INBOUND_INTERCEPTION_MODE=REDIRECT
INBOUND_TPROXY_MARK=1337
INBOUND_TPROXY_ROUTE_TABLE=133
INBOUND_PORTS_INCLUDE=*
INBOUND_PORTS_EXCLUDE=15020
OUTBOUND_IP_RANGES_INCLUDE=*
OUTBOUND_IP_RANGES_EXCLUDE=
OUTBOUND_PORTS_EXCLUDE=
KUBEVIRT_INTERFACES=
ENABLE_INBOUND_IPV6=
+ iptables -t nat -N ISTIO_REDIRECT
iptables: Chain already exists.
+ dump
+ iptables-save
# Generated by iptables-save v1.6.1 on Fri Dec 24 07:07:15 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:ISTIO_REDIRECT - [0:0]
COMMIT
# Completed on Fri Dec 24 07:07:15 2021
+ ip6tables-save
```
After googling, I found posts saying that privileged for istio-init should be changed to true. Could an expert please advise? Thanks.

The manifest of productpage-v1-8688b47d7c-s6vvk is attached in the appendix below:
================================================
Appendix
```yaml
kind: Pod
apiVersion: v1
metadata:
  name: productpage-v1-8688b47d7c-s6vvk
  generateName: productpage-v1-8688b47d7c-
  namespace: project01
  labels:
    app: productpage
    app.kubernetes.io/name: bookinfo
    app.kubernetes.io/version: v1
    pod-template-hash: 8688b47d7c
    security.istio.io/tlsMode: istio
    version: v1
  annotations:
    cni.projectcalico.org/podIP: 10.100.49.105/32
    cni.projectcalico.org/podIPs: 10.100.49.105/32
    sidecar.istio.io/inject: 'true'
    sidecar.istio.io/status: >-
      {"version":"7d3a4daf8f4b6208c528218b6bf6e38059855b1ab8185a50d223bb8756651fa5","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}
spec:
  volumes:
    - name: kube-api-access-tsv72
      projected:
        sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              name: kube-root-ca.crt
              items:
                - key: ca.crt
                  path: ca.crt
          - downwardAPI:
              items:
                - path: namespace
                  fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.namespace
        defaultMode: 420
    - name: istio-envoy
      emptyDir:
        medium: Memory
    - name: istio-certs
      secret:
        secretName: istio.default
        defaultMode: 420
        optional: true
  initContainers:
    - name: istio-init
      image: '10.200.43.153/istio/proxyv2:1.4.8'
      command:
        - istio-iptables
        - '-p'
        - '15001'
        - '-z'
        - '15006'
        - '-u'
        - '1337'
        - '-m'
        - REDIRECT
        - '-i'
        - ''
        - '-x'
        - ''
        - '-b'
        - ''
        - '-d'
        - '15020'
      resources:
        limits:
          cpu: 100m
          memory: 50Mi
        requests:
          cpu: 10m
          memory: 10Mi
      volumeMounts:
        - name: kube-api-access-tsv72
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
      securityContext:
        capabilities:
          add:
            - NET_ADMIN
            - NET_RAW
          drop:
            - ALL
        privileged: false
        runAsUser: 0
        runAsGroup: 0
        runAsNonRoot: false
        readOnlyRootFilesystem: false
        allowPrivilegeEscalation: false
  containers:
    - name: productpage
      image: '10.200.43.153/kubesphere/examples-bookinfo-productpage-v1:1.13.0'
      ports:
        - name: http-web
          containerPort: 9080
          protocol: TCP
      resources:
        limits:
          cpu: '1'
          memory: 1000Mi
        requests:
          cpu: 10m
          memory: 10Mi
      volumeMounts:
        - name: kube-api-access-tsv72
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
    - name: istio-proxy
      image: '10.200.43.153/istio/proxyv2:1.4.8'
      args:
        - proxy
        - sidecar
        - '--domain'
        - $(POD_NAMESPACE).svc.cluster.local
        - '--configPath'
        - /etc/istio/proxy
        - '--binaryPath'
        - /usr/local/bin/envoy
        - '--serviceCluster'
        - productpage.$(POD_NAMESPACE)
        - '--drainDuration'
        - 45s
        - '--parentShutdownDuration'
        - 1m0s
        - '--discoveryAddress'
        - 'istio-pilot.istio-system:15010'
        - '--zipkinAddress'
        - 'jaeger-collector.istio-system.svc:9411'
        - '--dnsRefreshRate'
        - 300s
        - '--connectTimeout'
        - 10s
        - '--proxyAdminPort'
        - '15000'
        - '--concurrency'
        - '2'
        - '--controlPlaneAuthPolicy'
        - NONE
        - '--statusPort'
        - '15020'
        - '--applicationPorts'
        - '9080'
      ports:
        - name: http-envoy-prom
          containerPort: 15090
          protocol: TCP
      env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: ISTIO_META_POD_PORTS
          value: |-
            [
                {"name":"http-web","containerPort":9080,"protocol":"TCP"}
            ]
        - name: ISTIO_META_CLUSTER_ID
          value: Kubernetes
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.serviceAccountName
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: ISTIO_META_CONFIG_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: SDS_ENABLED
          value: 'false'
        - name: ISTIO_META_INTERCEPTION_MODE
          value: REDIRECT
        - name: ISTIO_META_INCLUDE_INBOUND_PORTS
          value: '9080'
        - name: ISTIO_METAJSON_ANNOTATIONS
          value: |
            {"sidecar.istio.io/inject":"true"}
        - name: ISTIO_METAJSON_LABELS
          value: >
            {"app":"productpage","app.kubernetes.io/name":"bookinfo","app.kubernetes.io/version":"v1","pod-template-hash":"8688b47d7c","version":"v1"}
        - name: ISTIO_META_WORKLOAD_NAME
          value: productpage-v1
        - name: ISTIO_META_OWNER
          value: >-
            kubernetes://apis/apps/v1/namespaces/project01/deployments/productpage-v1
      resources:
        limits:
          cpu: '2'
          memory: 1Gi
        requests:
          cpu: 100m
          memory: 128Mi
      volumeMounts:
        - name: istio-envoy
          mountPath: /etc/istio/proxy
        - name: istio-certs
          readOnly: true
          mountPath: /etc/certs/
        - name: kube-api-access-tsv72
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      readinessProbe:
        httpGet:
          path: /healthz/ready
          port: 15020
          scheme: HTTP
        initialDelaySeconds: 1
        timeoutSeconds: 1
        periodSeconds: 2
        successThreshold: 1
        failureThreshold: 30
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
      securityContext:
        capabilities:
          drop:
            - ALL
        privileged: false
        runAsUser: 1337
        runAsGroup: 1337
        runAsNonRoot: true
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
  restartPolicy: Always
  terminationGracePeriodSeconds: 30
  dnsPolicy: ClusterFirst
  serviceAccountName: default
  serviceAccount: default
  nodeName: yxall02-b5tgjsnlid6l-node-1
  securityContext: {}
  schedulerName: default-scheduler
  tolerations:
    - key: node.kubernetes.io/not-ready
      operator: Exists
      effect: NoExecute
      tolerationSeconds: 300
    - key: node.kubernetes.io/unreachable
      operator: Exists
      effect: NoExecute
      tolerationSeconds: 300
  priority: 0
  enableServiceLinks: true
  preemptionPolicy: PreemptLowerPriority
```
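Two defender-side checks on the material in this post, written as an added example that is not part of the original post nor code from Istio or KubeSphere. The first parses the `iptables-save` dump from the istio-init log and classifies the state of the ISTIO_REDIRECT chain: the dump above shows the chain present but carrying no rules, so an earlier run in the same network namespace created it and stopped before populating it, which is why `iptables -t nat -N ISTIO_REDIRECT` now fails with "Chain already exists". The second audits the istio-init securityContext from the appendix against the two capabilities istio-iptables needs to edit the pod's nat table, NET_ADMIN and NET_RAW, which the manifest already grants, so that `privileged: true` is reported as a broader grant than the task requires rather than as a fix. The state labels, the `REQUIRED_CAPS` set and the "complete" dump used for comparison are my own constructions modelled on Istio's rule layout, not values from the post.

```python
"""Added example: classify an Istio nat-table dump and audit an init container's securityContext."""
from typing import Dict, List

# Constructed sample: the *nat table exactly as shown in the istio-init log above.
DUMP_FROM_LOG = """\
# Generated by iptables-save v1.6.1 on Fri Dec 24 07:07:15 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:ISTIO_REDIRECT - [0:0]
COMMIT
# Completed on Fri Dec 24 07:07:15 2021
"""

# Constructed sample (assumption, modelled on Istio's layout): what a fully applied
# REDIRECT-mode table looks like, for comparison.
DUMP_COMPLETE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:ISTIO_INBOUND - [0:0]
:ISTIO_IN_REDIRECT - [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_REDIRECT - [0:0]
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 15020 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT
"""


def parse_nat_table(dump: str) -> Dict[str, List[str]]:
    """Return {chain_name: [rule lines]} for the *nat table of an iptables-save dump."""
    chains: Dict[str, List[str]] = {}
    in_nat = False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # table header, e.g. "*nat"
            in_nat = line == "*nat"
            continue
        if not in_nat:
            continue
        if line == "COMMIT":
            break
        if line.startswith(":"):            # chain declaration ":NAME POLICY [pkts:bytes]"
            chains[line[1:].split()[0]] = []
        elif line.startswith("-A "):        # rule appended to a chain
            chains.setdefault(line.split()[1], []).append(line)
    return chains


def istio_redirect_state(dump: str) -> str:
    """Labels are this example's own: 'absent' (init never ran in this netns),
    'partial' (chain exists with no rules: a previous attempt died mid-way),
    'complete' (REDIRECT rule present and OUTPUT is wired into it)."""
    chains = parse_nat_table(dump)
    if "ISTIO_REDIRECT" not in chains:
        return "absent"
    has_redirect = any("-j REDIRECT" in r for r in chains["ISTIO_REDIRECT"])
    output_wired = any("ISTIO_OUTPUT" in r or "ISTIO_REDIRECT" in r
                       for r in chains.get("OUTPUT", []))
    return "complete" if has_redirect and output_wired else "partial"


# Constructed sample: the istio-init securityContext from the appendix, as a dict.
ISTIO_INIT_SECURITY_CONTEXT = {
    "capabilities": {"add": ["NET_ADMIN", "NET_RAW"], "drop": ["ALL"]},
    "privileged": False,
    "runAsUser": 0,
    "runAsGroup": 0,
    "runAsNonRoot": False,
    "readOnlyRootFilesystem": False,
    "allowPrivilegeEscalation": False,
}

# Assumption: the capability set istio-iptables needs to program the pod's nat table.
REQUIRED_CAPS = {"NET_ADMIN", "NET_RAW"}


def audit_init_security_context(sc: dict) -> List[str]:
    """Return least-privilege findings; an empty list means nothing to change."""
    findings: List[str] = []
    caps = sc.get("capabilities", {})
    missing = REQUIRED_CAPS - set(caps.get("add", []))
    if missing and not sc.get("privileged"):
        findings.append(f"missing capabilities needed by istio-iptables: {sorted(missing)}")
    if sc.get("privileged"):
        findings.append("privileged: true grants every capability plus host device access; "
                        "NET_ADMIN and NET_RAW are sufficient for istio-iptables")
    if "ALL" not in caps.get("drop", []):
        findings.append("capabilities.drop should be [ALL] so only the listed ones remain")
    if sc.get("allowPrivilegeEscalation", True):
        findings.append("allowPrivilegeEscalation should be false")
    return findings


if __name__ == "__main__":
    print("log dump state:", istio_redirect_state(DUMP_FROM_LOG))        # partial
    print("findings for istio-init:", audit_init_security_context(ISTIO_INIT_SECURITY_CONTEXT))
```

Run against the post's own data the audit returns no findings, which is the useful signal here: the init container is not short of permissions, and the dump points at a half-applied table left behind by an earlier attempt. Deleting the pod so a fresh network namespace is created, and then reading the first istio-init log rather than a later restart's, tells you what that earlier attempt actually failed on.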