Installing istio-1.5.0 with the default profile on k8s-1.15, istiod fails to start up because the access permission of istio-token is wrong. Checking in the istiod pod, the istio-token file is accessed as istio-proxy, but istio-proxy has no read or write permission on it.
File mode is `-rw-------` (0600), so it cannot be accessed by istio-proxy, only by the root user.
```go
func (s *Server) EnableCA() bool {
	if s.kubeClient == nil {
		// No k8s - no self-signed certs.
		// TODO: implement it using a local directory, for non-k8s env.
		log.Warn("kubeclient is nil; disable the CA functionality")
		return false
	}
	// Because istio-proxy has no privilege to read this file, istiod cannot start up.
	if _, err := ioutil.ReadFile(s.jwtPath); err != nil {
		// for debug we may want to override this by setting trustedIssuer explicitly.
		// If TOKEN_ISSUER is set, we ignore the lack of mounted JWT token, it means user is using
		// an external OIDC provider to validate the tokens, and istiod lack of a JWT doesn't indicate a problem.
		if features.JwtPolicy.Get() == jwt.JWTPolicyThirdPartyJWT && trustedIssuer.Get() == "" {
			log.Warnf("istiod running without access to K8S tokens (jwt path %v); disable the CA functionality", s.jwtPath)
			return false
		}
	}
	return true
}
```
I tried to modify the permissions of the token file in the pilot code, and found that the file is read-only and cannot be modified, although `readOnly: false` has been configured in the configuration file:
```yaml
volumeMounts:
- mountPath: /var/run/secrets/istio
  name: istiod-ca-cert
- mountPath: /var/run/secrets/tokens
  name: istio-token
  readOnly: false
- mountPath: /var/run/ingress_gateway
  name: ingressgatewaysdsudspath
- mountPath: /etc/istio/pod
  name: podinfo
- mountPath: /etc/istio/ingressgateway-certs
  name: ingressgateway-certs
  readOnly: false
- mountPath: /etc/istio/ingressgateway-ca-certs
  name: ingressgateway-ca-certs
  readOnly: false
```
Other related configuration items are as follows:
```yaml
securityContext:
  capabilities:
    drop:
    - ALL
  runAsGroup: 1337
  runAsNonRoot: true
  runAsUser: 1337
```
Can anyone give some advice or help?
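As an added example (not Istio's code and not part of the report), a small Go check that applies the usual owner/group/other rule to the token file for the pod's `runAsUser`/`runAsGroup`: it shows why a root-owned 0600 token is unreadable by uid 1337 once capabilities are dropped, and why group ownership with 0640 (what the kubelet writes for a projected service account token when the pod sets `fsGroup`) would be readable. The token path is the one from the report; the function names are mine.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// Added example, not Istio code: apply the owner/group/other rule for a
// process with the given uid/gid to a file with the given owner, group and
// mode bits. uid 0 bypasses these checks, which is why a root:root 0600
// token is fine for a root process but not for istiod running as 1337.
func canRead(fileUID, fileGID uint32, mode os.FileMode, uid, gid uint32) bool {
	if uid == 0 {
		return true
	}
	perm := mode.Perm()
	switch {
	case uid == fileUID:
		return perm&0400 != 0
	case gid == fileGID:
		return perm&0040 != 0
	default:
		return perm&0004 != 0
	}
}

// tokenReadableAs stats path and applies canRead for uid/gid. Linux only:
// owner and group come from syscall.Stat_t.
func tokenReadableAs(path string, uid, gid uint32) (bool, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return false, fmt.Errorf("%s: no unix ownership info", path)
	}
	return canRead(st.Uid, st.Gid, fi.Mode(), uid, gid), nil
}

func main() {
	// The report: runAsUser/runAsGroup 1337, token owned root:root, mode 0600.
	fmt.Println("root:root 0600 as 1337:", canRead(0, 0, 0600, 1337, 1337))
	// With fsGroup: 1337 the kubelet writes the projected token as root:1337 0640.
	fmt.Println("root:1337 0640 as 1337:", canRead(0, 1337, 0640, 1337, 1337))
	if ok, err := tokenReadableAs("/var/run/secrets/tokens/istio-token", 1337, 1337); err == nil {
		fmt.Println("istio-token readable as 1337:", ok)
	}
}
```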