Questions tagged [istio-sidecar]

196 questions
0 votes, 1 answer

istio virtualservice rewrite not working properly

I've set up EKS + istio ingress gateway following https://aws.amazon.com/blogs/containers/secure-end-to-end-traffic-on-amazon-eks-using-tls-certificate-in-acm-alb-and-istio/ and it works fine. I want to add uri prefix in virtualservice such that…
0 votes, 0 answers

istio sidecar is not restricting pod connections as desired

I want to see how an istio sidecar may restrict a pod's connections (I am learning istio through its references) so I am working with the bookinfo example, after installing the example (having a Docker Desktop) - I wrote a simple sidecar resource…
Sh.F
0 votes, 0 answers

RBAC: access denied when request in kubeflow notebooks

I tried the kserve example and faced the problem of RBAC: Access Denied. add user $ kubectl -n auth edit cm dex add example information in staticPasswords - email: my_email@gmail.com hash: my_ps_hash userID: "myuserid" …
TaeUk Noh
0 votes, 1 answer

How to overwrite namespace default stable tag istio injection with canary tag in deployment

I have Istio 1.12.0 running with a stable tag and I have upgraded my istio version to 1.13.9 with canary tag. The default tag is mapped with 1.12.0 and added to the namespace. Now I want to overwrite the namespace injection with the canary tag in…
Anup
0 votes, 0 answers

Istio sidecar for Pod with hostNetwork enabled

In my k8s cluster there is a Pod (prometheus/node-exporter) that uses hostNetwork to collect metrics from a node. The same Pod sends collected data to Prometheus, which is a part of Istio service mesh. The service mesh requires all traffic to be…
0 votes, 0 answers

Getting error connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

We have two Istio versions installed in a k8s cluster: one is 1.8.6 and the other is 1.14.1. We have injected Istio 1.8.6 in namespace-1 and Istio 1.14.1 in namespace-2. Running some workloads in both namespaces, when I try to make a curl request from one pod (namespace-1) to…
0 votes, 0 answers

Istio Circuitbreaker - maxconnections limit under connectionpool is for service or pod level

Description: I have an istio service mesh with envoy running as sidecar, and a destination service with the below configuration in its destination rule is deployed. Mainly I was trying to check the circuit breaker behaviour of envoy/istio. trafficPolicy: …
Ankit
0 votes, 0 answers

How to get the metrics data of pod-to-pod requests by istio_requests_total?

Here is my network model (injected): client sends requests --> ingressgateway --> service_A --> service_B --> service_C. When I search for the metrics "istio_requests_total" on prometheus, I can only see the data of service_A. I can only get empty…
0 votes, 1 answer

Istio : HTTPS Traffic between Pods working only if sidecar not injected

Steps I have done: I have two namespaces, one with istio injected and another not. Now deploy a simple nginx server using this yaml in both namespaces: apiVersion: v1 kind: Service metadata: name: software-upgrader labels: app:…
0 votes, 0 answers

Istio 1.14.5, sidecar injection fails due to invalid certificate

I'm using Istio 1.14.5 in my AWS EKS (1.21.14-eks-fb459a0). I'm injecting my istio sidecar with: istioctl kube-inject -f my-deployment.yaml | kubectl apply -f - But, when I scaleout my deployment to 1 (create ReplicaSet), I'm getting this event in…
Beto Neto
0 votes, 0 answers

The socket connect to any port succeeds in istio sidecar pod

The istio-proxy log shows the socket connection was rejected [2022-11-21T12:42:47.825Z] "- - -" 0 UF,URX - - "-" 0 0 10000 - "-" "-" "-" "-" "103.235.46.40:123" PassthroughCluster - 103.235.46.40:123 100.108.44.117:60480 But in the pod the python…
0 votes, 1 answer

How to inject sidecar via deployment that points to new istiod rather than pointing to old istio

We have installed one istio and labeled namespace (default) istio.io/rev=1-8-1 and all services under this namespace are pointed to 1-14-1 istiod. Now I tried to install a new istio whose revision is istio.io/rev=1-14-1. I want to test only one…
0 votes, 0 answers

with istio is it possible to specify sidecar.istio.io/proxyCPU and other limits within namespace

I use deployment.yaml kind: Deployment and specify sidecar.istio.io/proxyCPU: "100m" and other sidecar annotations in .spec.template.metadata.annotations. The problem is this requires me to repeat the same in every application and there are too many…
bhantol
0 votes, 0 answers

Set ignore_port_in_host_matching or strip_any_host_port in Istio EnvoyFilter

Related to the issue https://github.com/envoyproxy/envoy/issues/23650 EnvoyFilter is used to modify the request's host, and re-route the request to another host (or so-called cluster). In the lua script, if replaced api is the same port with outbound…
ppzhuo
0 votes, 0 answers

fix different traceId with istio sidecar proxy and spring boot sleuth

Spring boot apps with Sleuth are deployed in pods with istio sidecar injected alongside. istio virtual service ingresses traffic into the mesh and proxies the request to pods correctly. Both logs are seen in kibana - one for istio-proxy (sidecar)…
bhantol