Installing istio-1.5.0 with the default configuration file on k8s-1.15, istiod really cannot start, because the access permissions on istio-token are wrong. Looking inside istiod, the istio-token file's ownership is istio-proxy, but it has no read/write permission.
filemode: -rw-----, so it cannot be accessed as istio-proxy; it is only usable by the root user.
func (s *Server) EnableCA() bool {
    if s.kubeClient == nil {
        // No k8s - no self-signed certs.
        // TODO: implement it using a local directory, for non-k8s env.
        log.Warn("kubeclient is nil; disable the CA functionality")
        return false
    }
    /* because istio-proxy has no privilege to access the file, this makes istiod unable to start up */
    if _, err := ioutil.ReadFile(s.jwtPath); err != nil {
        // for debug we may want to override this by setting trustedIssuer explicitly.
        // If TOKEN_ISSUER is set, we ignore the lack of mounted JWT token, it means user is using
        // an external OIDC provider to validate the tokens, and istiod lack of a JWT doesn't indicate a problem.
        if features.JwtPolicy.Get() == jwt.JWTPolicyThirdPartyJWT && trustedIssuer.Get() == "" {
            log.Warnf("istiod running without access to K8S tokens (jwt path %v); disable the CA functionality", s.jwtPath)
            return false
        }
    }
    return true
}
I tried to change the permissions of the token file in the test code and found that the file is read-only and cannot be modified, even though readOnly: false is already set in the configuration file:
volumeMounts:
  - mountPath: /var/run/secrets/istio
    name: istiod-ca-cert
  - mountPath: /var/run/secrets/tokens
    name: istio-token
    readOnly: false
  - mountPath: /var/run/ingress_gateway
    name: ingressgatewaysdsudspath
  - mountPath: /etc/istio/pod
    name: podinfo
  - mountPath: /etc/istio/ingressgateway-certs
    name: ingressgateway-certs
    readOnly: false
  - mountPath: /etc/istio/ingressgateway-ca-certs
    name: ingressgateway-ca-certs
    readOnly: false
Other related configuration items are as follows:
securityContext:
  capabilities:
    drop:
      - ALL
  runAsGroup: 1337
  runAsNonRoot: true
  runAsUser: 1337
Can anyone offer some suggestions or help?
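As an added example (not part of this issue report and not istio's own code), the following Go diagnostic reproduces why `ioutil.ReadFile(s.jwtPath)` fails in the situation described above: a root-owned token file with mode `-rw-------` (0600) is read by a process running as uid/gid 1337 with all capabilities dropped, so only the "other" permission bits apply and the read is denied, while root bypasses the mode bits entirely. `CanRead` implements the standard Unix owner/group/other decision, and `Explain` stats a real path and reports the result for a given uid/gid. The file path, the 1337 uid/gid and the sample modes are assumptions chosen to match the post.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// CanRead applies the classic Unix permission decision for a read:
// uid 0 bypasses mode bits (it still holds CAP_DAC_OVERRIDE); otherwise
// the owner bits apply if the uid matches, else the group bits if the
// primary or a supplementary gid matches, else the "other" bits.
func CanRead(mode fs.FileMode, ownerUID, ownerGID, uid, gid uint32, groups []uint32) bool {
	if uid == 0 {
		return true
	}
	perm := mode.Perm()
	if uid == ownerUID {
		return perm&0o400 != 0
	}
	inGroup := gid == ownerGID
	for _, g := range groups {
		if g == ownerGID {
			inGroup = true
		}
	}
	if inGroup {
		return perm&0o040 != 0
	}
	return perm&0o004 != 0
}

// Explain stats path and reports whether a process with the given uid/gid
// (no supplementary groups, as with runAsUser/runAsGroup 1337) could read it.
func Explain(path string, uid, gid uint32) (string, bool, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return "", false, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return "", false, fmt.Errorf("no Stat_t available for %s", path)
	}
	readable := CanRead(fi.Mode(), st.Uid, st.Gid, uid, gid, nil)
	msg := fmt.Sprintf("%s mode=%s owner=%d:%d process=%d:%d readable=%v",
		path, fi.Mode().Perm(), st.Uid, st.Gid, uid, gid, readable)
	return msg, readable, nil
}

func main() {
	// Constructed sample: a 0600 token file standing in for
	// /var/run/secrets/tokens/istio-token (assumed path from the post).
	dir, err := os.MkdirTemp("", "istio-token-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	token := filepath.Join(dir, "istio-token")
	if err := os.WriteFile(token, []byte("constructed-jwt"), 0o600); err != nil {
		panic(err)
	}

	// The istiod case: uid/gid 1337 reading a file it does not own.
	msg, _, err := Explain(token, 1337, 1337)
	if err != nil {
		panic(err)
	}
	fmt.Println(msg)

	// Same file as seen by the current process (its owner), for contrast.
	msg, _, _ = Explain(token, uint32(os.Geteuid()), uint32(os.Getegid()))
	fmt.Println(msg)

	// What would make 1337 succeed: a group bit plus matching group ownership,
	// or a world-readable mode.
	fmt.Println("0640 owned by 0:1337 ->", CanRead(0o640, 0, 1337, 1337, 1337, nil))
	fmt.Println("0644 owned by 0:0    ->", CanRead(0o644, 0, 0, 1337, 1337, nil))
}
```

The check shows that `readOnly: false` on the volumeMount is irrelevant here: it controls whether the mount is writable, not who owns the files or which mode bits they carry, and a projected token is written by kubelet, not by the container. What decides the read is the file's owner/group and mode against uid 1337 with no capabilities; a mode that grants the group bit together with group ownership 1337 (for example via `securityContext.fsGroup`, which kubelet applies to projected volumes), or a world-readable mode, is what lets the non-root istiod read the token.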