Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


kubernetes - Admission review request fails when switching webhook service to ipFamily=IPv6 in dual-stack cluster

I have been trying to make the Istio control plane deploy as an IPv6 service in my v1.18.2 k8s dual-stack cluster. Istio currently does not support this, but as far as I can tell there is no reason why it should not work.

As part of the application startup, istiod tries to test the validating webhook by dry-run creating an invalid resource and expecting a callback from an apiserver, which it would then reject. Unfortunately, the moment that I add the ipFamily: IPv6 field to the istiod service spec, the validating webhook starts failing, or rather timing out, and no callback is received by the application.

I have made sure that the istiod /validate endpoint is reachable from other pods in both the IPv4 and IPv6 cases. It appears that only the apiservers are unable(?) to connect to the webhook service when it is IPv6.

The apiserver logs repeat the following lines in that case, as istiod continues trying to create the invalid CR:

$ k logs -n kube-system -lcomponent=kube-apiserver -f
I0122 14:47:28.493919       1 trace.go:116] Trace[1294786590]: "Call validating webhook" configuration:istiod-istio-system,webhook:validation.istio.io,resource:networking.istio.io/v1alpha3, Resource=gateways,subresource:,operation:CREATE,UID:47fc868c-ba8f-4c11-838e-d6fa805f0bad (started: 2021-01-22 14:46:58.492968374 +0000 UTC m=+254615.394818866) (total time: 30.000780641s):
Trace[1294786590]: [30.000780641s] [30.000780641s] END
W0122 14:47:28.494133       1 dispatcher.go:128] Failed calling webhook, failing open validation.istio.io: failed calling webhook "validation.istio.io": Post https://istiod.istio-system.svc:443/validate?timeout=30s: context deadline exceeded
E0122 14:47:28.494271       1 dispatcher.go:129] failed calling webhook "validation.istio.io": Post https://istiod.istio-system.svc:443/validate?timeout=30s: context deadline exceeded
I0122 14:47:28.514005       1 trace.go:116] Trace[1064104022]: "Create" url:/apis/networking.istio.io/v1alpha3/namespaces/istio-system/gateways,user-agent:pilot-discovery/v0.0.0 (linux/amd64) kubernetes/$Format,client:10.117.142.10 (started: 2021-01-22 14:46:58.48938819 +0000 UTC m=+254615.391238690) (total time: 30.024481551s):
Trace[1064104022]: [30.023708536s] [30.022993263s] Object stored in database

Can anyone think of reasons why the admissionReview requests might time out when the webhook service is run as IPv6?

Edit: Are admissionReview requests sent from the apiserver pods directly? I just found that, at least in my cluster, the apiserver pods do NOT have both an IPv4 AND IPv6 address. That would of course make sending IPv6 requests problematic.

All pods that I deploy usually get an address of either IP family. Is it expected to be different for apiserver, or am I looking at a possible/probable misconfiguration?

$ k get pods -n kube-system -lcomponent=kube-apiserver -o jsonpath={.items[*].status.podIPs}
[{"ip":"10.117.142.5"}] [{"ip":"10.117.142.6"}] [{"ip":"10.117.142.7"}]
Question from: https://stackoverflow.com/questions/65849811/admission-review-request-fails-when-switching-webhook-service-to-ipfamily-ipv6-i
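
The address-family check raised in the Edit above, as an added example (not part of the original question, and not Istio or Kubernetes code): it parses `.status.podIPs` output in the shape shown and lists which caller pods have no address in the webhook Service's IP family. The Service ClusterIP values and the function names are constructed for illustration, and the check covers source-address family only, not routing or network policy.

```python
import ipaddress
import json

# Constructed sample in the shape of the jsonpath output shown in the question:
# one JSON array per apiserver pod, separated by spaces.
APISERVER_POD_IPS = (
    '[{"ip":"10.117.142.5"}] [{"ip":"10.117.142.6"}] [{"ip":"10.117.142.7"}]'
)


def parse_pod_ips(jsonpath_output):
    """Split concatenated JSON arrays into one list of addresses per pod."""
    decoder = json.JSONDecoder()
    text = jsonpath_output.strip()
    pods, pos = [], 0
    while pos < len(text):
        # raw_decode does not skip whitespace, so we advance past it ourselves.
        entries, pos = decoder.raw_decode(text, pos)
        pods.append([ipaddress.ip_address(e["ip"]) for e in entries])
        while pos < len(text) and text[pos].isspace():
            pos += 1
    return pods


def unreachable_callers(pod_ips, service_cluster_ip):
    """Return indexes of pods that have no address in the Service's IP family."""
    svc_version = ipaddress.ip_address(service_cluster_ip).version
    return [
        index
        for index, addrs in enumerate(pod_ips)
        if svc_version not in {addr.version for addr in addrs}
    ]


if __name__ == "__main__":
    pods = parse_pod_ips(APISERVER_POD_IPS)
    # Hypothetical ClusterIPs for the webhook Service under each ipFamily.
    for cluster_ip in ("10.96.14.20", "fd00:10:96::1a2b"):
        missing = unreachable_callers(pods, cluster_ip)
        print(f"service {cluster_ip}: pods lacking that family -> {missing}")
```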


1 Reply

Waiting for answers
