Empty reply from server: in OpenShift 4.9 ServiceMesh v2.1.0 Istio Sidecar Proxy curling to frontend container in the same pod

Problem description

istio-proxy container log

[2021-11-12T22:22:17.663Z] "- - -" 0 - - rbac_access_denied_matched_policy[none] "-" 109 0 0 - "-" "-" "-" "-" "127.0.0.1:8080" inbound|8080|| 127.0.0.1:34840 10.129.2.236:8080 10.129.2.236:55638 - -

$ oc exec $(oc get po -l app=frontend -oname -n ns) -n ns -c istio-proxy -- curl -k -L -v http://frontend-container-host-name:8080
* Rebuilt URL to: http://frontend-container-host-name:8080/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.131.2.97...
* TCP_NODELAY set
* Connected to frontend-container-host-name (10.131.2.97) port 8080 (#0)
> GET / HTTP/1.1
> Host: frontend-container-host-name:8080
> User-Agent: curl/7.61.1
> Accept: */*
>
* Empty reply from server
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host frontend-container-host-name left intact
curl: (52) Empty reply from server
command terminated with exit code 52

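When curling from the istio-proxy sidecar to the frontend application in the same pod, the result is empty. When curling directly in the frontend container, the result is as expected (HTML result).

What is missing in the Istio gateway definition or elsewhere?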

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-ingress-internal-dev
  namespace: istio-ingress-internal
spec:
  selector:
    app: istio-ingress-internal # refers to label on top-level gateway definition in service mesh control plane
  servers:
    - port:
        number: 80
        name: frontend
        protocol: HTTP
      hosts:
        - '*'
      tls:
        httpsRedirect: true 
    - port:
        number: 443
        name: https-frontend
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: credential
      hosts:
        - '*'
---

A missing authorization policy? (rbac_access_denied_matched_policy)

Thanks for any hints. Michael

Tags: curl, openshift, istio, servicemesh, sidecar
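An added example, not part of the original question and not code from Istio or OpenShift: a small triage script that scans istio-proxy access log lines for RBAC denials and reports which policy rule, if any, produced them. The first sample line is the one from the question with ASCII quotes restored; the other two lines, the function name `rbac_denials` and the policy name `deny-all` are constructed for illustration.

```python
import re

# Constructed sample input. Line 1 is the log line from the question;
# lines 2 and 3 are made up to contrast an HTTP-level denial and a success.
SAMPLE_LOG = '''\
[2021-11-12T22:22:17.663Z] "- - -" 0 - - rbac_access_denied_matched_policy[none] "-" 109 0 0 - "-" "-" "-" "-" "127.0.0.1:8080" inbound|8080|| 127.0.0.1:34840 10.129.2.236:8080 10.129.2.236:55638 - -
[2021-11-12T22:23:01.120Z] "GET / HTTP/1.1" 403 - rbac_access_denied_matched_policy[ns[ns]-policy[deny-all]-rule[0]] - "-" 0 19 0 - "-" "curl/7.61.1" "-" "frontend:8080" "-" inbound|8080|| - 10.129.2.236:8080 10.129.2.240:41002 - -
[2021-11-12T22:23:05.004Z] "GET / HTTP/1.1" 200 - via_upstream - "-" 0 512 3 2 "-" "curl/7.61.1" "-" "frontend:8080" "127.0.0.1:8080" inbound|8080|| 127.0.0.1:34900 10.129.2.236:8080 10.129.2.240:41010 - -
'''

# Timestamp, request method and response code at the start of the line.
HEAD_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) [^"]*" (?P<code>\d+) ')
# Greedy \S* then backtracks to the final "]" so nested brackets stay intact.
DENY_RE = re.compile(r'rbac_access_denied_matched_policy\[(?P<policy>\S*)\]')
# Envoy cluster name, e.g. inbound|8080||
CLUSTER_RE = re.compile(r'\b(?P<direction>inbound|outbound)\|(?P<port>\d+)\|')


def rbac_denials(log_text):
    """Return one dict per access-log line that records an RBAC denial."""
    findings = []
    for line in log_text.splitlines():
        head, deny = HEAD_RE.match(line), DENY_RE.search(line)
        if not (head and deny):
            continue  # not an access-log line, or not an RBAC denial
        cluster = CLUSTER_RE.search(line)
        policy = deny["policy"]
        findings.append({
            "time": head["ts"],
            # Method "-" means no HTTP request was parsed: the connection was
            # rejected at TCP level, which a client sees as an empty reply.
            "layer": "tcp" if head["method"] == "-" else "http",
            "code": int(head["code"]),
            "policy": policy,
            "direction": cluster["direction"] if cluster else None,
            "port": int(cluster["port"]) if cluster else None,
            # "[none]" means no rule matched, i.e. ALLOW policies apply to the
            # workload but none of them covers this connection.
            "reason": ("no ALLOW rule matched this connection"
                       if policy == "none" else f"matched rule {policy}"),
        })
    return findings


if __name__ == "__main__":
    for finding in rbac_denials(SAMPLE_LOG):
        print(finding)
```
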

Solution

