Fatal编程技术网
  • kubernetes/
  • Kubernetes 如何在linkerd中禁用MTL?

Kubernetes 如何在linkerd中禁用MTL?

kubernetes

Kubernetes 如何在linkerd中禁用MTL?,kubernetes,linkerd,Kubernetes,Linkerd,我坐在一个只允许https流量的公司防火墙后面,它可以通过MITM证书拦截https流量。不幸的是,Linkedr和大多数其他服务网格在所有pod代理通信之间都启用了MTL。我如何禁用MTL,使LinkedPod不会在我的网络中被阻止 我试过的 有趣的是,使用以下命令收集Linkedr指标是可行的: linkerd metrics -n linkerd $( kubectl --namespace linkerd get pod \ --selector linkerd.io/con

我坐在一个只允许https流量的公司防火墙后面,它可以通过MITM证书拦截https流量。不幸的是,Linkedr和大多数其他服务网格在所有pod代理通信之间都启用了MTL。我如何禁用MTL,使LinkedPod不会在我的网络中被阻止

我试过的 有趣的是,使用以下命令收集Linkedr指标是可行的:

linkerd metrics -n linkerd $(
  kubectl --namespace linkerd get pod \
    --selector linkerd.io/control-plane-component=controller \
    --output name
)
日志 Linkerd仍在使用这些日志在Linkerd命名空间中部署tap

$ kubectl logs -n linkerd linkerd-tap-6c845f67cd-wzzp4 tap
time="2020-09-18T17:14:28Z" level=info msg="running version stable-2.8.1"
time="2020-09-18T17:14:28Z" level=info msg="Using trust domain: cluster.local"
time="2020-09-18T17:14:28Z" level=info msg="waiting for caches to sync"
time="2020-09-18T17:14:28Z" level=info msg="caches synced"
time="2020-09-18T17:14:28Z" level=info msg="starting admin server on :9998"
time="2020-09-18T17:14:28Z" level=info msg="starting APIServer on :8089"
2020/09/18 17:14:51 http: TLS handshake error from 127.0.0.1:58856: EOF
2020/09/18 17:14:51 http: TLS handshake error from 127.0.0.1:58860: EOF
2020/09/18 17:14:51 http: TLS handshake error from 127.0.0.1:58858: EOF
2020/09/18 17:14:51 http: TLS handshake error from 127.0.0.1:58864: EOF
2020/09/18 17:14:51 http: TLS handshake error from 127.0.0.1:58862: EOF
此外,我在kubeapi服务器上得到以下错误

controller.go:114] loading OpenAPI spec for "v1alpha1.tap.linkerd.io" failed with: failed to retrieve openAPI spec, http error: ResponseCode: 503, Body: Error trying to reach service: 'dial tcp 10.108.135.128:443: i/o timeout', Header: map[Content-Type:[text/plain; charset=utf-8] X-Content-Type-Options:[nosniff]]
更奇怪的是,我的Linkedr检查显示一切正常:

# linkerd check
kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API

kubernetes-version
------------------
√ is running the minimum Kubernetes API version
√ is running the minimum kubectl version

linkerd-existence
-----------------
√ 'linkerd-config' config map exists
√ heartbeat ServiceAccount exist
√ control plane replica sets are ready
√ no unschedulable pods
√ controller pod is running
√ can initialize the client
√ can query the control plane API

linkerd-config
--------------
√ control plane Namespace exists
√ control plane ClusterRoles exist
√ control plane ClusterRoleBindings exist
√ control plane ServiceAccounts exist
√ control plane CustomResourceDefinitions exist
√ control plane MutatingWebhookConfigurations exist
√ control plane ValidatingWebhookConfigurations exist
√ control plane PodSecurityPolicies exist

linkerd-identity
----------------
√ certificate config is valid
√ trust anchors are using supported crypto algorithm
√ trust anchors are within their validity period
√ trust anchors are valid for at least 60 days
√ issuer cert is using supported crypto algorithm
√ issuer cert is within its validity period
√ issuer cert is valid for at least 60 days
√ issuer cert is issued by the trust anchor

linkerd-api
-----------
√ control plane pods are ready
√ control plane self-check
√ [kubernetes] control plane can talk to Kubernetes
√ [prometheus] control plane can talk to Prometheus
√ tap api service is running

linkerd-version
---------------
√ can determine the latest version
√ cli is up-to-date

control-plane-version
---------------------
√ control plane is up-to-date
√ control plane and cli versions match

linkerd-addons
--------------
√ 'linkerd-config-addons' config map exists

linkerd-grafana
---------------
√ grafana add-on service account exists
√ grafana add-on config map exists
√ grafana pod is running

Status check results are √
我还向一个正常工作的集群添加了一个taefik入口规则,无法访问仪表板:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: web-ingress-auth
  namespace: linkerd
data:
  auth: private value...
  # generated with htpassword
  # then base 64 encoded
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: linkerd
  annotations:
    kubernetes.io/ingress.class: 'traefik'
    ingress.kubernetes.io/custom-request-headers: l5d-dst-override:linkerd-web.linkerd.svc.cluster.local:8084
    traefik.ingress.kubernetes.io/auth-type: basic
    traefik.ingress.kubernetes.io/auth-secret: web-ingress-auth
spec:
  rules:
    - host: linkerd-dashboard.private.com
      http:
        paths:
          - backend:
              serviceName: linkerd-web
              servicePort: 8084
虽然它看起来应该是有效的:

$ kubectl get ing -n linkerd
NAME          CLASS    HOSTS                                ADDRESS         PORTS   AGE
web-ingress   <none>   linkerd-dashboard.private.com        x.x.x.x   80      42m

$kubectl获得ing-n链接
名称类主机地址端口年龄
web ingress linkerd-dashboard.private.com x.x.x 80 42m
很高兴听到你把事情解决了@mikeLundquist

为了回答最初的问题,您在安装时指定了以下标志,从而禁用了MTL:

--禁用标识

--禁用轻触

对于helm用户,您可以将
disableIdentity:true
disableTap:true
添加到
代理下的LinkederHelm图表中
对我来说,我的问题是一个行为不当的节点,而不是MTL

$ kubectl get ing -n linkerd
NAME          CLASS    HOSTS                                ADDRESS         PORTS   AGE
web-ingress   <none>   linkerd-dashboard.private.com        x.x.x.x   80      42m