InvalidExternalControlPlaneConfig

3 分鐘閱讀

訊息名稱	InvalidExternalControlPlaneConfig
訊息代碼	IST0163
描述	外部控制平面上入口閘道的位址無效
層級	警告

當外部控制平面上入口閘道提供的位址無效時，會發生此訊息。位址可能因為幾個原因而無效，包括：主機名稱位址格式錯誤、主機名稱無法透過 DNS 查詢解析為 IP 位址，或主機名稱解析為零個 IP 位址。

範例

您將收到此訊息

Warning [IST0163] (MutatingWebhookConfiguration istio-sidecar-injector-external-istiod testing.yml:28) The hostname () that was provided for the webhook (rev.namespace.sidecar-injector.istio.io) to reach the ingress gateway on the external control plane cluster is blank. Traffic may not flow properly.
Warning [IST0163] (ValidatingWebhookConfiguration istio-validator-external-istiod testing.yml:1) The hostname () that was provided for the webhook (rev.validation.istio.io) to reach the ingress gateway on the external control plane cluster is blank. Traffic may not flow properly.

當您的叢集具有以下遺失 webhook URL 的 ValidatingWebhookConfiguration 和 MutatingWebhookConfiguration（為清楚起見縮短）時

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: istio-validator-external-istiod
webhooks:
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    url:
  name: rev.validation.istio.io

---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: istiod-default-validator
webhooks:
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    url: https://test.com:15017/validate
  failurePolicy: Ignore
  name: validation.istio.io

---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: istio-sidecar-injector-external-istiod
webhooks:
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    url:
  failurePolicy: Fail
  name: rev.namespace.sidecar-injector.istio.io
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    url: https://test.com/inject/cluster/your-cluster-name/net/network1
  failurePolicy: Fail
  name: rev.object.sidecar-injector.istio.io
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    url: https://test.com/inject/cluster/your-cluster-name/net/network1
  failurePolicy: Fail
  name: namespace.sidecar-injector.istio.io
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    url: https://test.com/inject/cluster/your-cluster-name/net/network1
  failurePolicy: Fail
  name: object.sidecar-injector.istio.io

您將收到此訊息

Warning [IST0163] (ValidatingWebhookConfiguration istio-validator-external-istiod testing.yml:1) The hostname (https://thisisnotarealdomainname.com:15017/validate) that was provided for the webhook (rev.validation.istio.io) to reach the ingress gateway on the external control plane cluster cannot be resolved via a DNS lookup. Traffic may not flow properly.

當您的叢集具有以下 ValidatingWebhookConfiguration 和 MutatingWebhookConfiguration（為清楚起見縮短），而這些設定正在使用無法在 DNS 查詢期間解析的主機名稱時

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: istio-validator-external-istiod
webhooks:
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    url: https://thisisnotarealdomainname.com:15017/validate
  name: rev.validation.istio.io

---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: istiod-default-validator
webhooks:
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    url: https://test.com:15017/validate
  failurePolicy: Ignore
  name: validation.istio.io

---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: istio-sidecar-injector-external-istiod
webhooks:
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    url: https://test.com/inject/cluster/your-cluster-name/net/network1
  failurePolicy: Fail
  name: rev.namespace.sidecar-injector.istio.io
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    url: https://test.com/inject/cluster/your-cluster-name/net/network1
  failurePolicy: Fail
  name: rev.object.sidecar-injector.istio.io
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    url: https://test.com/inject/cluster/your-cluster-name/net/network1
  failurePolicy: Fail
  name: namespace.sidecar-injector.istio.io
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    url: https://test.com/inject/cluster/your-cluster-name/net/network1
  failurePolicy: Fail
  name: object.sidecar-injector.istio.io

如何解決

有多種方法可以解決這些無效的設定，具體取決於設定無效的原因。

如果您的 Webhook 設定中沒有定義任何 URL，新增使用主機名稱的有效 URL 將可解決此警告訊息。相關操作說明請參閱此處。

如果您的主機名稱無法透過 DNS 查詢解析為 IP 位址，您可以嘗試在您的本機電腦上執行 dig <您的主機名稱> 來查看是否發生 DNS 解析。如果您的本機電腦可以透過 DNS 查詢解析主機名稱，您的叢集可能無法解析。任何阻擋 DNS 流量的安全規則都可能導致解析失敗。新的 DNS 記錄可能需要長達 72 小時才能在網路上傳播，具體時間取決於您的 DNS 提供商和特定設定。

如果您的主機名稱解析為零個 IP 位址，請檢查 Webhook URL 是否使用正確的主機名稱，以及您的 DNS 提供商是否正確地為您的主機名稱至少設定了一個 IP 位址以進行解析。