Issue trying ambient mode on an ipv4-only k8s cluster #1131

Closed
@aek-dsk

Description

Is this the right place to submit this?

  • This is not a security vulnerability or a crashing bug
  • This is not a question about how to use Istio

Bug Description

Trying ambient mode on the k8s cluster with ipv4 only results in a failing installation via Helm of ztunnel pods (crashing) producing the following error in the logs:

2024-06-04T10:35:38.591582Z info ztunnel version: version.BuildInfo{Version:"909bf991d01edc4db51265bc633acfe303555ef5", GitRevision:"909bf991d01edc4db51265bc633acfe303555ef5", RustVersion:"1.77.2", BuildProfile:"release", BuildStatus:"Clean", GitTag:"1.22.0-beta.1-6-g909bf99", IstioVersion:"unknown"}
2024-06-04T10:35:38.591778Z info ztunnel running with config: proxy: true
dnsProxy: false
windowSize: 4194304
connectionWindowSize: 4194304
frameSize: 1048576
poolMaxStreamsPerConn: 100
poolUnusedReleaseTimeout:
  secs: 300
  nanos: 0
socks5Addr: null
adminAddr: 127.0.0.1:15000
statsAddr: '[::]:15020'
readinessAddr: '[::]:15021'
inboundAddr: '[::]:15008'
inboundPlaintextAddr: '[::]:15006'
outboundAddr: '[::]:15001'
dnsProxyAddr: 127.0.0.1:15053
network: ''
localNode: f74ac986-14da-431f-91b0-9bd7f0fdb6e8
proxyMode: Shared
localIp: 11.32.10.9
clusterId: Kubernetes
clusterDomain: cluster.local
caAddress: https://istiod.ccp-istio-system.svc:15012
caRootCert: !File ./var/run/secrets/istio/root-cert.pem
xdsAddress: https://istiod.ccp-istio-system.svc:15012
xdsRootCert: !File ./var/run/secrets/istio/root-cert.pem
secretTtl:
  secs: 86400
  nanos: 0
xdsOnDemand: false
fakeCa: false
selfTerminationDeadline:
  secs: 5
  nanos: 0
proxyMetadata:
  DNS_AUTO_ALLOCATE: 'false'
  ISTIO_VERSION: 1.22.0
  CLUSTER_ID: Kubernetes
  DNS_CAPTURE: 'false'
  ENABLE_HBONE: 'true'
  DNS_PROXY_ADDR: 127.0.0.1:15053
numWorkerThreads: 2
enableOriginalSource: null
proxyArgs: proxy ztunnel
dnsResolverCfg:
  domain: null
  search:
  - ccp-istio-system.svc.cluster.local
  - svc.cluster.local
  - cluster.local
  name_servers:
  - socket_addr: 10.100.192.2:53
    protocol: udp
    tls_dns_name: null
    trust_negative_responses: false
    bind_addr: null
  - socket_addr: 10.100.192.2:53
    protocol: tcp
    tls_dns_name: null
    trust_negative_responses: false
    bind_addr: null
dnsResolverOpts:
  ndots: 5
  timeout:
    secs: 5
    nanos: 0
  attempts: 2
  rotate: false
  check_names: true
  edns0: false
  validate: false
  ip_strategy: Ipv4thenIpv6
  cache_size: 32
  use_hosts_file: true
Error: readiness server starts

Caused by:
Address family not supported by protocol (os error 97)
  positive_min_ttl: null
  negative_min_ttl: null
  positive_max_ttl: null
  negative_max_ttl: null
  num_concurrent_reqs: 2
  preserve_intermediates: true
  try_tcp_on_error: false
  server_ordering_strategy: QueryStatistics
  recursion_desired: true
  authentic_data: false
  shuffle_dns_servers: false
inpodEnabled: true
inpodUds: /var/run/ztunnel/ztunnel.sock
inpodPortReuse: true
inpodMark: 1337

2024-06-04T10:35:38.592025Z debug rustls::webpki::anchors add_parsable_certificates processed 1 valid and 0 invalid certs
2024-06-04T10:35:38.594727Z info readiness Task 'proxy' complete (3.528422ms), still awaiting 1 tasks
2024-06-04T10:35:38.594744Z info readiness Task 'state manager' complete (3.547623ms), marking server ready

Expected behavior:
Successful installation of the istio ambient mode.

Happy to provide additional information if needed.

Version

~$ istioctl version --istioNamespace=ccp-istio-system
2024-06-11T13:08:32.158200Z	error	klog	an error occurred forwarding 53952 -> 15014: error forwarding port 15014 to pod 0ae2ab77ab30cfa4ae893f2a017df61d7e66a43671d17381430a64820cfa5405, uid : network namespace for sandbox "0ae2ab77ab30cfa4ae893f2a017df61d7e66a43671d17381430a64820cfa5405" is closed
2024-06-11T13:08:32.158624Z	error	port forward failed: lost connection to pod
2 errors occurred:
	* error port-forwarding into ccp-istio-system.istiod-78fb865f7-6rcws: failure running port forward process: Get "http://localhost:53952//version": EOF
	* failure running port forward process: Get "http://localhost:53952//version": EOF


2024-06-11T13:08:32.306583Z	error	klog	an error occurred forwarding 53957 -> 15014: error forwarding port 15014 to pod 0ae2ab77ab30cfa4ae893f2a017df61d7e66a43671d17381430a64820cfa5405, uid : network namespace for sandbox "0ae2ab77ab30cfa4ae893f2a017df61d7e66a43671d17381430a64820cfa5405" is closed
2024-06-11T13:08:32.308146Z	error	port forward failed: lost connection to pod
1.22.0

without using "distroless" version:

~$ istioctl version --istioNamespace=ccp-istio-system
client version: 1.22.0
control plane version: 1.22.0
data plane version: 1.22.0 (65 proxies)

~$ kubectl version
Client Version: v1.29.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.25.16+vmware.1
WARNING: version difference between client (1.29) and server (1.25) exceeds the supported minor version skew of +/-1

Additional Information

No response
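
The config dump in this report lists the readiness listener on `'[::]:15021'`, and the startup error is os error 97 (`EAFNOSUPPORT` on Linux). The following Rust sketch is an added illustration, not ztunnel's code and not part of the original report: it shows a listener setup that falls back to the IPv4 wildcard only for that specific error. The names `bind_with_fallback` and `ipv4_only_node` are hypothetical, and the IPv4-only node is simulated so the example runs on any host.

```rust
use std::io;
use std::net::{Ipv4Addr, Ipv6Addr, SocketAddr, TcpListener};

/// Linux errno for "Address family not supported by protocol" (os error 97 in the log).
const EAFNOSUPPORT: i32 = 97;

/// True when a bind error means the kernel has no IPv6 socket support.
fn is_no_ipv6(err: &io::Error) -> bool {
    err.raw_os_error() == Some(EAFNOSUPPORT)
}

/// Try the IPv6 wildcard first, then 0.0.0.0 if and only if IPv6 is unsupported.
/// Any other failure (port in use, permission denied) is returned unchanged so a
/// real misconfiguration is never hidden behind the fallback.
/// `bind` is injected so the logic can be exercised without real sockets.
fn bind_with_fallback<T>(
    port: u16,
    bind: impl Fn(SocketAddr) -> io::Result<T>,
) -> io::Result<(SocketAddr, T)> {
    let v6 = SocketAddr::from((Ipv6Addr::UNSPECIFIED, port));
    match bind(v6) {
        Ok(listener) => Ok((v6, listener)),
        Err(e) if is_no_ipv6(&e) => {
            let v4 = SocketAddr::from((Ipv4Addr::UNSPECIFIED, port));
            bind(v4).map(|listener| (v4, listener))
        }
        Err(e) => Err(e),
    }
}

/// Constructed stand-in for an IPv4-only kernel: every IPv6 bind fails with errno 97.
fn ipv4_only_node(addr: SocketAddr) -> io::Result<SocketAddr> {
    if addr.is_ipv6() {
        Err(io::Error::from_raw_os_error(EAFNOSUPPORT))
    } else {
        Ok(addr)
    }
}

fn main() {
    // Simulated node matching the report: the '[::]:15021' bind is rejected.
    let (addr, _) = bind_with_fallback(15021, ipv4_only_node).expect("fallback bind");
    println!("simulated IPv4-only node: readiness listener on {addr}");

    // Real sockets on this host, using an ephemeral port.
    match bind_with_fallback(0, |a| TcpListener::bind(a)) {
        Ok((addr, _listener)) => println!("this host: bound wildcard {addr}"),
        Err(e) => println!("this host: bind failed: {e}"),
    }
}
```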

Labels: help wanted