Internal mesh communication is ignoring settings from the virtual service

0

I'm trying to inject an HTTP status 500 fault in the bookinfo example.

I managed to inject a 500 error status when the traffic is coming from the Gateway with:

apiVersion: networking.istio.io/v1alpha3

kind: VirtualService

metadata:

  name: bookinfo

  namespace: default

spec:

  gateways:

  - bookinfo-gateway

  hosts:

  - '*'

  http:

  - fault:

       abort:

          httpStatus: 500

          percent: 100

    match:

    - uri:

        prefix: /api/v1/products

    route:

    - destination:

        host: productpage

        port:

          number: 9080

Example:

$ curl $(minikube ip):30890/api/v1/products

fault filter abort

But, I fails to achieve this for traffic that is coming from other pods:

apiVersion: networking.istio.io/v1alpha3

kind: VirtualService

metadata:

  name: bookinfo

  namespace: default

spec:

  gateways:

  - mesh

  hosts:

  - productpage

  http:

  - fault:

       abort:

          httpStatus: 500

          percent: 100

    match:

    - uri:

        prefix: /api/v1/products

    route:

    - destination:

        host: productpage

        port:

          number: 9080

Example:

# jump into a random pod

$ kubectl exec -ti details-v1-dasa231 -- bash



root@details $ curl productpage:9080/api/v1/products

[{"descriptionHtml": ... <- actual product list, I expect a http 500

• I tried using the FQDN for the host productpage.svc.default.cluster.local but I get the same behavior.



• I checked the proxy status with istioctl proxy-status everything is synced.




• I tested if the istio-proxy is injected into the pods, it is:

Pods:

NAME                             READY   STATUS    RESTARTS   AGE

details-v1-6764bbc7f7-bm9zq      2/2     Running   0          4h

productpage-v1-54b8b9f55-72hfb   2/2     Running   0          4h

ratings-v1-7bc85949-cfpj2        2/2     Running   0          4h

reviews-v1-fdbf674bb-5sk5x       2/2     Running   0          4h

reviews-v2-5bdc5877d6-cb86k      2/2     Running   0          4h

reviews-v3-dd846cc78-lzb5t       2/2     Running   0          4h

I'm completely stuck and not sure what to check next. I feel like I am missing something very obvious.

I would really appreciate any help on this topic.

kubernetes istio

share|improve this question

edited Nov 20 '18 at 6:31

Rico

26.8k94865

asked Nov 19 '18 at 23:57

Igor ŠarčevićIgor Šarčević

2,04911014

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  you configure external and it works but have you configure something for internal communication? any networking policy? if yes could you provide it?
  
  – Nick Rak
  Nov 20 '18 at 16:41
  

  
  
  
  

add a comment | 

0

I'm trying to inject an HTTP status 500 fault in the bookinfo example.

I managed to inject a 500 error status when the traffic is coming from the Gateway with:

apiVersion: networking.istio.io/v1alpha3

kind: VirtualService

metadata:

  name: bookinfo

  namespace: default

spec:

  gateways:

  - bookinfo-gateway

  hosts:

  - '*'

  http:

  - fault:

       abort:

          httpStatus: 500

          percent: 100

    match:

    - uri:

        prefix: /api/v1/products

    route:

    - destination:

        host: productpage

        port:

          number: 9080

Example:

$ curl $(minikube ip):30890/api/v1/products

fault filter abort

But, I fails to achieve this for traffic that is coming from other pods:

apiVersion: networking.istio.io/v1alpha3

kind: VirtualService

metadata:

  name: bookinfo

  namespace: default

spec:

  gateways:

  - mesh

  hosts:

  - productpage

  http:

  - fault:

       abort:

          httpStatus: 500

          percent: 100

    match:

    - uri:

        prefix: /api/v1/products

    route:

    - destination:

        host: productpage

        port:

          number: 9080

Example:

# jump into a random pod

$ kubectl exec -ti details-v1-dasa231 -- bash



root@details $ curl productpage:9080/api/v1/products

[{"descriptionHtml": ... <- actual product list, I expect a http 500

• I tried using the FQDN for the host productpage.svc.default.cluster.local but I get the same behavior.



• I checked the proxy status with istioctl proxy-status everything is synced.




• I tested if the istio-proxy is injected into the pods, it is:

Pods:

NAME                             READY   STATUS    RESTARTS   AGE

details-v1-6764bbc7f7-bm9zq      2/2     Running   0          4h

productpage-v1-54b8b9f55-72hfb   2/2     Running   0          4h

ratings-v1-7bc85949-cfpj2        2/2     Running   0          4h

reviews-v1-fdbf674bb-5sk5x       2/2     Running   0          4h

reviews-v2-5bdc5877d6-cb86k      2/2     Running   0          4h

reviews-v3-dd846cc78-lzb5t       2/2     Running   0          4h

I'm completely stuck and not sure what to check next. I feel like I am missing something very obvious.

I would really appreciate any help on this topic.

kubernetes istio

share|improve this question

edited Nov 20 '18 at 6:31

Rico

26.8k94865

asked Nov 19 '18 at 23:57

Igor ŠarčevićIgor Šarčević

2,04911014

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  you configure external and it works but have you configure something for internal communication? any networking policy? if yes could you provide it?
  
  – Nick Rak
  Nov 20 '18 at 16:41
  

  
  
  
  

add a comment | 

0

0

0

I'm trying to inject an HTTP status 500 fault in the bookinfo example.

I managed to inject a 500 error status when the traffic is coming from the Gateway with:

apiVersion: networking.istio.io/v1alpha3

kind: VirtualService

metadata:

  name: bookinfo

  namespace: default

spec:

  gateways:

  - bookinfo-gateway

  hosts:

  - '*'

  http:

  - fault:

       abort:

          httpStatus: 500

          percent: 100

    match:

    - uri:

        prefix: /api/v1/products

    route:

    - destination:

        host: productpage

        port:

          number: 9080

Example:

$ curl $(minikube ip):30890/api/v1/products

fault filter abort

But, I fails to achieve this for traffic that is coming from other pods:

apiVersion: networking.istio.io/v1alpha3

kind: VirtualService

metadata:

  name: bookinfo

  namespace: default

spec:

  gateways:

  - mesh

  hosts:

  - productpage

  http:

  - fault:

       abort:

          httpStatus: 500

          percent: 100

    match:

    - uri:

        prefix: /api/v1/products

    route:

    - destination:

        host: productpage

        port:

          number: 9080

Example:

# jump into a random pod

$ kubectl exec -ti details-v1-dasa231 -- bash



root@details $ curl productpage:9080/api/v1/products

[{"descriptionHtml": ... <- actual product list, I expect a http 500

• I tried using the FQDN for the host productpage.svc.default.cluster.local but I get the same behavior.



• I checked the proxy status with istioctl proxy-status everything is synced.




• I tested if the istio-proxy is injected into the pods, it is:

Pods:

NAME                             READY   STATUS    RESTARTS   AGE

details-v1-6764bbc7f7-bm9zq      2/2     Running   0          4h

productpage-v1-54b8b9f55-72hfb   2/2     Running   0          4h

ratings-v1-7bc85949-cfpj2        2/2     Running   0          4h

reviews-v1-fdbf674bb-5sk5x       2/2     Running   0          4h

reviews-v2-5bdc5877d6-cb86k      2/2     Running   0          4h

reviews-v3-dd846cc78-lzb5t       2/2     Running   0          4h

I'm completely stuck and not sure what to check next. I feel like I am missing something very obvious.

I would really appreciate any help on this topic.

kubernetes istio

share|improve this question

edited Nov 20 '18 at 6:31

Rico

26.8k94865

asked Nov 19 '18 at 23:57

Igor ŠarčevićIgor Šarčević

2,04911014

I'm trying to inject an HTTP status 500 fault in the bookinfo example.

I managed to inject a 500 error status when the traffic is coming from the Gateway with:

apiVersion: networking.istio.io/v1alpha3

kind: VirtualService

metadata:

  name: bookinfo

  namespace: default

spec:

  gateways:

  - bookinfo-gateway

  hosts:

  - '*'

  http:

  - fault:

       abort:

          httpStatus: 500

          percent: 100

    match:

    - uri:

        prefix: /api/v1/products

    route:

    - destination:

        host: productpage

        port:

          number: 9080

Example:

$ curl $(minikube ip):30890/api/v1/products

fault filter abort

But, I fails to achieve this for traffic that is coming from other pods:

apiVersion: networking.istio.io/v1alpha3

kind: VirtualService

metadata:

  name: bookinfo

  namespace: default

spec:

  gateways:

  - mesh

  hosts:

  - productpage

  http:

  - fault:

       abort:

          httpStatus: 500

          percent: 100

    match:

    - uri:

        prefix: /api/v1/products

    route:

    - destination:

        host: productpage

        port:

          number: 9080

Example:

# jump into a random pod

$ kubectl exec -ti details-v1-dasa231 -- bash



root@details $ curl productpage:9080/api/v1/products

[{"descriptionHtml": ... <- actual product list, I expect a http 500

• I tried using the FQDN for the host productpage.svc.default.cluster.local but I get the same behavior.



• I checked the proxy status with istioctl proxy-status everything is synced.




• I tested if the istio-proxy is injected into the pods, it is:

Pods:

NAME                             READY   STATUS    RESTARTS   AGE

details-v1-6764bbc7f7-bm9zq      2/2     Running   0          4h

productpage-v1-54b8b9f55-72hfb   2/2     Running   0          4h

ratings-v1-7bc85949-cfpj2        2/2     Running   0          4h

reviews-v1-fdbf674bb-5sk5x       2/2     Running   0          4h

reviews-v2-5bdc5877d6-cb86k      2/2     Running   0          4h

reviews-v3-dd846cc78-lzb5t       2/2     Running   0          4h

I'm completely stuck and not sure what to check next. I feel like I am missing something very obvious.

I would really appreciate any help on this topic.

kubernetes istio

kubernetes istio

share|improve this question

edited Nov 20 '18 at 6:31

Rico

26.8k94865

asked Nov 19 '18 at 23:57

Igor ŠarčevićIgor Šarčević

2,04911014

share|improve this question

edited Nov 20 '18 at 6:31

Rico

26.8k94865

asked Nov 19 '18 at 23:57

Igor ŠarčevićIgor Šarčević

2,04911014

share|improve this question

share|improve this question

edited Nov 20 '18 at 6:31

Rico

26.8k94865

edited Nov 20 '18 at 6:31

Rico

26.8k94865

edited Nov 20 '18 at 6:31

Rico

26.8k94865

26.8k94865

asked Nov 19 '18 at 23:57

Igor ŠarčevićIgor Šarčević

2,04911014

asked Nov 19 '18 at 23:57

Igor ŠarčevićIgor Šarčević

2,04911014

asked Nov 19 '18 at 23:57

Igor ŠarčevićIgor Šarčević

2,04911014

2,04911014

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  you configure external and it works but have you configure something for internal communication? any networking policy? if yes could you provide it?
  
  – Nick Rak
  Nov 20 '18 at 16:41
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  you configure external and it works but have you configure something for internal communication? any networking policy? if yes could you provide it?
  
  – Nick Rak
  Nov 20 '18 at 16:41
  

  
  
  
  

you configure external and it works but have you configure something for internal communication? any networking policy? if yes could you provide it?

– Nick Rak
Nov 20 '18 at 16:41

you configure external and it works but have you configure something for internal communication? any networking policy? if yes could you provide it?

– Nick Rak
Nov 20 '18 at 16:41

add a comment | 

2 Answers
2

active

oldest

votes

1

The root cause of my issues were an improperly set up includeIPRanges in my minicloud cluster. I set up the 10.0.0.1/24 CIDR, but some services were listening on 10.35.x.x.

share|improve this answer

answered Nov 23 '18 at 1:23

Igor ŠarčevićIgor Šarčević

2,04911014

add a comment | 

0

This should work, and does when I tried. My guess is that you have other conflicting route rules for the productpage service defined.

share|improve this answer

answered Nov 20 '18 at 19:16

Frank BFrank B

41527

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

Thanks for contributing an answer to Stack Overflow!

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53384343%2finternal-mesh-communication-is-ignoring-settings-from-the-virtual-service%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

1

The root cause of my issues were an improperly set up includeIPRanges in my minicloud cluster. I set up the 10.0.0.1/24 CIDR, but some services were listening on 10.35.x.x.

share|improve this answer

answered Nov 23 '18 at 1:23

Igor ŠarčevićIgor Šarčević

2,04911014

add a comment | 

1

The root cause of my issues were an improperly set up includeIPRanges in my minicloud cluster. I set up the 10.0.0.1/24 CIDR, but some services were listening on 10.35.x.x.

share|improve this answer

answered Nov 23 '18 at 1:23

Igor ŠarčevićIgor Šarčević

2,04911014

add a comment | 

1

1

1

The root cause of my issues were an improperly set up includeIPRanges in my minicloud cluster. I set up the 10.0.0.1/24 CIDR, but some services were listening on 10.35.x.x.

share|improve this answer

answered Nov 23 '18 at 1:23

Igor ŠarčevićIgor Šarčević

2,04911014

The root cause of my issues were an improperly set up includeIPRanges in my minicloud cluster. I set up the 10.0.0.1/24 CIDR, but some services were listening on 10.35.x.x.

share|improve this answer

answered Nov 23 '18 at 1:23

Igor ŠarčevićIgor Šarčević

2,04911014

share|improve this answer

share|improve this answer

answered Nov 23 '18 at 1:23

Igor ŠarčevićIgor Šarčević

2,04911014

answered Nov 23 '18 at 1:23

Igor ŠarčevićIgor Šarčević

2,04911014

answered Nov 23 '18 at 1:23

Igor ŠarčevićIgor Šarčević

2,04911014

2,04911014

add a comment | 

add a comment | 

0

This should work, and does when I tried. My guess is that you have other conflicting route rules for the productpage service defined.

share|improve this answer

answered Nov 20 '18 at 19:16

Frank BFrank B

41527

add a comment | 

0

This should work, and does when I tried. My guess is that you have other conflicting route rules for the productpage service defined.

share|improve this answer

answered Nov 20 '18 at 19:16

Frank BFrank B

41527

add a comment | 

0

0

0

This should work, and does when I tried. My guess is that you have other conflicting route rules for the productpage service defined.

share|improve this answer

answered Nov 20 '18 at 19:16

Frank BFrank B

41527

This should work, and does when I tried. My guess is that you have other conflicting route rules for the productpage service defined.

share|improve this answer

answered Nov 20 '18 at 19:16

Frank BFrank B

41527

share|improve this answer

share|improve this answer

answered Nov 20 '18 at 19:16

Frank BFrank B

41527

answered Nov 20 '18 at 19:16

Frank BFrank B

41527

answered Nov 20 '18 at 19:16

Frank BFrank B

41527

41527

add a comment | 

add a comment | 

Thanks for contributing an answer to Stack Overflow!

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Thanks for contributing an answer to Stack Overflow!

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53384343%2finternal-mesh-communication-is-ignoring-settings-from-the-virtual-service%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

Name

Name

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

Name

Name

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

This page is only for reference, If you need detailed information, please check here