
Bug: Bookinfo pods in crashloop when istio mtls is enabled #331

Open
2 tasks done
bharath-avesha opened this issue Feb 2, 2024 · 5 comments
Assignees
Labels
bug Something isn't working

Comments

@bharath-avesha
Contributor

📜 Description

Application pods in the bookinfo namespace connected to a slice go into a crashloop when using istio mtls peer authentication in STRICT mode.

👟 Reproduction steps

  1. Create a slice and add the bookinfo namespace to the applicationNamespace list in the slice configuration.
  2. Deploy the bookinfo app on the worker cluster.
  3. Enable istio peer authentication with STRICT mode. For example:

       apiVersion: security.istio.io/v1beta1
       kind: PeerAuthentication
       metadata:
         name: tls-policy
         namespace: bookinfo
       spec:
         mtls:
           mode: STRICT

  4. Deploy the bookinfo app in the bookinfo namespace. You will observe the app pods going into a crash loop.

👍 Expected behavior

The app pods should not crash.

👎 Actual Behavior

The app pods go into a crash loop.

🐚 Relevant log output

No response

Version

No response

🖥️ What operating system are you seeing the problem on?

No response

✅ Proposed Solution

No response

👀 Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find any similar issue

Code of Conduct

  • I agree to follow this project's Code of Conduct
@kon3m
Contributor

kon3m commented Mar 13, 2024

Can I work on this? Please assign it to me if no one is working on it.

@narmidm
Member

narmidm commented Mar 19, 2024

Sure @kon3m. Will assign it to you.

@narmidm narmidm assigned kon3m and unassigned bharath-avesha Mar 19, 2024
@kon3m
Contributor

kon3m commented Mar 26, 2024

I followed the above steps but unfortunately was not able to reproduce the issue using KinD. Is this issue reproducible in KinD, @bharath-avesha?

@bharath-avesha
Contributor Author

@kon3m can you please check if the nsm init and sidecar containers were injected into the pods in the bookinfo namespace? Those containers have to talk to the nsmgr control plane over tcp on port 5000. If the peer authentication is STRICT, istio sidecar in the bookinfo pod will try to enforce mtls on port 5000 and that will cause a failure because there is no istio sidecar in the nsmgr pods.
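
The reproduction steps in the issue body and the check requested in the comment above (were the nsm init and sidecar containers injected, and is anything restarting?) can be answered from a single `kubectl get pod -n bookinfo -o json` dump. The script below is an added triage example, not code from the kubeslice project or from anyone in this thread. It assumes the standard Istio sidecar container name `istio-proxy`; the NSM container names are an assumption too, since only `cmd-nsc-init` is named in the thread, so NSM containers are matched by the substrings `nsc`/`nsm`. The sample PodList embedded in it is constructed, not captured from a cluster.

```python
"""Triage helper for the failure mode discussed in this thread (added example).

Input is the JSON that `kubectl get pod -n bookinfo -o json` prints. For every
pod it reports whether the Istio sidecar was injected, which NSM init/sidecar
containers were injected, the total restart count and any container currently
in CrashLoopBackOff. A pod that has both an Istio sidecar and NSM containers and
is crashlooping matches the combination described in the thread.
"""
import json

# "istio-proxy" is the standard Istio sidecar container name. The NSM container
# names are an assumption: only cmd-nsc-init is mentioned in the thread, so we
# match by substring rather than hard-coding a full list.
ISTIO_SIDECAR = "istio-proxy"
NSM_NAME_HINTS = ("nsc", "nsm")


def _is_nsm(name: str) -> bool:
    return any(hint in name for hint in NSM_NAME_HINTS)


def classify_pod(pod: dict) -> dict:
    """Summarise injection status and health of one pod object."""
    spec = pod.get("spec", {})
    status = pod.get("status", {})
    containers = [c["name"] for c in spec.get("containers", [])]
    init_containers = [c["name"] for c in spec.get("initContainers", [])]
    statuses = status.get("containerStatuses", []) + status.get("initContainerStatuses", [])
    crashlooping = [
        s["name"] for s in statuses
        if s.get("state", {}).get("waiting", {}).get("reason") == "CrashLoopBackOff"
    ]
    return {
        "name": pod["metadata"]["name"],
        "istio_sidecar": ISTIO_SIDECAR in containers,
        "nsm_init": [n for n in init_containers if _is_nsm(n)],
        "nsm_sidecar": [n for n in containers if _is_nsm(n)],
        "restarts": sum(s.get("restartCount", 0) for s in statuses),
        "crashlooping": crashlooping,
    }


def triage(pod_list_json: str) -> list:
    """Parse a PodList document and classify every pod in it."""
    return [classify_pod(p) for p in json.loads(pod_list_json).get("items", [])]


def matches_thread_failure(summary: dict) -> bool:
    """True when the pod looks like the case described in the thread: Istio
    sidecar present, NSM containers present, and something is crashlooping."""
    return (
        summary["istio_sidecar"]
        and bool(summary["nsm_init"] or summary["nsm_sidecar"])
        and bool(summary["crashlooping"])
    )


def _pod(name, containers, init_containers, statuses, init_statuses):
    """Build a minimal constructed pod object in kubectl's JSON shape."""
    return {
        "metadata": {"name": name, "namespace": "bookinfo"},
        "spec": {
            "containers": [{"name": c} for c in containers],
            "initContainers": [{"name": c} for c in init_containers],
        },
        "status": {"containerStatuses": statuses, "initContainerStatuses": init_statuses},
    }


def _status(name, restarts=0, waiting_reason=None):
    state = {"waiting": {"reason": waiting_reason}} if waiting_reason else {"running": {}}
    return {"name": name, "restartCount": restarts, "state": state}


# Constructed sample: one pod injected with both sidecars and crashlooping, one
# pod without NSM containers that is healthy.
SAMPLE_PODLIST = json.dumps({"kind": "PodList", "items": [
    _pod("productpage-v1-abc",
         ["productpage", "istio-proxy", "cmd-nsc"], ["istio-init", "cmd-nsc-init"],
         [_status("productpage"), _status("istio-proxy"), _status("cmd-nsc", 4, "CrashLoopBackOff")],
         [_status("istio-init"), _status("cmd-nsc-init", 1)]),
    _pod("details-v1-def",
         ["details", "istio-proxy"], ["istio-init"],
         [_status("details"), _status("istio-proxy")],
         [_status("istio-init")]),
]})


def report(pod_list_json: str = SAMPLE_PODLIST) -> list:
    """Return the names of pods matching the thread's failure combination."""
    return [s["name"] for s in triage(pod_list_json) if matches_thread_failure(s)]


if __name__ == "__main__":
    for s in triage(SAMPLE_PODLIST):
        print(s)
    print("suspicious:", report())
```

To run it against a real cluster, pipe `kubectl get pod -n bookinfo -o json` into `triage()` instead of using the constructed sample; a pod that is reported with NSM containers but without `istio-proxy` (or the reverse) tells you one of the two injections did not happen, which is the first thing the comment above asks to rule out.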

@kon3m
Contributor

kon3m commented Mar 28, 2024

@bharath-avesha yes, they are injected into the pods and the pods are in the running state without any restarts. Please let me know if I am doing anything wrong while trying to reproduce this bug.
Attaching the output of k get pod -o yaml and the log of the cmd-nsc-init container:
cmd-nsc-init-log.txt
bookinfo-pod-out.txt
