使用 TCPRoute 但是 gateway 没有开启相应端口的监听
有个类似的 issue:https://github.com/alibaba/higress/issues/1371 ,但是我看了下,我的情况应该不符合上面这个 case。
相关配置信息
higress-gateway
# Live Deployment object for the higress-gateway data plane, including the
# server-populated fields (uid, resourceVersion, status). Indentation is
# restored here; keys and values are as reported.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "3"
    meta.helm.sh/release-name: higress
    meta.helm.sh/release-namespace: higress-system
  creationTimestamp: "2025-01-17T07:48:42Z"
  generation: 4
  labels:
    app: higress-gateway
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: higress-gateway
    app.kubernetes.io/version: 2.0.6
    helm.sh/chart: higress-core-2.0.6
    # Same key/value the controller is started with via
    # --gatewaySelectorKey / --gatewaySelectorValue in the controller Deployment.
    higress: higress-system-higress-gateway
  name: higress-gateway
  namespace: higress-system
  resourceVersion: "1354848"
  uid: 94b15e05-d147-4698-9c81-c126126db694
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: higress-gateway
      higress: higress-system-higress-gateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        kubesphere.io/restartedAt: "2025-01-21T07:17:07.430Z"
        prometheus.io/path: /stats/prometheus
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        sidecar.istio.io/inject: "false"
      creationTimestamp: null
      labels:
        app: higress-gateway
        higress: higress-system-higress-gateway
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - args:
        - proxy
        - router
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --proxyLogLevel=warning
        - --proxyComponentLogLevel=misc:error
        - --log_output_level=all:info
        - --serviceCluster=higress-gateway
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.hostIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.serviceAccountName
        - name: PROXY_XDS_VIA_AGENT
          value: "true"
        - name: ENABLE_INGRESS_GATEWAY_SDS
          value: "false"
        # Pairs with the projected istio-token volume below (audience istio-ca).
        - name: JWT_POLICY
          value: third-party-jwt
        - name: ISTIO_META_HTTP10
          value: "1"
        - name: ISTIO_META_CLUSTER_ID
          value: Kubernetes
        - name: INSTANCE_NAME
          value: higress-gateway
        # Referenced by mutable tag, not by digest; with IfNotPresent a node
        # that already caches this tag will not pull again.
        image: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/gateway:2.0.6
        imagePullPolicy: IfNotPresent
        name: higress-gateway
        # Only the two metrics ports are declared. containerPort entries are
        # informational in Kubernetes: the absence of 80 or 9000 here does not
        # by itself stop the proxy from binding them, so a missing listener has
        # to be diagnosed from the configuration pushed to the proxy instead.
        ports:
        - containerPort: 15020
          name: istio-prom
          protocol: TCP
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        # Probes 15021, which is not among the declared containerPorts above.
        readinessProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15021
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 2
          successThreshold: 1
          timeoutSeconds: 3
        resources:
          limits:
            cpu: "2"
            memory: 2Gi
          requests:
            cpu: "2"
            memory: 2Gi
        # Non-root (uid/gid 1337), no privilege escalation, all capabilities
        # dropped, read-only root filesystem. With NET_BIND_SERVICE dropped,
        # binding ports below 1024 depends on the pod-level sysctl further down.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 1337
          runAsNonRoot: true
          runAsUser: 1337
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/run/secrets/workload-spiffe-uds
          name: workload-socket
        - mountPath: /var/run/secrets/credential-uds
          name: credential-socket
        - mountPath: /var/run/secrets/workload-spiffe-credentials
          name: workload-certs
        - mountPath: /var/run/secrets/tokens
          name: istio-token
          readOnly: true
        - mountPath: /etc/istio/config
          name: config
        - mountPath: /var/run/secrets/istio
          name: higress-ca-root-cert
        - mountPath: /var/lib/istio/data
          name: istio-data
        - mountPath: /etc/istio/pod
          name: podinfo
        - mountPath: /etc/istio/proxy
          name: proxy-socket
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        # Lowers the unprivileged port floor to 0 for the pod's network
        # namespace, so the non-root proxy can bind low ports such as 80
        # without holding NET_BIND_SERVICE.
        sysctls:
        - name: net.ipv4.ip_unprivileged_port_start
          value: "0"
      serviceAccount: higress-gateway
      serviceAccountName: higress-gateway
      terminationGracePeriodSeconds: 30
      volumes:
      - emptyDir: {}
        name: workload-socket
      - emptyDir: {}
        name: credential-socket
      - emptyDir: {}
        name: workload-certs
      # Audience-bound service account token with a 43200 s (12 h) lifetime.
      # defaultMode 420 is decimal for octal 0644.
      - name: istio-token
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              audience: istio-ca
              expirationSeconds: 43200
              path: istio-token
      - configMap:
          defaultMode: 420
          name: higress-ca-root-cert
        name: higress-ca-root-cert
      - configMap:
          defaultMode: 420
          name: higress-config
        name: config
      - emptyDir: {}
        name: istio-data
      - emptyDir: {}
        name: proxy-socket
      # Exposes the pod's labels, annotations and CPU request/limit as files
      # under the podinfo mount (/etc/istio/pod).
      - downwardAPI:
          defaultMode: 420
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.labels
            path: labels
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.annotations
            path: annotations
          - path: cpu-request
            resourceFieldRef:
              containerName: higress-gateway
              divisor: 1m
              resource: requests.cpu
          - path: cpu-limit
            resourceFieldRef:
              containerName: higress-gateway
              divisor: 1m
              resource: limits.cpu
        name: podinfo
# Both conditions are "True" and observedGeneration equals metadata.generation,
# so the rollout itself is complete; nothing here reports on listener state.
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2025-01-17T07:48:47Z"
    lastUpdateTime: "2025-01-17T07:48:47Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2025-01-17T07:48:42Z"
    lastUpdateTime: "2025-01-21T07:18:49Z"
    message: ReplicaSet "higress-gateway-5dff9b7459" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 4
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1
higress-controller
# Live Deployment object for the higress-controller control plane: one pod with
# two containers, higress-core and discovery. Indentation is restored here;
# keys and values are as reported.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "5"
    meta.helm.sh/release-name: higress
    meta.helm.sh/release-namespace: higress-system
  creationTimestamp: "2025-01-17T07:48:42Z"
  generation: 5
  labels:
    app: higress-controller
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: higress-controller
    app.kubernetes.io/version: 2.0.6
    helm.sh/chart: higress-core-2.0.6
    higress: higress-controller
  name: higress-controller
  namespace: higress-system
  resourceVersion: "1338777"
  uid: 6d386aea-c769-4816-b1ba-8e2d0c78ed6f
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: higress-controller
      higress: higress-controller
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: higress-controller
        higress: higress-controller
        # NOTE(review): pod-template-hash is normally stamped onto ReplicaSets
        # and pods by the Deployment controller, not written in the template;
        # this value also differs from the ReplicaSet named in status below.
        # Possibly left over from a manual edit - confirm.
        pod-template-hash: 7d486d8468
    spec:
      containers:
      - args:
        - serve
        # Selects gateway pods carrying the label
        # higress=higress-system-higress-gateway.
        - --gatewaySelectorKey=higress
        - --gatewaySelectorValue=higress-system-higress-gateway
        - --gatewayHttpPort=80
        - --gatewayHttpsPort=443
        - --ingressClass=higress
        # Automatic HTTPS is enabled while the email flag is empty.
        # NOTE(review): presumably the certificate-issuer contact address;
        # confirm whether an empty value is acceptable.
        - --enableAutomaticHttps=true
        - --automaticHttpsEmail=
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.serviceAccountName
        - name: DOMAIN_SUFFIX
          value: cluster.local
        - name: GATEWAY_NAME
          value: higress-gateway
        # Gateway API (including alpha resources) is switched on for this
        # container; the discovery container below sets the same two variables
        # to "false". Which container reconciles Gateway/TCPRoute objects is
        # not visible from this manifest.
        - name: PILOT_ENABLE_GATEWAY_API
          value: "true"
        - name: PILOT_ENABLE_ALPHA_GATEWAY_API
          value: "true"
        # Release-candidate tag (2.0.6-rc.3) although the chart/version labels
        # say 2.0.6; referenced by mutable tag, not by digest.
        image: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/higress:2.0.6-rc.3
        imagePullPolicy: IfNotPresent
        name: higress-core
        ports:
        - containerPort: 8888
          name: http
          protocol: TCP
        - containerPort: 8889
          name: http-solver
          protocol: TCP
        - containerPort: 15051
          name: grpc
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /ready
            port: 8888
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 3
          successThreshold: 1
          timeoutSeconds: 5
        resources:
          limits:
            cpu: "1"
            memory: 2Gi
          requests:
            cpu: 500m
            memory: 2Gi
        # Empty: no runAsNonRoot, capability drop or read-only root filesystem
        # is requested for this container, unlike the discovery container in
        # the same pod. The pod-level securityContext is empty as well, so the
        # effective user comes from the image and the runtime defaults.
        securityContext: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/log
          name: log
      - args:
        - discovery
        - --monitoringAddr=:15014
        - --log_output_level=default:info
        - --domain
        - cluster.local
        - --keepaliveMaxServerConnectionAge
        - 30m
        # Environment names are reproduced exactly as reported, including
        # unusual spellings (ISTIO_GPRC_MAXRECVMSGSIZE, ENBALE_SCOPED_RDS);
        # do not "correct" them without checking what the binary reads.
        env:
        - name: ENABLE_PUSH_ALL_MCP_CLUSTERS
          value: "true"
        - name: PILOT_ENABLE_LDS_CACHE
          value: "true"
        - name: PILOT_ENABLE_QUIC_LISTENERS
          value: "true"
        # Declared without a value.
        - name: VALIDATION_WEBHOOK_CONFIG_NAME
        - name: ISTIO_DUAL_STACK
          value: "false"
        - name: PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
          value: "false"
        - name: PILOT_ENABLE_ALPN_FILTER
          value: "false"
        - name: ENABLE_OPTIMIZED_CONFIG_REBUILD
          value: "false"
        - name: PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES
          value: "false"
        - name: HIGRESS_SYSTEM_NS
          value: higress-system
        - name: DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD
          value: "10000"
        - name: ISTIO_GPRC_MAXRECVMSGSIZE
          value: "104857600"
        - name: ENBALE_SCOPED_RDS
          value: "true"
        - name: ON_DEMAND_RDS
          value: "false"
        - name: HOST_RDS_MERGE_SUBSET
          value: "false"
        - name: PILOT_FILTER_GATEWAY_CLUSTER_CONFIG
          value: "true"
        # Loopback address and port 15051, matching the grpc containerPort of
        # the higress-core container in this pod.
        - name: HIGRESS_CONTROLLER_SVC
          value: 127.0.0.1
        - name: HIGRESS_CONTROLLER_PORT
          value: "15051"
        - name: REVISION
          value: default
        - name: JWT_POLICY
          value: third-party-jwt
        - name: PILOT_CERT_PROVIDER
          value: istiod
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.serviceAccountName
        # Path inside the istio-kubeconfig mount; that secret is optional, so
        # the file may not exist.
        - name: KUBECONFIG
          value: /var/run/secrets/remote/config
        - name: PRIORITIZED_LEADER_ELECTION
          value: "false"
        - name: INJECT_ENABLED
          value: "false"
        - name: PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY
          value: "false"
        - name: PILOT_ENABLE_METADATA_EXCHANGE
          value: "false"
        - name: PILOT_SCOPE_GATEWAY_TO_NAMESPACE
          value: "false"
        - name: VALIDATION_ENABLED
          value: "false"
        - name: PILOT_TRACE_SAMPLING
          value: "1"
        - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
          value: "true"
        - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
          value: "true"
        - name: ISTIOD_ADDR
          value: istiod.higress-system.svc:15012
        - name: PILOT_ENABLE_ANALYSIS
          value: "false"
        - name: CLUSTER_ID
          value: Kubernetes
        - name: HIGRESS_ENABLE_ISTIO_API
          value: "true"
        # All four Gateway API switches are "false" in this container, while
        # higress-core above sets the first two to "true".
        - name: PILOT_ENABLE_GATEWAY_API
          value: "false"
        - name: PILOT_ENABLE_ALPHA_GATEWAY_API
          value: "false"
        - name: PILOT_ENABLE_GATEWAY_API_STATUS
          value: "false"
        - name: PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER
          value: "false"
        - name: CUSTOM_CA_CERT_NAME
          value: higress-ca-root-cert
        # Release-candidate tag (2.0.6-rc.3), referenced by mutable tag rather
        # than by digest.
        image: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/pilot:2.0.6-rc.3
        imagePullPolicy: IfNotPresent
        name: discovery
        # Unnamed ports; the monitoring address :15014 from args is not listed
        # (containerPort entries are informational).
        ports:
        - containerPort: 8080
          protocol: TCP
        - containerPort: 15010
          protocol: TCP
        - containerPort: 15017
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /ready
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 3
          successThreshold: 1
          timeoutSeconds: 5
        # Requests only; no CPU or memory limit is set for this container.
        resources:
          requests:
            cpu: 500m
            memory: 2Gi
        # Non-root (uid/gid 1337), all capabilities dropped, read-only root
        # filesystem. allowPrivilegeEscalation is not set in this block.
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 1337
          runAsNonRoot: true
          runAsUser: 1337
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/istio/config
          name: config
        - mountPath: /var/run/secrets/tokens
          name: istio-token
          readOnly: true
        - mountPath: /var/run/secrets/istio-dns
          name: local-certs
        - mountPath: /etc/cacerts
          name: cacerts
          readOnly: true
        - mountPath: /var/run/secrets/remote
          name: istio-kubeconfig
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      # Empty pod-level context: no fsGroup, runAsNonRoot or seccompProfile is
      # requested for the pod as a whole.
      securityContext: {}
      serviceAccount: higress-controller
      serviceAccountName: higress-controller
      terminationGracePeriodSeconds: 30
      volumes:
      - emptyDir: {}
        name: log
      - configMap:
          defaultMode: 420
          name: higress-config
        name: config
      # Memory-backed emptyDir, so whatever is written under
      # /var/run/secrets/istio-dns stays off the node's disk.
      - emptyDir:
          medium: Memory
        name: local-certs
      # Audience-bound service account token with a 43200 s (12 h) lifetime.
      - name: istio-token
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              audience: istio-ca
              expirationSeconds: 43200
              path: istio-token
      # optional: true - the pod starts even when these secrets do not exist.
      # defaultMode 420 is decimal for octal 0644.
      - name: cacerts
        secret:
          defaultMode: 420
          optional: true
          secretName: cacerts
      - name: istio-kubeconfig
        secret:
          defaultMode: 420
          optional: true
          secretName: istio-kubeconfig
# Both conditions are "True" and observedGeneration equals metadata.generation,
# so the controller pod is rolled out and ready.
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2025-01-21T05:48:31Z"
    lastUpdateTime: "2025-01-21T06:07:01Z"
    message: ReplicaSet "higress-controller-5c974d8dd4" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  - lastTransitionTime: "2025-01-21T06:07:06Z"
    lastUpdateTime: "2025-01-21T06:07:06Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  observedGeneration: 5
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1
higress-gateway
# Live Gateway object (Gateway API v1) with an HTTP listener on 80 and a TCP
# listener on 9000. Indentation is restored here; keys and values are as
# reported.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  annotations:
    # Client-side apply record. It lists the TCPRoute kind without a group;
    # the live spec below shows the group filled in.
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"gateway.networking.k8s.io/v1","kind":"Gateway","metadata":{"annotations":{},"name":"higress-gateway","namespace":"higress-system"},"spec":{"gatewayClassName":"higress-gateway","listeners":[{"allowedRoutes":{"namespaces":{"from":"All"}},"hostname":"*.gateway-api.com","name":"default","port":80,"protocol":"HTTP"},{"allowedRoutes":{"kinds":[{"kind":"TCPRoute"}],"namespaces":{"from":"All"}},"name":"default-tcp","port":9000,"protocol":"TCP"}]}}
  creationTimestamp: "2025-01-21T06:14:00Z"
  generation: 4
  name: higress-gateway
  namespace: higress-system
  resourceVersion: "1354170"
  uid: fca1f6a9-5072-4fd9-a6b8-4a52b99f5d2f
spec:
  # NOTE(review): a GatewayClass with this name must exist and be claimed by
  # the controller for the Gateway to be reconciled; that object is not shown
  # here - verify it.
  gatewayClassName: higress-gateway
  listeners:
  # from: All lets routes in any namespace attach to this listener.
  # NOTE(review): in a shared cluster, Same or Selector narrows who may bind
  # routes to the gateway.
  - allowedRoutes:
      namespaces:
        from: All
    hostname: '*.gateway-api.com'
    name: default
    port: 80
    protocol: HTTP
  # TCP listener restricted to TCPRoute, but again open to every namespace.
  - allowedRoutes:
      kinds:
      - group: gateway.networking.k8s.io
        kind: TCPRoute
      namespaces:
        from: All
    name: default-tcp
    port: 9000
    protocol: TCP
# Both conditions are still Unknown / Pending / "Waiting for controller" with
# an epoch timestamp, which matches the placeholder conditions a Gateway
# carries before any controller has written status. There is also no
# per-listener status. This suggests the Gateway has not been reconciled at
# all, which would be consistent with no listener appearing on port 9000 -
# check the GatewayClass and the controller logs first.
status:
  conditions:
  - lastTransitionTime: "1970-01-01T00:00:00Z"
    message: Waiting for controller
    reason: Pending
    status: Unknown
    type: Accepted
  - lastTransitionTime: "1970-01-01T00:00:00Z"
    message: Waiting for controller
    reason: Pending
    status: Unknown
    type: Programmed
下面是 gateway pod 的端口监听情况的截图