istio-1.8.2 离线安装中出现的问题

istio-1.8.2 离线安装中出现的问题

1.出现的istio-ingressgateway与istio-egressgateway的探针检测问题

这个问题国内外经常出现，google，百度都很多，但是没有人最终给一个确切的解决方法，分析很多，具体解决很少。在困扰半个多月，解决问题之后希望记录下来，让大家可以参考。
istio的版本为1.8.2，是这个时间较为新和稳定的一个版本，K8S的版本为1.18也是比较新和稳定的版本，集群环境为K8S上搭建了antrea网络，在此基础上搭建istio环境。以上环境全部为离线安装。后面可能会更新所有的离线安装的步骤。

该问题查看log日志为:（公司内网没有图片，所以只是贴一些打印信息）
Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
failed to create upstream grpc client: rpc error: code = Unavailable desc = connection error: desc = transport: Error while dialing dial tcp: lookup istiod.istio-system.svc on read udp i/o timeout
Error while dialing dial tcp: lookup istiod.istio-system.svc on 192.168.0.2:53: no such host"

describe pod 打印的问题为：
Readiness probe failed: Get http://172.7.1.12:15021/healthz/ready: dial tcp 172.7.1.12:15021: connect: connection refused

其实现在看来问题很明显，Envoy 与 Pilot无法通信，然后根本是istiod.istio-system.svc这个服务无法映射为IP地址，因为集群环境中缺少DNS的Pod。最后一条的192.168.0.2:53是在K8S集群初始设置时便写死的DNS 服务器的IP，由于没有该IP，所以会报出这一系列的问题。
解决方案：添加DNS服务Pod,这里使用coredns

添加服务发现coredns的Pod，该Pod需要四个yaml文件：

rbac.yaml, cm.yaml, dp.yaml, svc.yaml

需要修改的地方已加黑标注，之后即可按照以上顺序使用kubectl apply -f + [文档名称]进行建立。

（1）rbac.yaml文件内容如下:

apiVersion: v1
kind: ServiceAccount
metadata:
name: coredns
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
kubernetes.io/bootstrapping: rbac-defaults
addonmanager.kubernetes.io/mode: Reconcile
name: system:coredns
rules:
- apiGroups:
- ""
resources:
- endpoints
- services
- pods
- namespaces
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
addonmanager.kubernetes.io/mode: EnsureExists
name: system:coredns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:coredns
subjects:
- kind: ServiceAccount
name: coredns
namespace: kube-system
---

（2）cm.yaml 内容如下：

apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
data:
Corefile: |
.:53 {
errors
log
health
ready
kubernetes cluster.local 192.168.0.0/16
forward . 10.230.4.80                                                # 这里需要修改为master IP
cache 30
loop
reload
loadbalance
}

（3）dp.yaml 内容如下：

apiVersion: apps/v1
kind: Deployment
metadata:
name: coredns
namespace: kube-system
labels:
k8s-app: coredns
kubernetes.io/name: "CoreDNS"
spec:
replicas: 1
selector:
matchLabels:
k8s-app: coredns
template:
metadata:
labels:
k8s-app: coredns
spec:
priorityClassName: system-cluster-critical
serviceAccountName: coredns
containers:
- name: coredns
image: harbor.od.com/coredns/coredns:1.6.2                                   # 这里需要改镜像
args: [ "-conf", "/etc/coredns/Corefile" ]
volumeMounts:
- name: config-volume
mountPath: /etc/coredns
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
- containerPort: 9153
name: metrics
protocol: TCP
livenessProbe:
httpGet:
path: /health
port: 8080
scheme: HTTP
initialDelaySeconds: 60
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
dnsPolicy: Default
volumes:
- name: config-volume
configMap:
name: coredns
items:
- key: Corefile
path: Corefile

（4）svc.yaml 内容如下：

apiVersion: v1
kind: Service
metadata:
name: coredns
namespace: kube-system
labels:
k8s-app: coredns
kubernetes.io/cluster-service: "true"
kubernetes.io/name: "CoreDNS"
spec:
selector:
k8s-app: coredns
clusterIP: 192.168.0.2
ports:
- name: dns
port: 53
protocol: UDP
- name: dns-tcp
port: 53
protocol: TCP
- name: metrics
port: 9153
protocol: TCP