sidecar 容器因 iptables 启动失败
- Pod 创建失败,卡在
Init:Eroor阶段
- Describe Pod,发现是 istio-init 容器卡在初始化阶段
- 查看对应日志,发现 istio 的容器启动权限不足
# kubectl logs kafka-zookeeper-0 --all-containers
Environment:
------------
ENVOY_PORT=
ISTIO_INBOUND_INTERCEPTION_MODE=
ISTIO_INBOUND_TPROXY_MARK=
ISTIO_INBOUND_TPROXY_ROUTE_TABLE=
ISTIO_INBOUND_PORTS=
ISTIO_LOCAL_EXCLUDE_PORTS=
ISTIO_SERVICE_CIDR=
ISTIO_SERVICE_EXCLUDE_CIDR=
Variables:
----------
PROXY_PORT=15001
INBOUND_CAPTURE_PORT=15001
PROXY_UID=1337
INBOUND_INTERCEPTION_MODE=REDIRECT
INBOUND_TPROXY_MARK=1337
INBOUND_TPROXY_ROUTE_TABLE=133
INBOUND_PORTS_INCLUDE=2181,3888,2888
INBOUND_PORTS_EXCLUDE=15020
OUTBOUND_IP_RANGES_INCLUDE=*
OUTBOUND_IP_RANGES_EXCLUDE=
KUBEVIRT_INTERFACES=
ENABLE_INBOUND_IPV6=
+ iptables -t nat -N ISTIO_REDIRECT
iptables v1.6.0: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
+ dump
+ iptables-save
iptables-save v1.6.0: Cannot initialize: Permission denied (you must be root)
Error from server (BadRequest): container "zookeeper" in pod "kafka-zookeeper-0" is waiting to start: PodInitializing
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
- 按照 GitHub 上的提示,修改 ConfigMap/istio-sidecar-injector 中容器运行的权限,然后重建 deployment/istio-sidecar-injector ,报错显示 初始化 iptables 失败
重建容器,提示其中一个 Error
metricbeat-metricbeat-qd4zs 1/2 Error 1 5s
1