kuma.io demo fails with status code 503


I have tried the kuma.io product, which is an open-source project for Envoy proxy and security injection to sidecar pods in a k8s environment. I installed their demo after installation with

https://kuma.io/docs/0.5.1/quickstart/kubernetes/

I deployed this demo example to k8s and forwarded the port:

kubectl port-forward svc/frontend -n kuma-demo 8080:8080

127.0.0.1:8080

and it gives this error

kuma failed 503

If you have any ideas, that would be very nice! Thanks

And here are the logs of the pod's init and sidecar containers

kubectl logs kuma-demo-app-94cdcfd8c-d5z4f -c kuma-fe -n kuma-demo
Starting up http-server, serving /dist
Available on:
  http://127.0.0.1:8080
  http://10.240.0.77:8080
Unhandled requests will be served from: http://backend:3001
Hit CTRL-C to stop the server
[Mon Jun 08 2020 14:49:59 GMT+0000 (Coordinated Universal Time)]  "GET /" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
[Mon Jun 08 2020 14:49:59 GMT+0000 (Coordinated Universal Time)]  "GET /js/app.163854c8.js" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
[Mon Jun 08 2020 14:49:59 GMT+0000 (Coordinated Universal Time)]  "GET /css/app.92b097f8.css" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
[Mon Jun 08 2020 14:49:59 GMT+0000 (Coordinated Universal Time)]  "GET /js/chunk-vendors.1eee84b8.js" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
[Mon Jun 08 2020 14:49:59 GMT+0000 (Coordinated Universal Time)]  "GET /css/chunk-vendors.96abecf8.css" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
[Mon Jun 08 2020 14:50:00 GMT+0000 (Coordinated Universal Time)]  "GET /items?q" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
[Mon Jun 08 2020 14:50:00 GMT+0000 (Coordinated Universal Time)]  "GET /img/kuma-logo.90b6e909.svg" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

second one

kubectl logs kuma-demo-app-94cdcfd8c-d5z4f -c kuma-sidecar -n kuma-demo
2020-06-08T14:31:38.710Z    INFO    Skipping reading config from file
2020-06-08T14:31:38.710Z    INFO    kuma-dp.run effective configuration {"config": "controlPlane:\n  apiServer:\n    url: http://kuma-control-plane.kuma-system:5681\ndataplane:\n  mesh: default\n  name: kuma-demo-app-94cdcfd8c-d5z4f.kuma-demo\n  drainTime: 30s\ndataplaneRuntime:\n  binaryPath: envoy\n  dataplaneTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token\n"}
2020-06-08T14:31:38.721Z    INFO    kuma-dp.run picked a free port for Envoy Admin API to listen on {"port": "9901"}
2020-06-08T14:31:38.721Z    INFO    kuma-dp.run generated Envoy configuration will be stored in a temporary directory   {"dir": "/tmp/kuma-dp-127218165"}
2020-06-08T14:31:38.721Z    INFO    kuma-dp.run starting Kuma DP    {"version": "0.5.1"}
2020-06-08T14:31:38.726Z    INFO    accesslogs-server   starting Access Log Server  {"address": "unix:///tmp/kuma-access-logs-kuma-demo-app-94cdcfd8c-d5z4f.kuma-demo-default.sock"}
2020-06-08T14:31:38.760Z    INFO    kuma-dp.run.envoy   starting Envoy
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:255] initializing epoch 0 (hot restart version=disabled)
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:257] statically linked extensions:
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.filters.network: envoy.client_ssl_auth, envoy.echo, envoy.ext_authz, envoy.filters.network.client_ssl_auth, envoy.filters.network.direct_response, envoy.filters.network.dubbo_proxy, envoy.filters.network.echo, envoy.filters.network.ext_authz, envoy.filters.network.http_connection_manager, envoy.filters.network.kafka_broker, envoy.filters.network.local_ratelimit, envoy.filters.network.mongo_proxy, envoy.filters.network.mysql_proxy, envoy.filters.network.ratelimit, envoy.filters.network.rbac, envoy.filters.network.redis_proxy, envoy.filters.network.sni_cluster, envoy.filters.network.tcp_proxy, envoy.filters.network.thrift_proxy, envoy.filters.network.zookeeper_proxy, envoy.http_connection_manager, envoy.mongo_proxy, envoy.ratelimit, envoy.redis_proxy, envoy.tcp_proxy
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.filters.listener: envoy.filters.listener.http_inspector, envoy.filters.listener.original_dst, envoy.filters.listener.original_src, envoy.filters.listener.proxy_protocol, envoy.filters.listener.tls_inspector, envoy.listener.http_inspector, envoy.listener.original_dst, envoy.listener.original_src, envoy.listener.proxy_protocol, envoy.listener.tls_inspector
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.dubbo_proxy.serializers: dubbo.hessian2
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.clusters: envoy.cluster.eds, envoy.cluster.logical_dns, envoy.cluster.original_dst, envoy.cluster.static, envoy.cluster.strict_dns, envoy.clusters.aggregate, envoy.clusters.dynamic_forward_proxy, envoy.clusters.redis
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.thrift_proxy.protocols: auto, binary, binary/non-strict, compact, twitter
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.grpc_credentials: envoy.grpc_credentials.aws_iam, envoy.grpc_credentials.default, envoy.grpc_credentials.file_based_metadata
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.transport_sockets.downstream: envoy.transport_sockets.alts, envoy.transport_sockets.raw_buffer, envoy.transport_sockets.tap, envoy.transport_sockets.tls, raw_buffer, tls
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.health_checkers: envoy.health_checkers.redis
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.dubbo_proxy.route_matchers: default
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.thrift_proxy.transports: auto, framed, header, unframed
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.retry_priorities: envoy.retry_priorities.previous_priorities
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.filters.http: envoy.buffer, envoy.cors, envoy.csrf, envoy.ext_authz, envoy.fault, envoy.filters.http.adaptive_concurrency, envoy.filters.http.aws_lambda, envoy.filters.http.aws_request_signing, envoy.filters.http.buffer, envoy.filters.http.cache, envoy.filters.http.cors, envoy.filters.http.csrf, envoy.filters.http.dynamic_forward_proxy, envoy.filters.http.dynamo, envoy.filters.http.ext_authz, envoy.filters.http.fault, envoy.filters.http.grpc_http1_bridge, envoy.filters.http.grpc_http1_reverse_bridge, envoy.filters.http.grpc_json_transcoder, envoy.filters.http.grpc_stats, envoy.filters.http.grpc_web, envoy.filters.http.gzip, envoy.filters.http.header_to_metadata, envoy.filters.http.health_check, envoy.filters.http.ip_tagging, envoy.filters.http.jwt_authn, envoy.filters.http.lua, envoy.filters.http.on_demand, envoy.filters.http.original_src, envoy.filters.http.ratelimit, envoy.filters.http.rbac, envoy.filters.http.router, envoy.filters.http.squash, envoy.filters.http.tap, envoy.grpc_http1_bridge, envoy.grpc_json_transcoder, envoy.grpc_web, envoy.gzip, envoy.health_check, envoy.http_dynamo_filter, envoy.ip_tagging, envoy.lua, envoy.rate_limit, envoy.router, envoy.squash
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.transport_sockets.upstream: envoy.transport_sockets.alts, envoy.transport_sockets.raw_buffer, envoy.transport_sockets.tap, envoy.transport_sockets.tls, raw_buffer, tls
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.thrift_proxy.filters: envoy.filters.thrift.rate_limit, envoy.filters.thrift.router
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   http_cache_factory: envoy.extensions.http.cache.simple
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.access_loggers: envoy.access_loggers.file, envoy.access_loggers.http_grpc, envoy.access_loggers.tcp_grpc, envoy.file_access_log, envoy.http_grpc_access_log, envoy.tcp_grpc_access_log
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.filters.udp_listener: envoy.filters.udp.dns_filter, envoy.filters.udp_listener.udp_proxy
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.tracers: envoy.dynamic.ot, envoy.lightstep, envoy.tracers.datadog, envoy.tracers.dynamic_ot, envoy.tracers.lightstep, envoy.tracers.opencensus, envoy.tracers.xray, envoy.tracers.zipkin, envoy.zipkin
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.udp_listeners: raw_udp_listener
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.dubbo_proxy.protocols: dubbo
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.dubbo_proxy.filters: envoy.filters.dubbo.router
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.retry_host_predicates: envoy.retry_host_predicates.omit_canary_hosts, envoy.retry_host_predicates.omit_host_metadata, envoy.retry_host_predicates.previous_hosts
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.resource_monitors: envoy.resource_monitors.fixed_heap, envoy.resource_monitors.injected_resource
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.resolvers: envoy.ip
[2020-06-08 14:31:39.746][14][info][main] [source/server/server.cc:259]   envoy.stats_sinks: envoy.dog_statsd, envoy.metrics_service, envoy.stat_sinks.dog_statsd, envoy.stat_sinks.hystrix, envoy.stat_sinks.metrics_service, envoy.stat_sinks.statsd, envoy.statsd
[2020-06-08 14:31:39.772][14][info][main] [source/server/server.cc:340] admin address: 127.0.0.1:9901
[2020-06-08 14:31:39.774][14][info][main] [source/server/server.cc:459] runtime: layers:
  - name: base
    static_layer:
      {}
  - name: admin
    admin_layer:
      {}
[2020-06-08 14:31:39.775][14][info][config] [source/server/configuration_impl.cc:103] loading tracing configuration
[2020-06-08 14:31:39.775][14][info][config] [source/server/configuration_impl.cc:69] loading 0 static secret(s)
[2020-06-08 14:31:39.775][14][info][config] [source/server/configuration_impl.cc:75] loading 2 cluster(s)
[2020-06-08 14:31:39.837][14][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:92] StreamAggregatedResources gRPC config stream closed: 14, no healthy upstream
[2020-06-08 14:31:39.837][14][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:54] Unable to establish new stream
[2020-06-08 14:31:39.837][14][info][config] [source/server/configuration_impl.cc:79] loading 0 listener(s)
[2020-06-08 14:31:39.837][14][info][config] [source/server/configuration_impl.cc:129] loading stats sink configuration
[2020-06-08 14:31:39.839][14][info][main] [source/server/server.cc:554] starting main dispatch loop
[2020-06-08 14:31:39.841][14][info][upstream] [source/common/upstream/cluster_manager_impl.cc:167] cm init: initializing cds
[2020-06-08 14:31:40.915][14][info][upstream] [source/common/upstream/cds_api_impl.cc:77] cds: add 7 cluster(s), remove 2 cluster(s)
[2020-06-08 14:31:40.933][14][info][upstream] [source/common/upstream/cds_api_impl.cc:93] cds: add/update cluster 'frontend.kuma-demo.svc:8080'
[2020-06-08 14:31:40.953][14][info][upstream] [source/common/upstream/cds_api_impl.cc:93] cds: add/update cluster 'postgres.kuma-demo.svc:5432'
[2020-06-08 14:31:40.970][14][info][upstream] [source/common/upstream/cds_api_impl.cc:93] cds: add/update cluster 'redis.kuma-demo.svc:6379'
[2020-06-08 14:31:40.981][14][info][upstream] [source/common/upstream/cds_api_impl.cc:93] cds: add/update cluster 'direct_access'
[2020-06-08 14:31:40.990][14][info][upstream] [source/common/upstream/cds_api_impl.cc:93] cds: add/update cluster 'pass_through'
[2020-06-08 14:31:41.000][14][info][upstream] [source/common/upstream/cds_api_impl.cc:93] cds: add/update cluster 'localhost:8080'
[2020-06-08 14:31:41.017][14][info][upstream] [source/common/upstream/cds_api_impl.cc:93] cds: add/update cluster 'backend.kuma-demo.svc:3001'
[2020-06-08 14:31:41.017][14][info][upstream] [source/common/upstream/cluster_manager_impl.cc:145] cm init: initializing secondary clusters
[2020-06-08 14:31:42.378][14][info][upstream] [source/common/upstream/cluster_manager_impl.cc:171] cm init: all clusters initialized
[2020-06-08 14:31:42.378][14][info][main] [source/server/server.cc:533] all clusters initialized. initializing init manager
[2020-06-08 14:31:42.381][14][warning][misc] [source/common/protobuf/utility.cc:198] Using deprecated option 'envoy.api.v2.Listener.use_original_dst' from file listener.proto. This configuration will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/intro/deprecated for details.
[2020-06-08 14:31:42.385][14][info][upstream] [source/server/lds_api.cc:76] lds: add/update listener 'catch_all'
[2020-06-08 14:31:42.400][14][warning][misc] [bazel-out/k8-opt/bin/source/extensions/common/_virtual_includes/utility_lib/extensions/common/utility.h:65] Using deprecated extension name 'envoy.router' for 'envoy.filters.http.router'. This name will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/intro/deprecated for details.
[2020-06-08 14:31:42.401][14][info][upstream] [source/server/lds_api.cc:76] lds: add/update listener 'inbound:10.240.0.77:8080'
[2020-06-08 14:31:42.415][14][warning][misc] [bazel-out/k8-opt/bin/source/extensions/common/_virtual_includes/utility_lib/extensions/common/utility.h:65] Using deprecated extension name 'envoy.router' for 'envoy.filters.http.router'. This name will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/intro/deprecated for details.
[2020-06-08 14:31:42.417][14][info][upstream] [source/server/lds_api.cc:76] lds: add/update listener 'outbound:10.0.61.163:3001'
[2020-06-08 14:31:42.431][14][warning][misc] [bazel-out/k8-opt/bin/source/extensions/common/_virtual_includes/utility_lib/extensions/common/utility.h:65] Using deprecated extension name 'envoy.router' for 'envoy.filters.http.router'. This name will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/intro/deprecated for details.
[2020-06-08 14:31:42.432][14][info][upstream] [source/server/lds_api.cc:76] lds: add/update listener 'outbound:10.0.35.179:8080'
[2020-06-08 14:31:42.434][14][info][upstream] [source/server/lds_api.cc:76] lds: add/update listener 'outbound:10.0.101.120:5432'
[2020-06-08 14:31:42.436][14][info][upstream] [source/server/lds_api.cc:76] lds: add/update listener 'outbound:10.0.83.94:6379'
[2020-06-08 14:31:42.447][14][info][config] [source/server/listener_manager_impl.cc:725] all dependencies initialized. starting workers
[2020-06-08 14:46:42.437][14][info][main] [source/server/drain_manager_impl.cc:68] shutting down parent after drain

third one

kubectl logs kuma-demo-app-94cdcfd8c-d5z4f -c kuma-init -n kuma-demo
    Environment:
    ------------
    ENVOY_PORT=
    ISTIO_INBOUND_INTERCEPTION_MODE=
    ISTIO_INBOUND_TPROXY_MARK=
    ISTIO_INBOUND_TPROXY_ROUTE_TABLE=
    ISTIO_INBOUND_PORTS=
    ISTIO_LOCAL_EXCLUDE_PORTS=
    ISTIO_SERVICE_CIDR=
    ISTIO_SERVICE_EXCLUDE_CIDR=

Variables:
----------
PROXY_PORT=15001
INBOUND_CAPTURE_PORT=15001
PROXY_UID=5678
INBOUND_INTERCEPTION_MODE=REDIRECT
INBOUND_TPROXY_MARK=1337
INBOUND_TPROXY_ROUTE_TABLE=133
INBOUND_PORTS_INCLUDE=*
INBOUND_PORTS_EXCLUDE=
OUTBOUND_IP_RANGES_INCLUDE=*
OUTBOUND_IP_RANGES_EXCLUDE=
KUBEVIRT_INTERFACES=
ENABLE_INBOUND_IPV6=

+ iptables -t nat -N ISTIO_REDIRECT
+ iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-port 15001
+ iptables -t nat -N ISTIO_IN_REDIRECT
+ iptables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-port 15001
+ '[' -n '*' ']'
+ '[' REDIRECT = TPROXY ']'
+ table=nat
+ iptables -t nat -N ISTIO_INBOUND
+ iptables -t nat -A PREROUTING -p tcp -j ISTIO_INBOUND
+ '[' '*' == '*' ']'
+ iptables -t nat -A ISTIO_INBOUND -p tcp --dport 22 -j RETURN
+ '[' -n '' ']'
+ '[' REDIRECT = TPROXY ']'
+ iptables -t nat -A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT
+ iptables -t nat -N ISTIO_OUTPUT
+ iptables -t nat -A OUTPUT -p tcp -j ISTIO_OUTPUT
+ '[' -z '' ']'
+ iptables -t nat -A ISTIO_OUTPUT -o lo '!' -d 127.0.0.1/32 -j ISTIO_REDIRECT
+ for uid in '${PROXY_UID}'
+ iptables -t nat -A ISTIO_OUTPUT -m owner --uid-owner 5678 -j RETURN
+ for gid in '${PROXY_GID}'
+ iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 5678 -j RETURN
+ iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
+ '[' -n '' ']'
+ '[' '*' == '*' ']'
+ iptables -t nat -A ISTIO_OUTPUT -j ISTIO_REDIRECT
+ set +o nounset
+ '[' -n '' ']'
+ ip6tables -F INPUT
+ ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT
+ ip6tables -A INPUT -i lo -d ::1 -j ACCEPT
+ ip6tables -A INPUT -j REJECT
+ dump
+ iptables-save
# Generated by iptables-save v1.6.0 on Mon Jun  8 14:30:01 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Jun  8 14:30:01 2020
# Generated by iptables-save v1.6.0 on Mon Jun  8 14:30:01 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:ISTIO_INBOUND - [0:0]
:ISTIO_IN_REDIRECT - [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_REDIRECT - [0:0]
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 22 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15001
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -j ISTIO_REDIRECT
-A ISTIO_OUTPUT -m owner --uid-owner 5678 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 5678 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT
# Completed on Mon Jun  8 14:30:01 2020
+ ip6tables-save
# Generated by ip6tables-save v1.6.0 on Mon Jun  8 14:30:01 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -d ::1/128 -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
# Completed on Mon Jun  8 14:30:01 2020
