在 WSL2 上安装 Istio 失败, "FailedMount" for pods
Installing Istio on WSL2 fails with "FailedMount" for pods
我已经使用 kind on WSL2 (Ubuntu distro). I managed to create a cluster successfully. Then I try to install istio using helm following the documentation 设置了一个本地 kubernetes 集群。
一切看起来都很好,直到我使用 kubectl get pods -n istio-system 检查 istio pods 的状态,我得到了响应
istio-egressgateway-645df98b64-tml4k 0/1 ContainerCreating 0 39m
istio-ingressgateway-6c7f679666-lxj8r 0/1 ContainerCreating 0 39m
istiod-657558ff59-fhpgl 0/1 ContainerCreating 0 39m
pods继续保持ContainerCreating状态。因此,我使用 kubectl describe pod -n istio-system istio-egressgateway-645df98b64-tml4k 检查了 pod,我看到了以下带有警告的事件:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 27m default-scheduler Successfully assigned istio-system/istio-egressgateway-645df98b64-tml4k to msg-local-worker2
Warning FailedMount 25m kubelet Unable to attach or mount volumes: unmounted volumes=[istio-token istiod-ca-cert], unattached volumes=[istio-token podinfo istio-envoy istio-data egressgateway-ca-certs config-volume egressgateway-certs istio-egressgateway-service-account-token-2k6nv istiod-ca-cert]: timed out waiting for the condition
Warning FailedMount 22m kubelet Unable to attach or mount volumes: unmounted volumes=[istio-token istiod-ca-cert], unattached volumes=[istio-token istio-envoy istiod-ca-cert config-volume istio-data podinfo egressgateway-certs egressgateway-ca-certs istio-egressgateway-service-account-token-2k6nv]: timed out waiting for the condition
Warning FailedMount 20m (x11 over 27m) kubelet MountVolume.SetUp failed for volume "istio-token" : failed to fetch token: the API server does not have TokenRequest endpoints enabled
Warning FailedMount 20m kubelet Unable to attach or mount volumes: unmounted volumes=[istiod-ca-cert istio-token], unattached volumes=[istio-envoy podinfo istiod-ca-cert istio-egressgateway-service-account-token-2k6nv istio-token config-volume egressgateway-certs istio-data egressgateway-ca-certs]: timed out waiting for the condition
Warning FailedMount 11m kubelet Unable to attach or mount volumes: unmounted volumes=[istiod-ca-cert istio-token], unattached volumes=[podinfo istio-egressgateway-service-account-token-2k6nv istio-envoy config-volume istio-data istiod-ca-cert egressgateway-certs egressgateway-ca-certs istio-token]: timed out waiting for the condition
Warning FailedMount 7m2s (x3 over 9m16s) kubelet (combined from similar events): Unable to attach or mount volumes: unmounted volumes=[istio-token istiod-ca-cert], unattached volumes=[egressgateway-certs istio-envoy istio-token egressgateway-ca-certs istio-egressgateway-service-account-token-2k6nv istio-data istiod-ca-cert config-volume podinfo]: timed out waiting for the condition
Warning FailedMount 38s (x18 over 27m) kubelet MountVolume.SetUp failed for volume "istiod-ca-cert" : configmap "istio-ca-root-cert" not found
通过这个 GitHub issue. I needed to enable service account token volume projection 设法解决了问题。
已找到精确解 here。我将集群配置 (kind-config.yaml) 更改为
kind: Cluster
apiVersion: kind.sigs.k8s.io/v1alpha4
kubeadmConfigPatches:
- |
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
metadata:
name: config
apiServer:
extraArgs:
"service-account-issuer": "kubernetes.default.svc"
"service-account-signing-key-file": "/etc/kubernetes/pki/sa.key"
nodes:
- role: control-plane
- role: worker
- role: worker
然后使用 kind create cluster --name my-cluster --config ./kind-config.yaml 启动集群。我在这个集群上正常安装了 istio,pods 现在是 运行。
我已经使用 kind on WSL2 (Ubuntu distro). I managed to create a cluster successfully. Then I try to install istio using helm following the documentation 设置了一个本地 kubernetes 集群。
一切看起来都很好,直到我使用 kubectl get pods -n istio-system 检查 istio pods 的状态,我得到了响应
istio-egressgateway-645df98b64-tml4k 0/1 ContainerCreating 0 39m
istio-ingressgateway-6c7f679666-lxj8r 0/1 ContainerCreating 0 39m
istiod-657558ff59-fhpgl 0/1 ContainerCreating 0 39m
pods继续保持ContainerCreating状态。因此,我使用 kubectl describe pod -n istio-system istio-egressgateway-645df98b64-tml4k 检查了 pod,我看到了以下带有警告的事件:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 27m default-scheduler Successfully assigned istio-system/istio-egressgateway-645df98b64-tml4k to msg-local-worker2
Warning FailedMount 25m kubelet Unable to attach or mount volumes: unmounted volumes=[istio-token istiod-ca-cert], unattached volumes=[istio-token podinfo istio-envoy istio-data egressgateway-ca-certs config-volume egressgateway-certs istio-egressgateway-service-account-token-2k6nv istiod-ca-cert]: timed out waiting for the condition
Warning FailedMount 22m kubelet Unable to attach or mount volumes: unmounted volumes=[istio-token istiod-ca-cert], unattached volumes=[istio-token istio-envoy istiod-ca-cert config-volume istio-data podinfo egressgateway-certs egressgateway-ca-certs istio-egressgateway-service-account-token-2k6nv]: timed out waiting for the condition
Warning FailedMount 20m (x11 over 27m) kubelet MountVolume.SetUp failed for volume "istio-token" : failed to fetch token: the API server does not have TokenRequest endpoints enabled
Warning FailedMount 20m kubelet Unable to attach or mount volumes: unmounted volumes=[istiod-ca-cert istio-token], unattached volumes=[istio-envoy podinfo istiod-ca-cert istio-egressgateway-service-account-token-2k6nv istio-token config-volume egressgateway-certs istio-data egressgateway-ca-certs]: timed out waiting for the condition
Warning FailedMount 11m kubelet Unable to attach or mount volumes: unmounted volumes=[istiod-ca-cert istio-token], unattached volumes=[podinfo istio-egressgateway-service-account-token-2k6nv istio-envoy config-volume istio-data istiod-ca-cert egressgateway-certs egressgateway-ca-certs istio-token]: timed out waiting for the condition
Warning FailedMount 7m2s (x3 over 9m16s) kubelet (combined from similar events): Unable to attach or mount volumes: unmounted volumes=[istio-token istiod-ca-cert], unattached volumes=[egressgateway-certs istio-envoy istio-token egressgateway-ca-certs istio-egressgateway-service-account-token-2k6nv istio-data istiod-ca-cert config-volume podinfo]: timed out waiting for the condition
Warning FailedMount 38s (x18 over 27m) kubelet MountVolume.SetUp failed for volume "istiod-ca-cert" : configmap "istio-ca-root-cert" not found
通过这个 GitHub issue. I needed to enable service account token volume projection 设法解决了问题。
已找到精确解 here。我将集群配置 (kind-config.yaml) 更改为
kind: Cluster
apiVersion: kind.sigs.k8s.io/v1alpha4
kubeadmConfigPatches:
- |
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
metadata:
name: config
apiServer:
extraArgs:
"service-account-issuer": "kubernetes.default.svc"
"service-account-signing-key-file": "/etc/kubernetes/pki/sa.key"
nodes:
- role: control-plane
- role: worker
- role: worker
然后使用 kind create cluster --name my-cluster --config ./kind-config.yaml 启动集群。我在这个集群上正常安装了 istio,pods 现在是 运行。