Describe the bug
Pod is not created after creating Deployment in a namespace with automatic istio injection enabled. Error below is shown:
Internal error occurred: admission webhook "sidecar-injector.istio.io" denied the request: error converting YAML to JSON: yaml: line 11: did not find expected key
Expected behavior
Pod is created and envoy proxy is injected as a sidecar.
Steps to reproduce the bug
- Create cluster on the Google Kubernetes Engine with RBAC enabled
- Install Helm with service account provided in the Istio Helm installation
- Deploy Istio using Helm with parameters:
helm install --name istio --namespace istio-system --set global.proxy.includeIPRanges="10.12.0.0/14\,10.15.240.0/20" --set global.mtls.enabled=true --set grafana.enabled=true --set prometheus.enabled=true --set tracing.enabled=true --set servicegraph.enabled=true
- Label default namespace with
istio-injection=enabled
- Create deployment, for example,
nginx in default namespace
Version
Kubernetes version: 1.9.7, 1.10.5
Same problem with Istio 0.8.0, 1.0.0-snapshot.1. I have also tried 1.0.0-snapshot with default Docker hub docker.io/istio and tag 1.0.0-snapshot.1, and daily release hub gcr.io/istio-release and tag release-1.0-latest-daily.
Is Istio Auth enabled or not?
NAME: istio
LAST DEPLOYED: Thu Jul 19 10:09:41 2018
NAMESPACE: istio-system
STATUS: DEPLOYED
RESOURCES:
==> v1beta1/ClusterRole
NAME AGE
istio-galley-istio-system 1m
istio-egressgateway-istio-system 1m
istio-ingressgateway-istio-system 1m
istio-grafana-post-install-istio-system 1m
istio-mixer-istio-system 1m
istio-mixer-post-install-istio-system 1m
istio-pilot-istio-system 1m
prometheus-istio-system 1m
istio-citadel-istio-system 1m
istio-security-post-install-istio-system 1m
istio-sidecar-injector-istio-system 1m
==> v1beta1/Deployment
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
istio-galley 1 1 1 1 1m
istio-ingressgateway 1 1 1 1 1m
istio-egressgateway 1 1 1 1 1m
grafana 1 1 1 1 1m
istio-telemetry 1 1 1 1 1m
istio-policy 1 1 1 1 1m
istio-statsd-prom-bridge 1 1 1 1 1m
istio-pilot 1 1 1 0 1m
prometheus 1 1 1 1 1m
istio-citadel 1 1 1 1 1m
servicegraph 1 1 1 1 1m
istio-sidecar-injector 1 1 1 1 1m
istio-tracing 1 1 1 1 1m
==> v1beta1/ValidatingWebhookConfiguration
NAME AGE
istio-galley 1m
==> v1/ConfigMap
NAME DATA AGE
istio-grafana-custom-resources 2 1m
istio-statsd-prom-bridge 1 1m
istio-mixer-custom-resources 2 1m
prometheus 1 1m
istio-security-custom-resources 2 1m
istio 1 1m
istio-sidecar-injector 1 1m
==> v1/ServiceAccount
NAME SECRETS AGE
istio-galley-service-account 1 1m
istio-ingressgateway-service-account 1 1m
istio-egressgateway-service-account 1 1m
istio-grafana-post-install-account 1 1m
istio-mixer-post-install-account 1 1m
istio-mixer-service-account 1 1m
istio-pilot-service-account 1 1m
prometheus 1 1m
istio-security-post-install-account 1 1m
istio-citadel-service-account 1 1m
istio-sidecar-injector-service-account 1 1m
==> v1beta1/CustomResourceDefinition
NAME AGE
rbacconfigs.config.istio.io 1m
templates.config.istio.io 1m
handlers.config.istio.io 1m
memquotas.config.istio.io 1m
rules.config.istio.io 1m
attributemanifests.config.istio.io 1m
servicecontrols.config.istio.io 1m
instances.config.istio.io 1m
circonuses.config.istio.io 1m
edges.config.istio.io 1m
authorizations.config.istio.io 1m
noops.config.istio.io 1m
tracespans.config.istio.io 1m
prometheuses.config.istio.io 1m
checknothings.config.istio.io 1m
kubernetesenvs.config.istio.io 1m
apikeys.config.istio.io 1m
listcheckers.config.istio.io 1m
metrics.config.istio.io 1m
logentries.config.istio.io 1m
redisquotas.config.istio.io 1m
serviceroles.config.istio.io 1m
fluentds.config.istio.io 1m
bypasses.config.istio.io 1m
adapters.config.istio.io 1m
quotas.config.istio.io 1m
statsds.config.istio.io 1m
reportnothings.config.istio.io 1m
servicerolebindings.config.istio.io 1m
signalfxs.config.istio.io 1m
servicecontrolreports.config.istio.io 1m
rbacs.config.istio.io 1m
solarwindses.config.istio.io 1m
opas.config.istio.io 1m
listentries.config.istio.io 1m
stdios.config.istio.io 1m
stackdrivers.config.istio.io 1m
kuberneteses.config.istio.io 1m
deniers.config.istio.io 1m
httpapispecbindings.config.istio.io 1m
meshpolicies.authentication.istio.io 1m
quotaspecbindings.config.istio.io 1m
envoyfilters.networking.istio.io 1m
gateways.networking.istio.io 1m
policies.authentication.istio.io 1m
destinationrules.networking.istio.io 1m
virtualservices.networking.istio.io 1m
serviceentries.networking.istio.io 1m
httpapispecs.config.istio.io 1m
quotaspecs.config.istio.io 1m
==> v1beta1/MutatingWebhookConfiguration
istio-sidecar-injector 1m
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
istio-galley-679594fc66-dcxqx 1/1 Running 0 1m
istio-ingressgateway-57d85584c7-5g86f 1/1 Running 0 1m
istio-egressgateway-6cc6985fd5-66jhf 1/1 Running 0 1m
grafana-74f76bc898-4x9x7 1/1 Running 0 1m
istio-telemetry-74b9897498-wrn48 2/2 Running 0 1m
istio-policy-755b9b68c7-llfht 2/2 Running 0 1m
istio-statsd-prom-bridge-6889648ccf-qtw8k 1/1 Running 0 1m
istio-pilot-7d57bb4b96-mr7jk 1/2 Running 0 1m
prometheus-ffd95f9f6-sf6sb 1/1 Running 0 1m
istio-citadel-5c8d9485c-j2sbt 1/1 Running 0 1m
servicegraph-5cb9cfc7cd-jxw2q 1/1 Running 0 1m
istio-sidecar-injector-fb89fdb8-s6jhk 1/1 Running 0 1m
istio-tracing-ff7787d49-zdztr 1/1 Running 0 1m
==> v1beta1/ClusterRoleBinding
NAME AGE
istio-galley-admin-role-binding-istio-system 1m
istio-ingressgateway-istio-system 1m
istio-egressgateway-istio-system 1m
istio-grafana-post-install-role-binding-istio-system 1m
istio-mixer-admin-role-binding-istio-system 1m
istio-mixer-post-install-role-binding-istio-system 1m
istio-pilot-istio-system 1m
prometheus-istio-system 1m
istio-citadel-istio-system 1m
istio-security-post-install-role-binding-istio-system 1m
istio-sidecar-injector-admin-role-binding-istio-system 1m
==> v1/Service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-galley ClusterIP 10.15.245.95 <none> 443/TCP,9093/TCP 1m
istio-ingressgateway LoadBalancer 10.15.248.87 35.240.106.192 80:31380/TCP,443:31390/TCP,31400:31400/TCP,15011:32109/TCP,8060:30840/TCP 1m
istio-egressgateway ClusterIP 10.15.245.97 <none> 80/TCP,443/TCP 1m
grafana ClusterIP 10.15.250.154 <none> 3000/TCP 1m
istio-policy ClusterIP 10.15.243.59 <none> 9091/TCP,15004/TCP,9093/TCP 1m
istio-telemetry ClusterIP 10.15.251.93 <none> 9091/TCP,15004/TCP,9093/TCP,42422/TCP 1m
istio-statsd-prom-bridge ClusterIP 10.15.253.170 <none> 9102/TCP,9125/UDP 1m
istio-pilot ClusterIP 10.15.246.157 <none> 15003/TCP,15005/TCP,15007/TCP,15010/TCP,15011/TCP,8080/TCP,9093/TCP 1m
prometheus ClusterIP 10.15.249.47 <none> 9090/TCP 1m
istio-citadel ClusterIP 10.15.248.197 <none> 8060/TCP,9093/TCP 1m
servicegraph ClusterIP 10.15.241.109 <none> 8088/TCP 1m
istio-sidecar-injector ClusterIP 10.15.252.186 <none> 443/TCP 1m
zipkin ClusterIP 10.15.253.93 <none> 9411/TCP 1m
tracing ClusterIP 10.15.249.176 <none> 80/TCP 1m
==> v2beta1/HorizontalPodAutoscaler
NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE
istio-ingressgateway Deployment/istio-ingressgateway <unknown>/55% 1 5 1 1m
istio-egressgateway Deployment/istio-egressgateway <unknown>/55% 1 5 1 1m
Environment
Cloud vendor: Google Cloud Platform
Helm version: 2.9.1
Describe the bug
Pod is not created after creating Deployment in a namespace with automatic istio injection enabled. Error below is shown:
Expected behavior
Pod is created and envoy proxy is injected as a sidecar.
Steps to reproduce the bug
istio-injection=enablednginxin default namespaceVersion
Kubernetes version:
1.9.7,1.10.5Same problem with Istio
0.8.0,1.0.0-snapshot.1. I have also tried1.0.0-snapshotwith default Docker hubdocker.io/istioand tag1.0.0-snapshot.1, and daily release hubgcr.io/istio-releaseand tagrelease-1.0-latest-daily.Is Istio Auth enabled or not?
Environment
Cloud vendor: Google Cloud Platform
Helm version: 2.9.1