Not able to access an Istio-enabled GKE service directly from browser but only through curl

9/25/2019

I deployed a node app on cloud run option (GKE Cluster with Istio enabled). I checked the services running using 'kubectl get services -n istio-system' and it shows

NAME                         TYPE           CLUSTER-IP    EXTERNAL-IP                                           PORT(S)
istio-ingressgateway         LoadBalancer   10.4.15.63    34.80.18.249                                          15020:30228/TCP,80:31380/TCP,443:31390/TCP
nodeservice1                 ExternalName   <none>        istio-ingressgateway.istio-system.svc.cluster.local
nodeservice1-qdvk6           ClusterIP      10.4.12.102   <none>                                                80/TCP
nodeservice1-qdvk6-metrics   ClusterIP      10.4.8.162    <none>                                                9090/TCP
nodeservice1-qdvk6-priv      ClusterIP      10.4.14.49    <none>                                                80/TCP

I am able to access nodeservice1 through curl -v -H "Host: nodeservice1.istio-system.example.com" 34.80.18.249 but if I hit 'http://34.80.18.249:8080' from the browser, it doesn't work.

If I don't choose the Cloud Run platform and set up a normal Kubernetes cluster, then I have the option to expose nodeservice1 as LoadBalancer type, and it is accessible from the browser.

Output of curl command: curl -v -H "Host: nodeservice1.istio-system.example.com" 34.80.18.249/restcall

*   Trying 34.80.18.249:80...
* TCP_NODELAY set
* Connected to 34.80.18.249 (34.80.18.249) port 80 (#0)
> GET //restcall HTTP/1.1
> Host: nodeservice1.istio-system.example.com
> User-Agent: curl/7.65.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< content-security-policy: default-src 'none'
< content-type: text/html; charset=utf-8
< date: Wed, 25 Sep 2019 09:24:15 GMT
< x-content-type-options: nosniff
< x-powered-by: Express
< x-envoy-upstream-service-time: 5349
< server: istio-envoy
< Accept-Ranges: none
< Content-Length: 148
< Via: HTTP/1.1 forward.http.proxy:3128
< Connection: keep-alive
<
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET //restcall</pre>
</body>
</html>
* Connection #0 to host 34.80.18.249 left intact
-- Roobal Jindal
google-anthos
google-cloud-platform
google-kubernetes-engine
istio

1 Answer

9/26/2019

Obviously, you don't own example.com.

So you can't expect visiting http://nodeservice1.istio-system.example.com from your browser to work, because you didn't configure the DNS for the domain.

When you do curl -H "Host: foo" http://ip, it doesn't need to go through DNS (because you give ip address directly). The Host header you provided (normally provided by the browser, inferred from the URL) is then used by Istio ingress gateway to route the traffic to the correct service.

Assuming you use Knative/Cloud Run, you should consider updating the default domain on Cloud Run on GKE from example.com to something you own, so that you can set DNS records for your subdomains.

Alternatively, you can add a local DNS record to the /etc/hosts file that points that hostname to your istio-ingressgateway's External-IP address, and your browser will use the local hack to resolve that hostname to that IP.

-- AhmetB - Google
Source: StackOverflow
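
The routing described in the answer, traced step by step in Python. This is an added example, not part of the original answer and not Istio's code: a constructed model using the IP, ports and hostname from the question's output. The names `target`, `host_header`, `trace`, `hosts_file` and `host_override` are hypothetical, a dict stands in for DNS and /etc/hosts, and the gateway is assumed to match on the hostname only.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed model; the values are taken from the question's kubectl/curl output.
GATEWAY_IP = "34.80.18.249"
GATEWAY_PORTS = {15020, 80, 443}  # ports listed for istio-ingressgateway
VIRTUAL_HOSTS = {"nodeservice1.istio-system.example.com": "nodeservice1"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def target(url):
    """Return (hostname, port) the client will connect to for this URL."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def host_header(url):
    """Host header a client derives from the URL (a default port is omitted)."""
    name, port = target(url)
    is_default = port == DEFAULT_PORTS[urlsplit(url).scheme]
    return name if is_default else f"{name}:{port}"


def trace(url, hosts_file=None, host_override=None):
    """Follow one request: name resolution, TCP connect, Host-based routing."""
    name, port = target(url)
    try:
        ip = str(ipaddress.ip_address(name))     # IP literal: no lookup needed
    except ValueError:
        ip = (hosts_file or {}).get(name)        # stand-in for DNS and /etc/hosts
        if ip is None:
            return f"cannot resolve {name}"
    if ip != GATEWAY_IP or port not in GATEWAY_PORTS:
        return f"cannot connect to {ip}:{port}"
    host = host_override or host_header(url)     # curl -H "Host: ..." overrides it
    service = VIRTUAL_HOSTS.get(host.split(":")[0])  # simplification: port ignored
    return f"routed to {service}" if service else f"no route for Host {host}"


if __name__ == "__main__":
    name = "nodeservice1.istio-system.example.com"
    print(trace("http://34.80.18.249:8080"))                          # browser attempt
    print(trace("http://34.80.18.249/restcall"))                      # bare IP on port 80
    print(trace("http://34.80.18.249/restcall", host_override=name))  # the curl command
    print(trace(f"http://{name}/restcall"))                           # no DNS record
    print(trace(f"http://{name}/restcall", hosts_file={name: GATEWAY_IP}))
```

In this model only the last three steps of the curl case and the hosts-file case reach `nodeservice1`; the other calls stop at resolution, at the connect, or at the Host match.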