Istio origin authentication stops working after cluster maintainance (GKE)

6/4/2020

As the title shows, origin authentication of Istio failed after cluster maintainance last week. I surveyed logs, but I couldn't find the clue to solve the problem.

I'd appreciate if anyone teaches me what the cause is or how to find out the effective logs.

I confirmed that a request to our web server was with a valid JWT, but the response was 401 unauthorized and its message was origin authentication failed . And after recreating pods, origin authentication worked again. Besides, I found out that requests failed after the maintainance of GKE by checking the access logs Therefore, I thought sidecars (envoy) had problems after the maintainance, but couldn't find any envoy's helpful logs.

I installed Istio as GKE add-on, and versions are following. Origin authentication had been working fine for two months.

  • GKE master version: 1.16.8-gke.15
  • Nodepool version: 1.15.9-gke.24

Thank you for reading my question!

-- nmurakami0
google-kubernetes-engine
istio
kubernetes

1 Answer

6/15/2020

The issue was solved recreating the application's pod.

Since there is no way to reproduce the same bahavior from ISTIO side, I recommend you to open a Issue on GCP to investigation.

-- Mr.KoopaKiller
Source: StackOverflow