Kubernetes version: 1.17.14-gke.400
I am having trouble creating pods with Istio set up; I am getting a timeout error from the sidecar injector.
I set up Istio (1.8.1) with this command:
istioctl install --set profile=minimal \
    --set values.cni.cniBinDir=/home/kubernetes/bin \
    --set 'values.cni.excludeNamespaces[0]'=kube-system \
    --set 'values.cni.excludeNamespaces[1]'=istio-system \
    --set 'values.cni.excludeNamespaces[2]'=backend \
    --set components.cni.enabled=true \
    --set components.cni.namespace=kube-system
Then, when I try to deploy the sleep sample, I get one of these two errors:
kubectl apply -f samples/sleep/sleep.yaml
Error creating: Internal error occurred: failed calling webhook "sidecar-injector.istio.io": Post https://istiod.istio-system.svc:443/inject?timeout=30s: context deadline exceeded
or
Error creating: Internal error occurred: failed calling webhook "sidecar-injector.istio.io": Post https://istiod.istio-system.svc:443/inject?timeout=30s: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
I do have network policies enabled, but I don't have any set up in kube-system or istio-system. Also, when I curl that endpoint I get a 400 error.
My issue turned out to be that I needed to update the firewall rule to add port 15017 even though I do not have a private cluster: https://istio.io/latest/docs/setup/platform-setup/gke/
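A way to check for the condition described in the answer above, as an added example that is not part of the original post: it reads the JSON form of the firewall rule list, reports control-plane-to-node rules that do not admit TCP 15017, and builds the update command that keeps the ports already allowed. The sample rules, the cluster name and the assumption that the relevant rule name ends in "-master" (the naming used on the linked GKE setup page) are constructed for illustration.

```python
import json

WEBHOOK_PORT = 15017  # istiod sidecar-injector webhook port named in the answer above

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`
# output; rule names, cluster name and port lists are made up for this example.
SAMPLE_RULES = json.loads("""[
  {"name": "gke-demo-cluster-0a1b2c3d-master", "direction": "INGRESS",
   "allowed": [{"IPProtocol": "tcp", "ports": ["10250", "443"]}]},
  {"name": "gke-demo-cluster-0a1b2c3d-vms", "direction": "INGRESS",
   "allowed": [{"IPProtocol": "tcp", "ports": ["1-65535"]}, {"IPProtocol": "icmp"}]}
]""")


def port_allowed(rule, port, protocol="tcp"):
    """True if any `allowed` entry of the rule covers protocol/port."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in (protocol, "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # no port list means every port of that protocol
            return True
        for spec in ports:  # each spec is "443" or a range such as "1-65535"
            low, _, high = spec.partition("-")
            if int(low) <= port <= int(high or low):
                return True
    return False


def rules_missing_webhook_port(rules, port=WEBHOOK_PORT):
    """Names of rules ending in '-master' (assumed naming) that do not admit the port."""
    return [r["name"] for r in rules
            if r["name"].endswith("-master") and not port_allowed(r, port)]


def suggested_update(rule, port=WEBHOOK_PORT):
    """gcloud command that re-states the existing allow list and adds the port."""
    existing = []
    for e in rule.get("allowed", []):
        ports = e.get("ports")
        existing += [f'{e["IPProtocol"]}:{p}' for p in ports] if ports else [e["IPProtocol"]]
    allow = ",".join(existing + [f"tcp:{port}"])
    return f'gcloud compute firewall-rules update {rule["name"]} --allow {allow}'


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        if rule["name"] in rules_missing_webhook_port(SAMPLE_RULES):
            print(suggested_update(rule))
```

The existing entries are repeated in the generated command because `--allow` on an update replaces the rule's allow list rather than appending to it.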
There is a known issue with the upgrade from GKE 1.16 to 1.17. Any custom resources you created in the istio-system namespace are deleted during an upgrade to 1.17. These resources must be manually recreated. We recommend not upgrading clusters with the Istio add-on to 1.17 until the fix is rolled out. The issue only occurs during upgrades, so new clusters are not affected. Check the release notes for more details.