istio: (I believe) The startup time of istio-proxy causes some communications issues for up to 30s with the kubernetes API

Hey, I’m not sure if there’s a huge amount you can do about this one…

If you read through https://github.com/kubernetes/ingress-nginx/issues/1968 - you will see that the nginx-ingress-controller attempts to query the kubernetes api (kubernetes.default.svc.cluster.local) for the version almost immediately when it boots, and it retries for around 30 seconds before it’s actually able to successfully get a response.

The nginx-ingress-controller connects first time when it is started without istio-proxy.

We worked around this by adding a retry/delay into the controller to give istio-proxy time to “boot”, but it feels like something we shouldn’t really need to be doing?

Could this be because istio-proxy is taking a while to sync the config that says mtlsExcludedServices: kubernetes.default.svc.cluster.local?

Thoughts?

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 23 (23 by maintainers)

Most upvoted comments

Hey @nmittler - looks good, thanks and the -n flag resolves the need for me to manually remove the iptables rule (yay). Look forward to 0.8.0 to test it out.

@Stono In #4569 I added a new option to the startup script -x to allow you to exclude outbound IPs. We now use this in our nginx test to add an exclusion for kube master. If you’re doing manual injection, you can provide this value to istioctl via the --excludeIPRanges flag.

This will all be in 0.8.0, so give it a try when it’s released. Cheers!
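
The retry workaround described in the issue, as an added example that is not part of the original thread or the ingress-nginx code: a bounded startup wait that retries an API probe with backoff while the sidecar boots, and returns an error once the deadline passes so the process can exit instead of running without API access. The names `waitForAPI` and `probe` are hypothetical, and the failing probe in `main` is constructed to simulate the proxy not being ready yet.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// waitForAPI calls probe until it succeeds or ctx ends, doubling the delay
// between attempts up to maxInterval. probe is a hypothetical hook standing in
// for the controller's "get API server version" request.
// It returns the number of attempts so the caller can log how long startup took.
func waitForAPI(ctx context.Context, probe func(context.Context) error,
	interval, maxInterval time.Duration) (int, error) {
	attempts := 0
	for {
		attempts++
		lastErr := probe(ctx)
		if lastErr == nil {
			return attempts, nil
		}
		select {
		case <-ctx.Done():
			// Deadline reached: report failure rather than retrying forever.
			return attempts, fmt.Errorf("API unreachable after %d attempts: %w (last error: %v)",
				attempts, ctx.Err(), lastErr)
		case <-time.After(interval):
		}
		interval *= 2
		if interval > maxInterval {
			interval = maxInterval
		}
	}
}

func main() {
	// Constructed probe: refuses the first three calls, as if the sidecar
	// were still starting, then succeeds.
	calls := 0
	probe := func(context.Context) error {
		calls++
		if calls <= 3 {
			return errors.New("connection refused")
		}
		return nil
	}
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	n, err := waitForAPI(ctx, probe, 100*time.Millisecond, 2*time.Second)
	fmt.Printf("attempts=%d err=%v\n", n, err)
}
```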