istio: Istio cannot be deployed on IPv6-first DS clusters

Bug Description

Hello everyone, I have noticed that if I deploy Istio on a DS clusters which has IPv6 as default family it will never go ready. In particular, the controller will be ready, but the gateways (and sidecars) will not. This is caused by the readiness probe that will never succeed as shown from kubectl describe:

Readiness probe failed: Get โ€œhttp://[2001:db8:42::15]:15021/healthz/readyโ€: dial tcp [2001:db8:42::15]:15021: connect: connection refused

This behavior does not show up in DS clusters that have IPv4 as default family. I was able to reproduce the behavior with both Istio 1.15.2 and Istio 1.14.4.

Here are some steps to easily reproduce the issue:

  1. Download and Install Kind 0.16.0. It is better to have the latest KinD version as previous older versions may not support IPv6-first DS clusters deployment.
  2. Create a yaml file with the following KinD configuration:
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
  ipFamily: dual
  podSubnet: "2001:db8:42:0::/56,10.244.0.0/16"
  serviceSubnet: "2001:db8:42:1::/112,10.96.0.0/12"

N.B: The fact that the IPv6 CIDR comes before the IPv4 one will determine the IPv6-first nature of the cluster.

  1. Create the cluster via kind create cluster --config path_to_yaml
  2. Verify that the DS cluster has IPv6 as the default IPFamily
$ kubectl create deployment nginx --image=nginx
$ kubectl get pod nginx_pod_name -o jsonpath='{.status.podIP}'
<You should see an IPv6 address>
  1. Install Istio (master branch) via istioctl install --set profile=demo and the following operator
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
spec:
   components:
      pilot:
         k8s:
            env:
               - name: ISTIO_DUAL_STACK
                 value: "true"
   meshConfig:
      defaultConfig:
         proxyMetadata:
            ISTIO_AGENT_DUAL_STACK: "true"
  1. Check that the gateways are not going ready due to the probes failing after waiting for a while.
NAMESPACE            NAME                                         READY   STATUS    RESTARTS   AGE
istio-system         istio-egressgateway-5c7dbb79bf-6kqms         0/1     Running   0          8m45s
istio-system         istio-ingressgateway-577d6c976f-g594v        0/1     Running   0          8m45s
istio-system         istiod-749dd8f9c4-qdcjc                      1/1     Running   0          8m53s

I also tried to manually contact the stats endpoint of the proxies and I also found similar connectivity issues. Let me know if more information is needed

Version

$ istioctl version
client version: 1.15.2
control plane version: 1.15.2
data plane version: 1.15.2 (2 proxies)

Additional Information

ds_ipv6.tar.gz

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 28 (28 by maintainers)

Most upvoted comments

Hello Steve. Sounds good to me ๐Ÿ‘ Thank you

+1
leosarra on Mar 21, 2023

I see the commit got merged, I will close the issue. Thank you Steve ๐Ÿ‘

+1
leosarra on Feb 16, 2023

Thank you @zhlsunshine I will keep this open so that you can link your DS PR once that is open ๐Ÿ‘

+1
leosarra on Oct 19, 2022
Read more comments on GitHub
← istio: Istio breaks Pod's securityContext
istio: istio-cni : istio-iptables.sh no such file or directory →