Istio envoy proxy throws uncaught critical exception when sidecar injected with kong ingress controller

raopajay · September 2, 2021, 12:01pm

Istio version : 1.10.3
Kong proxy version: 2.4
Kong ingress controller version: 1.3

Envoy proxy log:

$ kubectl logs -f  kong-kong-7946cfcd87-p59rj  -n kong  -c istio-proxy --previous
2021-09-02T09:43:58.195496Z	info	FLAG: --concurrency="2"
2021-09-02T09:43:58.195554Z	info	FLAG: --domain="kong.svc.cluster.local"
2021-09-02T09:43:58.195567Z	info	FLAG: --help="false"
2021-09-02T09:43:58.195572Z	info	FLAG: --log_as_json="false"
2021-09-02T09:43:58.195575Z	info	FLAG: --log_caller=""
2021-09-02T09:43:58.195578Z	info	FLAG: --log_output_level="default:info"
2021-09-02T09:43:58.195580Z	info	FLAG: --log_rotate=""
2021-09-02T09:43:58.195584Z	info	FLAG: --log_rotate_max_age="30"
2021-09-02T09:43:58.195589Z	info	FLAG: --log_rotate_max_backups="1000"
2021-09-02T09:43:58.195593Z	info	FLAG: --log_rotate_max_size="104857600"
2021-09-02T09:43:58.195598Z	info	FLAG: --log_stacktrace_level="default:none"
2021-09-02T09:43:58.195607Z	info	FLAG: --log_target="[stdout]"
2021-09-02T09:43:58.195612Z	info	FLAG: --meshConfig="./etc/istio/config/mesh"
2021-09-02T09:43:58.195614Z	info	FLAG: --outlierLogPath=""
2021-09-02T09:43:58.195617Z	info	FLAG: --proxyComponentLogLevel="misc:error"
2021-09-02T09:43:58.195620Z	info	FLAG: --proxyLogLevel="warning"
2021-09-02T09:43:58.195623Z	info	FLAG: --serviceCluster="kong-kong.kong"
2021-09-02T09:43:58.195626Z	info	FLAG: --stsPort="0"
2021-09-02T09:43:58.195629Z	info	FLAG: --templateFile=""
2021-09-02T09:43:58.195632Z	info	FLAG: --tokenManagerPlugin="GoogleTokenExchange"
2021-09-02T09:43:58.195635Z	info	Version 1.10.3-61313778e0b785e401c696f5e92f47af069f96d0-Clean
2021-09-02T09:43:58.195767Z	info	Proxy role	ips=[10.200.95.66] type=sidecar id=kong-kong-7946cfcd87-p59rj.kong domain=kong.svc.cluster.local
2021-09-02T09:43:58.195873Z	info	Apply proxy config from env {}

2021-09-02T09:43:58.196822Z	info	Effective config: binaryPath: /usr/local/bin/envoy
concurrency: 2
configPath: ./etc/istio/proxy
controlPlaneAuthPolicy: MUTUAL_TLS
discoveryAddress: istiod.istio-system.svc:15012
drainDuration: 45s
parentShutdownDuration: 60s
proxyAdminPort: 15000
serviceCluster: kong-kong.kong
statNameLength: 189
statusPort: 15020
terminationDrainDuration: 5s
tracing:
  zipkin:
    address: zipkin.istio-system:9411

2021-09-02T09:43:58.196856Z	info	JWT policy is third-party-jwt
2021-09-02T09:43:58.196880Z	info	Pilot SAN: [istiod.istio-system.svc]
2021-09-02T09:43:58.196886Z	info	CA Endpoint istiod.istio-system.svc:15012, provider Citadel
2021-09-02T09:43:58.196938Z	info	Using CA istiod.istio-system.svc:15012 cert with certs: var/run/secrets/istio/root-cert.pem
2021-09-02T09:43:58.197096Z	info	citadelclient	Citadel client using custom root cert: istiod.istio-system.svc:15012
2021-09-02T09:43:58.228291Z	info	ads	All caches have been synced up in 37.047168ms, marking server ready
2021-09-02T09:43:58.228749Z	info	sds	SDS server for workload certificates started, listening on "./etc/istio/proxy/SDS"
2021-09-02T09:43:58.228775Z	info	xdsproxy	Initializing with upstream address "istiod.istio-system.svc:15012" and cluster "Kubernetes"
2021-09-02T09:43:58.228938Z	info	sds	Start SDS grpc server
2021-09-02T09:43:58.229091Z	info	Opening status port 15020
2021-09-02T09:43:58.234550Z	info	Starting proxy agent
2021-09-02T09:43:58.234691Z	info	Epoch 0 starting
2021-09-02T09:43:58.236994Z	info	Envoy command: [-c etc/istio/proxy/envoy-rev0.json --restart-epoch 0 --drain-time-s 45 --drain-strategy immediate --parent-shutdown-time-s 60 --service-cluster kong-kong.kong --service-node sidecar~10.200.95.66~kong-kong-7946cfcd87-p59rj.kong~kong.svc.cluster.local --local-address-ip-version v4 --bootstrap-version 3 --disable-hot-restart --log-format %Y-%m-%dT%T.%fZ	%l	envoy %n	%v -l warning --component-log-level misc:error --concurrency 2]
2021-09-02T09:43:58.363790Z	info	xdsproxy	connected to upstream XDS server: istiod.istio-system.svc:15012
2021-09-02T09:43:58.364162Z	info	cache	generated new workload certificate	latency=135.336082ms ttl=23h59m59.635859243s
2021-09-02T09:43:58.364196Z	info	cache	Root cert has changed, start rotating root cert
2021-09-02T09:43:58.364216Z	info	ads	XDS: Incremental Pushing:0 ConnectedEndpoints:0 Version:
2021-09-02T09:43:58.364294Z	info	cache	returned workload trust anchor from cache	ttl=23h59m59.635708981s
2021-09-02T09:43:58.431685Z	info	ads	ADS: new connection for node:sidecar~10.200.95.66~kong-kong-7946cfcd87-p59rj.kong~kong.svc.cluster.local-2
2021-09-02T09:43:58.431776Z	info	ads	ADS: new connection for node:sidecar~10.200.95.66~kong-kong-7946cfcd87-p59rj.kong~kong.svc.cluster.local-1
2021-09-02T09:43:58.431845Z	info	cache	returned workload certificate from cache	ttl=23h59m59.568162082s
2021-09-02T09:43:58.431920Z	info	cache	returned workload trust anchor from cache	ttl=23h59m59.568087036s
2021-09-02T09:43:58.432266Z	info	sds	SDS: PUSH	resource=default
2021-09-02T09:43:58.432408Z	info	sds	SDS: PUSH	resource=ROOTCA
2021-09-02T09:44:00.606797Z	info	Initialization took 2.414372404s
2021-09-02T09:44:00.606876Z	info	Envoy proxy is ready
2021-09-02T09:45:21.848191Z	critical	envoy main	std::terminate called! (possible uncaught exception, see trace)
2021-09-02T09:45:21.848228Z	critical	envoy backtrace	Backtrace (use tools/stack_decode.py to get line numbers):
2021-09-02T09:45:21.848234Z	critical	envoy backtrace	Envoy version: 4b528a87271e841bd64daf841a1a384ed4fcac68/1.18.4-dev/Clean/RELEASE/BoringSSL
2021-09-02T09:45:21.859271Z	critical	envoy backtrace	#0: Envoy::TerminateHandler::logOnTerminate()::$_0::operator()() [0x557ce26fbb86]
2021-09-02T09:45:21.868220Z	critical	envoy backtrace	#1: [0x557ce26fb9e9]
2021-09-02T09:45:21.877503Z	critical	envoy backtrace	#2: std::__terminate() [0x557ce2d97ac3]
2021-09-02T09:45:21.887390Z	critical	envoy backtrace	#3: Envoy::Network::Address::Ipv6Instance::Ipv6Instance() [0x557ce25747e2]
2021-09-02T09:45:21.896393Z	critical	envoy backtrace	#4: Envoy::Network::Utility::parseInternetAddressNoThrow() [0x557ce2566abd]
2021-09-02T09:45:21.905149Z	critical	envoy backtrace	#5: Envoy::Http::Utility::getLastAddressFromXFF() [0x557ce2558478]
2021-09-02T09:45:21.914172Z	critical	envoy backtrace	#6: Envoy::Http::ConnectionManagerUtility::mutateRequestHeaders() [0x557ce2209862]
2021-09-02T09:45:21.922186Z	critical	envoy backtrace	#7: Envoy::Http::ConnectionManagerImpl::ActiveStream::decodeHeaders() [0x557ce21ffd8c]
2021-09-02T09:45:21.931123Z	critical	envoy backtrace	#8: Envoy::Http::Http1::ServerConnectionImpl::onMessageCompleteBase() [0x557ce22362b1]
2021-09-02T09:45:21.940558Z	critical	envoy backtrace	#9: Envoy::Http::Http1::ConnectionImpl::onMessageComplete() [0x557ce22339dd]
2021-09-02T09:45:21.949197Z	critical	envoy backtrace	#10: Envoy::Http::Http1::LegacyHttpParserImpl::Impl::Impl()::{lambda()#3}::__invoke() [0x557ce223bb6f]
2021-09-02T09:45:21.957392Z	critical	envoy backtrace	#11: http_parser_execute [0x557ce257ce5b]
2021-09-02T09:45:21.965670Z	critical	envoy backtrace	#12: Envoy::Http::Http1::LegacyHttpParserImpl::execute() [0x557ce223b58f]
2021-09-02T09:45:21.974314Z	critical	envoy backtrace	#13: Envoy::Http::Http1::ConnectionImpl::dispatchSlice() [0x557ce2231da4]
2021-09-02T09:45:21.984028Z	critical	envoy backtrace	#14: Envoy::Http::Http1::ConnectionImpl::dispatch() [0x557ce223151f]
2021-09-02T09:45:21.993140Z	critical	envoy backtrace	#15: Envoy::Http::Http1::ConnectionImpl::dispatch() [0x557ce2231fe5]
2021-09-02T09:45:22.001238Z	critical	envoy backtrace	#16: Envoy::Http::ConnectionManagerImpl::onData() [0x557ce21fbd4c]
2021-09-02T09:45:22.009099Z	critical	envoy backtrace	#17: Envoy::Network::FilterManagerImpl::onContinueReading() [0x557ce23c7ccf]
2021-09-02T09:45:22.017469Z	critical	envoy backtrace	#18: Envoy::Network::ConnectionImpl::onReadReady() [0x557ce23be579]
2021-09-02T09:45:22.027851Z	critical	envoy backtrace	#19: Envoy::Network::ConnectionImpl::onFileEvent() [0x557ce23bc12f]
2021-09-02T09:45:22.039848Z	critical	envoy backtrace	#20: std::__1::__function::__func<>::operator()() [0x557ce1f12721]
2021-09-02T09:45:22.048877Z	critical	envoy backtrace	#21: Envoy::Event::FileEventImpl::assignEvents()::$_1::__invoke() [0x557ce1f13e8c]
2021-09-02T09:45:22.052364Z	critical	envoy main	std::terminate called! (possible uncaught exception, see trace)
2021-09-02T09:45:22.052467Z	critical	envoy backtrace	Backtrace (use tools/stack_decode.py to get line numbers):
2021-09-02T09:45:22.052500Z	critical	envoy backtrace	Envoy version: 4b528a87271e841bd64daf841a1a384ed4fcac68/1.18.4-dev/Clean/RELEASE/BoringSSL
2021-09-02T09:45:22.058663Z	critical	envoy backtrace	#22: event_process_active_single_queue [0x557ce259b8e8]
2021-09-02T09:45:22.062128Z	critical	envoy backtrace	#0: Envoy::TerminateHandler::logOnTerminate()::$_0::operator()() [0x557ce26fbb86]
2021-09-02T09:45:22.068841Z	critical	envoy backtrace	#23: event_base_loop [0x557ce259a2be]
2021-09-02T09:45:22.073231Z	critical	envoy backtrace	#1: [0x557ce26fb9e9]
2021-09-02T09:45:22.080677Z	critical	envoy backtrace	#24: Envoy::Server::WorkerImpl::threadRoutine() [0x557ce1f09983]
2021-09-02T09:45:22.082302Z	critical	envoy backtrace	#2: std::__terminate() [0x557ce2d97ac3]
2021-09-02T09:45:22.089604Z	critical	envoy backtrace	#25: Envoy::Thread::ThreadImplPosix::ThreadImplPosix()::{lambda()#1}::__invoke() [0x557ce2cdea63]
2021-09-02T09:45:22.089717Z	critical	envoy backtrace	#26: start_thread [0x7f34eb7b16db]
2021-09-02T09:45:22.089776Z	critical	envoy backtrace	Caught Aborted, suspect faulting address 0x53900000010
2021-09-02T09:45:22.089783Z	critical	envoy backtrace	Backtrace (use tools/stack_decode.py to get line numbers):
2021-09-02T09:45:22.089847Z	critical	envoy backtrace	Envoy version: 4b528a87271e841bd64daf841a1a384ed4fcac68/1.18.4-dev/Clean/RELEASE/BoringSSL
2021-09-02T09:45:22.089889Z	critical	envoy backtrace	#0: __restore_rt [0x7f34eb7bc980]
2021-09-02T09:45:22.090915Z	critical	envoy backtrace	#3: Envoy::Network::Address::Ipv6Instance::Ipv6Instance() [0x557ce25747e2]
2021-09-02T09:45:22.098294Z	critical	envoy backtrace	#1: [0x557ce26fb9e9]
2021-09-02T09:45:22.098317Z	critical	envoy backtrace	#2: std::__terminate() [0x557ce2d97ac3]
2021-09-02T09:45:22.098320Z	critical	envoy backtrace	#3: Envoy::Network::Address::Ipv6Instance::Ipv6Instance() [0x557ce25747e2]
2021-09-02T09:45:22.098322Z	critical	envoy backtrace	#4: Envoy::Network::Utility::parseInternetAddressNoThrow() [0x557ce2566abd]
2021-09-02T09:45:22.098324Z	critical	envoy backtrace	#5: Envoy::Http::Utility::getLastAddressFromXFF() [0x557ce2558478]
2021-09-02T09:45:22.098326Z	critical	envoy backtrace	#6: Envoy::Http::ConnectionManagerUtility::mutateRequestHeaders() [0x557ce2209862]
2021-09-02T09:45:22.098328Z	critical	envoy backtrace	#7: Envoy::Http::ConnectionManagerImpl::ActiveStream::decodeHeaders() [0x557ce21ffd8c]
2021-09-02T09:45:22.098330Z	critical	envoy backtrace	#8: Envoy::Http::Http1::ServerConnectionImpl::onMessageCompleteBase() [0x557ce22362b1]
2021-09-02T09:45:22.098331Z	critical	envoy backtrace	#9: Envoy::Http::Http1::ConnectionImpl::onMessageComplete() [0x557ce22339dd]
2021-09-02T09:45:22.098333Z	critical	envoy backtrace	#10: Envoy::Http::Http1::LegacyHttpParserImpl::Impl::Impl()::{lambda()#3}::__invoke() [0x557ce223bb6f]
2021-09-02T09:45:22.098335Z	critical	envoy backtrace	#11: http_parser_execute [0x557ce257ce5b]
2021-09-02T09:45:22.098337Z	critical	envoy backtrace	#12: Envoy::Http::Http1::LegacyHttpParserImpl::execute() [0x557ce223b58f]
2021-09-02T09:45:22.098338Z	critical	envoy backtrace	#13: Envoy::Http::Http1::ConnectionImpl::dispatchSlice() [0x557ce2231da4]
2021-09-02T09:45:22.098340Z	critical	envoy backtrace	#14: Envoy::Http::Http1::ConnectionImpl::dispatch() [0x557ce223151f]
2021-09-02T09:45:22.098341Z	critical	envoy backtrace	#15: Envoy::Http::Http1::ConnectionImpl::dispatch() [0x557ce2231fe5]
2021-09-02T09:45:22.098343Z	critical	envoy backtrace	#16: Envoy::Http::ConnectionManagerImpl::onData() [0x557ce21fbd4c]
2021-09-02T09:45:22.098345Z	critical	envoy backtrace	#17: Envoy::Network::FilterManagerImpl::onContinueReading() [0x557ce23c7ccf]
2021-09-02T09:45:22.098346Z	critical	envoy backtrace	#18: Envoy::Network::ConnectionImpl::onReadReady() [0x557ce23be579]
2021-09-02T09:45:22.098348Z	critical	envoy backtrace	#19: Envoy::Network::ConnectionImpl::onFileEvent() [0x557ce23bc12f]
2021-09-02T09:45:22.098350Z	critical	envoy backtrace	#20: std::__1::__function::__func<>::operator()() [0x557ce1f12721]
2021-09-02T09:45:22.098352Z	critical	envoy backtrace	#21: Envoy::Event::FileEventImpl::assignEvents()::$_1::__invoke() [0x557ce1f13e8c]
2021-09-02T09:45:22.098353Z	critical	envoy backtrace	#22: event_process_active_single_queue [0x557ce259b8e8]
2021-09-02T09:45:22.098355Z	critical	envoy backtrace	#23: event_base_loop [0x557ce259a2be]
2021-09-02T09:45:22.098356Z	critical	envoy backtrace	#24: Envoy::Server::WorkerImpl::threadRoutine() [0x557ce1f09983]
2021-09-02T09:45:22.098358Z	critical	envoy backtrace	#25: Envoy::Thread::ThreadImplPosix::ThreadImplPosix()::{lambda()#1}::__invoke() [0x557ce2cdea63]
2021-09-02T09:45:22.098360Z	critical	envoy backtrace	#26: start_thread [0x7f34eb7b16db]
ActiveStream 0x557ce6ca6000, stream_id_: 2919886871986043075&filter_manager_: 
  FilterManager 0x557ce6ca6078, state_.has_continue_headers_: 0
  filter_manager_callbacks_.requestHeaders(): 
    ':authority', 'ozone-dev.in2tive.xyz'
    ':path', '/api/admin/env?id=60ae0c004a20cb41367520fc'
    ':method', 'GET'
    'user-agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36'
    'accept', 'application/json'
    'accept-encoding', 'gzip'
    'accept-language', 'en-US,en;q=0.9'
    'authorization', 'e4ac3c8ddf3c8f2d6242766bc4558414451232fc069c4b05eddca416d3f23404'
    'cdn-loop', 'cloudflare'
    'cf-connecting-ip', '2405:201:5007:d08a:90d:6e7b:997a:cce6'
    'cf-ipcountry', 'IN'
    'cf-ray', '6885ce15d9f11b64-HKG'
    'cf-visitor', '{"scheme":"https"}'
    'content-type', 'application/json; charset=utf-8'
    'cookie', '_ga=GA1.3.704294877.1625107447; _gcl_au=1.1.168746253.1627991926; _ga=GA1.2.665868310.1627991926; _gid=GA1.2.942751864.1630295721; _gid=GA1.3.942751864.1630295721'
    'referer', 'https://ozone-dev.in2tive.xyz/'
    'sec-fetch-dest', 'empty'
    'sec-fetch-mode', 'cors'
    'sec-fetch-site', 'same-origin'
    'x-forwarded-for', '2405:201:5007:d08a:90d:6e7b:997a:cce6'
    'x-forwarded-proto', 'https'
    'x-workspace-id', '3'
  filter_manager_callbacks_.requestTrailers():   null
  filter_manager_callbacks_.responseHeaders():   null
  filter_manager_callbacks_.responseTrailers():   null
  &stream_info_: 
    StreamInfoImpl 0x557ce6ca6168, protocol_: 1, response_code_: null, response_code_details_: null, health_check_request_: 0, route_name_: 
    OverridableRemoteSocketAddressSetterStreamInfo 0x557ce6ca6168, remoteAddress(): 10.200.43.86:37890, directRemoteAddress(): 10.200.43.86:37890, localAddress(): 10.200.95.66:8000
Http1::ConnectionImpl 0x557ce6ac1e08, dispatching_: 1, dispatching_slice_already_drained_: 0, reset_stream_called_: 0, handling_upgrade_: 0, deferred_end_stream_headers_: 1, strict_1xx_and_204_headers_: 0, processing_trailers_: 0, buffered_body_.length(): 0, header_parsing_state_: Done, current_header_field_: , current_header_value_: 
, active_request_.request_url_: null
absl::get<RequestHeaderMapPtr>(headers_or_trailers_): null
current_dispatching_buffer_ front_slice length: 987 contents: "GET /api/admin/env?id=60ae0c004a20cb41367520fc HTTP/1.1\r\nHost: ozone-dev.in2tive.xyz\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\r\nAccept: application/json\r\nAccept-Encoding: gzip\r\nAccept-Language: en-US,en;q=0.9\r\nAuthorization: e4ac3c8ddf3c8f2d6242766bc4558414451232fc069c4b05eddca416d3f23404\r\nCdn-Loop: cloudflare\r\nCf-Connecting-Ip: 2405:201:5007:d08a:90d:6e7b:997a:cce6\r\nCf-Ipcountry: IN\r\nCf-Ray: 6885ce15d9f11b64-HKG\r\nCf-Visitor: {\"scheme\":\"https\"}\r\nConnection: keep-alive\r\nContent-Type: application/json; charset=utf-8\r\nCookie: _ga=GA1.3.704294877.1625107447; _gcl_au=1.1.168746253.1627991926; _ga=GA1.2.665868310.1627991926; _gid=GA1.2.942751864.1630295721; _gid=GA1.3.942751864.1630295721\r\nReferer: https://ozone-dev.in2tive.xyz/\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: same-origin\r\nX-Forwarded-For: 2405:201:5007:d08a:90d:6e7b:997a:cce6\r\nX-Forwarded-Proto: https\r\nX-Workspace-Id: 3\r\n\r\n"
ConnectionImpl 0x557ce54cbb80, connecting_: 0, bind_error_: 0, state(): Open, read_buffer_limit_: 1048576
socket_: 
  ListenSocketImpl 0x557ce6b8f950, transport_protocol_: raw_buffer, server_name_: 
  address_provider_: 
    SocketAddressSetterImpl 0x557ce69d9c38, remote_address_: 10.200.43.86:37890, direct_remote_address_: 10.200.43.86:37890, local_address_: 10.200.95.66:8000
2021-09-02T09:45:22.109478Z	info	ads	ADS: "@" sidecar~10.200.95.66~kong-kong-7946cfcd87-p59rj.kong~kong.svc.cluster.local-1 terminated rpc error: code = Canceled desc = context canceled
2021-09-02T09:45:22.110235Z	error	Epoch 0 exited with error: signal: aborted
2021-09-02T09:45:22.110374Z	info	No more active epochs, terminating```

raopajay · September 2, 2021, 12:05pm

$ kubectl get po kong-kong-7946cfcd87-jzxvk -n kong -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    prometheus.io/path: /stats/prometheus
    prometheus.io/port: "15020"
    prometheus.io/scrape: "true"
    sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null}'
  creationTimestamp: "2021-09-02T08:57:03Z"
  generateName: kong-kong-7946cfcd87-
  labels:
    app.kubernetes.io/component: app
    app.kubernetes.io/instance: kong
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kong
    app.kubernetes.io/version: "2.4"
    helm.sh/chart: kong-2.1.0
    istio.io/rev: default
    pod-template-hash: 7946cfcd87
    security.istio.io/tlsMode: istio
    service.istio.io/canonical-name: kong
    service.istio.io/canonical-revision: "2.4"
  name: kong-kong-7946cfcd87-jzxvk
  namespace: kong
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: kong-kong-7946cfcd87
    uid: bc997e99-90fa-41df-9ad0-418bd7d1c55e
  resourceVersion: "36802574"
  uid: a590eb84-851b-420d-8211-8bc759018679
spec:
  containers:
  - args:
    - /kong-ingress-controller
    env:
    - name: POD_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.name
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.namespace
    - name: CONTROLLER_ELECTION_ID
      value: kong-ingress-controller-leader-kong
    - name: CONTROLLER_INGRESS_CLASS
      value: kong
    - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
      value: "true"
    - name: CONTROLLER_KONG_ADMIN_URL
      value: http://localhost:8001
    - name: CONTROLLER_PUBLISH_SERVICE
      value: kong/kong-kong-proxy
    image: kong/kubernetes-ingress-controller:1.3
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 3
      httpGet:
        path: /app-health/ingress-controller/livez
        port: 15020
        scheme: HTTP
      initialDelaySeconds: 5
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    name: ingress-controller
    readinessProbe:
      failureThreshold: 3
      httpGet:
        path: /app-health/ingress-controller/readyz
        port: 15020
        scheme: HTTP
      initialDelaySeconds: 5
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    resources:
      limits:
        cpu: 50m
        memory: 200Mi
      requests:
        cpu: 50m
        memory: 200Mi
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kong-kong-token-jw58l
      readOnly: true
  - env:
    - name: KONG_ADMIN_ACCESS_LOG
      value: /dev/stdout
    - name: KONG_ADMIN_ERROR_LOG
      value: /dev/stderr
    - name: KONG_ADMIN_GUI_ACCESS_LOG
      value: /dev/stdout
    - name: KONG_ADMIN_GUI_ERROR_LOG
      value: /dev/stderr
    - name: KONG_ADMIN_LISTEN
      value: 0.0.0.0:8001
    - name: KONG_CLUSTER_LISTEN
      value: "off"
    - name: KONG_DATABASE
      value: postgres
    - name: KONG_KIC
      value: "on"
    - name: KONG_LUA_PACKAGE_PATH
      value: /opt/?.lua;/opt/?/init.lua;;
    - name: KONG_NGINX_WORKER_PROCESSES
      value: "2"
    - name: KONG_PG_HOST
      value: kong-postgresql
    - name: KONG_PG_PASSWORD
      valueFrom:
        secretKeyRef:
          key: postgresql-password
          name: kong-postgresql
    - name: KONG_PG_PORT
      value: "5432"
    - name: KONG_PLUGINS
      value: bundled
    - name: KONG_PORTAL_API_ACCESS_LOG
      value: /dev/stdout
    - name: KONG_PORTAL_API_ERROR_LOG
      value: /dev/stderr
    - name: KONG_PORT_MAPS
      value: 80:8000
    - name: KONG_PREFIX
      value: /kong_prefix/
    - name: KONG_PROXY_ACCESS_LOG
      value: /dev/stdout
    - name: KONG_PROXY_ERROR_LOG
      value: /dev/stderr
    - name: KONG_PROXY_LISTEN
      value: 0.0.0.0:8000
    - name: KONG_STATUS_LISTEN
      value: 0.0.0.0:8100
    - name: KONG_STREAM_LISTEN
      value: "off"
    - name: KONG_NGINX_DAEMON
      value: "off"
    image: kong:2.4
    imagePullPolicy: IfNotPresent
    lifecycle:
      preStop:
        exec:
          command:
          - /bin/sh
          - -c
          - /bin/sleep 15 && kong quit
    livenessProbe:
      failureThreshold: 3
      httpGet:
        path: /app-health/proxy/livez
        port: 15020
        scheme: HTTP
      initialDelaySeconds: 5
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    name: proxy
    ports:
    - containerPort: 8001
      name: admin
      protocol: TCP
    - containerPort: 8000
      name: proxy
      protocol: TCP
    - containerPort: 8100
      name: status
      protocol: TCP
    readinessProbe:
      failureThreshold: 3
      httpGet:
        path: /app-health/proxy/readyz
        port: 15020
        scheme: HTTP
      initialDelaySeconds: 5
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    resources:
      limits:
        cpu: 100m
        memory: 500Mi
      requests:
        cpu: 75m
        memory: 350Mi
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /kong_prefix/
      name: kong-kong-prefix-dir
    - mountPath: /tmp
      name: kong-kong-tmp
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kong-kong-token-jw58l
      readOnly: true
  - args:
    - proxy
    - sidecar
    - --domain
    - $(POD_NAMESPACE).svc.cluster.local
    - --serviceCluster
    - kong-kong.kong
    - --proxyLogLevel=warning
    - --proxyComponentLogLevel=misc:error
    - --log_output_level=default:info
    - --concurrency
    - "2"
    env:
    - name: JWT_POLICY
      value: third-party-jwt
    - name: PILOT_CERT_PROVIDER
      value: istiod
    - name: CA_ADDR
      value: istiod.istio-system.svc:15012
    - name: POD_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.name
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.namespace
    - name: INSTANCE_IP
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: status.podIP
    - name: SERVICE_ACCOUNT
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: spec.serviceAccountName
    - name: HOST_IP
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: status.hostIP
    - name: CANONICAL_SERVICE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.labels['service.istio.io/canonical-name']
    - name: CANONICAL_REVISION
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.labels['service.istio.io/canonical-revision']
    - name: PROXY_CONFIG
      value: |
        {}
    - name: ISTIO_META_POD_PORTS
      value: |-
        [
            {"name":"admin","containerPort":8001,"protocol":"TCP"}
            ,{"name":"proxy","containerPort":8000,"protocol":"TCP"}
            ,{"name":"status","containerPort":8100,"protocol":"TCP"}
        ]
    - name: ISTIO_META_APP_CONTAINERS
      value: ingress-controller,proxy
    - name: ISTIO_META_CLUSTER_ID
      value: Kubernetes
    - name: ISTIO_META_INTERCEPTION_MODE
      value: REDIRECT
    - name: ISTIO_META_WORKLOAD_NAME
      value: kong-kong
    - name: ISTIO_META_OWNER
      value: kubernetes://apis/apps/v1/namespaces/kong/deployments/kong-kong
    - name: ISTIO_META_MESH_ID
      value: cluster.local
    - name: TRUST_DOMAIN
      value: cluster.local
    - name: ISTIO_KUBE_APP_PROBERS
      value: '{"/app-health/ingress-controller/livez":{"httpGet":{"path":"/healthz","port":10254,"scheme":"HTTP"},"timeoutSeconds":5},"/app-health/ingress-controller/readyz":{"httpGet":{"path":"/healthz","port":10254,"scheme":"HTTP"},"timeoutSeconds":5},"/app-health/proxy/livez":{"httpGet":{"path":"/status","port":8100,"scheme":"HTTP"},"timeoutSeconds":5},"/app-health/proxy/readyz":{"httpGet":{"path":"/status","port":8100,"scheme":"HTTP"},"timeoutSeconds":5}}'
    image: docker.io/istio/proxyv2:1.10.3
    imagePullPolicy: IfNotPresent
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
    readinessProbe:
      failureThreshold: 30
      httpGet:
        path: /healthz/ready
        port: 15021
        scheme: HTTP
      initialDelaySeconds: 1
      periodSeconds: 2
      successThreshold: 1
      timeoutSeconds: 3
    resources:
      limits:
        cpu: "2"
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 128Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1337
      runAsNonRoot: true
      runAsUser: 1337
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/istio
      name: istiod-ca-cert
    - mountPath: /var/lib/istio/data
      name: istio-data
    - mountPath: /etc/istio/proxy
      name: istio-envoy
    - mountPath: /var/run/secrets/tokens
      name: istio-token
    - mountPath: /etc/istio/pod
      name: istio-podinfo
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kong-kong-token-jw58l
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  initContainers:
  - command:
    - /bin/sh
    - -c
    - until kong start; do echo 'waiting for db'; sleep 1; done; kong stop; rm -fv
      '/kong_prefix//stream_rpc.sock'
    env:
    - name: KONG_ADMIN_ACCESS_LOG
      value: /dev/stdout
    - name: KONG_ADMIN_ERROR_LOG
      value: /dev/stderr
    - name: KONG_ADMIN_GUI_ACCESS_LOG
      value: /dev/stdout
    - name: KONG_ADMIN_GUI_ERROR_LOG
      value: /dev/stderr
    - name: KONG_ADMIN_LISTEN
      value: 0.0.0.0:8001
    - name: KONG_CLUSTER_LISTEN
      value: "off"
    - name: KONG_DATABASE
      value: postgres
    - name: KONG_KIC
      value: "on"
    - name: KONG_LUA_PACKAGE_PATH
      value: /opt/?.lua;/opt/?/init.lua;;
    - name: KONG_NGINX_WORKER_PROCESSES
      value: "2"
    - name: KONG_PG_HOST
      value: kong-postgresql
    - name: KONG_PG_PASSWORD
      valueFrom:
        secretKeyRef:
          key: postgresql-password
          name: kong-postgresql
    - name: KONG_PG_PORT
      value: "5432"
    - name: KONG_PLUGINS
      value: bundled
    - name: KONG_PORTAL_API_ACCESS_LOG
      value: /dev/stdout
    - name: KONG_PORTAL_API_ERROR_LOG
      value: /dev/stderr
    - name: KONG_PORT_MAPS
      value: 80:8000
    - name: KONG_PREFIX
      value: /kong_prefix/
    - name: KONG_PROXY_ACCESS_LOG
      value: /dev/stdout
    - name: KONG_PROXY_ERROR_LOG
      value: /dev/stderr
    - name: KONG_PROXY_LISTEN
      value: 0.0.0.0:8000
    - name: KONG_STATUS_LISTEN
      value: 0.0.0.0:8100
    - name: KONG_STREAM_LISTEN
      value: "off"
    image: kong:2.4
    imagePullPolicy: IfNotPresent
    name: wait-for-db
    resources:
      limits:
        cpu: 500m
        memory: 700Mi
      requests:
        cpu: 200m
        memory: 300Mi
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /kong_prefix/
      name: kong-kong-prefix-dir
    - mountPath: /tmp
      name: kong-kong-tmp
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kong-kong-token-jw58l
      readOnly: true
  - args:
    - istio-iptables
    - -p
    - "15001"
    - -z
    - "15006"
    - -u
    - "1337"
    - -m
    - REDIRECT
    - -i
    - '*'
    - -x
    - ""
    - -b
    - '*'
    - -d
    - 15090,15021,15020
    image: docker.io/istio/proxyv2:1.10.3
    imagePullPolicy: IfNotPresent
    name: istio-init
    resources:
      limits:
        cpu: "2"
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 128Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        add:
        - NET_ADMIN
        - NET_RAW
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kong-kong-token-jw58l
      readOnly: true
  nodeName: 41510885-3654-4067-876f-c1764f887cb2
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 1337
  serviceAccount: kong-kong
  serviceAccountName: kong-kong
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - emptyDir:
      medium: Memory
    name: istio-envoy
  - emptyDir: {}
    name: istio-data
  - downwardAPI:
      defaultMode: 420
      items:
      - fieldRef:
          apiVersion: v1
          fieldPath: metadata.labels
        path: labels
      - fieldRef:
          apiVersion: v1
          fieldPath: metadata.annotations
        path: annotations
      - path: cpu-limit
        resourceFieldRef:
          containerName: istio-proxy
          divisor: 1m
          resource: limits.cpu
      - path: cpu-request
        resourceFieldRef:
          containerName: istio-proxy
          divisor: 1m
          resource: requests.cpu
    name: istio-podinfo
  - name: istio-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: istio-ca
          expirationSeconds: 43200
          path: istio-token
  - configMap:
      defaultMode: 420
      name: istio-ca-root-cert
    name: istiod-ca-cert
  - emptyDir: {}
    name: kong-kong-prefix-dir
  - emptyDir: {}
    name: kong-kong-tmp
  - configMap:
      defaultMode: 493
      name: kong-kong-bash-wait-for-postgres
    name: kong-kong-bash-wait-for-postgres
  - name: kong-kong-token-jw58l
    secret:
      defaultMode: 420
      secretName: kong-kong-token-jw58l
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2021-09-02T08:57:09Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2021-09-02T10:14:41Z"
    message: 'containers with unready status: [ingress-controller proxy istio-proxy]'
    reason: ContainersNotReady
    status: "False"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2021-09-02T10:14:41Z"
    message: 'containers with unready status: [ingress-controller proxy istio-proxy]'
    reason: ContainersNotReady
    status: "False"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2021-09-02T08:57:03Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://6573d822ab04f3cd79986f3dc07cf93408cdf27613b34fe4cb4e94ae3507c864
    image: kong/kubernetes-ingress-controller:1.3
    imageID: docker-pullable://kong/kubernetes-ingress-controller@sha256:b1131d6c533516df4c834e6dcbc7f1d6437e015cce06d932bbceca86f5cd79e2
    lastState:
      terminated:
        containerID: docker://438fcd9a4c1dfc0c1d9f9e5b680a058a7ae7fb8d01d657c37904fc43977492d2
        exitCode: 0
        finishedAt: "2021-09-02T10:15:21Z"
        reason: Completed
        startedAt: "2021-09-02T10:14:15Z"
    name: ingress-controller
    ready: false
    restartCount: 6
    started: true
    state:
      running:
        startedAt: "2021-09-02T10:15:21Z"
  - containerID: docker://ecf1012e70647c92e62adb60c2b463bcc702517f11014ffc8053676495e23b93
    image: istio/proxyv2:1.10.3
    imageID: docker-pullable://istio/proxyv2@sha256:a78b7a165744384d95f75d157c34e02d6b4355aaf8fe2a2c75914832bdf764e8
    lastState:
      terminated:
        containerID: docker://ecf1012e70647c92e62adb60c2b463bcc702517f11014ffc8053676495e23b93
        exitCode: 0
        finishedAt: "2021-09-02T10:14:40Z"
        reason: Completed
        startedAt: "2021-09-02T10:13:47Z"
    name: istio-proxy
    ready: false
    restartCount: 10
    started: false
    state:
      waiting:
        message: back-off 2m40s restarting failed container=istio-proxy pod=kong-kong-7946cfcd87-jzxvk_kong(a590eb84-851b-420d-8211-8bc759018679)
        reason: CrashLoopBackOff
  - containerID: docker://99932646b91b0eeeb49e834d8a0b5dc514d45bc111fcaacd496346aad1d3b8fc
    image: kong:2.4
    imageID: docker-pullable://kong@sha256:c9872460e6c9cb05d5ac1f125fff571c00541d4da7438f5eb821e07a56efe752
    lastState:
      terminated:
        containerID: docker://00e48d9cd7f609e5a277dc6e76abc6bd486f200ffa8f14342cc9375d687c26eb
        exitCode: 0
        finishedAt: "2021-09-02T10:15:19Z"
        reason: Completed
        startedAt: "2021-09-02T10:13:46Z"
    name: proxy
    ready: false
    restartCount: 6
    started: true
    state:
      running:
        startedAt: "2021-09-02T10:15:20Z"
  hostIP: 192.168.164.9
  initContainerStatuses:
  - containerID: docker://8f573d2ff49b7d8f0a0e080a5fb65fb9b095270a5c169243fbf87799acb0d151
    image: kong:2.4
    imageID: docker-pullable://kong@sha256:c9872460e6c9cb05d5ac1f125fff571c00541d4da7438f5eb821e07a56efe752
    lastState: {}
    name: wait-for-db
    ready: true
    restartCount: 0
    state:
      terminated:
        containerID: docker://8f573d2ff49b7d8f0a0e080a5fb65fb9b095270a5c169243fbf87799acb0d151
        exitCode: 0
        finishedAt: "2021-09-02T08:57:07Z"
        reason: Completed
        startedAt: "2021-09-02T08:57:05Z"
  - containerID: docker://8e090c5693d955b0581f4258572ca16b0b1942f9a1e5bf8fb22465ebce6a7477
    image: istio/proxyv2:1.10.3
    imageID: docker-pullable://istio/proxyv2@sha256:a78b7a165744384d95f75d157c34e02d6b4355aaf8fe2a2c75914832bdf764e8
    lastState: {}
    name: istio-init
    ready: true
    restartCount: 0
    state:
      terminated:
        containerID: docker://8e090c5693d955b0581f4258572ca16b0b1942f9a1e5bf8fb22465ebce6a7477
        exitCode: 0
        finishedAt: "2021-09-02T08:57:08Z"
        reason: Completed
        startedAt: "2021-09-02T08:57:08Z"
  phase: Running
  podIP: 10.200.43.94
  podIPs:
  - ip: 10.200.43.94
  qosClass: Burstable
  startTime: "2021-09-02T08:57:03Z"

Sebastian_Goh · September 25, 2022, 5:00pm

Hi, what is the issue for this? is there any solution?

Topic		Replies	Views
Unable to route request to Istio virtual services Questions	3	1375	July 20, 2020
Kong Ingress Controller and Istio Service Mesh with STRICT mtls Kubernetes	2	1631	December 15, 2022
Kong + Istio + gRPC: server closed the stream without sending trailers Service Mesh	6	4972	June 11, 2020
Kong Ingress Controller + Istio Service Mesh doesn't support global mTLS? Kubernetes	15	4007	February 22, 2022
Kong Ingress controller is unable to route request to Istio virtual services Service Mesh	14	5338	February 22, 2022

Istio envoy proxy throws uncaught critical exception when sidecar injected with kong ingress controller

Related Topics