This topic lists common Istio FAQ and their corresponding solutions.
What do I do if the services in the cluster cannot access external URLs?
The services in the cluster cannot access external URLs.
By default, this is because the pod in the Istio service mesh uses iptables to transparently forward all outbound traffic to the sidecar. The sidecar can only handle the traffic destined for addresses within the cluster.
- Define ServiceEntry to call external services.
- Configure Istio to allow access to a specific range of IP addresses.
For more information, see Control Egress Traffic.
What do I do if Tiller is in an earlier version?
Can't install release with errors: rpc error: code = Unknown desc = Chart incompatible with Tiller v2.7.0
Your current version of Tiller needs to be upgraded.
helm init --tiller-image registry.cn-hangzhou.aliyuncs.com/acs/tiller:v2.11.0 --upgrade
helm init --tiller-image registry.cn-hangzhou.aliyuncs.com/acs/tiller:v2.10.0 --upgrade
What do I do if Custom Resource Definitions (CRDs) are in an invalid version?
Can't install release with errors: rpc error: code = Unknown desc = apiVersion "networking.istio.io/v1alpha3" in ack-istio/charts/pilot/templates/gateway.yaml is not available
- Download the latest Istio. For more information, see Download the release.
- Run the following command to install the latest CRDs:
$ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml -n istio-system
- If you have enabled
certmanager, you must run the following command to install the relevant CRDs:
$ kubectl apply -f install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml
What do I do if Istio cannot be installed when I log on as a RAM user?
Error from server (Forbidden): error when retrieving current configuration of: Resource: "apiextensions.k8s.io/v1beta1, Resource=customresourcedefinitions", GroupVersionKind: "apiextensions.k8s.io/v1beta1, Kind=CustomResourceDefinition"
The RAM user does not have permission to install Istio.
- Log on to Alibaba Cloud by using the primary account.
- Grant the RAM user the required permissions. For example, you can grant the RAM user the cluster-admin custom role. For more information, see Configure RBAC permissions for RAM users.
What do I do if CRDs are not removed after Istio is uninstalled?
CRDs are not removed after Istio is uninstalled.
The system does not remove CRDs when you uninstall Istio.
- If you use Helm later than V2.9.0, perform step 2 directly. If you use Helm 2.9.0
or earlier, you must first run the following command to delete Job resources:
$ kubectl -n istio-system delete job --all
- Run the following command to delete CRDs:
$ kubectl delete -f install/kubernetes/helm/istio/templates/crds.yaml -n istio-system
What do I do if a custom resource is retained after I delete Istio?
After Istio is deleted from a Kubernetes cluster, a custom resource is retained.
You only deleted the CRD.
- Run the
kubectl edit istio -n istio-system istio-configcommand.
- istio-operator.finializer.alibabacloud.comin the finalizers parameter.