This topic provides answers to some commonly asked questions about Istio.

What do I do if the services in a cluster cannot access external URLs?

Symptom

Services in a cluster cannot access external URLs.

Cause

By default, pods on a cluster where an Istio mesh is deployed use iptables to forward all outbound traffic to sidecars in a transparent manner. The sidecars can only handle the traffic destined for addresses within the cluster.

Solution

  • Define ServiceEntry to call external services.
  • Configure Istio to allow access to a specific range of IP addresses.

For more information, see Control egress traffic.

What do I do if Tiller is in an earlier version?

Symptom

The following message appears during Istio installation. 
Can't install release with errors: rpc error: code = Unknown desc = Chart incompatible with Tiller v2.7.0

Cause

Tiller is in an earlier version. You must upgrade Tiller to a later version.

Solution

Run one of the following commands to upgrade Tiller.
Note You must upgrade Tiller to V2.10.0 or later.
Upgrade Tiller to V2.11.0: 
helm init --tiller-image registry.cn-hangzhou.aliyuncs.com/acs/tiller:v2.11.0 --upgrade
Upgrade Tiller to V2.10.0: 
helm init --tiller-image registry.cn-hangzhou.aliyuncs.com/acs/tiller:v2.10.0 --upgrade
Note After you upgrade Tiller, we recommend that you upgrade the Helm client. For more information, see Install a client.

What do I do if custom resource definitions (CRDs) are in an earlier version?

Symptom

The following message appears when you create Istio for the first time or upgrade Istio from 1.0: 
Can't install release with errors: rpc error: code = Unknown desc = apiVersion "networking.istio.io/v1alpha3" in ack-istio/charts/pilot/templates/gateway.yaml is not available

Cause

CRDs do not exist or CDRs are in an earlier version.
Note This issue only occurs in Helm 2.10.0 or earlier. The system automatically upgrades CRDs for Helm later than 2.10.0.

Solution

  1. Download the latest version of Istio. For more information, see Download a release.
  2. Run the following command to install the latest CRDs: 
    kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml -n istio-system
  3. If cert-manager is enabled, run the following command to install the CRD: 
    kubectl apply -f install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml

What do I do if Istio cannot be installed when I log on as a RAM user?

Symptom

The following message or a similar one appears during Istio installation: 
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "apiextensions.k8s.io/v1beta1, Resource=customresourcedefinitions", GroupVersionKind: "apiextensions.k8s.io/v1beta1, Kind=CustomResourceDefinition"

Cause

The RAM user does not have the permission to install Istio.

Solution

  • Use an Alibaba Cloud account to log on to a cluster.
  • Grant the RAM user the required permissions. For example, you can grant the RAM user the custom role cluster-admin. For more information, see Assign RBAC roles to a RAM user.

What do I do if CRDs are not removed after I uninstall Istio?

Symptom

CRDs are not removed after you uninstall Istio.

Cause

The system does not remove CRDs when you uninstall Istio. You must run a command to delete CRDs.

Solution

  1. If you use Helm 2.9.0 or earlier, run the following command to delete Job resources: 
    kubectl -n istio-system delete job --all
  2. Run the following command to delete CRDs: 
    kubectl delete crd `kubectl get crd | grep -E 'istio.io|certmanager.k8s.io' | awk '{print $1}'`

What do I do if custom resources are not removed after I uninstall Istio?

Symptom

Custom resources are not removed after you uninstall Istio.

Cause

When you uninstall Istio, you delete only CRDs. You must run commands to delete custom resources.

Solution

  1. Run the kubectl edit istio -n istio-system istio-config command.Delete custom resources 1
  2. In the finalizers field, delete -istio-operator.finializer.alibabacloud.com.Delete custom resources 2