This topic provides answers to some commonly asked questions about Istio.
What do I do if the services in a cluster cannot access external URLs?
Symptom
Services in a cluster cannot access external URLs.
Cause
By default, pods on a cluster where an Istio mesh is deployed use iptables to forward all outbound traffic to sidecars in a transparent manner. The sidecars can only handle the traffic destined for addresses within the cluster.
Solution
- Define ServiceEntry to call external services.
- Configure Istio to allow access to a specific range of IP addresses.
For more information, see Control egress traffic.
What do I do if Tiller is in an earlier version?
Symptom
Can't install release with errors: rpc error: code = Unknown desc = Chart incompatible with Tiller v2.7.0
Cause
Tiller is in an earlier version. You must upgrade Tiller to a later version.
Solution
helm init --tiller-image registry.cn-hangzhou.aliyuncs.com/acs/tiller:v2.11.0 --upgrade
helm init --tiller-image registry.cn-hangzhou.aliyuncs.com/acs/tiller:v2.10.0 --upgrade
What do I do if custom resource definitions (CRDs) are in an earlier version?
Symptom
Can't install release with errors: rpc error: code = Unknown desc = apiVersion "networking.istio.io/v1alpha3" in ack-istio/charts/pilot/templates/gateway.yaml is not available
Cause
Solution
- Download the latest version of Istio. For more information, see Download a release.
- Run the following command to install the latest CRDs:
kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml -n istio-system
- If
cert-manager
is enabled, run the following command to install the CRD:kubectl apply -f install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml
What do I do if Istio cannot be installed when I log on as a RAM user?
Symptom
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "apiextensions.k8s.io/v1beta1, Resource=customresourcedefinitions", GroupVersionKind: "apiextensions.k8s.io/v1beta1, Kind=CustomResourceDefinition"
Cause
The RAM user does not have the permission to install Istio.
Solution
- Use an Alibaba Cloud account to log on to a cluster.
- Grant the RAM user the required permissions. For example, you can grant the RAM user the custom role cluster-admin. For more information, see Assign RBAC roles to a RAM user.
What do I do if CRDs are not removed after I uninstall Istio?
Symptom
CRDs are not removed after you uninstall Istio.
Cause
The system does not remove CRDs when you uninstall Istio. You must run a command to delete CRDs.
Solution
- If you use Helm 2.9.0 or earlier, run the following command to delete Job resources:
kubectl -n istio-system delete job --all
- Run the following command to delete CRDs:
kubectl delete crd `kubectl get crd | grep -E 'istio.io|certmanager.k8s.io' | awk '{print $1}'`
What do I do if custom resources are not removed after I uninstall Istio?
Symptom
Custom resources are not removed after you uninstall Istio.
Cause
When you uninstall Istio, you delete only CRDs. You must run commands to delete custom resources.
Solution
- Run the
kubectl edit istio -n istio-system istio-config
command. - In the finalizers field, delete
-istio-operator.finializer.alibabacloud.com
.