How to install ingress gateway well using istio 1.9.0 in centos7

1

When I installed istio 1.9.0, I find that ingress gateway not to be installed well. It is not ready. Pls help me to resolve it.

My k8s is in centos7 and as below:

[root@master istio-1.9.0]# kubectl get node
NAME           STATUS                     ROLES    AGE    VERSION
192.168.0.10   Ready,SchedulingDisabled   master   2d6h   v1.20.2
192.168.0.11   Ready                      node     2d6h   v1.20.2
192.168.0.12   Ready                      node     2d6h   v1.20.2
192.168.0.13   Ready                      node     2d6h   v1.20.2
192.168.0.14   Ready                      node     2d6h   v1.20.2

I use istioctl to install and meet some error.

[root@master istio-1.9.0]#istioctl install --set profile=demo

This will install the Istio 1.9.0 demo profile with ["Istio core" "Istiod" "Ingress gateways" "Egress gateways"] components into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✘ Ingress gateways encountered an error: failed to wait for resource: resources not ready after 5m0s: timed out waiting for the condition
Deployment/istio-system/istio-ingressgateway
- Pruning removed resources                                                    Error: failed to install manifests: errors occurred during operation

kubectl get pod -n istio-system

NAME                                   READY   STATUS    RESTARTS   AGE
istio-egressgateway-65b9c8b54f-srhmk   1/1     Running   0          9m5s
istio-ingressgateway-56d9b7fdb-5sn5v   0/1     Running   0          9m5s
istiod-89dc6db9c-6jcgm                 1/1     Running   0          9m10s

kubectl describe pod -n istio-system istio-ingressgateway-56d9b7fdb-5sn5v

Name:         istio-ingressgateway-56d9b7fdb-5sn5v
Namespace:    istio-system
Priority:     0
Node:         192.168.0.11/192.168.0.11
Start Time:   Wed, 10 Feb 2021 21:22:49 +0800
Labels:       app=istio-ingressgateway
              chart=gateways
              heritage=Tiller
              install.operator.istio.io/owning-resource=unknown
              istio=ingressgateway
              istio.io/rev=default
              operator.istio.io/component=IngressGateways
              pod-template-hash=56d9b7fdb
              release=istio
              service.istio.io/canonical-name=istio-ingressgateway
              service.istio.io/canonical-revision=latest
              sidecar.istio.io/inject=false
Annotations:  prometheus.io/path: /stats/prometheus
              prometheus.io/port: 15020
              prometheus.io/scrape: true
              sidecar.istio.io/inject: false
Status:       Running
IP:           172.20.4.18
IPs:
  IP:           172.20.4.18
Controlled By:  ReplicaSet/istio-ingressgateway-56d9b7fdb
Containers:
  istio-proxy:
    Container ID:  docker://17f446a96893cb1c97c710a18438c0350ade0685dc11e3a668bcfdd1ba52d2bc
    Image:         docker.io/istio/proxyv2:1.9.0
    Image ID:      docker-pullable://istio/proxyv2@sha256:286b821197d7a9233d1d889119f090cd9a9394468d3a312f66ea24f6e16b2294
    Ports:         15021/TCP, 8080/TCP, 8443/TCP, 31400/TCP, 15443/TCP, 15090/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP, 0/TCP, 0/TCP, 0/TCP
    Args:
      proxy
      router
      --domain
      $(POD_NAMESPACE).svc.cluster.local
      --proxyLogLevel=warning
      --proxyComponentLogLevel=misc:error
      --log_output_level=default:info
      --serviceCluster
      istio-ingressgateway
    State:          Running
      Started:      Wed, 10 Feb 2021 21:22:49 +0800
    Ready:          False
    Restart Count:  0
    Limits:
      cpu:     2
      memory:  1Gi
    Requests:
      cpu:      10m
      memory:   40Mi
    Readiness:  http-get http://:15021/healthz/ready delay=1s timeout=1s period=2s #success=1 #failure=30
    Environment:
      JWT_POLICY:                   third-party-jwt
      PILOT_CERT_PROVIDER:          istiod
      CA_ADDR:                      istiod.istio-system.svc:15012
      NODE_NAME:                     (v1:spec.nodeName)
      POD_NAME:                     istio-ingressgateway-56d9b7fdb-5sn5v (v1:metadata.name)
      POD_NAMESPACE:                istio-system (v1:metadata.namespace)
      INSTANCE_IP:                   (v1:status.podIP)
      HOST_IP:                       (v1:status.hostIP)
      SERVICE_ACCOUNT:               (v1:spec.serviceAccountName)
      CANONICAL_SERVICE:             (v1:metadata.labels['service.istio.io/canonical-name'])
      CANONICAL_REVISION:            (v1:metadata.labels['service.istio.io/canonical-revision'])
      ISTIO_META_WORKLOAD_NAME:     istio-ingressgateway
      ISTIO_META_OWNER:             kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
      ISTIO_META_UNPRIVILEGED_POD:  true
      ISTIO_META_ROUTER_MODE:       standard
      ISTIO_META_CLUSTER_ID:        Kubernetes
    Mounts:
      /etc/istio/config from config-volume (rw)
      /etc/istio/ingressgateway-ca-certs from ingressgateway-ca-certs (ro)
      /etc/istio/ingressgateway-certs from ingressgateway-certs (ro)
      /etc/istio/pod from podinfo (rw)
      /etc/istio/proxy from istio-envoy (rw)
      /var/lib/istio/data from istio-data (rw)
      /var/run/secrets/istio from istiod-ca-cert (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from istio-ingressgateway-service-account-token-n5sbf (ro)
      /var/run/secrets/tokens from istio-token (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  istiod-ca-cert:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      istio-ca-root-cert
    Optional:  false
  podinfo:
    Type:  DownwardAPI (a volume populated by information about the pod)
    Items:
      metadata.labels -> labels
      metadata.annotations -> annotations
      limits.cpu -> cpu-limit
      requests.cpu -> cpu-request
  istio-envoy:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  istio-data:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  istio-token:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  43200
  config-volume:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      istio
    Optional:  true
  ingressgateway-certs:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  istio-ingressgateway-certs
    Optional:    true
  ingressgateway-ca-certs:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  istio-ingressgateway-ca-certs
    Optional:    true
  istio-ingressgateway-service-account-token-n5sbf:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  istio-ingressgateway-service-account-token-n5sbf
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                   From               Message
  ----     ------     ----                  ----               -------
  Normal   Scheduled  10m                   default-scheduler  Successfully assigned istio-system/istio-ingressgateway-56d9b7fdb-5sn5v to 192.168.0.11
  Normal   Pulled     10m                   kubelet            Container image "docker.io/istio/proxyv2:1.9.0" already present on machine
  Normal   Created    10m                   kubelet            Created container istio-proxy
  Normal   Started    10m                   kubelet            Started container istio-proxy
  Warning  Unhealthy  9m26s (x22 over 10m)  kubelet            Readiness probe failed: Get "http://172.20.4.18:15021/healthz/ready": dial tcp 172.20.4.18:15021: connect: connection refused
  Warning  Unhealthy  8s (x268 over 9m2s)   kubelet            Readiness probe failed: HTTP probe failed with statuscode: 503

kubectl logs -n istio-system istio-ingressgateway-56d9b7fdb-5sn5v

2021-02-10T13:22:49.997617Z     info    FLAG: --concurrency="0"
2021-02-10T13:22:49.997660Z     info    FLAG: --domain="istio-system.svc.cluster.local"
2021-02-10T13:22:49.997664Z     info    FLAG: --help="false"
2021-02-10T13:22:49.997667Z     info    FLAG: --log_as_json="false"
2021-02-10T13:22:49.997669Z     info    FLAG: --log_caller=""
2021-02-10T13:22:49.997681Z     info    FLAG: --log_output_level="default:info"
2021-02-10T13:22:49.997683Z     info    FLAG: --log_rotate=""
2021-02-10T13:22:49.997685Z     info    FLAG: --log_rotate_max_age="30"
2021-02-10T13:22:49.997688Z     info    FLAG: --log_rotate_max_backups="1000"
2021-02-10T13:22:49.997691Z     info    FLAG: --log_rotate_max_size="104857600"
2021-02-10T13:22:49.997693Z     info    FLAG: --log_stacktrace_level="default:none"
2021-02-10T13:22:49.997707Z     info    FLAG: --log_target="[stdout]"
2021-02-10T13:22:49.997712Z     info    FLAG: --meshConfig="./etc/istio/config/mesh"
2021-02-10T13:22:49.997714Z     info    FLAG: --outlierLogPath=""
2021-02-10T13:22:49.997716Z     info    FLAG: --proxyComponentLogLevel="misc:error"
2021-02-10T13:22:49.997719Z     info    FLAG: --proxyLogLevel="warning"
2021-02-10T13:22:49.997722Z     info    FLAG: --serviceCluster="istio-ingressgateway"
2021-02-10T13:22:49.997725Z     info    FLAG: --stsPort="0"
2021-02-10T13:22:49.997728Z     info    FLAG: --templateFile=""
2021-02-10T13:22:49.997737Z     info    FLAG: --tokenManagerPlugin="GoogleTokenExchange"
2021-02-10T13:22:49.997751Z     info    Version 1.9.0-b63e1966c245924b10a0915a671a656540ed7a45-Clean
2021-02-10T13:22:49.998033Z     info    Apply mesh config from file accessLogFile: /dev/stdout
defaultConfig:
  discoveryAddress: istiod.istio-system.svc:15012
  proxyMetadata: {}
  tracing:
    zipkin:
      address: zipkin.istio-system:9411
enablePrometheusMerge: true
rootNamespace: istio-system
trustDomain: cluster.local
2021-02-10T13:22:49.999401Z     info    Effective config: binaryPath: /usr/local/bin/envoy
concurrency: 0
configPath: ./etc/istio/proxy
controlPlaneAuthPolicy: MUTUAL_TLS
discoveryAddress: istiod.istio-system.svc:15012
drainDuration: 45s
parentShutdownDuration: 60s
proxyAdminPort: 15000
proxyMetadata: {}
serviceCluster: istio-ingressgateway
statNameLength: 189
statusPort: 15020
terminationDrainDuration: 5s
tracing:
  zipkin:
    address: zipkin.istio-system:9411

2021-02-10T13:22:49.999428Z     info    Proxy role      ips=[172.20.4.18] type=router id=istio-ingressgateway-56d9b7fdb-5sn5v.istio-system domain=istio-system.svc.cluster.local
2021-02-10T13:22:49.999433Z     info    JWT policy is third-party-jwt
2021-02-10T13:22:49.999451Z     info    Pilot SAN: [istiod.istio-system.svc]
2021-02-10T13:22:49.999455Z     info    CA Endpoint istiod.istio-system.svc:15012, provider Citadel
2021-02-10T13:22:49.999512Z     info    Using CA istiod.istio-system.svc:15012 cert with certs: var/run/secrets/istio/root-cert.pem
2021-02-10T13:22:49.999656Z     info    citadelclient   Citadel client using custom root cert: istiod.istio-system.svc:15012
2021-02-10T13:22:50.052196Z     info    ads     All caches have been synced up in 60.846719ms, marking server ready
2021-02-10T13:22:50.052662Z     info    sds     SDS server for workload certificates started, listening on "./etc/istio/proxy/SDS"
2021-02-10T13:22:50.052692Z     info    xdsproxy        Initializing with upstream address "istiod.istio-system.svc:15012" and cluster "Kubernetes"
2021-02-10T13:22:50.052711Z     info    sds     Start SDS grpc server
2021-02-10T13:22:50.052922Z     info    Starting proxy agent
2021-02-10T13:22:50.053416Z     info    Opening status port 15020
2021-02-10T13:22:50.053509Z     info    Received new config, creating new Envoy epoch 0
2021-02-10T13:22:50.053590Z     info    Epoch 0 starting
2021-02-10T13:22:52.066003Z     info    Envoy command: [-c etc/istio/proxy/envoy-rev0.json --restart-epoch 0 --drain-time-s 45 --parent-shutdown-time-s 60 --service-cluster istio-ingressgateway --service-node router~172.20.4.18~istio-ingressgateway-56d9b7fdb-5sn5v.istio-system~istio-system.svc.cluster.local --local-address-ip-version v4 --bootstrap-version 3 --log-format %Y-%m-%dT%T.%fZ     %l       envoy %n        %v -l warning --component-log-level misc:error]
2021-02-10T13:22:52.103172Z     warning envoy runtime   Unable to use runtime singleton for feature envoy.http.headermap.lazy_map_min_size
2021-02-10T13:22:52.103218Z     warning envoy runtime   Unable to use runtime singleton for feature envoy.http.headermap.lazy_map_min_size
2021-02-10T13:22:52.103614Z     warning envoy runtime   Unable to use runtime singleton for feature envoy.http.headermap.lazy_map_min_size
2021-02-10T13:22:52.103650Z     warning envoy runtime   Unable to use runtime singleton for feature envoy.http.headermap.lazy_map_min_size
2021-02-10T13:23:10.000643Z     warn    ca      ca request failed, starting attempt 1 in 107.3067ms
2021-02-10T13:23:10.108295Z     warn    ca      ca request failed, starting attempt 2 in 181.132123ms
2021-02-10T13:23:10.297099Z     warn    ca      ca request failed, starting attempt 3 in 372.666262ms
2021-02-10T13:23:10.670356Z     warn    ca      ca request failed, starting attempt 4 in 817.16055ms
2021-02-10T13:23:12.150383Z     warning envoy config    StreamAggregatedResources gRPC config stream closed: 14, connection error: desc = "transport: Error while dialing dial tcp: i/o timeout"
2021-02-10T13:23:20.045900Z     warn    sds     failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp: lookup istiod.istio-system.svc on 169.254.20.10:53: no such host"
2021-02-10T13:23:20.046657Z     warning envoy config    StreamAggregatedResources gRPC config stream closed: 14, connection error: desc = "transport: Error while dialing dial tcp: lookup istiod.istio-system.svc on 169.254.20.10:53: no such host"
2021-02-10T13:23:20.705047Z     warn    ca      ca request failed, starting attempt 1 in 95.570152ms
2021-02-10T13:23:20.801305Z     warn    ca      ca request failed, starting attempt 2 in 196.926088ms
2021-02-10T13:23:21.002854Z     warn    ca      ca request failed, starting attempt 3 in 402.446857ms
2021-02-10T13:23:21.406325Z     warn    ca      ca request failed, starting attempt 4 in 760.56648ms
2021-02-10T13:23:40.699388Z     warning envoy config    StreamAggregatedResources gRPC config stream closed: 14, connection error: desc = "transport: Error while dialing dial tcp: i/o timeout"
2021-02-10T13:23:41.770736Z     warn    sds     failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp: i/o timeout"
2021-02-10T13:23:42.527011Z     warn    ca      ca request failed, starting attempt 1 in 94.445788ms
2021-02-10T13:23:42.621815Z     warn    ca      ca request failed, starting attempt 2 in 207.243132ms
2021-02-10T13:23:42.829360Z     warn    ca      ca request failed, starting attempt 3 in 379.321207ms
2021-02-10T13:23:43.226298Z     warn    ca      ca request failed, starting attempt 4 in 769.843591ms
2021-02-10T13:23:43.996496Z     warn    sds     failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp: i/o timeout"
2021-02-10T13:23:50.712832Z     warn    ca      ca request failed, starting attempt 1 in 103.653069ms
2021-02-10T13:23:50.713483Z     warning envoy config    StreamAggregatedResources gRPC config stream closed: 14, connection error: desc = "transport: Error while dialing dial tcp: lookup istiod.istio-system.svc on 169.254.20.10:53: no such host"
2021-02-10T13:23:50.817696Z     warn    ca      ca request failed, starting attempt 2 in 219.157174ms
2021-02-10T13:23:51.042762Z     warn    ca      ca request failed, starting attempt 3 in 433.77698ms
2021-02-10T13:23:51.477092Z     warn    ca      ca request failed, starting attempt 4 in 734.533964ms
2021-02-10T13:23:52.212460Z     warn    sds     failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp: lookup istiod.istio-system.svc on 169.254.20.10:53: no such host"
2021-02-10T13:23:54.045986Z     warn    ca      ca request failed, starting attempt 1 in 96.959079ms
2021-02-10T13:23:54.143492Z     warn    ca      ca request failed, starting attempt 2 in 207.633553ms
2021-02-10T13:23:54.352485Z     warn    ca      ca request failed, starting attempt 3 in 416.872575ms
2021-02-10T13:23:57.352149Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:23:59.345060Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:01.360069Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:03.349459Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:05.350996Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:07.358265Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:09.346218Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:11.344436Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:12.725649Z     warning envoy config    StreamAggregatedResources gRPC config stream closed: 14, connection error: desc = "transport: Error while dialing dial tcp: i/o timeout"
2021-02-10T13:24:13.359481Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:14.534477Z     warn    ca      ca request failed, starting attempt 4 in 771.533435ms
2021-02-10T13:24:15.307190Z     warn    sds     failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp: i/o timeout"
2021-02-10T13:24:15.347018Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:17.344953Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:18.916230Z     warn    ca      ca request failed, starting attempt 1 in 103.391505ms
2021-02-10T13:24:19.024420Z     warn    ca      ca request failed, starting attempt 2 in 204.909132ms
2021-02-10T13:24:19.230368Z     warn    ca      ca request failed, starting attempt 3 in 389.575427ms
2021-02-10T13:24:19.347370Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:19.627636Z     warn    ca      ca request failed, starting attempt 4 in 757.891607ms
2021-02-10T13:24:20.386527Z     warn    sds     failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp: i/o timeout"
2021-02-10T13:24:21.349013Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:22.730900Z     warning envoy config    StreamAggregatedResources gRPC config stream closed: 14, connection error: desc = "transport: Error while dialing dial tcp: lookup istiod.istio-system.svc on 169.254.20.10:53: no such host"
2021-02-10T13:24:23.346367Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:24.654682Z     warn    ca      ca request failed, starting attempt 1 in 95.626605ms
2021-02-10T13:24:24.750828Z     warn    ca      ca request failed, starting attempt 2 in 196.412913ms
2021-02-10T13:24:24.952684Z     warn    ca      ca request failed, starting attempt 3 in 394.792997ms
2021-02-10T13:24:25.353579Z     warn    ca      ca request failed, starting attempt 4 in 820.015204ms
2021-02-10T13:24:25.358000Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:26.175162Z     warn    sds     failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp: lookup istiod.istio-system.svc on 169.254.20.10:53: no such host"
2021-02-10T13:24:27.348604Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:29.344889Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:31.361510Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:32.237040Z     warn    ca      ca request failed, starting attempt 1 in 102.472176ms
2021-02-10T13:24:32.341088Z     warn    ca      ca request failed, starting attempt 2 in 209.167229ms
2021-02-10T13:24:32.550913Z     warn    ca      ca request failed, starting attempt 3 in 426.442713ms
2021-02-10T13:24:32.977831Z     warn    ca      ca request failed, starting attempt 4 in 720.08221ms
2021-02-10T13:24:33.349841Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:33.702607Z     warn    sds     failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp: lookup istiod.istio-system.svc on 169.254.20.10:53: no such host"
2021-02-10T13:24:35.345881Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:37.354361Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:39.345281Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:41.344715Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:43.345381Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:45.345168Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:47.344087Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:49.346576Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:51.347778Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:53.346060Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:53.812418Z     warn    ca      ca request failed, starting attempt 1 in 101.796683ms
2021-02-10T13:24:53.918612Z     warn    ca      ca request failed, starting attempt 2 in 215.12047ms
2021-02-10T13:24:54.145229Z     warn    ca      ca request failed, starting attempt 3 in 396.675398ms
2021-02-10T13:24:54.542893Z     warn    ca      ca request failed, starting attempt 4 in 816.026495ms
2021-02-10T13:24:55.347684Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:55.364292Z     warn    sds     failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp: i/o timeout"
2021-02-10T13:24:55.736390Z     warning envoy config    StreamAggregatedResources gRPC config stream closed: 14, connection error: desc = "transport: Error while dialing dial tcp: i/o timeout"
2021-02-10T13:24:57.350998Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:24:59.346735Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:01.352453Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:02.297679Z     warn    ca      ca request failed, starting attempt 1 in 102.835685ms
2021-02-10T13:25:02.400728Z     warn    ca      ca request failed, starting attempt 2 in 189.898664ms
2021-02-10T13:25:02.591055Z     warn    ca      ca request failed, starting attempt 3 in 373.892467ms
2021-02-10T13:25:02.965734Z     warn    ca      ca request failed, starting attempt 4 in 814.8198ms
2021-02-10T13:25:03.344663Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:03.781097Z     warn    sds     failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp: i/o timeout"
2021-02-10T13:25:05.347731Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:07.347369Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:09.344704Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:11.363259Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:13.355563Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:15.347321Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:17.344652Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:19.345347Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:21.345559Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:23.350154Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:25.350776Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:27.345038Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:27.407813Z     warning envoy config    StreamAggregatedResources gRPC config stream closed: 14, connection error: desc = "transport: Error while dialing dial tcp: i/o timeout"
2021-02-10T13:25:29.345918Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:31.362666Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:33.345475Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2021-02-10T13:25:35.346454Z     warn    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected

My k8s cluster supports third_party_token.

[root@master istio-1.9.0]# kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))'
{
  "name": "serviceaccounts/token",
  "singularName": "",
  "namespaced": true,
  "group": "authentication.k8s.io",
  "version": "v1",
  "kind": "TokenRequest",
  "verbs": [
    "create"
  ]
}
2

My cluster is based on vagrant+virtualbox. After I change virtual machine network to public_network, the issue is resolved. Then I re-install istio, the ingress gateway pod is ok.

3

So sad,I had the same issue.If the pod and the istiod in the same node,the sidecar would be ready,if not ,sidecar proxy would be fail,my error logs as same to your imention!What should I do

4

I had same issue。Do you know how to solve the issue?

5

I guess the issue is caused by k8s network. The old env of istio 1.9 has been destroyed for machine being removed to other place. So recently I built a k8s in aliyun cloud and deployed istio ver 10. I have no problem I mentioned before. If metrics service of k8s is ok, the istio will be deployed well. It is my experience:)

6

I updated the linux kernal to solve the issue.

在 2021-07-28 12:02:14,“李聪 via Discuss Istio” istio@discoursemail.com 写道:

7

@jacky-neo which network bridging you used i am using the similar setup getting same problem i switch the network to public but selecting network bridging as wlp0s20f3 giving the same error

8

[root@master ~]# brctl show
bridge name bridge id STP enabled interfaces
cni0 8000.fe7d2da0436c no veth4a97e5e7
docker0 8000.024222a7d562 no

my k8s use flannel as network