Istio-ingressgateway pods tries to come up before Istiod pods and fails with image pull error

smutkule · July 7, 2023, 5:27am

Istio-ingressgateway pods tries to come up before Istiod pod and fails with image pull error.

Error Output:

$ k get pods -n istio-system
NAME READY STATUS RESTARTS AGE
istio-ingressgateway-58f67444d8-8ntm8 1/1 ImagePullError 0 4h13m
istiod-7b76584b5b-7mcr4 1/1 Running 0 12h

kubectl describe pod output:

Normal Scheduled 54m default-scheduler Successfully assigned istio-system/istio-ingressgateway-58f67444d8-kdpvw to aks-workersxxxxxxxxxxxxxx
Normal Pulling 53m (x4 over 54m) kubelet Pulling image “auto”
Warning Failed 53m (x4 over 54m) kubelet Failed to pull image “auto”: rpc error: code = Unknown desc = failed to pull and unpack image “Docker”: failed to resolve reference “Docker”: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
Warning Failed 53m (x4 over 54m) kubelet Error: ErrImagePull
Warning Failed 53m (x6 over 54m) kubelet Error: ImagePullBackOff
Normal BackOff 4m47s (x222 over 54m) kubelet Back-off pulling image “auto”

istio-ingressgateway pod logs:
Error from server (BadRequest): container “istio-proxy” in pod “istio-ingressgateway-58f67444d8-kdpvw” is waiting to start: trying and failing to pull image

Expectations:
istio-ingressgateway pod should wait until istiod pod is up.

peterj · July 13, 2023, 2:38pm

This seems to be an error with pulling the image, not necessarily an issue with which pod comes up before the other.

How are you installing Istio?

smutkule · July 14, 2023, 5:37am

This issue gets resolved if I delete the istio-ingressgateway pod after the istiod pod is Up.
so which means istio-ingressgateway pod needs something from istiod pod to come up.

we are using helm charts to install the istio.

peterj · July 14, 2023, 3:48pm

Can you check if there are any errors in istiod pod? Also, where are you running your cluster?

alissonreinaldo92 · July 27, 2023, 4:16am

I had the same exact issue with the istio-system pod, when installing Istio using Helm charts.

alisson@alisson-ubuntu:~/repos/devops$ kubectl get pods
NAME                            READY   STATUS             RESTARTS   AGE
istio-system-7bc9d7fb64-bxdnk   0/1     ImagePullBackOff   0          2m21s
istiod-977466b69-gnwtt          1/1     Running            0          2m21s

alisson@alisson-ubuntu:~/repos/devops$ kubectl logs istio-system-7bc9d7fb64-bxdnk
Error from server (BadRequest): container "istio-proxy" in pod "istio-system-7bc9d7fb64-bxdnk" is waiting to start: trying and failing to pull image

Then after deleting the istio-system pod, a new one was able to run just fine.

Yuval · December 11, 2023, 3:11pm

thea “auto” image is a place holder for the istio mutating webhhok. Once istiod is up the mutating webhook replaces the “auto” image with envoy that corresponds to the istiod version

Topic		Replies	Views
Istiod installation fails	18	21500	December 18, 2023
Upgrade to 1.5.4 and ingressgateway Networking	0	713	June 25, 2020
Istio-proxy container fails after hub set to private repository Config	0	901	February 15, 2022
Istio 1.10.4 ingress and egress pods are not ready Networking release	0	434	September 21, 2021
Error: Istio installation failed, incomplete or does not match "istio-new.yaml" - deployment "istio-ingressgateway" exceeded its progress deadline Networking	6	3625	April 12, 2020

Istio-ingressgateway pods tries to come up before Istiod pods and fails with image pull error

Related Topics