I have installed fresh k8s 1.18.6 on multinode ( 12GB RAM & 4 CPU) on centos-7.8(3.10.0-1127.el7.x86_64) with docker version (19.03.6) & runc version 1.0.0-rc10.
I used calico(3.11.1) network plugin and till here everything worked fine. When i am trying to install istio 1.5.7 on it i am facing issue as below
Issue:
- Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
- error installer Failed to wait for resource: resources not ready after 10m0s: timed out waiting for the condition Deployment/istio-system/istiod
kubectl get pods -n istio-system NAME READY STATUS RESTARTS AGE grafana-5f6f8cbf75-lngb7 1/1 Running 0 41s istio-egressgateway-cbd86567c-5x6rk 0/1 ContainerCreating 0 44s istio-ingressgateway-799d5b8875-4ztq8 0/1 ContainerCreating 0 42s istio-tracing-9dd6c4f7c-vv64n 1/1 Running 0 41s istiod-b7d8f955b-mtqgb 0/1 CrashLoopBackOff 5 10m kiali-869c6894c5-pw7sm 1/1 Running 0 41s prometheus-7d697b95b-2rjvn 0/2 ContainerCreating 0 41s
istiod-pod-logs: info No certificates specified, skipping DNS certificate controller info CRD controller watching namespaces "" info Ingress controller watching namespaces "" warn Config Store &{0xc00020c6c0 cluster.local 0xc00026b1e0 0xc000795e00 0xc00079eea0 []} cannot track distribution in aggregate info Adding Kubernetes registry adapter info Service controller watching namespace "" for services, endpoints, nodes and pods, refresh 1m0s info JWT policy is first-party-jwt info Use self-signed certificate as the CA certificate info pkica Failed to get secret (error: Get https://10.96.0.1:443/api/v1/namespaces/istio-system/secrets/istio-ca-secret: dial tcp 10.96.0.1:443: i/o timeout), will create one Error: failed to create discovery service: enableCA: failed to create a self-signed Citadel: failed to create CA due to secret write error error pkica Failed to write secret to CA (error: Post https://10.96.0.1:443/api/v1/namespaces/istio-system/secrets: dial tcp 10.96.0.1:443: i/o timeout). Abort. error failed to create discovery service: enableCA: failed to create a self-signed Citadel: failed to create CA due to secret write error
--set values.global.jwtPolicy=first-party-jwt
when you install istio? There is related part about that in istio documentation. Also worth to note that there is already istio version 1.8.2, consider installing the new version due to the improvements. – Jakub