szhengli commented on issue #10507:
URL: https://github.com/apache/dubbo/issues/10507#issuecomment-1229370253

   > The k8s apiserver issue is because the dubbo shade does not export the relevant code, so it has to be added as a separate dependency. [apache/dubbo-samples#504](https://github.com/apache/dubbo-samples/pull/504) has already fixed this; you can pull the code again and try it.
   
   > ![image](https://user-images.githubusercontent.com/9292748/187032185-5128930e-c4ca-4ec2-9493-0f150b363ba5.png)
   > 
   > When installing Istio, you need to enable [first-party-jwt support](https://istio.io/latest/docs/ops/best-practices/security/#configure-third-party-service-account-tokens) (when installing with the istioctl tool, add the --set values.global.jwtPolicy=first-party-jwt parameter); otherwise client authentication will fail.
   
   There is a problem with the istio first-party-jwt installation. People online say that after k8s 1.21: "first-party-jwt with k8s 1.21+ logic is too restrictive #34293".
   Kubernetes Version: v1.22.11.
   After deploying with

     istioctl install --set profile=demo --set values.global.jwtPolicy=first-party-jwt -y

   the istiod pod reports an error:

     error ads Failed to authenticate client from 10.42.0.251:47904: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster "Kubernetes": the service account authentication returns an error: [invalid bearer token, token audiences ["https://kubernetes.default.svc.cluster.local"; "rke2"] is invalid for the target audiences ["istio-ca"]]

   People online say that after k8s 1.21: "first-party-jwt with k8s 1.21+ logic is too restrictive #34293".


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

