szhengli commented on issue #10507: URL: https://github.com/apache/dubbo/issues/10507#issuecomment-1229370253
> The k8s apiserver problem is because the dubbo shade does not export the relevant code, so it has to be added as a separate dependency. [apache/dubbo-samples#504](https://github.com/apache/dubbo-samples/pull/504) has already fixed this; you can pull the code again and try it.
>
> > When installing Istio you need to enable [first-party-jwt support](https://istio.io/latest/docs/ops/best-practices/security/#configure-third-party-service-account-tokens) (add the `--set values.global.jwtPolicy=first-party-jwt` parameter when installing with the istioctl tool); otherwise client authentication will fail.

There is a problem with the Istio first-party-jwt installation. According to reports online, after k8s 1.21: first-party-jwt with k8s 1.21+ logic is too restrictive #34293

Kubernetes Version: v1.22.11, `istioctl install --set profile=demo --set values.global.jwtPolicy=first-party-jwt -y`

After deployment, the istiod pod reports this error:

```
error ads Failed to authenticate client from 10.42.0.251:47904: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster "Kubernetes": the service account authentication returns an error: [invalid bearer token, token audiences ["https://kubernetes.default.svc.cluster.local" "rke2"] is invalid for the target audiences ["istio-ca"]]
```

According to reports online, after k8s 1.21: first-party-jwt with k8s 1.21+ logic is too restrictive #34293
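A diagnostic example for the audience mismatch in the error quoted in the comment above, added here and not part of the original comment or of the Istio or Dubbo code: it decodes a token's `aud` claim (without verifying the signature) and compares it with the audience the authenticator asked for. The tokens, subject names and function names are constructed for illustration; the audience values are the ones shown in the error message.

```python
import base64
import json

def _b64url(obj) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT for the demo (dummy signature, not a real credential)."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "c2ln"])

def jwt_claims(token: str) -> dict:
    """Decode the payload segment only; the signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def audience_check(token: str, target_audiences: list) -> tuple:
    """Return (status, token_audiences); status is match, mismatch or no-aud."""
    aud = jwt_claims(token).get("aud")
    if aud is None:
        return "no-aud", []  # token without an aud claim (assumed: legacy unbound token)
    auds = [aud] if isinstance(aud, str) else list(aud)
    status = "match" if set(auds) & set(target_audiences) else "mismatch"
    return status, auds

# Constructed tokens. The first carries the audiences from the error message above.
BOUND_TOKEN = make_sample_token({
    "aud": ["https://kubernetes.default.svc.cluster.local", "rke2"],
    "sub": "system:serviceaccount:default:demo",  # constructed subject
})
ISTIO_CA_TOKEN = make_sample_token(
    {"aud": ["istio-ca"], "sub": "system:serviceaccount:default:demo"})
LEGACY_TOKEN = make_sample_token({"sub": "system:serviceaccount:default:demo"})

if __name__ == "__main__":
    samples = [("bound", BOUND_TOKEN), ("istio-ca", ISTIO_CA_TOKEN), ("legacy", LEGACY_TOKEN)]
    for name, tok in samples:
        print(name, audience_check(tok, ["istio-ca"]))
```

On a running pod, the token to inspect is the one mounted at `/var/run/secrets/kubernetes.io/serviceaccount/token`; pass its contents to `audience_check` in place of the constructed samples.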
