Configuring the Istio ingress gateway with RBAC for upstream and downstream

Problem description

There is a problem with the Istio ingress gateway. We have configured a Gateway in SIMPLE TLS mode for traffic entering the mesh. But we also want the Istio ingress gateway to talk to the application services (which have istio-proxy sidecars) over mTLS. A VirtualService is configured so that requests from whitelisted hosts are routed to services in the processing namespace. The Istio ingress pod is in istio-system (without an istio-proxy sidecar). The Gateway and the Istio ingress gateway pod are also in istio-system. We want to apply RBAC to the workloads in the processing namespace as follows -

  rules:
  - from:
    - source:
        principals: [
          "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
        ]

The peer authentication policies for processing and istio-system are mTLS in permissive mode. DestinationRule in istio-system -

apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "istio-mutual"
  namespace: "istio-system"
spec:
  host: "*.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

But this does not work as expected. When curling from the Istio ingress gateway pod to a workload in the processing namespace, the log from the istio-proxy container of the workload pod is -

curl myservice.processing/healthz
    2021-01-28T23:29:47.105404Z debug   envoy rbac  checking connection: requestedServerName: , sourceIP: 10.107.113.175:49912, directRemoteIP: 10.107.113.175:49912,remoteIP: 10.107.113.175:49912, localAddress: 10.107.66.26:8080, ssl: none, dynamicMetadata: 
    [2021-01-28T23:29:47.105Z] "- - -" 0 - "-" "-" 92 0 0 - "-" "-" "-" "-" "127.0.0.1:8080" inbound|80|https-web|myservice.processing.svc.cluster.local 127.0.0.1:39048 10.107.66.26:808010.107.113.175:49912 - -

How should we configure SIMPLE TLS for the downstream and ISTIO_MUTUAL for the upstream connection on the Gateway object? The Istio ingress gateway also has an mTLS identity. But in the log I see ssl: None. I really don't understand why. Has anyone run into this kind of problem?

Edit: curl command output

curl -v myservice.processing/actuator/info
*   Trying 172.20.252.59...
* TCP_NODELAY set
* Connected to myservice.processing (172.20.252.59) port 80 (#0)
> GET /actuator/info HTTP/1.1
> Host: myservice.processing
> User-Agent: curl/7.58.0
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host myservice.processing left intact
curl: (52) Empty reply from server

Authentication policy

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: processing
spec:
  peers:
  - mtls: {}

gateway.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-port
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      minProtocolVersion: TLSV1_2
      credentialName: ingress-cert

virtualservice.yaml

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: rate-limiting-gate
  namespace: processing
spec:
  gateways:
  - istio-system/istio-gateway
  hosts:
  - "*"
  http:
  - match:
    - port: 443
    route:
    - destination:
        host: rate-limiting-gate
        port:
          number: 80

policy.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "{{ .Values.service.name }}-authorization-policy"
  namespace: {{ .Release.Namespace | quote }}
spec:
  selector:
    matchLabels:
      service: {{ .Values.service.name }}
  rules:
  - from:
    - source:
        principals: [
        "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
        ]
  - to:
    - operation:
        ports:
        - "9292"

Tags: kubernetes, istio, istio-sidecar
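As an added example (not part of the original question and not the poster's configuration), the resources below show how the pieces described above fit together when the goal is SIMPLE TLS at the gateway, mTLS on the gateway-to-sidecar hop, and a principal-based AuthorizationPolicy on the workload. Two Istio facts shape it. First, a request only carries a source principal when it arrives over mTLS: the RBAC debug line above records `ssl: none`, and a `curl` run from a shell inside the ingress gateway pod (which has no sidecar and no iptables redirect) reaches the workload as plaintext rather than through the gateway's Envoy, so a `principals` rule cannot match that test request; a meaningful test goes through the gateway's port 443. Second, the `from`, `to` and `when` sections inside one rule are ANDed while separate rules are ORed, so splitting `from` and `to` into two rules, as in policy.yaml above, allows any request that satisfies either one. The hostname, the `app: myservice` label, the container port 8080 and the resource names are assumptions.

```yaml
# Added example, not from the original post. Hostname, labels, ports and
# resource names are assumptions; adjust them to the real workload.
---
# Gateway terminates the client's TLS (SIMPLE). The "ingress-cert" secret
# must live in istio-system, next to the ingress gateway deployment.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-port
      protocol: HTTPS
    hosts:
    - "myservice.example.com"   # constructed; a wildcard must be quoted as "*"
    tls:
      mode: SIMPLE
      minProtocolVersion: TLSV1_2
      credentialName: ingress-cert
---
apiVersion: v1
kind: Service
metadata:
  name: myservice
  namespace: processing
spec:
  selector:
    app: myservice
  ports:
  - name: http-web     # "http-" prefix: the sidecar parses HTTP; an "https-"/"tls-"
    port: 80           # prefix tells Istio the port carries TLS and is passed through
    targetPort: 8080
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myservice
  namespace: processing
spec:
  gateways:
  - istio-system/istio-gateway
  hosts:
  - "myservice.example.com"
  http:
  - route:
    - destination:
        host: myservice.processing.svc.cluster.local
        port:
          number: 80
---
# Gateway -> sidecar hop: the gateway presents its own SPIFFE identity
# (cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account).
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: myservice-mtls
  namespace: processing
spec:
  host: myservice.processing.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# security.istio.io/v1beta1 PeerAuthentication replaces the older
# authentication.istio.io/v1alpha1 Policy. STRICT rejects plaintext, so a
# request without a peer certificate never reaches the RBAC filter at all.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: processing
spec:
  mtls:
    mode: STRICT
---
# One rule = "from the ingress gateway" AND "to container port 8080".
# Two separate rules would be OR-ed. "ports" is the port the sidecar
# forwards to (the targetPort), not the Service port.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: myservice-allow-ingress
  namespace: processing
spec:
  selector:
    matchLabels:
      app: myservice
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
    to:
    - operation:
        ports: ["8080"]
```

With these applied, a request to `https://myservice.example.com/healthz` is TLS-terminated at the gateway, re-encrypted with the gateway's workload certificate towards the sidecar, and the sidecar's RBAC debug line then shows `ssl: ...` populated and a `principal` of the gateway's service account; a plaintext request from any pod in the cluster is rejected by the STRICT PeerAuthentication before authorization is evaluated.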

Solution
