Online Boutique Extensions
I have been working on extending the GCP Online Boutique microservices example, and I would like to add Istio AuthorizationPolicy resources to the system.
Specifically, I want an AuthorizationPolicy that blocks all non-whitelisted traffic to cartservice, and I want to whitelist the traffic from frontend to cartservice.
Currently I can block traffic with an AuthorizationPolicy, but I cannot whitelist traffic by principal or by namespace.
For context, here is my system setup. (Anything not stated explicitly here is the default from the demo linked above.)
Istio version:
$ istioctl version
client version: 1.4.6
control plane version: 1.4.6-gke.0
data plane version: 1.4.6-gke.0 (16 proxies)
The command I ran to enforce strict mTLS:
gcloud beta container clusters update <cluster-name> --update-addons=Istio=ENABLED \
    --istio-config=auth=MTLS_STRICT --zone=us-central1-a
I added this ServiceAccount with kubectl apply -f:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: frontend-serviceaccount
---
To make this work, I added one line to the spec of the frontend Deployment, namely:
serviceAccountName: frontend-serviceaccount
Finally, here is the AuthorizationPolicy I am trying to use, which should only allow traffic from frontend to talk to cartservice:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-cart-and-frontend-comm
  namespace: default
spec:
  selector:
    matchLabels:
      app: cartservice
  rules:
  - from:
    - source:
        namespaces:
        - "default"
        # principals: ["cluster.local/ns/default/sa/frontend-serviceaccount", "frontend", "frontend-serviceaccount", "frontend-serviceaccount.default.sa.cluster.local", "/api/v1/namespaces/default/serviceaccounts/frontend-serviceaccount", "frontend.default.svc.cluster.local"]
The commented-out principals above are all the different ways I tried to reference the service account defined above, but neither they nor the namespace work properly: once the policy is applied, frontend cannot talk to cartservice.
Results of the system debugging calls. Note that these were produced with the AuthPolicy applied with principals: ["cluster.local/ns/default/sa/frontend-serviceaccount"].
$ istioctl x authz check frontend-<podID>
Checked 21/40 listeners with node IP 10.4.4.14.
LISTENER[FilterChain] CERTIFICATE mTLS (MODE) JWT (ISSUERS) AuthZ (RULES)
0.0.0.0_80[0] none no (none) no (none) no (none)
0.0.0.0_80[1] none no (none) no (none) no (none)
0.0.0.0_443[0] none no (none) no (none) no (none)
0.0.0.0_443[1] none no (none) no (none) no (none)
0.0.0.0_443[2] none no (none) no (none) no (none)
0.0.0.0_443[3] none no (none) no (none) no (none)
0.0.0.0_3550[0] none no (none) no (none) no (none)
0.0.0.0_3550[1] none no (none) no (none) no (none)
0.0.0.0_5000[0] none no (none) no (none) no (none)
0.0.0.0_5000[1] none no (none) no (none) no (none)
0.0.0.0_5050[0] none no (none) no (none) no (none)
0.0.0.0_5050[1] none no (none) no (none) no (none)
0.0.0.0_7000[0] none no (none) no (none) no (none)
0.0.0.0_7000[1] none no (none) no (none) no (none)
0.0.0.0_7070[0] none no (none) no (none) no (none)
0.0.0.0_7070[1] none no (none) no (none) no (none)
0.0.0.0_8060[0] none no (none) no (none) no (none)
0.0.0.0_8060[1] none no (none) no (none) no (none)
0.0.0.0_8080[0] none no (none) no (none) no (none)
0.0.0.0_8080[1] none no (none) no (none) no (none)
0.0.0.0_9090[0] none no (none) no (none) no (none)
0.0.0.0_9090[1] none no (none) no (none) no (none)
0.0.0.0_9091[0] none no (none) no (none) no (none)
0.0.0.0_9091[1] none no (none) no (none) no (none)
0.0.0.0_9555[0] none no (none) no (none) no (none)
0.0.0.0_9555[1] none no (none) no (none) no (none)
0.0.0.0_9901[0] none no (none) no (none) no (none)
0.0.0.0_9901[1] none no (none) no (none) no (none)
virtualOutbound[0] none no (none) no (none) no (none)
virtualOutbound[1] none no (none) no (none) no (none)
0.0.0.0_15004[0] none no (none) no (none) no (none)
0.0.0.0_15004[1] none no (none) no (none) no (none)
virtualInbound[0] none no (none) no (none) no (none)
virtualInbound[1] none no (none) no (none) no (none)
virtualInbound[2] /etc/certs/cert-chain.pem yes (PERMISSIVE) no (none) no (none)
virtualInbound[3] none no (PERMISSIVE) no (none) no (none)
0.0.0.0_15010[0] none no (none) no (none) no (none)
0.0.0.0_15010[1] none no (none) no (none) no (none)
0.0.0.0_15014[0] none no (none) no (none) no (none)
0.0.0.0_15014[1] none no (none) no (none) no (none)
0.0.0.0_50051[0] none no (none) no (none) no (none)
0.0.0.0_50051[1] none no (none) no (none) no (none)
10.4.4.14_8080[0] /etc/certs/cert-chain.pem yes (PERMISSIVE) no (none) no (none)
10.4.4.14_8080[1] none no (PERMISSIVE) no (none) no (none)
10.4.4.14_15020 none no (none) no (none) no (none)
$ istioctl x authz check cartservice-69955dd686-wf5bt
Checked 21/40 listeners with node IP 10.4.5.6.
LISTENER[FilterChain] CERTIFICATE mTLS (MODE) JWT (ISSUERS) AuthZ (RULES)
0.0.0.0_80[0] none no (none) no (none) no (none)
0.0.0.0_80[1] none no (none) no (none) no (none)
0.0.0.0_443[0] none no (none) no (none) no (none)
0.0.0.0_443[1] none no (none) no (none) no (none)
0.0.0.0_443[2] none no (none) no (none) no (none)
0.0.0.0_443[3] none no (none) no (none) no (none)
0.0.0.0_3550[0] none no (none) no (none) no (none)
0.0.0.0_3550[1] none no (none) no (none) no (none)
0.0.0.0_5000[0] none no (none) no (none) no (none)
0.0.0.0_5000[1] none no (none) no (none) no (none)
0.0.0.0_5050[0] none no (none) no (none) no (none)
0.0.0.0_5050[1] none no (none) no (none) no (none)
0.0.0.0_7000[0] none no (none) no (none) no (none)
0.0.0.0_7000[1] none no (none) no (none) no (none)
0.0.0.0_7070[0] none no (none) no (none) no (none)
0.0.0.0_7070[1] none no (none) no (none) no (none)
0.0.0.0_8060[0] none no (none) no (none) no (none)
0.0.0.0_8060[1] none no (none) no (none) no (none)
0.0.0.0_8080[0] none no (none) no (none) no (none)
0.0.0.0_8080[1] none no (none) no (none) no (none)
0.0.0.0_9090[0] none no (none) no (none) no (none)
0.0.0.0_9090[1] none no (none) no (none) no (none)
0.0.0.0_9091[0] none no (none) no (none) no (none)
0.0.0.0_9091[1] none no (none) no (none) no (none)
0.0.0.0_9555[0] none no (none) no (none) no (none)
0.0.0.0_9555[1] none no (none) no (none) no (none)
0.0.0.0_9901[0] none no (none) no (none) no (none)
0.0.0.0_9901[1] none no (none) no (none) no (none)
virtualOutbound[0] none no (none) no (none) no (none)
virtualOutbound[1] none no (none) no (none) no (none)
0.0.0.0_15004[0] none no (none) no (none) no (none)
0.0.0.0_15004[1] none no (none) no (none) no (none)
virtualInbound[0] none no (none) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
virtualInbound[1] none no (none) no (none) no (none)
virtualInbound[2] /etc/certs/cert-chain.pem yes (PERMISSIVE) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
virtualInbound[3] none no (PERMISSIVE) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
0.0.0.0_15010[0] none no (none) no (none) no (none)
0.0.0.0_15010[1] none no (none) no (none) no (none)
0.0.0.0_15014[0] none no (none) no (none) no (none)
0.0.0.0_15014[1] none no (none) no (none) no (none)
0.0.0.0_50051[0] none no (none) no (none) no (none)
0.0.0.0_50051[1] none no (none) no (none) no (none)
10.4.5.6_7070[0] /etc/certs/cert-chain.pem yes (PERMISSIVE) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
10.4.5.6_7070[1] none no (PERMISSIVE) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
10.4.5.6_15020 none no (none) no (none) no (none)
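Two checks a practitioner would run over the material above, as an added example that is not part of the original question or answer: a parser for rows in the shape of the `istioctl x authz check` output (Istio 1.4 column layout, sample rows constructed from the cartservice output above) that reports which listeners carry the policy and which of those are not in STRICT mTLS, plus a format check for the six principal strings the question tried. The trust-domain regex assumes the `<trust-domain>/ns/<namespace>/sa/<serviceaccount>` form.

```python
import re

# Constructed sample: rows in the layout of `istioctl x authz check` (Istio 1.4),
# abbreviated from the cartservice pod output in the question.
SAMPLE = """\
LISTENER[FilterChain]  CERTIFICATE                mTLS (MODE)       JWT (ISSUERS)  AuthZ (RULES)
0.0.0.0_7070[0]        none                       no (none)         no (none)      no (none)
virtualInbound[2]      /etc/certs/cert-chain.pem  yes (PERMISSIVE)  no (none)      yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
10.4.5.6_7070[1]       none                       no (PERMISSIVE)   no (none)      yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
"""

# One data row: listener, certificate, mTLS yes/no (mode), JWT yes/no (...), AuthZ yes/no (rules).
ROW = re.compile(
    r"^(?P<listener>\S+)\s+(?P<cert>\S+)\s+"
    r"(?P<mtls>yes|no) \((?P<mode>[^)]*)\)\s+"
    r"(?P<jwt>yes|no) \([^)]*\)\s+"
    r"(?P<authz>yes|no) \((?P<rules>.*)\)$"
)

# Istio principal format: <trust-domain>/ns/<namespace>/sa/<serviceaccount>.
PRINCIPAL = re.compile(r"^[^/\s]+/ns/[^/\s]+/sa/[^/\s]+$")


def parse_authz_check(text):
    """Return one dict per data row; the header line does not match and is skipped."""
    return [m.groupdict() for m in (ROW.match(l.strip()) for l in text.splitlines()) if m]


def listeners_with_policy(rows, policy):
    """Listeners on which the named AuthorizationPolicy is actually attached."""
    return [r["listener"] for r in rows
            if r["authz"] == "yes" and f"policy[{policy}]" in r["rules"]]


def non_strict_policy_listeners(rows):
    """Listeners that carry an authz rule but are not in STRICT mTLS. In PERMISSIVE mode a
    plaintext peer has no verified identity, so a `principals` match cannot succeed for it."""
    return [r["listener"] for r in rows if r["authz"] == "yes" and r["mode"] != "STRICT"]


def is_istio_principal(s):
    """True only for the SPIFFE-style form Istio expects in source.principals."""
    return PRINCIPAL.match(s) is not None
```

Of the six strings in the commented-out `principals` list, only `cluster.local/ns/default/sa/frontend-serviceaccount` passes `is_istio_principal`; the others are Kubernetes API paths or DNS names, not identities.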
For reference, after debugging in person with the OP, we found that the cluster was under-provisioned in terms of CPU. After resizing the cluster for additional CPU (1 vCPU -> 4 vCPUs), we were able to get the authz policy working and honored.
Our hypothesis is that istiod was failing to respond to requests because of this. We do not know why.