I have been working on extending the GCP Online Boutique microservices demo, and I want to add Istio AuthorizationPolicy resources to the system.
Specifically, I want an AuthorizationPolicy that blocks all non-whitelisted traffic to cartservice, and I want to whitelist traffic from frontend to cartservice.
Currently I am able to block traffic with an AuthorizationPolicy, but I cannot whitelist traffic by principal or by namespace.
For context, here is my system setup. (Anything not explicitly stated here is the default from the demo linked above.)
Istio version:
$ istioctl version
client version: 1.4.6
control plane version: 1.4.6-gke.0
data plane version: 1.4.6-gke.0 (16 proxies)
Command I ran to enforce strict mTLS:
gcloud beta container clusters update <cluster-name> --update-addons=Istio=ENABLED \
  --istio-config=auth=MTLS_STRICT --zone=us-central1-a
I added this ServiceAccount using kubectl apply -f:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: frontend-serviceaccount
---
To make this work, I added one line to the spec of the frontend Deployment, namely:
serviceAccountName: frontend-serviceaccount
Finally, here is the AuthorizationPolicy I am trying to use to allow only traffic from frontend to talk to cartservice.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-cart-and-frontend-comm
  namespace: default
spec:
  selector:
    matchLabels:
      app: cartservice
  rules:
  - from:
    - source:
        namespaces:
        - "default"
        # principals: ["cluster.local/ns/default/sa/frontend-serviceaccount", "frontend", "frontend-serviceaccount", "frontend-serviceaccount.default.sa.cluster.local", "/api/v1/namespaces/default/serviceaccounts/frontend-serviceaccount", "frontend.default.svc.cluster.local"]
The commented-out principals above are all the different ways I tried to reference the service account defined above; neither they nor the namespace work properly. Once any of them is applied, frontend can no longer talk to cartservice.
Debugging output (note: all of this was collected with the AuthorizationPolicy applied using principals: ["cluster.local/ns/default/sa/frontend-serviceaccount"]):
$ istioctl x authz check frontend-<podID>
Checked 21/40 listeners with node IP 10.4.4.14.
LISTENER[FilterChain] CERTIFICATE mTLS (MODE) JWT (ISSUERS) AuthZ (RULES)
0.0.0.0_80[0] none no (none) no (none) no (none)
0.0.0.0_80[1] none no (none) no (none) no (none)
0.0.0.0_443[0] none no (none) no (none) no (none)
0.0.0.0_443[1] none no (none) no (none) no (none)
0.0.0.0_443[2] none no (none) no (none) no (none)
0.0.0.0_443[3] none no (none) no (none) no (none)
0.0.0.0_3550[0] none no (none) no (none) no (none)
0.0.0.0_3550[1] none no (none) no (none) no (none)
0.0.0.0_5000[0] none no (none) no (none) no (none)
0.0.0.0_5000[1] none no (none) no (none) no (none)
0.0.0.0_5050[0] none no (none) no (none) no (none)
0.0.0.0_5050[1] none no (none) no (none) no (none)
0.0.0.0_7000[0] none no (none) no (none) no (none)
0.0.0.0_7000[1] none no (none) no (none) no (none)
0.0.0.0_7070[0] none no (none) no (none) no (none)
0.0.0.0_7070[1] none no (none) no (none) no (none)
0.0.0.0_8060[0] none no (none) no (none) no (none)
0.0.0.0_8060[1] none no (none) no (none) no (none)
0.0.0.0_8080[0] none no (none) no (none) no (none)
0.0.0.0_8080[1] none no (none) no (none) no (none)
0.0.0.0_9090[0] none no (none) no (none) no (none)
0.0.0.0_9090[1] none no (none) no (none) no (none)
0.0.0.0_9091[0] none no (none) no (none) no (none)
0.0.0.0_9091[1] none no (none) no (none) no (none)
0.0.0.0_9555[0] none no (none) no (none) no (none)
0.0.0.0_9555[1] none no (none) no (none) no (none)
0.0.0.0_9901[0] none no (none) no (none) no (none)
0.0.0.0_9901[1] none no (none) no (none) no (none)
virtualOutbound[0] none no (none) no (none) no (none)
virtualOutbound[1] none no (none) no (none) no (none)
0.0.0.0_15004[0] none no (none) no (none) no (none)
0.0.0.0_15004[1] none no (none) no (none) no (none)
virtualInbound[0] none no (none) no (none) no (none)
virtualInbound[1] none no (none) no (none) no (none)
virtualInbound[2] /etc/certs/cert-chain.pem yes (PERMISSIVE) no (none) no (none)
virtualInbound[3] none no (PERMISSIVE) no (none) no (none)
0.0.0.0_15010[0] none no (none) no (none) no (none)
0.0.0.0_15010[1] none no (none) no (none) no (none)
0.0.0.0_15014[0] none no (none) no (none) no (none)
0.0.0.0_15014[1] none no (none) no (none) no (none)
0.0.0.0_50051[0] none no (none) no (none) no (none)
0.0.0.0_50051[1] none no (none) no (none) no (none)
10.4.4.14_8080[0] /etc/certs/cert-chain.pem yes (PERMISSIVE) no (none) no (none)
10.4.4.14_8080[1] none no (PERMISSIVE) no (none) no (none)
10.4.4.14_15020 none no (none) no (none) no (none)
$ istioctl x authz check cartservice-69955dd686-wf5bt
Checked 21/40 listeners with node IP 10.4.5.6.
LISTENER[FilterChain] CERTIFICATE mTLS (MODE) JWT (ISSUERS) AuthZ (RULES)
0.0.0.0_80[0] none no (none) no (none) no (none)
0.0.0.0_80[1] none no (none) no (none) no (none)
0.0.0.0_443[0] none no (none) no (none) no (none)
0.0.0.0_443[1] none no (none) no (none) no (none)
0.0.0.0_443[2] none no (none) no (none) no (none)
0.0.0.0_443[3] none no (none) no (none) no (none)
0.0.0.0_3550[0] none no (none) no (none) no (none)
0.0.0.0_3550[1] none no (none) no (none) no (none)
0.0.0.0_5000[0] none no (none) no (none) no (none)
0.0.0.0_5000[1] none no (none) no (none) no (none)
0.0.0.0_5050[0] none no (none) no (none) no (none)
0.0.0.0_5050[1] none no (none) no (none) no (none)
0.0.0.0_7000[0] none no (none) no (none) no (none)
0.0.0.0_7000[1] none no (none) no (none) no (none)
0.0.0.0_7070[0] none no (none) no (none) no (none)
0.0.0.0_7070[1] none no (none) no (none) no (none)
0.0.0.0_8060[0] none no (none) no (none) no (none)
0.0.0.0_8060[1] none no (none) no (none) no (none)
0.0.0.0_8080[0] none no (none) no (none) no (none)
0.0.0.0_8080[1] none no (none) no (none) no (none)
0.0.0.0_9090[0] none no (none) no (none) no (none)
0.0.0.0_9090[1] none no (none) no (none) no (none)
0.0.0.0_9091[0] none no (none) no (none) no (none)
0.0.0.0_9091[1] none no (none) no (none) no (none)
0.0.0.0_9555[0] none no (none) no (none) no (none)
0.0.0.0_9555[1] none no (none) no (none) no (none)
0.0.0.0_9901[0] none no (none) no (none) no (none)
0.0.0.0_9901[1] none no (none) no (none) no (none)
virtualOutbound[0] none no (none) no (none) no (none)
virtualOutbound[1] none no (none) no (none) no (none)
0.0.0.0_15004[0] none no (none) no (none) no (none)
0.0.0.0_15004[1] none no (none) no (none) no (none)
virtualInbound[0] none no (none) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
virtualInbound[1] none no (none) no (none) no (none)
virtualInbound[2] /etc/certs/cert-chain.pem yes (PERMISSIVE) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
virtualInbound[3] none no (PERMISSIVE) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
0.0.0.0_15010[0] none no (none) no (none) no (none)
0.0.0.0_15010[1] none no (none) no (none) no (none)
0.0.0.0_15014[0] none no (none) no (none) no (none)
0.0.0.0_15014[1] none no (none) no (none) no (none)
0.0.0.0_50051[0] none no (none) no (none) no (none)
0.0.0.0_50051[1] none no (none) no (none) no (none)
10.4.5.6_7070[0] /etc/certs/cert-chain.pem yes (PERMISSIVE) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
10.4.5.6_7070[1] none no (PERMISSIVE) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
10.4.5.6_15020 none no (none) no (none) no (none)
Posted on 2020-08-01 15:14:54
For reference, after debugging this in person with the OP, we found that the cluster was under-provisioned in terms of CPU. By resizing the cluster to have additional CPU (1 vCPU -> 4 vCPU), we were able to get the authz policy to work and be respected.
Our hypothesis is that, because of this, istiod was failing to respond to requests. We do not know why.
https://stackoverflow.com/questions/63161116
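As an added example (not part of the question, the answer, or the Online Boutique project), here is a small Python checker for the two points that cause most confusion in the question above: the exact string Istio expects in `source.principals`, and a few AuthorizationPolicy shapes that silently do something other than what the author intended. Istio takes a workload's identity from the SPIFFE URI in its mTLS certificate, `spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>`, and `principals` matches the part after `spiffe://` (trust domain `cluster.local` by default). The sample policy embedded below is a constructed copy of the question's policy with the commented-out candidate principals uncommented and with `apiVersion` deliberately left out, so that each check has something to report; the function names are this example's own.

```python
import re
from typing import Any, Dict, List

# Istio derives a workload's identity from the SAN of its mTLS certificate:
#     spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>
# AuthorizationPolicy `source.principals` matches the part after "spiffe://".
# A request that arrives without mTLS (plaintext under PERMISSIVE mode) carries
# no principal at all, so a principals-only rule never matches it.
PRINCIPAL_RE = re.compile(r"^(?P<td>[^/\s]+)/ns/(?P<ns>[^/\s]+)/sa/(?P<sa>[^/\s]+)$")
ISTIO_AUTHZ_API = "security.istio.io/v1beta1"


def spiffe_principal(service_account: str, namespace: str,
                     trust_domain: str = "cluster.local") -> str:
    """Principal string Istio expects for a Kubernetes ServiceAccount."""
    return f"{trust_domain}/ns/{namespace}/sa/{service_account}"


def is_valid_principal(principal: str) -> bool:
    """True only for the <trust-domain>/ns/<namespace>/sa/<service-account> form."""
    return PRINCIPAL_RE.match(principal) is not None


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings for an AuthorizationPolicy given as a dict (for example the
    result of yaml.safe_load on the manifest). An empty list means nothing found."""
    findings: List[str] = []
    if policy.get("apiVersion") != ISTIO_AUTHZ_API:
        findings.append(f"apiVersion should be {ISTIO_AUTHZ_API}")
    if policy.get("kind") != "AuthorizationPolicy":
        findings.append("kind should be AuthorizationPolicy")

    spec = policy.get("spec") or {}
    ns = (policy.get("metadata") or {}).get("namespace", "default")
    if not spec.get("selector"):
        findings.append(f"no selector: policy applies to every workload in namespace {ns!r}")

    rules = spec.get("rules") or []
    action = spec.get("action", "ALLOW")  # ALLOW is Istio's default action
    if action == "ALLOW" and not rules:
        # The documented deny-all idiom: an ALLOW policy that allows nothing.
        findings.append("ALLOW policy with no rules denies all requests to the selected workloads")

    for i, rule in enumerate(rules):
        for clause in rule.get("from") or []:
            src = clause.get("source") or {}
            principals = src.get("principals") or []
            for p in principals:
                if not is_valid_principal(p):
                    findings.append(
                        f"rule[{i}]: principal {p!r} is not "
                        "<trust-domain>/ns/<namespace>/sa/<service-account>")
            if principals and src.get("namespaces"):
                # Fields inside one `source` are ANDed; alternatives belong in separate sources.
                findings.append(f"rule[{i}]: principals and namespaces in one source are ANDed, not ORed")
    return findings


# Constructed sample: the question's policy with the commented-out candidates
# uncommented and apiVersion deliberately omitted, so every check fires.
SAMPLE_POLICY: Dict[str, Any] = {
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "allow-cart-and-frontend-comm", "namespace": "default"},
    "spec": {
        "selector": {"matchLabels": {"app": "cartservice"}},
        "rules": [{"from": [{"source": {
            "namespaces": ["default"],
            "principals": [
                "cluster.local/ns/default/sa/frontend-serviceaccount",
                "frontend",
                "frontend-serviceaccount",
                "frontend-serviceaccount.default.sa.cluster.local",
                "/api/v1/namespaces/default/serviceaccounts/frontend-serviceaccount",
                "frontend.default.svc.cluster.local",
            ],
        }}]}],
    },
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print("-", finding)
```

Of the six candidate strings in the question, only `cluster.local/ns/default/sa/frontend-serviceaccount` has the shape Istio compares against the peer certificate. The ANDed-fields finding matters for the question's rule as written: with `namespaces` and `principals` in the same `source`, a request must satisfy both, which is fine here (frontend runs in `default`) but is a common surprise when the two are meant as alternatives.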