wordpress引用轮播图文件seo商城
环境说明
rootless模式下测试istio Ambient功能
四层鉴权策略
这里四层指的是网络通信模型的第四层,主要的传输协议为TCP和UDP。
用于限制服务间的通信,比如下面的策略应用于带有 app: productpage 标签的 Pod, 并且仅允许来自服务帐户 cluster.local/ns/default/sa/bookinfo-gateway-istio 的调用。
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:name: productpage-viewernamespace: default
spec:selector:matchLabels:app: productpageaction: ALLOWrules:- from:- source:principals:- cluster.local/ns/default/sa/bookinfo-gateway-istio策略应用前,通过内部pod直接访问productpage服务,可以直接访问到:
ks-managed-kubectl-admin:/# kubectl get svc productpage
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
productpage ClusterIP 10.96.28.91 <none> 9080/TCP 17h
ks-managed-kubectl-admin:/# curl 10.96.28.91:9080 -I
HTTP/1.1 200 OK
Server: Werkzeug/3.0.3 Python/3.12.1
Date: Fri, 18 Oct 2024 01:42:49 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2080
Connection: close
应用策略,并测试访问:
ks-managed-kubectl-admin:/# kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:name: productpage-viewernamespace: default
spec:selector:matchLabels:app: productpageaction: ALLOWrules:- from:- source:principals:- cluster.local/ns/default/sa/bookinfo-gateway-istio
EOFauthorizationpolicy.security.istio.io/productpage-viewer created
ks-managed-kubectl-admin:/# # 直接访问productpage服务,连接被拒绝
ks-managed-kubectl-admin:/# curl 10.96.28.91:9080 -I
curl: (56) Recv failure: Connection reset by peerks-managed-kubectl-admin:/# kubectl get svc bookinfo-gateway-istio
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
bookinfo-gateway-istio NodePort 10.96.223.150 <none> 15021:30277/TCP,80:30080/TCP 17h# 通过bookinfo-gateway-istio访问是正常的
ks-managed-kubectl-admin:/# curl 10.96.223.150/productpage -I
HTTP/1.1 200 OK
server: istio-envoy
date: Fri, 18 Oct 2024 01:44:45 GMT
content-type: text/html; charset=utf-8
content-length: 15070
vary: Cookie
x-envoy-upstream-service-time: 58七层鉴权策略
这里的七层指的是网络通信模型中的应用层,业务服务相互通信主要通过HTTP协议,其它类型暂不讨论。
要实施七层策略,需要为命名空间部署一个 waypoint 代理。 此代理将处理进入命名空间的所有七层流量。
longtds@ubuntu:~$ istioctl waypoint apply --enroll-namespace --wait
waypoint default/waypoint applied
namespace default labeled with "istio.io/use-waypoint: waypoint"longtds@ubuntu:~$ kubectl get all |grep waypoint
pod/waypoint-9c5bcc75-88wt2 1/1 Running 0 46s
service/waypoint ClusterIP 10.96.200.151 <none> 15021/TCP,15008/TCP 46s
deployment.apps/waypoint 1/1 1 1 46s
replicaset.apps/waypoint-9c5bcc75 1 1 1 46s
longtds@ubuntu:~$longtds@ubuntu:~$ kubectl get gtw
NAME CLASS ADDRESS PROGRAMMED AGE
bookinfo-gateway istio bookinfo-gateway-istio.default.svc.cluster.local True 19h
waypoint istio-waypoint 10.96.200.151 True 89s
longtds@ubuntu:~$创建测试客户端:
longtds@ubuntu:~$ kubectl apply -f istio-1.23.2/samples/sleep/sleep.yaml
serviceaccount/sleep created
service/sleep created
deployment.apps/sleep createdlongtds@ubuntu:~$ kubectl get pod |grep sleep
sleep-5fcd8fd6c8-8r68r 1/1 Running 0 67s
longtds@ubuntu:~$ 应用(覆盖之前)策略,明确允许 sleep 服务向 productpage 服务发送 GET 请求,但不能执行其他操作:
longtds@ubuntu:~$ kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:name: productpage-viewernamespace: default
spec:targetRefs:- kind: Servicegroup: ""name: productpageaction: ALLOWrules:- from:- source:principals:- cluster.local/ns/default/sa/sleepto:- operation:methods: ["GET"]
EOF
authorizationpolicy.security.istio.io/productpage-viewer configured
longtds@ubuntu:~$测试通过sleep访问productpage,GET请求正常返回响应,DELETE被拒绝:
longtds@ubuntu:~$ kubectl exec deploy/sleep -- curl -s -X GET http://productpage:9080/productpage |grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>longtds@ubuntu:~$ kubectl exec deploy/sleep -- curl -s -X DELETE http://productpage:9080/productpage
RBAC: access denied
longtds@ubuntu:~$测试其它服务访问productpage服务,GET和DELETE方法都被拒绝:
longtds@ubuntu:~$ kubectl exec deploy/reviews-v1 -- curl -s -X GET http://productpage:9080/productpage
RBAC: access denied
longtds@ubuntu:~$ kubectl exec deploy/reviews-v1 -- curl -s -X DELETE http://productpage:9080/productpage
RBAC: access denied至此完成基本的四层和七层鉴权测试,后面介绍基于waypoint的流量管理。
总结
在rootless模式下的kind k8s集群,兼容istio ambient鉴权策略设置。