Kubernetes Online Boutique extension
Tags: kubernetes, microservices, google-kubernetes-engine, istio

I have been working on extending the GCP microservices demo and I want to add resources to the system. Specifically, I need an authorization policy that blocks all traffic to cartservice that is not whitelisted, and I want to whitelist the traffic from frontend to cartservice. At the moment I can block traffic with an authorization policy, but I cannot whitelist traffic by principal or by namespace.

Below is my system setup (anything not explicitly mentioned here is the default from the demo linked above).

Istio version:

I ran this command to enforce strict mTLS:

    gcloud beta container clusters update --update-addons=Istio=ENABLED --istio-config=auth=MTLS_STRICT --zone=us-central1-a
I added this service account with kubectl apply -f (its manifest is shown further down):

To make this work, I added one line to the spec of the frontend Deployment, namely:

    serviceAccountName: frontend-serviceaccount
Finally, this is the authorization policy I am trying to use, which should only allow traffic from frontend to talk to cartservice:

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-cart-and-frontend-comm
      namespace: default
    spec:
      selector:
        matchLabels:
          app: cartservice
      rules:
      - from:
        - source:
            namespaces:
            - "default"
            # principals: ["cluster.local/ns/default/sa/frontend-serviceaccount", "frontend", "frontend-serviceaccount", "frontend-serviceaccount.default.sa.cluster.local", "/api/v1/namespaces/default/serviceaccounts/frontend-serviceaccount", "frontend.default.svc.cluster.local"]
The commented-out principals above are all the different ways I tried to reference the service account defined above; neither they nor the namespaces work properly: as soon as this is applied, frontend can no longer talk to cartservice.

Results of the system debug calls (output at the end of the post):

Note that these were all generated with the AuthPolicy applied with principals: ["cluster.local/ns/default/sa/frontend-serviceaccount"].
For reference, after debugging together with the OP directly, we found that the cluster was under-provisioned in CPU. After resizing the cluster to add CPU (1 vCPU -> 4 vCPU), we were able to get the authz policy working and honoured.
Our hypothesis is that, because of this problem, istiod cannot respond to requests. We do not know why. What do your frontend and cartservice pods say? istioctl analyze would also help. Finally, the selector is a workload selector: can you verify that the corresponding object for cartservice actually carries the label you set?

First, I would recommend installing Istio yourself rather than using the add-on; it is very quick, the version is much newer and there have been many changes. As for the question, I think you have to use rules: - from: - source: principals: ["cluster.local/ns/default/sa/frontend-serviceaccount"] instead of rules: - from: - source: namespaces: - "default". Have a look at an example.

@jt97 thanks, I actually already tested that and sadly it still does not work. I have updated the question accordingly. Also, I did not install Istio on-prem because my understanding is that GKE is only compatible with Istio 1.4*, so I do not see why I would. What other tools does the on-prem distribution give me that I do not have? Thanks (citing versioning: ())

@AkshatMahajan thanks. I have updated my post to include the output of those things; istioctl x authz seems right?

@AkshatMahajan one problem is that I cannot seem to call istioctl analyze, because I believe it is not in the Istio version I am using? Also, I cannot find the workload, because calling $ kubectl get workload results in the error: the server doesn't have a resource type "workload".
The service account manifest referenced above:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: frontend-serviceaccount
Debug output for the frontend pod:

$ istioctl x authz check frontend-<podID>
Checked 21/40 listeners with node IP 10.4.4.14.
LISTENER[FilterChain] CERTIFICATE mTLS (MODE) JWT (ISSUERS) AuthZ (RULES)
0.0.0.0_80[0] none no (none) no (none) no (none)
0.0.0.0_80[1] none no (none) no (none) no (none)
0.0.0.0_443[0] none no (none) no (none) no (none)
0.0.0.0_443[1] none no (none) no (none) no (none)
0.0.0.0_443[2] none no (none) no (none) no (none)
0.0.0.0_443[3] none no (none) no (none) no (none)
0.0.0.0_3550[0] none no (none) no (none) no (none)
0.0.0.0_3550[1] none no (none) no (none) no (none)
0.0.0.0_5000[0] none no (none) no (none) no (none)
0.0.0.0_5000[1] none no (none) no (none) no (none)
0.0.0.0_5050[0] none no (none) no (none) no (none)
0.0.0.0_5050[1] none no (none) no (none) no (none)
0.0.0.0_7000[0] none no (none) no (none) no (none)
0.0.0.0_7000[1] none no (none) no (none) no (none)
0.0.0.0_7070[0] none no (none) no (none) no (none)
0.0.0.0_7070[1] none no (none) no (none) no (none)
0.0.0.0_8060[0] none no (none) no (none) no (none)
0.0.0.0_8060[1] none no (none) no (none) no (none)
0.0.0.0_8080[0] none no (none) no (none) no (none)
0.0.0.0_8080[1] none no (none) no (none) no (none)
0.0.0.0_9090[0] none no (none) no (none) no (none)
0.0.0.0_9090[1] none no (none) no (none) no (none)
0.0.0.0_9091[0] none no (none) no (none) no (none)
0.0.0.0_9091[1] none no (none) no (none) no (none)
0.0.0.0_9555[0] none no (none) no (none) no (none)
0.0.0.0_9555[1] none no (none) no (none) no (none)
0.0.0.0_9901[0] none no (none) no (none) no (none)
0.0.0.0_9901[1] none no (none) no (none) no (none)
virtualOutbound[0] none no (none) no (none) no (none)
virtualOutbound[1] none no (none) no (none) no (none)
0.0.0.0_15004[0] none no (none) no (none) no (none)
0.0.0.0_15004[1] none no (none) no (none) no (none)
virtualInbound[0] none no (none) no (none) no (none)
virtualInbound[1] none no (none) no (none) no (none)
virtualInbound[2] /etc/certs/cert-chain.pem yes (PERMISSIVE) no (none) no (none)
virtualInbound[3] none no (PERMISSIVE) no (none) no (none)
0.0.0.0_15010[0] none no (none) no (none) no (none)
0.0.0.0_15010[1] none no (none) no (none) no (none)
0.0.0.0_15014[0] none no (none) no (none) no (none)
0.0.0.0_15014[1] none no (none) no (none) no (none)
0.0.0.0_50051[0] none no (none) no (none) no (none)
0.0.0.0_50051[1] none no (none) no (none) no (none)
10.4.4.14_8080[0] /etc/certs/cert-chain.pem yes (PERMISSIVE) no (none) no (none)
10.4.4.14_8080[1] none no (PERMISSIVE) no (none) no (none)
10.4.4.14_15020 none no (none) no (none) no (none)
Debug output for the cartservice pod:

$ istioctl x authz check cartservice-69955dd686-wf5bt
Checked 21/40 listeners with node IP 10.4.5.6.
LISTENER[FilterChain] CERTIFICATE mTLS (MODE) JWT (ISSUERS) AuthZ (RULES)
0.0.0.0_80[0] none no (none) no (none) no (none)
0.0.0.0_80[1] none no (none) no (none) no (none)
0.0.0.0_443[0] none no (none) no (none) no (none)
0.0.0.0_443[1] none no (none) no (none) no (none)
0.0.0.0_443[2] none no (none) no (none) no (none)
0.0.0.0_443[3] none no (none) no (none) no (none)
0.0.0.0_3550[0] none no (none) no (none) no (none)
0.0.0.0_3550[1] none no (none) no (none) no (none)
0.0.0.0_5000[0] none no (none) no (none) no (none)
0.0.0.0_5000[1] none no (none) no (none) no (none)
0.0.0.0_5050[0] none no (none) no (none) no (none)
0.0.0.0_5050[1] none no (none) no (none) no (none)
0.0.0.0_7000[0] none no (none) no (none) no (none)
0.0.0.0_7000[1] none no (none) no (none) no (none)
0.0.0.0_7070[0] none no (none) no (none) no (none)
0.0.0.0_7070[1] none no (none) no (none) no (none)
0.0.0.0_8060[0] none no (none) no (none) no (none)
0.0.0.0_8060[1] none no (none) no (none) no (none)
0.0.0.0_8080[0] none no (none) no (none) no (none)
0.0.0.0_8080[1] none no (none) no (none) no (none)
0.0.0.0_9090[0] none no (none) no (none) no (none)
0.0.0.0_9090[1] none no (none) no (none) no (none)
0.0.0.0_9091[0] none no (none) no (none) no (none)
0.0.0.0_9091[1] none no (none) no (none) no (none)
0.0.0.0_9555[0] none no (none) no (none) no (none)
0.0.0.0_9555[1] none no (none) no (none) no (none)
0.0.0.0_9901[0] none no (none) no (none) no (none)
0.0.0.0_9901[1] none no (none) no (none) no (none)
virtualOutbound[0] none no (none) no (none) no (none)
virtualOutbound[1] none no (none) no (none) no (none)
0.0.0.0_15004[0] none no (none) no (none) no (none)
0.0.0.0_15004[1] none no (none) no (none) no (none)
virtualInbound[0] none no (none) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
virtualInbound[1] none no (none) no (none) no (none)
virtualInbound[2] /etc/certs/cert-chain.pem yes (PERMISSIVE) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
virtualInbound[3] none no (PERMISSIVE) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
0.0.0.0_15010[0] none no (none) no (none) no (none)
0.0.0.0_15010[1] none no (none) no (none) no (none)
0.0.0.0_15014[0] none no (none) no (none) no (none)
0.0.0.0_15014[1] none no (none) no (none) no (none)
0.0.0.0_50051[0] none no (none) no (none) no (none)
0.0.0.0_50051[1] none no (none) no (none) no (none)
10.4.5.6_7070[0] /etc/certs/cert-chain.pem yes (PERMISSIVE) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
10.4.5.6_7070[1] none no (PERMISSIVE) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
10.4.5.6_15020 none no (none) no (none) no (none)
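An added example in Python (not code from the question, the answers or the Online Boutique project): it builds the principal string Istio derives from a ServiceAccount, flags the principal spellings tried in the question that are not in that form, warns about a namespaces-only rule and a non-STRICT mTLS mode, and parses rows copied from the istioctl x authz check output above to list the filter chains that actually carry an AuthZ rule. The function names and the wording of the findings are my own.

```python
import re

# Istio presents a workload's mTLS identity (its SPIFFE ID) to policy as
# <trust-domain>/ns/<namespace>/sa/<serviceaccount>; source.principals matches
# only this form, never a pod name, a Service DNS name or an API path.
PRINCIPAL_RE = re.compile(r"^[^/]+/ns/[^/]+/sa/[^/]+$")

def principal_for(service_account, namespace="default", trust_domain="cluster.local"):
    """Principal string a source.principals entry must use for a ServiceAccount."""
    return f"{trust_domain}/ns/{namespace}/sa/{service_account}"

def audit_source(source, mtls_mode):
    """Findings (hypothetical wording) for one rules[].from[].source block."""
    findings = []
    for p in source.get("principals", []):
        if not PRINCIPAL_RE.match(p):
            findings.append(f"{p!r} is not a <trust-domain>/ns/<ns>/sa/<sa> principal")
    if "namespaces" in source and "principals" not in source:
        findings.append("namespaces-only rule admits every workload in those namespaces")
    if (source.get("principals") or source.get("namespaces")) and mtls_mode != "STRICT":
        findings.append(f"mTLS is {mtls_mode}: a caller that does not use mTLS presents "
                        "no identity and cannot match this rule")
    return findings

# One data row of `istioctl x authz check <pod>`: listener, certificate, then
# three "yes/no (detail)" columns for mTLS, JWT and AuthZ.
ROW_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(yes|no) \(([^)]*)\)\s+(yes|no) \(([^)]*)\)\s+(yes|no) \((.*)\)$")

def authz_listeners(output):
    """Map listener -> (mTLS mode, AuthZ rules) for filter chains that enforce a policy."""
    chains = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group(7) == "yes":
            chains[m.group(1)] = (m.group(4), m.group(8))
    return chains

# Four rows copied from the cartservice output above (header plus three chains).
SAMPLE = """\
LISTENER[FilterChain] CERTIFICATE mTLS (MODE) JWT (ISSUERS) AuthZ (RULES)
virtualInbound[1] none no (none) no (none) no (none)
virtualInbound[2] /etc/certs/cert-chain.pem yes (PERMISSIVE) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
10.4.5.6_7070[1] none no (PERMISSIVE) no (none) yes (1: ns[default]-policy[allow-cart-and-frontend-comm]-rule[0])
"""

if __name__ == "__main__":
    print("expected principal:", principal_for("frontend-serviceaccount"))
    for listener, (mode, rules) in authz_listeners(SAMPLE).items():
        print(f"{listener}: mTLS {mode}; {rules}")
```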