Kubernetes Istio-阻止某些IP访问服务_Kubernetes_Istio_Nginx Ingress

Kubernetes Istio-阻止某些IP访问服务

kubernetes

Kubernetes Istio-阻止某些IP访问服务,kubernetes,istio,nginx-ingress,Kubernetes,Istio,Nginx Ingress,我想阻止某些IP列表以访问服务。为此，我使用下面的代码，但它给了我上游连接错误或断开/重置之前的标题。重置原因：连接终止。我做错什么了吗？Istio策略设置正确。我检查了给定的示例代码，该代码运行良好，但我想阻止外部IP yaml apiVersion: config.istio.io/v1alpha2 kind: handler metadata: name: blacklistip spec: compiledAdapter: listchecker params: #

我想阻止某些IP列表以访问服务。为此，我使用下面的代码，但它给了我

上游连接错误或断开/重置之前的标题。重置原因：连接终止

。我做错什么了吗？Istio策略设置正确。我检查了给定的示例代码，该代码运行良好，但我想阻止外部IP

yaml

apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: blacklistip
spec:
  compiledAdapter: listchecker
  params:
    # providerUrl: ordinarily black and white lists are maintained
    # externally and fetched asynchronously using the providerUrl.
    overrides: ["xx.xx.xx.xx"]  # overrides provide a static list
    blacklist: true
    entryType: IP_ADDRESSES
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: clientip
spec:
  compiledTemplate: listentry
  params:
    value: request.headers["x-forwarded-for"] | "unknown"
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip
spec:
  match: source.labels["istio"] == "ingressgateway"
  actions:
  - handler: blacklistip
    instances: [ clientip ]

我检查了istioingressgateway日志：

{"bytes_sent":"95","upstream_cluster":"outbound|3000||api.default.svc.cluster.local","downstream_remote_address":"xx.xx.xx.xx:59762","authority":"api.example.com","path":"/core/csrf","protocol":"HTTP/2","upstream_service_time":"-","upstream_local_address":"-","duration":"1","downstream_local_address":"10.2.0.14:443","upstream_transport_failure_reason":"-","route_name":"-","response_code":"503","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36","response_flags":"UC","start_time":"2020-01-15T16:32:21.634Z","method":"GET","request_id":"353149b6-0749-4a1a-9348-4016d20215de","upstream_host":"10.2.0.33:3000","x_forwarded_for":"xx.xx.xx.xx","requested_server_name":"api.example.com","bytes_received":"0","istio_policy_status":"-"}

pod内的Istio代理日志：

{"authority":"-","path":"-","protocol":"-","upstream_service_time":"-","upstream_local_address":"127.0.0.1:53894","duration":"0","downstream_local_address":"10.2.0.33:3000","upstream_transport_failure_reason":"-","route_name":"-","response_code":"0","user_agent":"-","response_flags":"-","start_time":"2020-01-15T17:21:25.220Z","method":"-","request_id":"-","upstream_host":"127.0.0.1:3000","x_forwarded_for":"-","requested_server_name":"outbound_.3000_._.api.default.svc.cluster.local","bytes_received":"0","istio_policy_status":"-","bytes_sent":"0","upstream_cluster":"inbound|3000|https|api.default.svc.cluster.local","downstream_remote_address":"10.2.0.14:37126"}

Istio版本：1.4.2

混音器日志

2020-01-15T22:48:47.633162Z error   evaluation failed at [sourceip.instance.default]'Value': 'lookup failed: 'request.headers''
2020-01-15T22:48:47.633192Z error   error creating instance: destination='listentry:whitelistip.default(listchecker)', error='evaluation failed at [sourceip.instance.default]'Value': 'lookup failed: 'request.headers'''
2020-01-15T22:48:47.633204Z error   api Check failed: performing check operation failed: 1 error occurred:
* evaluation failed at [sourceip.instance.default]'Value': 'lookup failed: 'request.headers''

对于

x-forwarded-For

，网关需要将该头转发到与应用程序pod一起运行的istio代理侧车

您需要在gateway中进行一些配置以转发。检查哪些问题涉及其他问题，并详细说明如何解决

如果您可以选择使用nginx入口而不是istio入口，那么您可以使用

request.headers[“x-real-ip”]

这是nginx根据应用程序中运行的istio proxy sidecar的

日志以及该错误消息设置的。您是否收到任何错误代码，如503？您是否使用nginx ingress？@ArghyaSadhu：代理日志的更新问题。我正在使用

istio-ingresgateway

。在浏览器中，我只看到

上游连接错误或在标题之前断开/重置。重置原因：连接终止

。另外，当我将此

值：request.headers[“x-forwarded-for”]|“unknown”

替换为

值：source.ip | ip（“0.0.0.0”）

时，它会起作用。但是，我想在我的用例中使用客户机IP。我在

x-forwarded-for

中获得客户机IP，但不知何故它没有被mixer识别。请参阅更新的问题。我添加了混音器日志。“x_forwarded_for”：“-”没有IPA，你可以在

ingressgateway

的日志中看到，但在pod的代理容器中看不到。这意味着两者之间有问题。