Kubernetes Istio-阻止某些IP访问服务
我想阻止某些IP列表以访问服务。为此,我使用下面的代码,但它给了我Kubernetes Istio-阻止某些IP访问服务,kubernetes,istio,nginx-ingress,Kubernetes,Istio,Nginx Ingress,我想阻止某些IP列表以访问服务。为此,我使用下面的代码,但它给了我上游连接错误或断开/重置之前的标题。重置原因:连接终止。我做错什么了吗?Istio策略设置正确。我检查了给定的示例代码,该代码运行良好,但我想阻止外部IP yaml apiVersion: config.istio.io/v1alpha2 kind: handler metadata: name: blacklistip spec: compiledAdapter: listchecker params: #
上游连接错误或断开/重置之前的标题。重置原因:连接终止
。我做错什么了吗?Istio策略设置正确。我检查了给定的示例代码,该代码运行良好,但我想阻止外部IP
yaml
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
name: blacklistip
spec:
compiledAdapter: listchecker
params:
# providerUrl: ordinarily black and white lists are maintained
# externally and fetched asynchronously using the providerUrl.
overrides: ["xx.xx.xx.xx"] # overrides provide a static list
blacklist: true
entryType: IP_ADDRESSES
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
name: clientip
spec:
compiledTemplate: listentry
params:
value: request.headers["x-forwarded-for"] | "unknown"
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
name: checkip
spec:
match: source.labels["istio"] == "ingressgateway"
actions:
- handler: blacklistip
instances: [ clientip ]
我检查了istioingressgateway日志:
{"bytes_sent":"95","upstream_cluster":"outbound|3000||api.default.svc.cluster.local","downstream_remote_address":"xx.xx.xx.xx:59762","authority":"api.example.com","path":"/core/csrf","protocol":"HTTP/2","upstream_service_time":"-","upstream_local_address":"-","duration":"1","downstream_local_address":"10.2.0.14:443","upstream_transport_failure_reason":"-","route_name":"-","response_code":"503","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36","response_flags":"UC","start_time":"2020-01-15T16:32:21.634Z","method":"GET","request_id":"353149b6-0749-4a1a-9348-4016d20215de","upstream_host":"10.2.0.33:3000","x_forwarded_for":"xx.xx.xx.xx","requested_server_name":"api.example.com","bytes_received":"0","istio_policy_status":"-"}
pod内的Istio代理日志:
{"authority":"-","path":"-","protocol":"-","upstream_service_time":"-","upstream_local_address":"127.0.0.1:53894","duration":"0","downstream_local_address":"10.2.0.33:3000","upstream_transport_failure_reason":"-","route_name":"-","response_code":"0","user_agent":"-","response_flags":"-","start_time":"2020-01-15T17:21:25.220Z","method":"-","request_id":"-","upstream_host":"127.0.0.1:3000","x_forwarded_for":"-","requested_server_name":"outbound_.3000_._.api.default.svc.cluster.local","bytes_received":"0","istio_policy_status":"-","bytes_sent":"0","upstream_cluster":"inbound|3000|https|api.default.svc.cluster.local","downstream_remote_address":"10.2.0.14:37126"}
Istio版本:1.4.2
混音器日志
2020-01-15T22:48:47.633162Z error evaluation failed at [sourceip.instance.default]'Value': 'lookup failed: 'request.headers''
2020-01-15T22:48:47.633192Z error error creating instance: destination='listentry:whitelistip.default(listchecker)', error='evaluation failed at [sourceip.instance.default]'Value': 'lookup failed: 'request.headers'''
2020-01-15T22:48:47.633204Z error api Check failed: performing check operation failed: 1 error occurred:
* evaluation failed at [sourceip.instance.default]'Value': 'lookup failed: 'request.headers''
对于
x-forwarded-For
,网关需要将该头转发到与应用程序pod一起运行的istio代理侧车
您需要在gateway中进行一些配置以转发。检查哪些问题涉及其他问题,并详细说明如何解决
如果您可以选择使用nginx入口而不是istio入口,那么您可以使用
request.headers[“x-real-ip”]
这是nginx根据应用程序中运行的istio proxy sidecar的日志以及该错误消息设置的。您是否收到任何错误代码,如503?您是否使用nginx ingress?@ArghyaSadhu:代理日志的更新问题。我正在使用istio-ingresgateway
。在浏览器中,我只看到上游连接错误或在标题之前断开/重置。重置原因:连接终止
。另外,当我将此值:request.headers[“x-forwarded-for”]|“unknown”
替换为值:source.ip | ip(“0.0.0.0”)
时,它会起作用。但是,我想在我的用例中使用客户机IP。我在x-forwarded-for
中获得客户机IP,但不知何故它没有被mixer识别。请参阅更新的问题。我添加了混音器日志。“x_forwarded_for”:“-”没有IPA,你可以在ingressgateway
的日志中看到,但在pod的代理容器中看不到。这意味着两者之间有问题。