I am running Istio 1.4.0 on Kubernetes 1.15.9. I am trying to achieve the following, but the more I read the Istio documentation, the more confused I get. Let me put it simply.
First, I want to use mTLS for as many services as possible.
I have an elasticsearch-master pod that exposes a service on 9300. I have an elasticsearch-data pod that exposes services on 9200 and 9300. When I enable Istio's default automatic mTLS, both pods work fine and a healthy ES cluster comes up. I think this is because the ES master and data nodes talk to each other over port 9300. Also, I do not want any of these ES pods to be reachable from outside the K8S cluster.
Now I want to start a Kibana pod whose service is exposed on 5601. When I start the Kibana pod with Istio's default automatic mTLS enabled, it fails to start because it cannot connect to the elasticsearch-data service on 9200. I get various SSL errors (probably caused by the whole mTLS thing?). I don't know whether it is possible to establish this connection at all with Istio's automatic mTLS enabled. Also, I want to reach this Kibana from outside the K8S cluster.
Any help is appreciated. Thanks.
Answer 0 (score: 1)
Kibana only uses the http URL.
However, for the Elasticsearch master and nodes to talk to each other, I had to put port http on Istio's exclude list.
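The manifests below are an added example written for this page; they are not part of the question or the answer above and not something the Elastic or Istio projects ship. They show the two pieces the thread describes: taking the Elasticsearch transport port (9300) out of the sidecar's traffic interception with Istio's traffic.sidecar.istio.io exclude annotations, while leaving the HTTP API port (9200) inside the mesh so that Kibana's plain http://elasticsearch-data:9200 connection is upgraded to mTLS by the two sidecars, and exposing Kibana on 5601 through the Istio ingress gateway. Assumptions: a namespace named logging with sidecar injection enabled, workload and Service names elasticsearch-data and kibana, the hostname kibana.example.com, the Elasticsearch image tag, and the Istio 1.4 file-mount gateway certificate layout (a Secret named istio-ingressgateway-certs in istio-system mounted at /etc/istio/ingressgateway-certs). The same two annotations belong on the elasticsearch-master pod template.

```yaml
# Added example (not from the original post). Names, namespace, hostname
# and image tag are assumptions; adjust them to the cluster.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch-data
  namespace: logging
spec:
  serviceName: elasticsearch-data
  selector:
    matchLabels:
      app: elasticsearch-data
  template:
    metadata:
      labels:
        app: elasticsearch-data
      annotations:
        # Keep 9300 out of Envoy's iptables redirection on BOTH directions.
        # Excluding inbound alone is not enough: with automatic mTLS the
        # client-side sidecar would still try to originate TLS towards 9300
        # and the raw Elasticsearch transport listener would reject it.
        traffic.sidecar.istio.io/excludeInboundPorts: "9300"
        traffic.sidecar.istio.io/excludeOutboundPorts: "9300"
    spec:
      containers:
        - name: elasticsearch
          image: docker.elastic.co/elasticsearch/elasticsearch:7.5.0  # assumed tag
          ports:
            - name: http
              containerPort: 9200   # stays in the mesh: Kibana -> sidecar -> mTLS -> sidecar -> ES
            - name: transport
              containerPort: 9300   # bypasses the sidecar because of the annotations above
---
# Expose Kibana on its own hostname via the ingress gateway, TLS-terminated at
# the gateway with the certificate mounted from istio-ingressgateway-certs.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kibana-gateway
  namespace: logging
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "kibana.example.com"
      tls:
        mode: SIMPLE
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        privateKey: /etc/istio/ingressgateway-certs/tls.key
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "kibana.example.com"
      tls:
        httpsRedirect: true   # never serve the UI over cleartext
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kibana
  namespace: logging
spec:
  hosts:
    - "kibana.example.com"
  gateways:
    - kibana-gateway
  http:
    - route:
        - destination:
            host: kibana.logging.svc.cluster.local
            port:
              number: 5601
```

Two caveats a practitioner should keep in mind. First, excluding 9300 takes that traffic out of the mesh entirely, so node-to-node transport is unencrypted and unauthenticated by Istio; if that matters, enable Elasticsearch's own transport TLS on 9300 rather than relying on the sidecar. Second, the Elasticsearch Services are only reachable through the gateway if a Gateway/VirtualService names them, so not creating one for 9200/9300 keeps them cluster-internal as the question wants. On Istio 1.4 you can confirm which ports actually carry mTLS with `istioctl authn tls-check <kibana-pod>.logging elasticsearch-data.logging.svc.cluster.local`.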