I am trying to filter access to external resources. I have created a service entry:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: bbc-ext
spec:
  hosts:
  - "www.bbc.co.uk"
  ports:
  - number: 443
    name: https
    protocol: HTTPS
I am using sourceLabels to filter which source applications are allowed to access the external resource.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bbc-ext
spec:
  hosts:
  - "www.bbc.co.uk"
  http:
  - match:
    - sourceLabels:
        envir: "production"
    route:
    - destination:
        host: "www.bbc.co.uk"
      weight: 100
  - route:
    - destination:
        host: "www.bbc.co.uk"
    fault:
      abort:
        percent: 100
        httpStatus: 400
My pod is labelled envir=development, but it is still allowed to access the resource.
kubectl get pods --show-labels
NAME READY STATUS RESTARTS AGE LABELS
sleep-d7bfccf65-ws6t6 2/2 Running 0 16m app=sleep,envir=development,pod-template-hash=836977921
However, when I log in to the container and run a curl request, it still works. What am I doing wrong here?
kubectl exec -it sleep-d7bfccf65-ws6t6 -c sleep bash
root@sleep-d7bfccf65-ws6t6:/# curl -v -sL https://www.bbc.co.uk -w "%{http_code}\n" -o /dev/null
[...]
< Cache-Control: private, max-age=0, must-revalidate
< Vary: Accept-Encoding, X-CDN, X-BBC-Edge-Scheme
<
{ [data not shown]
* Connection #0 to host www.bbc.co.uk left intact
200
Still the same.
I also noticed that the sync is not applied for routes.
istioctl proxy-status
PROXY CDS LDS EDS RDS PILOT
istio-egressgateway-6cb5b78857-cvqfz.istio-system SYNCED SYNCED SYNCED (100%) NOT SENT istio-pilot-56f6487cdb-qlhzr
istio-ingressgateway-5766b9cc69-64bgd.istio-system SYNCED SYNCED SYNCED (100%) NOT SENT istio-pilot-56f6487cdb-qlhzr
sleep-86f6b99f94-n8l8r.production SYNCED SYNCED SYNCED (100%) SYNCED istio-pilot-56f6487cdb-qlhzr
sleep-d7bfccf65-qbs7v.development SYNCED SYNCED SYNCED (100%) SYNCED istio-pilot-56f6487cdb-qlhzr