我在命名空间ns-restriction-demo-2中有一个数据库,并且有一个使用命名空间ns-restriction-demo-1中的那个DB的nodeJs应用程序。
因此,我试图添加授权,即只能通过一个名称空间(ns-restriction-demo-1)访问DB,但是当我启用混合器日志时,我意识到源属性是不同的。
{
"level": "warn",
"time": "0001-01-01T00:00:00.000000Z",
"instance": "newlog.instance.ns-restriction-demo-2",
"destination": "db-demo-2",
"destinationName": "db-demo-2-868c4bb6c7-f5l7c",
"destinationNamespace": "ns-restriction-demo-2",
"destinationPort": 3306,
"destinationPrinciple": "unkown",
"latency": "0s",
"mtls": false,
"requestHost": "unkown",
"responseCode": 0,
"responseSize": 0,
"source": "calico-node",
"sourceName": "calico-node-ljzxl",
"sourceNamespace": "kube-system",
"sourcePrinicple": "unkown",
"sourceServiceAccount": "calico-node",
"sourceservices": "unkown",
"user": "unknown"
}
我使用过的配置
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
name: newlog
namespace: ns-restriction-demo-2
spec:
compiledTemplate: logentry
params:
severity: '"warning"'
variables:
sourceName: source.name | "unkown"
sourceNamespace: source.namespace | "unkown"
sourcePrinicple: source.principal | "unkown"
sourceServiceAccount: source.serviceAccount | "unkown"
sourceservices: source.services | "unkown"
destinationPort: destination.port | 0
destinationName: destination.name | "unkown"
destinationNamespace: destination.namespace | "unkown"
destinationPrinciple: destination.principal | "unkown"
requestHost: request.host | "unkown"
source: source.labels["app"] | source.workload.name | "unknown"
user: source.user | "unknown"
mtls: connection.mtls | false
destination: destination.labels["app"] | destination.workload.name | "unknown"
responseCode: response.code | 0
responseSize: response.size | 0
latency: response.duration | "0ms"
monitored_resource_type: '"UNSPECIFIED"'
---
# Configuration for a stdio handler
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
name: newloghandler
namespace: ns-restriction-demo-2
spec:
compiledAdapter: stdio
params:
severity_levels:
warning: 1 # Params.Level.WARNING
outputAsJson: true
---
# Rule to send logentry instances to a stdio handler
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
name: newlogstdio
namespace: ns-restriction-demo-2
spec:
match: "true" # match for all requests
actions:
- handler: newloghandler
instances:
- newlog
---
因此,我想向istio的专家提问。
为什么source或sourceName或sourceNamespace与印花布有关?为什么与正在使用该数据库的那个nodeJs应用程序无关?
请帮助我了解我做错了什么或缺少什么吗?
Calico版本
Client Version: v3.5.8
Git commit: 107e128
Cluster Version: v3.6.2
Cluster Type: k8s,bgp,kdd
其他版本
答案 0 :(得分:0)
使用Mixer for TCP Services收集指标不同于HTTP。
对数据库的访问是Istio Mesh内部TCP工作负载的一个示例。
因此,请使用专用的“ tcpaccesslog”模板,而不要使用“登录”模板,该模板的属性映射中包含有效的协议配置:
'protocol: context.protocol | "tcp"'
这有助于Istio正确派生source和sourceName属性。
注意: 如果通过启用了mTLS的TCP连接发送到数据库的请求,则应该具有一些额外的属性: