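I have Kubernetes with Istio installed.
I am trying to limit external traffic to a host (for example, checkip.amazonaws.com). This would apply to all services in a namespace (konta in the example). All pods already have the sidecar proxy injected.
I used the following configuration, without success.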
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: quotahandler
  namespace: konta
spec:
  compiledAdapter: memquota
  params:
    quotas:
    - name: requestcountquota.instance.konta
      maxAmount: 5
      validDuration: 60s
      rateLimitAlgorithm: ROLLING_WINDOW
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: requestcountquota
  namespace: konta
spec:
  compiledTemplate: quota
  params:
    dimensions:
      #source: "unknown"
      source: request.headers["x-forwarded-for"] | "unknown"
      #destination:
      #destination: destination.labels["app"] | destination.service.name | "unknown"
      #destinationVersion: destination.labels["version"] | "unknown"
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpec
metadata:
  name: request-count
  namespace: konta
spec:
  rules:
  - quotas:
    - charge: 1
      quota: requestcountquota
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpecBinding
metadata:
  name: request-count
  namespace: konta
spec:
  quotaSpecs:
  - name: request-count
    namespace: konta
  services:
  - service: '*' # Uncomment this to bind *all* services to request-count
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: quota
  namespace: konta
spec:
  # quota only applies if you are not logged in.
  # match: match(request.headers["cookie"], "user=*") == false
  match: match(destination.service.host, "checkip.amazonaws.com") == true
  actions:
  - handler: quotahandler
    instances:
    - requestcountquota
I am testing with a simple curl container.
kubectl run -i --tty get-ip-address --image=dwdraju/alpine-curl-jq --restart=Never -n konta
and
curl checkip.amazonaws.com
Oops: my egress traffic does not go through the Istio egress gateway.