我们正在将outboundTrafficPolicy.mode设置为REGISTRY_ONLY的Istio。我们使用ServiceEntries和Sidecar配置将许多域列入白名单,这些都可以正常工作。
但是,尝试将IP地址列入白名单并使用HTTPS无效。这是我们正在使用的ServiceEntry:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
labels:
app: test
name: test-external-deps
namespace: realistic-doubles
spec:
addresses:
- 54.xx.xx.xx
endpoints:
- address: 54.xx.xx.xx
exportTo:
- .
hosts:
- fakehost3.internal
location: MESH_EXTERNAL
ports:
- name: https
number: 8443
protocol: TLS
resolution: STATIC
当我们将该IP卷曲到Istio之外时,我们会得到很好的响应。但是在网格中,我们得到:
root@trading-api-99f85fdbc-vskdg:/app# curl -v -k https://54.xx.xx.xx:8443
* Expire in 0 ms for 6 (transfer 0x561ea5c1ff50)
* Trying 54.xx.xx.xx...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x561ea5c1ff50)
* Connected to 54.xx.xx.xx (54.xx.xx.xx) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 54.xx.xx.xx:8443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 54.xx.xx.xx:8443
特使访问日志显示了这一点,这似乎与其他被阻止的请求一致:
[2020-07-21T17:27:43.240Z] "- - -" 0 UH "-" "-" 0 0 0 - "-" "-" "-" "-" "-" - - 54.xx.xx.xx:8443 10.xx.xx.xx:48738 - -
我们如何将该外部IP列入白名单,以使其不会被Envoy阻止?
答案 0 :(得分:1)
我发现了我所缺少的。仅添加ServiceEntry是不够的。我还需要更新Sidecar配置以列出伪造的主机名,如下所示:
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: test
namespace: realistic-doubles
labels:
app: test
spec:
workloadSelector:
labels:
app.kubernetes.io/name: test
egress:
- hosts:
- "./fakehost3.internal"
添加完之后,我就可以从pod中解析静态IP了!