I am running into a problem with the Istio ingress gateway. We have configured the gateway in SIMPLE TLS mode for traffic entering the mesh, but we also want the Istio ingress gateway to talk to the application services (which run the istio-proxy sidecar) over mTLS. A VirtualService is configured so that requests from whitelisted hosts are routed to services in the processing namespace. The istio ingress pod lives in istio-system (without an istio-proxy sidecar); the Gateway and the istio ingress gateway pod are also in istio-system. We want to apply RBAC to the workloads in the processing namespace as follows:
rules:
- from:
  - source:
      principals: [
        "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
      ]
The peer authentication policy for both processing and istio-system is mTLS in PERMISSIVE mode. DestinationRule in istio-system:
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "istio-mutual"
  namespace: "istio-system"
spec:
  host: "*.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
But this does not work as expected. When curl-ing from the istio ingress gateway pod to a workload in the processing namespace, the istio-proxy container of the workload pod logs the following:
curl myservice.processing/healthz
2021-01-28T23:29:47.105404Z debug envoy rbac checking connection: requestedServerName: , sourceIP: 10.107.113.175:49912, directRemoteIP: 10.107.113.175:49912,remoteIP: 10.107.113.175:49912, localAddress: 10.107.66.26:8080, ssl: none, dynamicMetadata:
[2021-01-28T23:29:47.105Z] "- - -" 0 - "-" "-" 92 0 0 - "-" "-" "-" "-" "127.0.0.1:8080" inbound|80|https-web|myservice.processing.svc.cluster.local 127.0.0.1:39048 10.107.66.26:8080 10.107.113.175:49912 - -
How should we configure SIMPLE TLS for the downstream connection and ISTIO_MUTUAL for the upstream connection on the Gateway object? The istio ingress gateway also has an mTLS identity, but in the log I see ssl: none, and I really don't understand why. Has anyone run into this kind of problem?
Edit: curl command output
curl -v myservice.processing/actuator/info
* Trying 172.20.252.59...
* TCP_NODELAY set
* Connected to myservice.processing (172.20.252.59) port 80 (#0)
> GET /actuator/info HTTP/1.1
> Host: myservice.processing
> User-Agent: curl/7.58.0
> Accept: */*
>
* Empty reply from server
* Connection #0 to host myservice.processing left intact
curl: (52) Empty reply from server
Authentication policy
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: processing
spec:
  peers:
  - mtls: {}
gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-port
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      minProtocolVersion: TLSV1_2
      credentialName: ingress-cert
virtualservice.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: rate-limiting-gate
  namespace: processing
spec:
  gateways:
  - istio-system/istio-gateway
  hosts:
  - "*"   # a bare * is not valid YAML; the wildcard host must be quoted
  http:
  - match:
    - port: 443
    route:
    - destination:
        host: rate-limiting-gate
        port:
          number: 80
pact.yaml
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "{{ .Values.service.name }}-authorization-policy"
  namespace: {{ .Release.Namespace | quote }}
spec:
  selector:
    matchLabels:
      service: {{ .Values.service.name }}
  rules:
  - from:
    - source:
        principals: [
          "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
        ]
  - to:
    - operation:
        ports:
        - "9292"
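A small added check (my own code, not from the post or from Istio) that parses the istio-proxy "rbac checking connection" debug lines quoted above and flags any connection that reached the RBAC filter without a peer certificate, since a `principals:` rule can only match an identity taken from the peer's mTLS certificate. The second sample line is constructed to show the same filter's output once a peer certificate is present; `EXPECTED_PRINCIPAL` is the identity from the post's policy.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: line 1 mirrors the "ssl: none" check quoted in the post; line 2 is the
# shape the same filter logs when the peer presented an Istio mTLS certificate (constructed).
SAMPLE_LOG = """\
2021-01-28T23:29:47.105404Z debug envoy rbac checking connection: requestedServerName: , sourceIP: 10.107.113.175:49912, directRemoteIP: 10.107.113.175:49912,remoteIP: 10.107.113.175:49912, localAddress: 10.107.66.26:8080, ssl: none, dynamicMetadata:
2021-01-28T23:31:10.000000Z debug envoy rbac checking connection: requestedServerName: outbound_.80_._.myservice.processing.svc.cluster.local, sourceIP: 10.107.113.175:50120, directRemoteIP: 10.107.113.175:50120,remoteIP: 10.107.113.175:50120, localAddress: 10.107.66.26:8080, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account, dnsSanPeerCertificate: , subjectPeerCertificate: , dynamicMetadata:
"""

# Principal from the post's AuthorizationPolicy; Istio drops the spiffe:// scheme when matching.
EXPECTED_PRINCIPAL = "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"

RBAC_LINE = re.compile(
    r"^(?P<ts>\S+) debug envoy rbac checking connection: requestedServerName: (?P<sni>[^,]*), "
    r"sourceIP: (?P<src>[^,]+),.*?localAddress: (?P<dst>[^,]+), ssl: (?P<ssl>.*?), dynamicMetadata:"
)


@dataclass
class RbacCheck:
    timestamp: str
    source: str
    local_address: str
    peer_principal: Optional[str]  # None when the connection reached the filter in plaintext


def parse_rbac_line(line: str) -> Optional[RbacCheck]:
    """Parse one 'rbac checking connection' debug line; return None for any other line."""
    m = RBAC_LINE.match(line)
    if not m:
        return None
    principal = None
    san = re.search(r"uriSanPeerCertificate: ([^,]*)", m.group("ssl"))
    if san and san.group(1).strip():
        # Normalise the SPIFFE URI SAN to the form used in AuthorizationPolicy principals.
        principal = san.group(1).strip().removeprefix("spiffe://")
    return RbacCheck(m.group("ts"), m.group("src"), m.group("dst"), principal)


def audit_rbac_log(log_text: str, expected_principal: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source, reason) for every check that cannot satisfy the principals rule."""
    findings = []
    for line in log_text.splitlines():
        chk = parse_rbac_line(line)
        if chk is None:
            continue
        if chk.peer_principal is None:
            findings.append((chk.timestamp, chk.source, "plaintext: no peer certificate, so a principals rule cannot match"))
        elif chk.peer_principal != expected_principal:
            findings.append((chk.timestamp, chk.source, f"unexpected peer identity {chk.peer_principal}"))
    return findings


if __name__ == "__main__":
    for ts, src, reason in audit_rbac_log(SAMPLE_LOG, EXPECTED_PRINCIPAL):
        print(f"{ts} {src}: {reason}")
```

Run it against `kubectl logs <pod> -c istio-proxy` output after enabling `rbac` debug logging on the sidecar; only the plaintext connection from the sample is reported.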