服务网格内外 Pod 的 Istio outboundTrafficPolicy

I'm trying to understand how the Istio Envoy proxy works when the outboundTrafficPolicy mode is set to REGISTRY_ONLY. With the setup defined below, I expected the inside pod to be blocked from reaching the outside pod, because the sidecar.istio.io/inject label is set to "false" for the outside pod and "true" for the inside pod. However, when I exec into the inside pod and issue a curl command, it succeeds.

kubectl -n istio-test exec -it inside-85f794ff76-7x44s -c sleep -- curl  http://outside
<html><body><h1>It works!</h1></body></html>

Configuration

---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: outside
  name: outside
  namespace: istio-test
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: outside
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: inside
  name: inside
  namespace: istio-test
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: inside
  clusterIP: None
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: outside
  name: outside
  namespace: istio-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: outside
  template:
    metadata:
      labels:
        app: outside
        version: v1
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - image: httpd
        name: httpd
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: inside
  name: inside
  namespace: istio-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: inside
  template:
    metadata:
      labels:
        app: inside
        version: v1
        sidecar.istio.io/inject: "true"
    spec:
      containers:
      - image: curlimages/curl
        name: sleep
        command:
        - /bin/sleep
        - infinity
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: istio-test
spec:
  workloadSelector:
    labels:
      app: inside
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY

I originally expected that a ServiceEntry would be needed to register the outside pod. Why is that not the case?

How can I block traffic from the inside pod to the outside pod?

Answer 1

I installed Istio in a fresh cluster:

alias k=kubectl
alias i=istioctl

curl -L https://istio.io/downloadIstio | sh -
export PATH="$PATH:/path/to/istio-1.20.1/bin"

i install --set profile=minimal
k create ns istio-test
k label ns/istio-test istio-injection=enabled
k apply -f question.yaml  # your YAML manifest

You are right, inside can call outside:

k -n istio-test exec -it inside-6bcff479d-c5dfp -c sleep -- curl outside
<html><body><h1>It works!</h1></body></html>

This is because, with your Sidecar object configuration and the default mesh settings, the Istio proxy running alongside a pod in the mesh receives the details of all services in all namespaces of the cluster:

i pc c inside-6bcff479d-c5dfp -n istio-test
SERVICE FQDN                                 PORT      SUBSET     DIRECTION     TYPE             DESTINATION RULE
                                             80        -          inbound       ORIGINAL_DST     
BlackHoleCluster                             -         -          -             STATIC           
InboundPassthroughClusterIpv4                -         -          -             ORIGINAL_DST     
PassthroughCluster                           -         -          -             ORIGINAL_DST     
agent                                        -         -          -             STATIC           
inside.istio-test.svc.cluster.local          80        -          outbound      ORIGINAL_DST     
istiod.istio-system.svc.cluster.local        443       -          outbound      EDS              
istiod.istio-system.svc.cluster.local        15010     -          outbound      EDS              
istiod.istio-system.svc.cluster.local        15012     -          outbound      EDS              
istiod.istio-system.svc.cluster.local        15014     -          outbound      EDS              
kube-dns.kube-system.svc.cluster.local       53        -          outbound      EDS              
kube-dns.kube-system.svc.cluster.local       9153      -          outbound      EDS              
kubernetes.default.svc.cluster.local         443       -          outbound      EDS              
metrics-server.default.svc.cluster.local     443       -          outbound      EDS              
outside.istio-test.svc.cluster.local         80        -          outbound      EDS              
prometheus_stats                             -         -          -             STATIC           
sds-grpc                                     -         -          -             STATIC           
xds-grpc                                     -         -          -             STATIC           
zipkin                                       -         -          -             STRICT_DNS 

Just look at the EDS entries above. If you want to change this, you can configure the Sidecar object with an egress setting:

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: istio-test
spec:
  workloadSelector:
    labels:
      app: inside
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
    - hosts:
        - ~/*

This leaves the Sidecar configured without any services from any namespace:

i pc c -n istio-test inside-6bcff479d-c5dfp
SERVICE FQDN                      PORT     SUBSET     DIRECTION     TYPE             DESTINATION RULE
                                  80       -          inbound       ORIGINAL_DST     
BlackHoleCluster                  -        -          -             STATIC           
InboundPassthroughClusterIpv4     -        -          -             ORIGINAL_DST     
PassthroughCluster                -        -          -             ORIGINAL_DST     
agent                             -        -          -             STATIC           
prometheus_stats                  -        -          -             STATIC           
sds-grpc                          -        -          -             STATIC           
xds-grpc                          -        -          -             STATIC           
zipkin                            -        -          -             STRICT_DNS 

Defining outboundTrafficPolicy REGISTRY_ONLY means your pod will not be able to reach google.com:

k -n istio-test exec -it inside-6bcff479d-c5dfp -c sleep -- curl google.com -I
curl: (56) Recv failure: Connection reset by peer
command terminated with exit code 56

Adding the egress configuration also makes it unable to reach the other pod:

k -n istio-test exec -it inside-6bcff479d-c5dfp -c sleep -- curl outside -I
curl: (56) Recv failure: Connection reset by peer
command terminated with exit code 56

REGISTRY_ONLY allows connections to the services configured in the Istio proxy. If the proxy is configured with access to all services in the cluster, it will allow that access. Whether those services themselves have an Istio proxy does not matter.

It is good practice to configure the Istio Sidecar object so that it can only reach the services it actually needs. This not only helps security but also reduces the overhead of propagating endpoint changes to all Istio-enabled pods. In a larger cluster this can be a big deal.
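
As an added illustration (not Istio's code and not part of the answer above), the following Python models which services a Sidecar's egress hosts pull into the proxy and how outboundTrafficPolicy then decides whether a destination is forwarded or black-holed. The service registry is constructed from the cluster names shown in the istioctl output, and matching is done on FQDNs rather than the short `outside` name that curl uses.

```python
"""Model of Istio Sidecar egress host selection and outboundTrafficPolicy.

Added illustration, not Istio's own code. Mirrors the documented meaning of
Sidecar.egress.hosts entries "namespace/dnsName": namespace '*' = all,
'.' = the sidecar's own namespace, '~' = no namespace; dnsName is an FQDN,
'*' (every host) or a '*.suffix' wildcard. No egress section means "*/*".
"""
from fnmatch import fnmatchcase

# Constructed registry (namespace, service FQDN) built from the cluster
# names in the istioctl proxy-config output above.
REGISTRY = [
    ("istio-test", "inside.istio-test.svc.cluster.local"),
    ("istio-test", "outside.istio-test.svc.cluster.local"),
    ("istio-system", "istiod.istio-system.svc.cluster.local"),
    ("kube-system", "kube-dns.kube-system.svc.cluster.local"),
    ("default", "kubernetes.default.svc.cluster.local"),
    ("default", "metrics-server.default.svc.cluster.local"),
]


def _host_matches(pattern, sidecar_ns, svc_ns, fqdn):
    ns_part, dns_part = pattern.split("/", 1)
    if ns_part == "~":                 # '~' imports nothing at all
        return False
    if ns_part == ".":                 # '.' is the sidecar's namespace
        ns_part = sidecar_ns
    if ns_part not in ("*", svc_ns):
        return False
    return dns_part == "*" or fnmatchcase(fqdn, dns_part)


def visible_services(sidecar_ns, egress_hosts=None, registry=REGISTRY):
    """FQDNs the proxy gets outbound clusters for (the EDS rows above)."""
    hosts = ["*/*"] if egress_hosts is None else egress_hosts
    return sorted(fqdn for ns, fqdn in registry
                  if any(_host_matches(h, sidecar_ns, ns, fqdn) for h in hosts))


def reachable(target, sidecar_ns, mode="ALLOW_ANY", egress_hosts=None):
    """True if an outbound connection to target is forwarded by the proxy.

    ALLOW_ANY sends unknown hosts to PassthroughCluster; REGISTRY_ONLY
    sends them to BlackHoleCluster, so only visible services get through.
    """
    return mode == "ALLOW_ANY" or target in visible_services(sidecar_ns, egress_hosts)
```

A practical allowlist for the inside pod would be something like `["istio-system/*", "./outside.istio-test.svc.cluster.local"]`, which keeps istiod reachable and admits exactly the one service it needs.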

Answer 2

I think this question has the same answer on Stack Overflow; you can check this link.