Istio authorization for Knative service-to-service communication

Problem description

I cannot get Istio authorization working for communication between Knative services.

Steps taken:

  1. Installed Istio with mTLS enabled in STRICT mode
  2. Installed Knative with mTLS in PERMISSIVE mode [https://knative.dev/docs/serving/istio-authorization/], because requests may be forwarded by the activator depending on TargetBurstCapacity.
  3. Created two namespaces, services-test1 and services-test2
  4. Enabled istio sidecar injection in services-test1 and services-test2 and deployed the Hello service. (Ignore the IP used in the code; I have been trying with an internal load balancer IP.)

Expected:

  1. A service in serving-test1 should be denied by RBAC when accessing a service in services-test2
  2. Vice versa for #1

Actual result:

  1. The service in serving-test1 can communicate with the service in services-test2, and vice versa.

I also tried adding a DestinationRule with host="*.local" and tls mode=ISTIO_MUTUAL, but with no success. Any help is appreciated.

The complete install and test script follows.

export ISTIO_VERSION="1.8.2"
curl -L https://istio.io/downloadistio | ISTIO_VERSION=${ISTIO_VERSION} TARGET_ARCH=x86_64 sh -
export PATH="$PATH:istio-${ISTIO_VERSION}/bin"
export ISTIO_HOME=istio-${ISTIO_VERSION}/
cat <<EOF > istio-minimal-operator.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      proxy:
        autoInject: enabled
      useMCP: false
      jwtPolicy: first-party-jwt
    meshConfig:
      enableAutoMtls: true
  addonComponents:
    pilot:
      enabled: true
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          service:
            type: LoadBalancer
            loadBalancerIP: "10.173.128.70"
EOF

istioctl install -y -f istio-minimal-operator.yaml
kubectl -n istio-system annotate service istio-ingressgateway cloud.google.com/load-balancer-type=Internal --overwrite
# Mesh-wide default: require mTLS for all sidecar-injected workloads
kubectl ${OPERATION:-apply} -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
EOF


kubectl create namespace serving-test1
kubectl create namespace serving-test2
kubectl create namespace knative-serving
kubectl label namespace serving-test1 istio-injection=enabled
kubectl label namespace serving-test2 istio-injection=enabled
kubectl label namespace knative-serving istio-injection=enabled


export KNATIVE_VERSION="v0.20.0"
kubectl apply -f https://github.com/knative/serving/releases/download/${KNATIVE_VERSION}/serving-crds.yaml
kubectl apply -f https://github.com/knative/serving/releases/download/${KNATIVE_VERSION}/serving-core.yaml
kubectl apply -f https://github.com/knative/net-istio/releases/download/${KNATIVE_VERSION}/release.yaml

# knative-serving namespace: PERMISSIVE (see step 2)
kubectl ${OPERATION:-apply} -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "knative-serving"
spec:
  mtls:
    mode: PERMISSIVE
EOF

# One Knative Service per test namespace, kept at one replica so the pods exist
cat <<EOF | kubectl ${OPERATION:-apply} -f -
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  labels:
    app: hello
  name: hello
  namespace: serving-test1
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/minScale: "1"
    spec:
      containers:
      - env:
        - name: TARGET
          value: Go Sample v1
        image: gcr.io/knative-samples/helloworld-go
        name: user-container
---
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  labels:
    app: hello
  name: hello
  namespace: serving-test2
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/minScale: "1"
    spec:
      containers:
      - env:
        - name: TARGET
          value: Go Sample v2
        image: gcr.io/knative-samples/helloworld-go
        name: user-container
EOF

# Open a shell in a serving-test1 pod; the curl commands that follow are typed inside it
kubectl -n serving-test1 exec -it $(kubectl -n serving-test1 get pod -o jsonpath='{.items[0].metadata.name}') -- bash
curl -H "Host: hello.serving-test2.example.com" http://10.173.128.70
curl -H "Host: hello.serving-test2.example.com" http://istio-ingressgateway.istio-system.svc.cluster.local
curl -H "Host: hello.serving-test2.example.com" http://knative-local-gateway.istio-system.svc.cluster.local
curl http://hello.serving-test2.svc.cluster.local

# Same from a serving-test2 pod towards serving-test1
kubectl -n serving-test2 exec -it $(kubectl -n serving-test2 get pod -o jsonpath='{.items[0].metadata.name}') -- bash
curl -H "Host: hello.serving-test1.example.com" http://10.173.128.70
curl -H "Host: hello.serving-test1.example.com" http://istio-ingressgateway.istio-system.svc.cluster.local
curl -H "Host: hello.serving-test1.example.com" http://knative-local-gateway.istio-system.svc.cluster.local
curl http://hello.serving-test1.svc.cluster.local


# Per-namespace STRICT mTLS plus authorization policies in both test namespaces
kubectl ${OPERATION:-apply} -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: serving-test1
spec:
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: serving-test1
spec:
  {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-serving-tests
  namespace: serving-test1
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["serving-test1","knative-serving"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allowlist-by-paths
  namespace: serving-test1
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        paths:
        - /metrics
        - /healthz
---
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "serving-test2"
spec:
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: serving-test2
spec:
  {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-serving-tests
  namespace: serving-test2
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["serving-test2","knative-serving"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allowlist-by-paths
  namespace: serving-test2
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        paths:
        - /metrics
        - /healthz
EOF

Solution

No working solution has been found for this problem yet.

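Added example (an editor's illustration, not part of the original post and not code from Istio or Knative): a small Python model of how Istio evaluates the AuthorizationPolicy objects applied to serving-test2 above, run against the peer identities the destination sidecar could see. Istio's documented order is DENY policies first; then, if any ALLOW policy applies to the workload, the request must match one of them. A policy with `spec: {}` is an ALLOW with no rules, so it matches nothing and only switches the workload into that allow-list mode. The `namespaces` field is matched against the SPIFFE identity of the immediate mTLS peer, so a request that reaches the pod through the activator carries the activator's identity in knative-serving, which the post's allow-serving-tests policy permits regardless of who originally called, and a plaintext request has no namespace to match at all. The service-account names (`controller` for the activator, `istio-ingressgateway-service-account` for the gateway pods), the SPIFFE ID format and the request scenarios are assumptions constructed for this example.

```python
# Editor's model of Istio AuthorizationPolicy evaluation (not Istio's code), run
# over the serving-test2 policies above. Assumed, not taken from the page: peer
# identity is the SPIFFE ID of the immediate mTLS peer (cluster.local/ns/<ns>/sa/<sa>),
# plaintext peers have none, the activator runs as the `controller` service account
# and the gateway pods run as istio-ingressgateway-service-account.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Request:
    principal: Optional[str]  # SPIFFE ID of the immediate peer; None == plaintext
    path: str


@dataclass
class Policy:
    name: str
    action: str = "ALLOW"  # Istio's default when `action` is omitted
    rules: List[dict] = field(default_factory=list)


def source_namespace(principal: Optional[str]) -> Optional[str]:
    """Namespace component of a SPIFFE ID, or None for a plaintext peer."""
    if principal is None:
        return None
    parts = principal.split("/")
    try:
        return parts[parts.index("ns") + 1]
    except (ValueError, IndexError):
        return None


def _path_matches(pattern: str, path: str) -> bool:
    # Exact, prefix ("/api*") and suffix ("*.png") forms, as Istio documents them.
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return pattern == path


def _source_matches(source: dict, req: Request) -> bool:
    # Fields inside one `source` are ANDed; the values listed in a field are ORed.
    if "namespaces" in source and source_namespace(req.principal) not in source["namespaces"]:
        return False
    if "principals" in source and req.principal not in source["principals"]:
        return False
    return True


def rule_matches(rule: dict, req: Request) -> bool:
    """`from` and `to` are ANDed; the entries within each list are ORed."""
    if "from" in rule and not any(_source_matches(f["source"], req) for f in rule["from"]):
        return False
    if "to" in rule and not any(
        any(_path_matches(p, req.path) for p in t["operation"].get("paths", ["*"]))
        for t in rule["to"]
    ):
        return False
    return True


def authorize(policies: List[Policy], req: Request) -> bool:
    """Istio's documented order: DENY first, then ALLOW if any ALLOW policy applies."""
    deny = [p for p in policies if p.action == "DENY"]
    allow = [p for p in policies if p.action == "ALLOW"]
    if any(rule_matches(r, req) for p in deny for r in p.rules):
        return False
    if not allow:  # no ALLOW policy for this workload: everything passes
        return True
    # A policy with no rules (the `spec: {}` "deny-all" above) is an ALLOW that
    # matches nothing; its only effect is to make this allow-list branch reachable.
    return any(rule_matches(r, req) for p in allow for r in p.rules)


# The three policies the post applies in serving-test2, transcribed to dicts.
SERVING_TEST2_POLICIES = [
    Policy("deny-all", "ALLOW", []),
    Policy("allow-serving-tests", "ALLOW", [
        {"from": [{"source": {"namespaces": ["serving-test2", "knative-serving"]}}]},
    ]),
    Policy("allowlist-by-paths", "ALLOW", [
        {"to": [{"operation": {"paths": ["/metrics", "/healthz"]}}]},
    ]),
]

# Constructed identities for the possible last hop before the serving-test2 pod.
CALLER_IN_TEST1 = "cluster.local/ns/serving-test1/sa/default"
ACTIVATOR = "cluster.local/ns/knative-serving/sa/controller"  # assumed SA name
GATEWAY = "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"


def scenario_results(policies: List[Policy] = SERVING_TEST2_POLICIES) -> dict:
    """Decision at the serving-test2 sidecar, keyed by who the immediate peer is."""
    return {
        "direct from serving-test1 pod": authorize(policies, Request(CALLER_IN_TEST1, "/")),
        "forwarded by activator": authorize(policies, Request(ACTIVATOR, "/")),
        "forwarded by gateway": authorize(policies, Request(GATEWAY, "/")),
        "plaintext /healthz": authorize(policies, Request(None, "/healthz")),
        "plaintext /": authorize(policies, Request(None, "/")),
    }
```

Call scenario_results() to see the decisions: only the request whose immediate peer is the activator (knative-serving) passes on "/", while the same request arriving directly from a serving-test1 identity, or from the gateway's istio-system identity, is denied, and "/healthz" passes from anyone because allowlist-by-paths has no `from` clause. The model covers only the `namespaces`, `principals` and `paths` fields used on this page; selectors, ports, methods and JWT-based conditions are left out.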