主页 / server / 问题 / 1150892
Accepted
Wanderer
Asked: 2024-01-05 00:20:54 +0800 CST

用于服务网格进出 pod 的 Istio outboundTrafficPolicy

  • 772

我试图了解当outboundTrafficPolicy模式设置为 REGISTRY_ONLY 时 Istio envoy 代理如何工作。通过下面定义的设置,我预计insidePod 将被阻止访问outsidePod,因为sidecar.istio.inject标签设置"false"为外部 Pod 和"true"内部 Pod。但是,当我执行到insidepod 并发出curl 命令时,我获得了成功。

kubectl -n istio-test exec -it inside-85f794ff76-7x44s -c sleep -- curl  http://outside
<html><body><h1>It works!</h1></body></html>

配置设置

---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: outside
  name: outside
  namespace: istio-test
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: outside
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: inside
  name: inside
  namespace: istio-test
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: inside
  clusterIP: None
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: outside
  name: outside
  namespace: istio-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: outside
  template:
    metadata:
      labels:
        app: outside
        version: v1
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - image: httpd
        name: httpd
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: inside
  name: inside
  namespace: istio-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: inside
  template:
    metadata:
      labels:
        app: inside
        version: v1
        sidecar.istio.io/inject: "true"
    spec:
      containers:
      - image: curlimages/curl
        name: sleep
        command:
        - /bin/sleep
        - infinity
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: istio-test
spec:
  workloadSelector:
    labels:
      app: inside
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY

我期望需要一个ServiceEntry来注册外部 Pod。为什么情况似乎并非如此?

如何阻止从insidepod 到outsidepod 的流量?

kubernetes

2 个回答

  1. Best Answer

    我已经在一个新的集群中安装了 Istio:

    alias k=kubectl
alias i=istioctl

curl -L https://istio.io/downloadIstio | sh -
export PATH="$PATH:/path/to/istio-1.20.1/bin"

i install --set profile=minimal
k create ns istio-test
k label ns/istio-test istio-injection=enabled
k apply -f question.yaml  # your YAML manifest

    你说得对,inside可以打电话outside

    k -n istio-test exec -it inside-6bcff479d-c5dfp -c sleep -- curl outside
<html><body><h1>It works!</h1></body></html>

    这是因为将 sidecar 对象配置与默认网格设置一起使用,与网格内的 pod 一起运行的 Istio 代理将获取集群内所有命名空间中所有服务的详细信息:

    i pc c inside-6bcff479d-c5dfp -n istio-test
SERVICE FQDN                                 PORT      SUBSET     DIRECTION     TYPE             DESTINATION RULE
                                             80        -          inbound       ORIGINAL_DST     
BlackHoleCluster                             -         -          -             STATIC           
InboundPassthroughClusterIpv4                -         -          -             ORIGINAL_DST     
PassthroughCluster                           -         -          -             ORIGINAL_DST     
agent                                        -         -          -             STATIC           
inside.istio-test.svc.cluster.local          80        -          outbound      ORIGINAL_DST     
istiod.istio-system.svc.cluster.local        443       -          outbound      EDS              
istiod.istio-system.svc.cluster.local        15010     -          outbound      EDS              
istiod.istio-system.svc.cluster.local        15012     -          outbound      EDS              
istiod.istio-system.svc.cluster.local        15014     -          outbound      EDS              
kube-dns.kube-system.svc.cluster.local       53        -          outbound      EDS              
kube-dns.kube-system.svc.cluster.local       9153      -          outbound      EDS              
kubernetes.default.svc.cluster.local         443       -          outbound      EDS              
metrics-server.default.svc.cluster.local     443       -          outbound      EDS              
outside.istio-test.svc.cluster.local         80        -          outbound      EDS              
prometheus_stats                             -         -          -             STATIC           
sds-grpc                                     -         -          -             STATIC           
xds-grpc                                     -         -          -             STATIC           
zipkin                                       -         -          -             STRICT_DNS

    请参阅上面的 EDS 条目。如果您希望更改此设置,您可以使用出口设置来配置 Sidecar 对象:

    apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: istio-test
spec:
  workloadSelector:
    labels:
      app: inside
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
    - hosts:
        - ~/*

    这使得 Sidecar 无需配置来自任何命名空间的服务:

    i pc c -n istio-test inside-6bcff479d-c5dfp
SERVICE FQDN                      PORT     SUBSET     DIRECTION     TYPE             DESTINATION RULE
                                  80       -          inbound       ORIGINAL_DST     
BlackHoleCluster                  -        -          -             STATIC           
InboundPassthroughClusterIpv4     -        -          -             ORIGINAL_DST     
PassthroughCluster                -        -          -             ORIGINAL_DST     
agent                             -        -          -             STATIC           
prometheus_stats                  -        -          -             STATIC           
sds-grpc                          -        -          -             STATIC           
xds-grpc                          -        -          -             STATIC           
zipkin                            -        -          -             STRICT_DNS

    定义outboundTrafficPolicyREGISTRY_ONLY意味着您的 Pod 将无法访问 google.com:

    k -n istio-test exec -it inside-6bcff479d-c5dfp -c sleep -- curl google.com -I
curl: (56) Recv failure: Connection reset by peer
command terminated with exit code 56

    添加出口配置将使其无法访问其他 Pod:

    k -n istio-test exec -it inside-6bcff479d-c5dfp -c sleep -- curl outside -I
curl: (56) Recv failure: Connection reset by peer
command terminated with exit code 56

    REGISTRY_ONLY允许连接到 Istio 代理配置的服务。如果代理配置为访问集群中的所有服务,那么它就会。这些服务本身是否有 Istio 代理并不重要。

    将 Istio Sidecar 对象配置为能够仅访问它们需要访问的服务是一种很好的做法。这不仅有助于安全性,还减少了在所有启用 Istio 的 Pod 之间传播端点更改相关的开销。在更大的集群中,这可能是一件大事。

    • 1

  2. 我认为 stackoverflow 上已经回答了同样的问题,您可以查看此链接

    • 0

相关问题