Need help with setting up an authorization policy. Local Kubernetes installation, Istio version: 1.5.1
Without an authorization policy I get 200 OK. When the authorization policy is applied, I get a 503 response code.
Ingressgateway access log (works when there is no authorization policy)
[2020-05-15T07:08:30.278Z] "GET /v1/delegation/test HTTP/1.1" 200 - "-" "-" 0 4 81 79 "10.40.172.33,10.32.0.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" "a19876b4-12ee-9172-aa93-e405a1a89c6b" "[REPLACED-SERVERNAME]" "10.32.0.150:9091" outbound|9091|||[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local 10.32.0.153:56224 10.32.0.153:80 10.32.0.1:15044 - -
Corresponding application pod istio-proxy log (works when there is no authorization policy)
[2020-05-15T07:08:30.279Z] "- - -" 0 - "-" "-" 1805 142 60133 - "-" "-" "-" "-" "127.0.0.1:9091" inbound|9091|||[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local 127.0.0.1:33222 10.32.0.150:9091 10.32.0.153:56224 outbound_.9091_._.[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local
The following authorization policy was applied
$ cat [REPLACED]-auth-policy.yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: [REPLACED]-auth-policy
  namespace: [REPLACED-NAMESPACENAME]
spec:
  selector:
    matchLabels:
      app: [REPLACED]
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/v1/delegation/test"]
authorizationpolicy.security.istio.io/[REPLACED]-auth-policy created
Ingressgateway access log (does not work when the authorization policy is applied)
[2020-05-15T07:12:54.333Z] "GET /v1/delegation/test HTTP/1.1" 503 UC "-" "-" 0 95 9 - "10.40.172.33,10.32.0.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" "b1177978-3151-9629-b8cf-d97f6dc40fb6" "[REPLACED-SERVERNAME]" "10.32.0.150:9091" outbound|9091|||[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local 10.32.0.153:60850 10.32.0.153:80 10.32.0.1:33145 - -
Corresponding application pod istio-proxy log (does not work when the authorization policy is applied)
[2020-05-15T06:43:07.789Z] "- - -" 0 - "-" "-" 968 1796 1764128 - "-" "-" "-" "-" "10.41.88.60:1282" PassthroughCluster 10.32.0.150:52592 10.41.88.60:1282 10.32.0.150:52590 - -
[2020-05-15T07:12:54.334Z] "- - -" 0 - "-" "-" 0 0 8 - "-" "-" "-" "-" "127.0.0.1:9091" inbound|9091|||[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local 127.0.0.1:37848 10.32.0.150:9091 10.32.0.153:60850 outbound_.9091_._.[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local -
[2020-05-15T06:43:38.749Z] "- - -" 0 - "-" "-" 968 1796 1757489 - "-" "-" "-" "-" "10.41.88.60:1282" PassthroughCluster 10.32.0.150:53270 10.41.88.60:1282 10.32.0.150:53268 - -
In the Kubernetes Service definition I had to explicitly name the TCP port "http". Naming the port http allows a DNS SRV query for _http._tcp.my-service.my-ns.
https://kubernetes.io/docs/concepts/services-networking/service/#dns
"Kubernetes also supports DNS SRV (Service) records for named ports. If the "my-service.my-ns" Service has a port named "http" with the protocol set to TCP, you can do a DNS SRV query for _http._tcp.my-service.my-ns to discover the port number for "http", as well as the IP address."
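The answer above fits what the sidecar log shows: every inbound entry on the application pod is logged as "- - -" (no method, path or protocol), which is how Envoy records a connection it handles as raw TCP rather than HTTP. An ALLOW policy whose only rule matches on an HTTP path cannot match TCP traffic, so nothing is allowed and the sidecar closes the connection, which the gateway reports as 503 UC. The manifests below are an added example, not the poster's own files: they show a Service with the port left unnamed beside the corrected Service whose port is named http, together with the policy from the question. The service name, the app label and the use of port 9091 (taken from the log lines) are assumptions; REPLACED-NAMESPACENAME is a placeholder.

```yaml
# Added example, not the poster's manifest. Names, labels and port 9091
# are assumptions; REPLACED-NAMESPACENAME is a placeholder.
#
# Before: the port carries no name. Istio 1.5 then treats it as plain TCP,
# so an ALLOW rule that matches on HTTP paths never matches and the sidecar
# rejects the connection (the gateway logs 503 UC).
apiVersion: v1
kind: Service
metadata:
  name: delegation-svc-before          # placeholder, kept distinct from the fixed Service
  namespace: REPLACED-NAMESPACENAME
spec:
  selector:
    app: delegation                    # same label the AuthorizationPolicy selects on
  ports:
  - port: 9091
    targetPort: 9091
    protocol: TCP
---
# After: the port is named "http" (Istio also accepts "http-<suffix>"), so the
# sidecar parses the stream as HTTP and the path-based ALLOW rule can evaluate.
apiVersion: v1
kind: Service
metadata:
  name: delegation-svc
  namespace: REPLACED-NAMESPACENAME
spec:
  selector:
    app: delegation
  ports:
  - name: http
    port: 9091
    targetPort: 9091
    protocol: TCP
---
# The policy from the question, with the placeholder names filled in so the
# two objects can be read together. Because it is an ALLOW policy, any request
# its rules do not match is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: delegation-auth-policy
  namespace: REPLACED-NAMESPACENAME
spec:
  selector:
    matchLabels:
      app: delegation
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/v1/delegation/test"]
```

A quick way to audit a namespace for this is to list the port names of every Service, for example `kubectl get svc -n REPLACED-NAMESPACENAME -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.spec.ports[*].name}{"\n"}{end}'`, and check that every port that receives HTTP traffic governed by a path-based policy has an http name. After renaming the port, the inbound entries in the application pod's istio-proxy log should show the method and path instead of "- - -", and requests to paths not listed in the policy should be refused with 403 rather than 503.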