我为我们的 mailhog kubernetes 服务应用了这样的 AuthorizationPolicy,该服务在 80 上发布 HTTP 端口,在 25 上发布 SMTP,以便仅对授权用户重新访问其 HTTP 服务。
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
labels:
argocd.argoproj.io/instance: ephemeral-devops
name: oauth-mailhog-jwt
namespace: devops
spec:
action: ALLOW
rules:
- to:
- operation:
ports:
- "25"
- to:
- operation:
paths:
- /*
when:
- key: request.auth.claims[groups]
values:
- devops
- devs
selector:
matchLabels:
app: mailhog
对于 HTTP 连接,它的工作方式与应有的方式相同,但它也会阻塞端口 25。 应用此功能后,从内部集群应用程序到 SMTP 端口的连接将被拒绝:
# telnet mailhog-service 25
Trying 10.73.115.185...
Connected to mailhog-service.
Escape character is '^]'.
HELO
Connection closed by foreign host.
没有这个政策,一切都正常。我如何从应用此策略中排除此 SMTP 端口?
这里的问题是端口。我们不在 AuthorizationPolicies 中使用服务端口,而是使用 Pod 端口,因为它们绑定到 Pod 而不是服务。所以应该这样配置:
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
labels:
argocd.argoproj.io/instance: ephemeral-devops
name: oauth-mailhog-jwt
namespace: devops
spec:
action: ALLOW
rules:
- to:
- operation:
ports:
- "25" <--- this should be SMTP port exposed by Pod not from Service
- to:
- operation:
paths:
- /*
when:
- key: request.auth.claims[groups]
values:
- devops
- devs
selector:
matchLabels:
app: mailhog