Granular policy over Istio egress traffic

I have a Kubernetes cluster with Istio installed. I have two pods, e.g. sleep1 and sleep2 (containers with curl installed). I want to configure Istio to allow traffic from sleep1 to www.google.com and to forbid traffic from sleep2 to www.google.com.

So I created a ServiceEntry:

---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google
spec:
  hosts: 
  - www.google.com
  - google.com
  ports: 
  - name: http-port
    protocol: HTTP
    number: 80
  resolution: DNS

a Gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: http-port
      protocol: HTTP
    hosts:
    - "*"

and two VirtualServices (mesh -> egress, egress -> google):

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mesh-to-egress
spec:
  hosts: 
  - www.google.com
  - google.com
  gateways:
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: egress-to-google-int
spec:
  hosts: 
  - www.google.com
  - google.com
  gateways:
  - istio-egressgateway
  http:
  - match: 
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: google.com
        port:
          number: 80
      weight: 100

As a result, I can curl google from both pods.

So the question again: can I allow traffic from sleep1 to www.google.com and forbid traffic from sleep2 to www.google.com? I know this might be possible with Kubernetes NetworkPolicy and black/white lists (https://istio.io/docs/tasks/policy-enforcement/denial-and-list/), but both of those approaches forbid (allow) traffic for specific IPs, or am I missing something?

You can create different service accounts for sleep1 and sleep2. Then you create an RBAC policy to limit access to the istio-egressgateway, so sleep2 will not be able to send any egress traffic through the egress gateway. This should work together with forbidding any egress traffic from the cluster that does not originate from the egress gateway. See https://istio.io/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations.

If you want to allow sleep2 to access other services but not www.google.com, you can use Mixer rules and handlers; see this blog post. It shows how to allow specific URL paths for specific service accounts.
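The RBAC approach this answer describes, written out as an added example (not part of the original post). It assumes Istio's v1alpha1 RBAC API (Istio 1.1 to 1.4), service accounts named sleep1 and sleep2 in the default namespace, and mutual TLS on the sidecar-to-egress-gateway hop so the gateway can identify the calling service account:

```yaml
# Turn Istio RBAC on only for the namespace hosting the egress gateway
# (assumed: istio-system); every service there is deny-by-default until
# a ServiceRoleBinding grants access.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ClusterRbacConfig
metadata:
  name: default
spec:
  mode: 'ON_WITH_INCLUSION'
  inclusion:
    namespaces: ["istio-system"]
---
# Role that grants HTTP access to the egress gateway service itself.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: egress-gateway-user
  namespace: istio-system
spec:
  rules:
  - services: ["istio-egressgateway.istio-system.svc.cluster.local"]
    methods: ["*"]
    paths: ["*"]
---
# Bind the role to sleep1's service account only (assumed name/namespace).
# sleep2 has no binding, so its requests are rejected at the gateway
# before they leave the cluster.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-egress-gateway-user
  namespace: istio-system
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/sleep1"
  roleRef:
    kind: ServiceRole
    name: "egress-gateway-user"
```

To check it, curl www.google.com from both pods: sleep1 should get Google's 200, while sleep2 should get an HTTP 403 with the body "RBAC: access denied" from the gateway. The ServiceEntry and VirtualServices from the question stay unchanged; only the gateway decides who may use it.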

I think your choice of the denial option may be right. It is also not limited to IPs, as we can see in the attribute-based example under Simple Denial and Attribute-based Denial.

So, for example, if we write a simple denial rule for sleep2 -> www.google.com:

# Handler: the denier adapter rejects checks with the given status
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: denySleep2Google
spec:
  compiledAdapter: denier
  params:
    status:
      code: 7          # gRPC status 7 = PERMISSION_DENIED
      message: Not allowed
---
# Instance: checknothing carries no data, it only triggers the check
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: denySleep2GoogleRequest
spec:
  compiledTemplate: checknothing
---
# Rule: apply the denier only when sleep2 calls www.google.com
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: denySleep2
spec:
  match: destination.service.host == "www.google.com" && source.labels["app"]=="sleep2"
  actions:
  - handler: denySleep2Google
    instances: [ denySleep2GoogleRequest ]

Please check whether this helps. Also, the "match" field in the "rule" entry is based on the Istio expression language over attributes; some of the vocabulary can be found in this doc.