How to set ingress-policy to allow limited IP with Istio?
Following the documentation Authorization on Ingress Gateway, I set the ingress policy like this

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks: ["ALLOWED PUBLIC IP HERE"]

My public IP comes from WhatIsMyIPAddress, and I set it in ipBlocks above.
After applying the manifest, when I access my website from the browser it shows RBAC access denied.
My application is deployed in the default namespace; is using namespace: istio-system in the metadata correct? And how do I view the access logs to debug?
What is the correct way to set up an IP filter?
Checking Istio's ingressgateway logs gives
kubectl logs istio-ingressgateway-111111111111-aaaaa -n istio-system
...
[2021-12-20T05:10:58.600Z] "GET /healthz/ready HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.123.45.123" "ELB-HealthChecker/2.0" "11111111-aaaa-3333-cccc-555555555555" "10.123.45.123:30974" "-" outbound|80||demo-service.default.svc.cluster.local - 10.123.45.123:8443 10.148.45.200:22429 - -
[2021-12-20T05:10:58.601Z] "GET /healthz/ready HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.123.45.200" "ELB-HealthChecker/2.0" "22222222-bbbb-4444-dddd-666666666666" "10.123.45.200:30974" "-" outbound|80||demo-service.default.svc.cluster.local - 10.123.45.123:8443 10.123.45.200:15566 - -
2021-12-20T05:29:09.478225Z info xdsproxy connected to upstream XDS server: istiod.istio-system.svc:15012
Why is rbac_access_denied_matched_policy none here? I'm not using rbac in the K8s cluster. Is it necessary to use it in this case?
Role Based Access Control (RBAC) Filter
EDIT
Got new logs from Istio's ingress gateway
...
2021-12-21T03:36:41.819072Z debug envoy rbac checking request: requestedServerName: , sourceIP: 10.123.45.111:25965, directRemoteIP: 10.123.45.111:25965, remoteIP: 10.123.45.111:25965,localAddress: 10.123.46.222:8443, ssl: uriSanPeerCertificate: , dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', '10.123.45.111:30974'
':path', '/healthz/ready'
':method', 'GET'
':scheme', 'https'
'user-agent', 'ELB-HealthChecker/2.0'
'accept-encoding', 'gzip, compressed'
'x-forwarded-for', '10.123.45.111'
'x-forwarded-proto', 'https'
'x-envoy-internal', 'true'
'x-request-id', '123412231a-cb12-9732-859e-0213jladfsj9'
'x-envoy-decorator-operation', 'demo-service.default.svc.cluster.local:80/*'
, dynamicMetadata:
2021-12-21T03:36:41.819091Z debug envoy rbac enforced allowed, matched policy none
The remote IP address is not passed to the gateway by default. To use the external IP address in the AuthorizationPolicy, you can change the externalTrafficPolicy of the ingress gateway. You can test it with the following:
kubectl patch svc istio-ingressgateway -n istio-system -p '{"spec":{"externalTrafficPolicy":"Local"}}'
If it works, you should add it to your IstioOperator (or create one) and apply it when installing Istio.
If you don't want to change the TrafficPolicy, you can do it with remoteIpBlocks instead of ipBlocks in the AuthorizationPolicy. But I haven't tried it myself; for reference:
https://istio.io/latest/docs/tasks/security/authorization/authz-ingress/#ip-based-allow-list-and-deny-list
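As an added example (not from the question or the answer above), both fixes the answer mentions written out in full: the gateway policy with remoteIpBlocks in place of ipBlocks, plus an IstioOperator fragment that sets numTrustedProxies (which remoteIpBlocks needs in order to trust X-Forwarded-For) and externalTrafficPolicy: Local. The public IP 203.0.113.10/32, the load balancer range 10.123.0.0/16 and numTrustedProxies: 1 (one load balancer hop) are placeholder assumptions.

```yaml
# Added example, not from the original post. 203.0.113.10/32 and 10.123.0.0/16
# are placeholders; substitute your own public IP and load balancer range.
# The policy selects the gateway pods, so it belongs in the gateway's namespace
# (istio-system) even though the application itself runs in default.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  # remoteIpBlocks matches the original client address taken from X-Forwarded-For
  # (or PROXY protocol). ipBlocks matches the address on the TCP connection, which
  # behind the load balancer is the 10.x node/ELB address seen in the logs above,
  # so the original policy matched nothing and ALLOW denied every request.
  - from:
    - source:
        remoteIpBlocks: ["203.0.113.10/32"]
  # Without this rule the load balancer's health checks (ELB-HealthChecker in the
  # logs) are also denied with 403 and the target is marked unhealthy. The health
  # checker connects directly, so its connection address is what is matched here.
  - from:
    - source:
        ipBlocks: ["10.123.0.0/16"]
    to:
    - operation:
        paths: ["/healthz/ready"]
---
# remoteIpBlocks only works if Envoy trusts X-Forwarded-For: numTrustedProxies
# tells it how many proxies sit in front of the gateway (assumed here: one).
# Otherwise the remote IP falls back to the connection address and the allow
# list matches nothing, which is the "matched policy none" symptom above.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      gatewayTopology:
        numTrustedProxies: 1
  # Alternative from the answer: externalTrafficPolicy: Local makes the Service
  # preserve the client source address, so plain ipBlocks would also work. It
  # also disables cross-node forwarding, so the load balancer must only send
  # traffic to nodes that actually run a gateway pod.
  components:
    ingressGateways:
    - name: istio-ingressgateway
      k8s:
        service:
          externalTrafficPolicy: Local
```

After applying either change, the debug line "rbac checking request: ... remoteIP: ..." in the gateway log should show the public client address instead of the 10.x load balancer address, and the access log's matched policy should name ingress-policy rather than none.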