修改 Envoy 默认策略

  • REGISTRY_ONLY:sidecar 只允许访问服务注册表中已注册的服务(包括通过 ServiceEntry 注册的外部服务),其余出站流量会被拒绝
  • ALLOW_ANY:sidecar 对网格内访问网格外(未注册)服务不做限制,直接透传
# 运行以下命令,确认 meshConfig.outboundTrafficPolicy.mode 被设置为 ALLOW_ANY 或未设置:应看到 ALLOW_ANY 或没有任何输出(默认即为 ALLOW_ANY)
	kubectl get istiooperator installed-state -n istio-system -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'
	

# 如果你显式设置了 REGISTRY_ONLY 模式,可以将其改回 ALLOW_ANY,例如使用更改后的设置重新运行原始的 istioctl install 命令:
	istioctl install <flags-you-used-to-install-Istio> --set meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY
	istioctl install --set profile=demo -y --set meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY

# 将 meshConfig.outboundTrafficPolicy.mode(旧版本中为 global.outboundTrafficPolicy.mode)选项从 ALLOW_ANY 改为 REGISTRY_ONLY
	istioctl install <flags-you-used-to-install-Istio> \
                   --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY                   
    istioctl install --set profile=demo -y --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
	istioctl manifest generate --set profile=demo --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY | kubectl apply -f -



# kubectl edit istiooperator installed-state -n istio-system -o yaml  #不好使:安装完成后直接修改这个对象不会生效,需要通过 istioctl install 重新应用
  meshConfig:
    accessLogFile: /dev/stdout
    defaultConfig:
      proxyMetadata: {}
    enablePrometheusMerge: true
    outboundTrafficPolicy:  #添加这个
      mode: REGISTRY_ONLY
# 部署一个sleep测试访问外部情况
[root@k8s-master-1 istio-1.12.6]# istioctl kube-inject -f samples/sleep/sleep.yaml | kubectl apply -f -
serviceaccount/sleep created
service/sleep created
deployment.apps/sleep created


# 可以发现修改成 REGISTRY_ONLY 后,网格内访问未注册外部服务的流量都出不去了(sidecar 返回 502)
[root@k8s-master-1 istio-1.12.6]# kubectl exec sleep-786dd8679-5mvrg -c sleep -- curl  -sI http://httpbin.org/hearders
HTTP/1.1 502 Bad Gateway
date: Fri, 29 Apr 2022 04:13:20 GMT
server: envoy
transfer-encoding: chunked

REGISTRY_ONLY网格内默认策略

当将 mode 修改为 REGISTRY_ONLY 后

kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: busybox
spec:
  type: ClusterIP
  selector:
    app: httpd
  ports:
  - name: httpd
    port: 80
    targetPort: 80 
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpd
  template:
    metadata:
      labels:
        app: httpd
    spec:
      containers:
      - name: busybox
        image: busybox:1.28
        imagePullPolicy: IfNotPresent                                                                                                                                                                                                       
        command: ["/bin/sh","-c","echo 'this is busybox-httpd' > /var/www/index.html;httpd -f -h /var/www"]
        ports:
        - containerPort: 80
EOF
# 查看pod
[root@k8s-master-1 istio-1.12.6]# kubectl get pods 
NAME                       READY   STATUS    RESTARTS   AGE
busybox-5c7ff54796-f6l5m   2/2     Running   0          4s
sleep-786dd8679-vfmtz      2/2     Running   0          14m

# 使用sleep来访问外部服务
[root@k8s-master-1 istio-1.12.6]# kubectl exec sleep-786dd8679-vfmtz -- curl -sI http://www.baidu.com
Defaulting container name to sleep.
Use 'kubectl describe pod/sleep-786dd8679-vfmtz -n default' to see all of the containers in this pod.
HTTP/1.1 502 Bad Gateway
date: Fri, 29 Apr 2022 11:25:55 GMT
server: envoy
transfer-encoding: chunked


# 使用 sleep 来访问 busybox,可见 REGISTRY_ONLY 模式下默认仍允许集群内各个已注册服务之间互相访问
[root@k8s-master-1 istio-1.12.6]# kubectl exec sleep-786dd8679-vfmtz -- curl -sI http://busybox.default.svc.cluster.local
Defaulting container name to sleep.
Use 'kubectl describe pod/sleep-786dd8679-vfmtz -n default' to see all of the containers in this pod.
HTTP/1.1 200 OK
content-type: text/html
date: Fri, 29 Apr 2022 11:25:25 GMT
accept-ranges: bytes
last-modified: Fri, 29 Apr 2022 11:23:44 GMT
content-length: 22
x-envoy-upstream-service-time: 0
server: envoy

访问外部HTTP

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80                        # 访问httpbin.org:80
    name: http
    protocol: HTTP
  resolution: DNS                     # 使用DNS解析
  location: MESH_EXTERNAL
EOF
# 可见定义 ServiceEntry 后,网格内的容器即可访问这些已注册的外部服务
[root@k8s-master-1 istio-1.12.6]# kubectl exec sleep-786dd8679-5mvrg -c sleep -- curl  -sI http://httpbin.org/headers
HTTP/1.1 200 OK
date: Fri, 29 Apr 2022 04:26:13 GMT
content-type: application/json
content-length: 1192
server: envoy
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 584

访问外部HTTPS

# 访问测试
[root@k8s-master-1 istio-1.12.6]# kubectl exec busybox-5c7ff54796-f6l5m -c busybox -- wget --no-check-certificate https://www.baidu.com
Connecting to www.baidu.com (14.215.177.38:443)
wget: got bad TLS record (len:0) while expecting handshake record
wget: error getting response: Connection reset by peer
command terminated with exit code 1
[root@k8s-master-1 istio-1.12.6]# kubectl apply -f - <<EOF
> apiVersion: networking.istio.io/v1alpha3
> kind: ServiceEntry
> metadata:
>   name: google
> spec:
>   hosts:
>   - www.baidu.com
>   ports:
>   - number: 443
>     name: https
>     protocol: HTTPS
>   resolution: DNS
>   location: MESH_EXTERNAL
> EOF
serviceentry.networking.istio.io/google created
# 将外部 HTTPS 服务通过 ServiceEntry 注册到网格内
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google
spec:
  hosts:
  - www.baidu.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
EOF
# 访问测试,可见将 HTTPS 服务注册到网格内后,即可正常访问(--no-check-certificate 表示 wget 不校验证书,这里只用来验证连通性)
[root@k8s-master-1 istio-1.12.6]# kubectl exec busybox-5c7ff54796-f6l5m -c busybox -- wget --no-check-certificate https://www.baidu.com
Connecting to www.baidu.com (14.215.177.38:443)
index.html           100% |*******************************|  2443   0:00:00 ETA

管理到外部服务的流量

# 测试yaml
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80                        # 访问httpbin.org:80
    name: http
    protocol: HTTP
  resolution: DNS                     # 使用DNS解析
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3  
kind: VirtualService
metadata:
  name: httpbin-ext
spec:
  hosts:
    - httpbin.org
  http:
  - timeout: 3s       # 设置调用外部服务 httpbin.org 的超时时间为 3 秒:调用外部服务后,如果 3 秒内未返回结果,即认为超时
    route:
      - destination:
          host: httpbin.org
        weight: 100
EOF
# 用于测试超时的地址:http://www.httpbin.org/delay/5(延迟 5 秒后才响应)
# 当前能正常访问
[root@k8s-master-1 istio-1.12.6]# kubectl exec sleep-786dd8679-vfmtz -c sleep -- curl -sSI httpbin.org
HTTP/1.1 200 OK
date: Fri, 29 Apr 2022 11:58:22 GMT
content-type: text/html; charset=utf-8
content-length: 9593
server: envoy
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 513

# 让 httpbin 延迟 5 秒后再返回结果,因为超过了 3 秒的超时时间,Envoy 会判定超时并返回 504
[root@k8s-master-1 istio-1.12.6]# kubectl exec sleep-786dd8679-vfmtz -c sleep -- curl -sSI httpbin.org/delay/5
HTTP/1.1 504 Gateway Timeout
content-length: 24
content-type: text/plain
date: Fri, 29 Apr 2022 11:59:52 GMT
server: envoy

直接访问外部服务

  • 如果要让特定范围的 IP 完全绕过 Istio,则可以配置 Envoy sidecar,使其不拦截发往这些 IP 的外部请求。要设置绕过 Istio,请更改 global.proxy.includeIPRanges 或 global.proxy.excludeIPRanges 配置选项,并使用 kubectl apply 命令更新 istio-sidecar-injector 配置。也可以通过在 pod 上设置相应的注解进行配置,例如 traffic.sidecar.istio.io/includeOutboundIPRanges。istio-sidecar-injector 配置的更新只影响之后新部署应用的 pod
  • 与 Envoy 直通转发流量到外部服务不同(后者使用 ALLOW_ANY 流量策略,让 Istio sidecar 代理把调用透传给未知服务),该方法完全绕过了 sidecar,从而实质上禁用了指定 IP 的所有 Istio 功能。你不能像 ALLOW_ANY 方法那样为特定目标增量添加 service entry。因此,仅当出于性能或其他原因无法通过 sidecar 配置外部访问时,才建议把这种方式作为最后手段使用
# 确定需要经过 sidecar 的集群内部 IP 范围(service-cluster-ip-range),kubeadm 方式安装的:
	kubectl describe pod kube-apiserver -n kube-system | grep 'service-cluster-ip-range'

# 二进制方式安装的:
[root@k8s-master-1 istio-1.12.6]# grep "service-cluster-ip" /usr/lib/systemd/system/kube-apiserver.service 
    --service-cluster-ip-range=10.0.0.0/16 \

# 使用平台的内部 IP 范围更新 istio-sidecar-injector 的配置。比如,如果 IP 范围是 10.0.0.1/24,则使用以下命令(只有发往该范围的流量会经过 sidecar,其余流量直接绕过)
	istioctl install <flags-you-used-to-install-Istio> --set values.global.proxy.includeIPRanges="10.0.0.1/24"