Istio-Security (10)
[root@xksmaster1 04-Egress-Gateway]# kubectl api-versions
admissionregistration.k8s.io/v1
apiextensions.k8s.io/v1
apiregistration.k8s.io/v1
apps/v1
authentication.k8s.io/v1
authorization.k8s.io/v1
autoscaling/v1
autoscaling/v2
batch/v1
certificates.k8s.io/v1
coordination.k8s.io/v1
crd.projectcalico.org/v1
discovery.k8s.io/v1
events.k8s.io/v1
extensions.istio.io/v1alpha1
flowcontrol.apiserver.k8s.io/v1beta2
flowcontrol.apiserver.k8s.io/v1beta3
install.istio.io/v1alpha1
kuboard.cn/v1
networking.istio.io/v1alpha3
networking.istio.io/v1beta1
networking.k8s.io/v1
node.k8s.io/v1
policy/v1
rbac.authorization.k8s.io/v1
scheduling.k8s.io/v1
security.istio.io/v1
security.istio.io/v1beta1
storage.k8s.io/v1
storage.k8s.io/v1beta1
telemetry.istio.io/v1alpha1
v1
[root@xksmaster1 04-Egress-Gateway]# kubectl api-versions --api-group=security.istio.io
error: unknown flag: --api-group
See 'kubectl api-versions --help' for usage.
[root@xksmaster1 04-Egress-Gateway]# kubectl api-resources --api-group=security.istio.io
NAME SHORTNAMES APIVERSION NAMESPACED KIND
authorizationpolicies security.istio.io/v1 true AuthorizationPolicy
peerauthentications pa security.istio.io/v1beta1 true PeerAuthentication
requestauthentications ra security.istio.io/v1 true RequestAuthentication
Identity and certificate management workflow
Other notes
Service mesh:
Security:
Authentication: peer (process-to-process) authentication (link encryption), end-user authentication
Authorization: RBAC/ABAC
Peer authentication:
X.509
simple TLS: the client authenticates the server
mutual TLS = mTLS: two-way authentication
link encryption
Workload sidecar:
X.509, subject
ID
SPIFFE:
node attestation
workload attestation
SPIRE/Citadel
API Server:
Node Resource (kubelet): node attestation
Pod Resource: workload attestation
spiffe://trust_domain/namespaces/<namespace>/ServiceAccounts/<SERVICEACCOUNT>
trust_domain: cluster.local
<namespace>: the namespace the Pod runs in
<SERVICEACCOUNT>: the name of the ServiceAccount the Pod runs as
Certificate issuance:
Citadel: built-in CA
SDS (xDS API)
Service:
Listener: Port
Route
Cluster: the endpoints it maps to
Endpoint
Envoy:
Client: TLS origination, configured on the Cluster
DestinationRule CRD
Server: TLS termination, configured on the Listener
PeerAuthentication CRD
The server side configures its TLS policy through PeerAuthentication; the client side configures, through DestinationRule, how it complies with the server's policy
The intersection of the two determines whether TLS is actually used
End-user authentication
JWT: JSON Web Token
The server side configures its JWT authentication policy through the RequestAuthentication CRD; the client completes authentication by attaching a token
A token-issuing service (authentication server) trusted by both parties is responsible for generating the token
Authorization:
AuthorizationPolicy CRD
The server side configures authentication policy with the RequestAuthentication CRD and/or the PeerAuthentication CRD
Once authentication completes, the server has the user's identity
RA: UserName
PA: Subject CN
Authorization policy is configured through the AuthorizationPolicy CRD and is ultimately evaluated against that identity
Configuration logic: define permitted access based on the identity of the requesting user
Configuration options:
RBAC: built into Envoy
ABAC (extauthz): configure an external authorization service and delegate the decision to that third party; the real authorization policy then lives on the external service
OPA: Open Policy Agent
Gateway CRD:
Common configurations:
Enable one-way TLS; the server side (Gateway) must be configured with a certificate, and that certificate is not issued automatically by Citadel
Enable JWT authentication; the server side should usually handle the case where the client has not yet authenticated (return the server's own authentication page to the client)
How authentication policies take effect:
PeerAuthentication:
Older wins over newer: when multiple policies exist at the same level, the earliest created one takes effect;
When policies exist at multiple levels, they are searched from the narrowest scope to the widest: selector --> namespace --> root namespace
Only one ultimately takes effect;
RequestAuthentication:
Combined policies: merged
What finally takes effect is the union of all levels and of every policy at each level
Recommendation: configure only one policy per namespace level
Example 1: same namespace (default), both sides inside the mesh, PERMISSIVE, mTLS supported:
[root@xksmaster1 01-PeerAuthentication-Policy-Basics]# ll
total 12
-rw-r--r-- 1 root root 153 Aug 20 2022 01-namespace-default-peerauthn.yaml
-rw-r--r-- 1 root root 197 Aug 20 2022 02-demoapp-peerauthn.yaml
-rw-r--r-- 1 root root 307 Aug 20 2022 03-destinationrule-demoapp-mtls.yaml
# All services in the default namespace accept either TLS or plaintext
[root@xksmaster1 01-PeerAuthentication-Policy-Basics]# cat 01-namespace-default-peerauthn.yaml
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: PERMISSIVE
---
[root@xksmaster1 01-PeerAuthentication-Policy-Basics]# cat 02-demoapp-peerauthn.yaml
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: demoapp
  namespace: default
spec:
  selector:
    matchLabels:
      app: demoapp
  mtls:
    mode: STRICT
---
[root@xksmaster1 01-PeerAuthentication-Policy-Basics]# cat 03-destinationrule-demoapp-mtls.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: demoapp
spec:
  host: demoapp
  trafficPolicy:
    loadBalancer:
      simple: LEAST_CONN
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: v10
    labels:
      version: v1.0
  - name: v11
    labels:
      version: v1.1
[root@xksmaster1 01-PeerAuthentication-Policy-Basics]# kubectl apply -f 01-namespace-default-peerauthn.yaml
peerauthentication.security.istio.io/default created
[root@xksmaster1 01-PeerAuthentication-Policy-Basics]# kubectl get pa
NAME MODE AGE
default PERMISSIVE 4s
# PERMISSIVE means: if the client speaks TLS, the server uses TLS too; if the client does not speak TLS, the exchange is plaintext
# Test whether the sleep client in the default namespace talks TLS to the demoapp service
[root@xksmaster1 ~]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
sleep-bc9998558-bl49z 2/2 Running 4 (4d4h ago) 9d 10.244.182.2 xksnode1 <none> <none>
# sleep runs on xksnode1, so capture with tcpdump on the cali7816ffac6c2 interface of node1
[root@xksnode1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.244.182.2 0.0.0.0 255.255.255.255 UH 0 0 0 cali7816ffac6c2
[root@xksnode1 ~]# tcpdump -i cali7816ffac6c2 -nn -X tcp port 8080
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on cali7816ffac6c2, link-type EN10MB (Ethernet), capture size 262144 bytes
15:21:27.282017 IP 10.244.182.2.58438 > 10.244.207.68.8080: Flags [P.], seq 3230555563:3230556715, ack 2578782444, win 380, options [nop,nop,TS val 361608293 ecr 361585307], length 1152: HTTP
15:21:27.284551 IP 10.244.207.68.8080 > 10.244.182.2.58438: Flags [P.], seq 1:1154, ack 1152, win 352, options [nop,nop,TS val 361606603 ecr 361608293], length 1153: HTTP
Example 2: a different namespace (demo), PERMISSIVE, plaintext accepted:
kubectl create ns demo
[root@xksmaster1 sleep]# cat sleep-demo.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sleep
  namespace: demo
---
apiVersion: v1
kind: Service
metadata:
  namespace: demo
  name: sleep
  labels:
    app: sleep
    service: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: demo
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      terminationGracePeriodSeconds: 0
      serviceAccountName: sleep
      containers:
      - name: sleep
        image: curlimages/curl
        command: ["/bin/sleep", "infinity"]
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /etc/sleep/tls
          name: secret-volume
      volumes:
      - name: secret-volume
        secret:
          secretName: sleep-secret
          optional: true
---
[root@xksmaster1 sleep]# kubectl apply -f sleep-demo.yaml
[root@xksmaster1 sleep]# kubectl get pods -n demo
NAME READY STATUS RESTARTS AGE
client-15598 1/1 Running 0 46m
client-4549 1/1 Running 0 49m
sleep-bc9998558-wdk7b 1/1 Running 0 32m
[root@xksmaster1 sleep]# kubectl get pods -n demo -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
client-15598 1/1 Running 0 46m 10.244.182.12 xksnode1 <none> <none>
client-4549 1/1 Running 0 49m 10.244.207.70 xksnode2 <none> <none>
sleep-bc9998558-wdk7b 1/1 Running 0 32m 10.244.207.73 xksnode2 <none> <none>
# Check on node2
[root@xksnode2 ~]# route -n | grep 10.244.207.73
10.244.207.73 0.0.0.0 255.255.255.255 UH 0 0 0 caliaa5a97d1346
# Make the request from master1
[root@xksmaster1 sleep]# kubectl exec -it sleep-bc9998558-wdk7b -n demo -- /bin/sh
/ $
/ $
/ $ curl demoapp.default:8080
iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-54757f48d6-xfx88, ServerIP: 10.244.182.1
[root@xksnode2 ~]# tcpdump -i caliaa5a97d1346 -nn -X tcp port 8080
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on caliaa5a97d1346, link-type EN10MB (Ethernet), capture size 262144 bytes
16:19:50.665589 IP 10.244.207.73.36034 > 10.98.253.5.8080: Flags [S], seq 2097085422, win 28800, options [mss 1440,sackOK,TS val 365110073 ecr 0,nop,wscale 7], length 0
16:19:50.666051 IP 10.98.253.5.8080 > 10.244.207.73.36034: Flags [S.], seq 962665393, ack 2097085423, win 28560, options [mss 1440,sackOK,TS val 365111675 ecr 365110073,nop,wscale 7], length 0
16:19:50.666093 IP 10.244.207.73.36034 > 10.98.253.5.8080: Flags [.], ack 1, win 225, options [nop,nop,TS val 365110074 ecr 365111675], length 0
16:19:50.666185 IP 10.244.207.73.36034 > 10.98.253.5.8080: Flags [P.], seq 1:84, ack 1, win 225, options [nop,nop,TS val 365110074 ecr 365111675], length 83: HTTP: GET / HTTP/1.1
0x0000: 4500 0087 d8d9 4000 4006 7ff2 0af4 cf49 E.....@.@......I
0x0010: 0a62 fd05 8cc2 1f90 7cfe fbef 3961 1bb2 .b......|...9a..
0x0020: 8018 00e1 e21e 0000 0101 080a 15c3 233a ..............#:
0x0030: 15c3 297b 4745 5420 2f20 4854 5450 2f31 ..){GET./.HTTP/1
0x0040: 2e31 0d0a 486f 7374 3a20 6465 6d6f 6170 .1..Host:.demoap
0x0050: 702e 6465 6661 756c 743a 3830 3830 0d0a p.default:8080..
0x0060: 5573 6572 2d41 6765 6e74 3a20 6375 726c User-Agent:.curl
0x0070: 2f38 2e31 2e32 0d0a 4163 6365 7074 3a20 /8.1.2..Accept:.
0x0080: 2a2f 2a0d 0a0d 0a */*....
16:19:50.666622 IP 10.98.253.5.8080 > 10.244.207.73.36034: Flags [.], ack 84, win 224, options [nop,nop,TS val 365111676 ecr 365110074], length 0
16:19:50.679447 IP 10.98.253.5.8080 > 10.244.207.73.36034: Flags [P.], seq 1:358, ack 84, win 224, options [nop,nop,TS val 365111689 ecr 365110074], length 357: HTTP: HTTP/1.1 200 OK
0x0000: 4500 0199 32cf 4000 3e06 26eb 0a62 fd05 E...2.@.>.&..b..
0x0010: 0af4 cf49 1f90 8cc2 3961 1bb2 7cfe fc42 ...I....9a..|..B
0x0020: 8018 00e0 1e09 0000 0101 080a 15c3 2989 ..............).
0x0030: 15c3 233a 4854 5450 2f31 2e31 2032 3030 ..#:HTTP/1.1.200
0x0040: 204f 4b0d 0a63 6f6e 7465 6e74 2d74 7970 .OK..content-typ
0x0050: 653a 2074 6578 742f 6874 6d6c 3b20 6368 e:.text/html;.ch
0x0060: 6172 7365 743d 7574 662d 380d 0a63 6f6e arset=utf-8..con
0x0070: 7465 6e74 2d6c 656e 6774 683a 2031 3134 tent-length:.114
0x0080: 0d0a 7365 7276 6572 3a20 6973 7469 6f2d ..server:.istio-
0x0090: 656e 766f 790d 0a64 6174 653a 2046 7269 envoy..date:.Fri
0x00a0: 2c20 3039 204a 756e 2032 3032 3320 3038 ,.09.Jun.2023.08
0x00b0: 3a31 393a 3530 2047 4d54 0d0a 782d 656e :19:50.GMT..x-en
0x00c0: 766f 792d 7570 7374 7265 616d 2d73 6572 voy-upstream-ser
0x00d0: 7669 6365 2d74 696d 653a 2033 0d0a 782d vice-time:.3..x-
0x00e0: 656e 766f 792d 6465 636f 7261 746f 722d envoy-decorator-
0x00f0: 6f70 6572 6174 696f 6e3a 2064 656d 6f61 operation:.demoa
0x0100: 7070 2e64 6566 6175 6c74 2e73 7663 2e63 pp.default.svc.c
0x0110: 6c75 7374 6572 2e6c 6f63 616c 3a38 3038 luster.local:808
0x0120: 302f 2a0d 0a0d 0a69 4b75 6265 726e 6574 0/*....iKubernet
0x0130: 6573 2064 656d 6f61 7070 2076 312e 3020 es.demoapp.v1.0.
0x0140: 2121 2043 6c69 656e 7449 503a 2031 3237 !!.ClientIP:.127
0x0150: 2e30 2e30 2e36 2c20 5365 7276 6572 4e61 .0.0.6,.ServerNa
0x0160: 6d65 3a20 6465 6d6f 6170 7076 3130 2d35 me:.demoappv10-5
0x0170: 3437 3537 6634 3864 362d 7866 7838 382c 4757f48d6-xfx88,
0x0180: 2053 6572 7665 7249 503a 2031 302e 3234 .ServerIP:.10.24
0x0190: 342e 3138 322e 3121 0a 4.182.1!.
Example 3: strictly require mTLS on the demoapp server side
# mode: STRICT explicitly requires that any client talking to the server use TLS; the sleep pod in the demo namespace is outside the mesh and cannot use TLS, so it is rejected
# mTLS must be used strictly: mode: STRICT
[root@xksmaster1 01-PeerAuthentication-Policy-Basics]# cat 02-demoapp-peerauthn.yaml
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: demoapp
  namespace: default
spec:
  selector:
    matchLabels:
      app: demoapp
  mtls:
    mode: STRICT
---
[root@xksmaster1 01-PeerAuthentication-Policy-Basics]# kubectl apply -f 02-demoapp-peerauthn.yaml
peerauthentication.security.istio.io/demoapp created
[root@xksmaster1 01-PeerAuthentication-Policy-Basics]# kubectl get pa
NAME MODE AGE
default PERMISSIVE 88m
demoapp STRICT 6s
## Now a request to demoapp from the demo namespace is refused: the client is not in the mesh and has no Envoy injected, so it cannot do TLS and is rejected
[root@xksmaster1 sleep]# kubectl exec -it sleep-bc9998558-wdk7b -n demo -- /bin/sh
/ $ curl demoapp.default:8080
curl: (56) Recv failure: Connection reset by peer
# Clients inside the mesh can still reach it
[root@xksmaster1 01-PeerAuthentication-Policy-Basics]# kubectl exec -it sleep-bc9998558-bl49z -- /bin/sh
/ $ curl demoapp:8080
iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-54757f48d6-msqzp, ServerIP: 10.244.207.66!
Example 4:
# PA: PERMISSIVE, both plaintext and TLS allowed
# The DestinationRule => mode: ISTIO_MUTUAL requires the client to establish mutual TLS when it accesses demoapp
# Result: encrypted communication
# With the DestinationRule => mode: ISTIO_MUTUAL, demoapp is the server and the client must establish mutual TLS to it
[root@xksmaster1 01-PeerAuthentication-Policy-Basics]# cat 03-destinationrule-demoapp-mtls.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: demoapp
spec:
  host: demoapp
  trafficPolicy:
    loadBalancer:
      simple: LEAST_CONN
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: v10
    labels:
      version: v1.0
  - name: v11
    labels:
      version: v1.1
kubectl apply -f
# The capture shows encrypted traffic
18:22:24.682674 IP 10.244.207.66.8080 > 10.244.182.2.51128: Flags [P.], seq 2164:7031, ack 5281, win 310, options [nop,nop,TS val 372464094 ecr 372465690], length 4867: HTTP
Example 5:
# PA: PERMISSIVE, both plaintext and TLS allowed
# The DestinationRule => mode: DISABLE: the client does not use mTLS when it accesses demoapp
# Result: plaintext communication
[root@xksmaster1 01-PeerAuthentication-Policy-Basics]# kubectl delete -f 02-demoapp-peerauthn.yaml
#mode: DISABLE
[root@xksmaster1 01-PeerAuthentication-Policy-Basics]# cat 03-destinationrule-demoapp-mtls.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: demoapp
spec:
  host: demoapp
  trafficPolicy:
    loadBalancer:
      simple: LEAST_CONN
    tls:
      #mode: ISTIO_MUTUAL
      mode: DISABLE
  subsets:
  - name: v10
    labels:
      version: v1.0
  - name: v11
    labels:
      version: v1.1
# Now it is plaintext
18:31:36.977565 IP 10.244.182.1.8080 > 10.244.182.2.42618: Flags [P.], seq 1:1126, ack 1131, win 241, options [nop,nop,TS val 373017988 ecr 373017979], length 1125: HTTP: HTTP/1.1 200 OK
0x0000: 4500 0499 b137 4000 3f06 043c 0af4 b601 E....7@.?..<....
0x0010: 0af4 b602 1f90 a67a 05af 7c4d f2a6 ca44 .......z..|M...D
0x0020: 8018 00f1 8677 0000 0101 080a 163b cd84 .....w.......;..
0x0030: 163b cd7b 4854 5450 2f31 2e31 2032 3030 .;.{HTTP/1.1.200
0x0040: 204f 4b0d 0a63 6f6e 7465 6e74 2d74 7970 .OK..content-typ
0x0050: 653a 2074 6578 742f 6874 6d6c 3b20 6368 e:.text/html;.ch
0x0060: 6172 7365 743d 7574 662d 380d 0a63 6f6e arset=utf-8..con
0x0070: 7465 6e74 2d6c 656e 6774 683a 2031 3134 tent-length:.114
0x0080: 0d0a 7365 7276 6572 3a20 6973 7469 6f2d ..server:.istio-
0x0090: 656e 766f 790d 0a64 6174 653a 2046 7269 envoy..date:.Fri
0x00a0: 2c20 3039 204a 756e 2032 3032 3320 3130 ,.09.Jun.2023.10
0x00b0: 3a33 313a 3336 2047 4d54 0d0a 782d 656e :31:36.GMT..x-en
0x00c0: 766f 792d 7570 7374 7265 616d 2d73 6572 voy-upstream-ser
0x00d0: 7669 6365 2d74 696d 653a 2032 0d0a 782d vice-time:.2..x-
0x00e0: 656e 766f 792d 7065 6572 2d6d 6574 6164 envoy-peer-metad
0x00f0: 6174 613a 2043 6873 4b44 6b46 5155 4639 ata:.ChsKDkFQUF9
0x0100: 4454 3035 5551 556c 4f52 564a 5445 676b DT05UQUlORVJTEgk
Example 6:
# PA => DISABLE: the server side does not use TLS
# DestinationRule => mode: ISTIO_MUTUAL: the client is told to use TLS
Result: access refused; the client is told to use TLS, but the server does not support it
# PA mode: DISABLE
[root@xksmaster1 01-PeerAuthentication-Policy-Basics]# cat 01-namespace-default-peerauthn.yaml
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: DISABLE
---
# mode: ISTIO_MUTUAL: clients of demoapp must use TLS
[root@xksmaster1 01-PeerAuthentication-Policy-Basics]# cat 03-destinationrule-demoapp-mtls.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: demoapp
spec:
  host: demoapp
  trafficPolicy:
    loadBalancer:
      simple: LEAST_CONN
    tls:
      mode: ISTIO_MUTUAL
      #mode: DISABLE
  subsets:
  - name: v10
    labels:
      version: v1.0
  - name: v11
    labels:
      version: v1.1
# Access refused
/ $ curl demoapp:8080
upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection failure, transport failure reason: TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
/ $
Summary:
One thing to keep in mind when configuring PeerAuthentication:
The server side configures its TLS policy through PeerAuthentication; the client side configures, through DestinationRule, how it complies with the server's policy
Client side: this means the client that talks to demoapp, but its DestinationRule has to be defined against the server's Service;
sleep <--> demoapp
Things to note when defining a TLS policy for a Service:
1. The PeerAuthentication does not necessarily need a selector, but it must take effect on the target Service;
2. The DestinationRule must match the target Service;
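To tie the six examples together, here is an added model (written for these notes, not code from Istio) of how the server's effective PeerAuthentication mode and the client's DestinationRule TLS mode combine; the PeerAuthn class, the scope resolver and the auto-mTLS assumption for a sidecar client without a DestinationRule are my own.

```python
from dataclasses import dataclass, field

# Server-side PeerAuthentication mtls modes
STRICT, PERMISSIVE, DISABLE = "STRICT", "PERMISSIVE", "DISABLE"
# Client-side DestinationRule trafficPolicy.tls modes used in the examples
ISTIO_MUTUAL, DR_DISABLE = "ISTIO_MUTUAL", "DISABLE"


@dataclass
class PeerAuthn:
    """Hypothetical in-memory stand-in for a PeerAuthentication object."""
    name: str
    namespace: str
    mode: str
    created: int                                   # creation order: lower = older
    selector: dict = field(default_factory=dict)   # matchLabels; empty = namespace-wide


def effective_pa(policies, workload_ns, workload_labels, root_ns="istio-system"):
    """Return the single PeerAuthentication that governs a workload.
    Scope is searched narrowest to widest (selector > namespace > root namespace);
    within one scope the oldest policy wins. None means no policy applies."""
    def oldest(cands):
        return min(cands, key=lambda p: p.created) if cands else None

    by_selector = [p for p in policies
                   if p.namespace == workload_ns and p.selector
                   and all(workload_labels.get(k) == v for k, v in p.selector.items())]
    ns_wide = [p for p in policies if p.namespace == workload_ns and not p.selector]
    root = [p for p in policies if p.namespace == root_ns and not p.selector]
    return oldest(by_selector) or oldest(ns_wide) or oldest(root)


def connection_outcome(server_mode, client_in_mesh, dr_tls_mode=None):
    """Outcome of one request, given the server's effective PA mode, whether the
    client carries an Envoy sidecar, and the client's DestinationRule TLS mode.
    Assumption: a sidecar client with no DestinationRule follows Istio's default
    auto-mTLS, i.e. it originates mTLS whenever the server can accept it."""
    if not client_in_mesh:
        # No sidecar: the client can only send plaintext; a STRICT server resets it
        return "reset-by-server" if server_mode == STRICT else "plaintext"
    client_sends_tls = (dr_tls_mode == ISTIO_MUTUAL
                        or (dr_tls_mode is None and server_mode != DISABLE))
    if client_sends_tls:
        # A DISABLE server terminates no TLS, so the ClientHello reaches the plain
        # HTTP listener and the client sees WRONG_VERSION_NUMBER (example 6)
        return "tls-error-at-client" if server_mode == DISABLE else "mtls"
    return "reset-by-server" if server_mode == STRICT else "plaintext"


def page_examples():
    """The six scenarios above, as (example number, outcome) pairs."""
    pols = [PeerAuthn("default", "default", PERMISSIVE, created=1),
            PeerAuthn("demoapp", "default", STRICT, created=2, selector={"app": "demoapp"})]
    demoapp_mode = effective_pa(pols, "default", {"app": "demoapp"}).mode   # STRICT wins
    return [
        (1, connection_outcome(PERMISSIVE, client_in_mesh=True)),
        (2, connection_outcome(PERMISSIVE, client_in_mesh=False)),
        (3, connection_outcome(demoapp_mode, client_in_mesh=False)),
        (4, connection_outcome(PERMISSIVE, True, ISTIO_MUTUAL)),
        (5, connection_outcome(PERMISSIVE, True, DR_DISABLE)),
        (6, connection_outcome(DISABLE, True, ISTIO_MUTUAL)),
    ]


if __name__ == "__main__":
    for n, outcome in page_examples():
        print(f"example {n}: {outcome}")
```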