kubernetes - Istio mTLS only works between some services, even though tls-check prints status OK for every one of them

Reposted  Author: 行者123  Updated: 2023-12-02 11:56:43

I am trying to enable mTLS in a mesh where I already use Istio sidecars.
The problem I am running into is that I can only get connections working up to a certain point, after which they fail to connect.

This is how the services are set up at the moment, given my failing mTLS implementation (simplified):

Istio IngressGateway -> NGINX pod -> API gateway -> Service A -> [database] -> Service B

The first thing to note is that I use an NGINX pod as a load balancer to send requests to the API gateway or to the front-end pages. I tried keeping that setup without the Istio IngressGateway but could not get it to work. I then tried using the Istio IngressGateway and connecting directly to the API gateway through a VirtualService, but that also failed for me. So I am keeping it this way for now, since it is the only way my requests reach the API gateway successfully.

Another thing to note is that Service A first connects to a database outside the mesh and then makes a request to Service B, which is inside the mesh with mTLS enabled.

NGINX, the API gateway, Service A and Service B are inside the mesh with mTLS enabled, and "istioctl authn tls-check" shows their status as OK.

NGINX and the API gateway are in a namespace called "gateway", the database is in "auth", and Service A and Service B are in another namespace called "api".

The Istio IngressGateway currently lives in the "istio-system" namespace.

So the problem is this: if I set STRICT mode on the gateway namespace and PERMISSIVE on api, everything works, but as soon as I set STRICT on api, I see the request reach Service A, and then the request sent to Service B fails with a 500.

This is the output I see in the istio-proxy container of the Service A pod when it fails:

api/serviceA[istio-proxy]: [2019-09-02T12:59:55.366Z] "- - -" 0 - "-" "-" 1939 0 2 - "-" "-" "-" "-" "10.20.208.248:4567" outbound|4567||database.auth.svc.cluster.local 10.20.128.44:35366 10.20.208.248:4567 10.20.128.44:35364 -
api/serviceA[istio-proxy]: [2019-09-02T12:59:55.326Z] "POST /api/my-call HTTP/1.1" 500 - "-" "-" 74 90 60 24 "10.90.0.22, 127.0.0.1, 127.0.0.1" "PostmanRuntime/7.15.0" "14d93a85-192d-4aa7-aa45-1501a71d4924" "serviceA.api.svc.cluster.local:9090" "127.0.0.1:9090" inbound|9090|http-serviceA|serviceA.api.svc.cluster.local - 10.20.128.44:9090 127.0.0.1:0 outbound_.9090_._.serviceA.api.svc.cluster.local

But there is no message at all in Service B.

Currently I have no global MeshPolicy; I am setting a Policy and a DestinationRule per namespace.

Policy:
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: gateway
spec:
  peers:
  - mtls:
      mode: STRICT

---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: auth
spec:
  peers:
  - mtls:
      mode: STRICT

---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: api
spec:
  peers:
  - mtls:
      mode: STRICT

DestinationRule:
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "mutual-gateway"
  namespace: "gateway"
spec:
  host: "*.gateway.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

---
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "mutual-api"
  namespace: "api"
spec:
  host: "*.api.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

---
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "mutual-auth"
  namespace: "auth"
spec:
  host: "*.auth.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

Then I have a few DestinationRules that disable mTLS for the database (I want the other services in the same namespace to keep mTLS enabled) and for the Kubernetes API server:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "myDatabase"
  namespace: "auth"
spec:
  host: "database.auth.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: DISABLE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "k8s-api-server"
  namespace: default
spec:
  host: "kubernetes.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: DISABLE

Then I set up my IngressGateway as:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ingress-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - my-api.example.com
    tls:
      httpsRedirect: true # sends 301 redirect for http requests
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - my-api.example.com

Finally, my VirtualServices:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ingress-nginx
  namespace: gateway
spec:
  hosts:
  - my-api.example.com
  gateways:
  - ingress-gateway.istio-system
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        port:
          number: 80
        host: ingress.gateway.svc.cluster.local # this is NGINX pod
    corsPolicy:
      allowOrigin:
      - my-api.example.com
      allowMethods:
      - POST
      - GET
      - DELETE
      - PATCH
      - OPTIONS
      allowCredentials: true
      allowHeaders:
      - "*"
      maxAge: "24h"

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: api-gateway
  namespace: gateway
spec:
  hosts:
  - my-api.example.com
  - api-gateway.gateway.svc.cluster.local
  gateways:
  - mesh
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        port:
          number: 80
        host: api-gateway.gateway.svc.cluster.local
    corsPolicy:
      allowOrigin:
      - my-api.example.com
      allowMethods:
      - POST
      - GET
      - DELETE
      - PATCH
      - OPTIONS
      allowCredentials: true
      allowHeaders:
      - "*"
      maxAge: "24h"

One thing I do not understand is why I have to create a VirtualService for my API gateway, and why I have to use "mesh" in its gateways block. If I remove that block, my request does not arrive at the API gateway; if I keep it, it works and my request even reaches the next service (Service A), but not the one after that.

Thanks for your help. I am really stuck on this.

Listener dump for Service A:
ADDRESS           PORT      TYPE
10.20.128.44 9090 HTTP
10.20.253.21 443 TCP
10.20.255.77 80 TCP
10.20.240.26 443 TCP
0.0.0.0 7199 TCP
10.20.213.65 15011 TCP
0.0.0.0 7000 TCP
10.20.192.1 443 TCP
0.0.0.0 4568 TCP
0.0.0.0 4444 TCP
10.20.255.245 3306 TCP
0.0.0.0 7001 TCP
0.0.0.0 9160 TCP
10.20.218.226 443 TCP
10.20.239.14 42422 TCP
10.20.192.10 53 TCP
0.0.0.0 4567 TCP
10.20.225.206 443 TCP
10.20.225.166 443 TCP
10.20.207.244 5473 TCP
10.20.202.47 44134 TCP
10.20.227.251 3306 TCP
0.0.0.0 9042 TCP
10.20.207.141 3306 TCP
0.0.0.0 15014 TCP
0.0.0.0 9090 TCP
0.0.0.0 9091 TCP
0.0.0.0 9901 TCP
0.0.0.0 15010 TCP
0.0.0.0 15004 TCP
0.0.0.0 8060 TCP
0.0.0.0 8080 TCP
0.0.0.0 20001 TCP
0.0.0.0 80 TCP
0.0.0.0 10589 TCP
10.20.128.44 15020 TCP
0.0.0.0 15001 TCP
0.0.0.0 9000 TCP
10.20.219.237 9090 TCP
10.20.233.60 80 TCP
10.20.200.156 9100 TCP
10.20.204.239 9093 TCP
0.0.0.0 10055 TCP
0.0.0.0 10054 TCP
0.0.0.0 10251 TCP
0.0.0.0 10252 TCP
0.0.0.0 9093 TCP
0.0.0.0 6783 TCP
0.0.0.0 10250 TCP
10.20.217.136 443 TCP
0.0.0.0 15090 HTTP

Cluster dump in JSON format: https://pastebin.com/73zmAPWg

Listener dump in JSON format: https://pastebin.com/Pk7ddPJ2

Curl command from the Service A container to Service B:
/opt/app # curl -X POST -v "http://serviceB.api.svc.cluster.local:4567/session/xxxxxxxx=?parameters=hi"
* Trying 10.20.228.217...
* TCP_NODELAY set
* Connected to serviceB.api.svc.cluster.local (10.20.228.217) port 4567 (#0)
> POST /session/xxxxxxxx=?parameters=hi HTTP/1.1
> Host: serviceB.api.svc.cluster.local:4567
> User-Agent: curl/7.61.1
> Accept: */*
>
* Empty reply from server
* Connection #0 to host serviceB.api.svc.cluster.local left intact
curl: (52) Empty reply from server

If I disable mTLS, the request from Service A reaches Service B via curl.
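The question's Policy and DestinationRule manifests, run through a configuration-only consistency check of the kind "istioctl authn tls-check" performs: for each destination host it derives the server-side mode (namespace Policy, else MeshPolicy, else plaintext), the client-side mode (the best-matching DestinationRule, else plaintext) and whether the pair can complete a handshake. This is an added example, not code from the question, the answer or Istio. The manifests are re-encoded as Python dicts so it runs without PyYAML; the host list, the set of sidecar-less workloads (the database the question says sits outside the mesh, and the API server) and the precedence rules (exact DestinationRule host beats wildcard; STRICT is satisfied only by ISTIO_MUTUAL; a plaintext server only by DISABLE) are this example's assumptions, stated in the comments.

```python
"""Config-only mTLS consistency check modelled on `istioctl authn tls-check`.

Added example, not from the page's author or from Istio. It mirrors the
question's Policy and DestinationRule manifests as Python dicts and reports,
per destination host, the server-side mode, the client-side mode and whether
the two can talk. All precedence rules below are assumptions of this example.
"""
from fnmatch import fnmatchcase

# --- Constructed copies of the manifests shown in the question -------------
POLICIES = [  # authentication.istio.io/v1alpha1 Policy "default", one per namespace
    {"namespace": "gateway", "mode": "STRICT"},
    {"namespace": "auth", "mode": "STRICT"},
    {"namespace": "api", "mode": "STRICT"},
]
MESH_POLICY = None  # the question states there is no global MeshPolicy

DESTINATION_RULES = [  # networking.istio.io/v1alpha3 DestinationRule
    {"name": "mutual-gateway", "host": "*.gateway.svc.cluster.local", "mode": "ISTIO_MUTUAL"},
    {"name": "mutual-api", "host": "*.api.svc.cluster.local", "mode": "ISTIO_MUTUAL"},
    {"name": "mutual-auth", "host": "*.auth.svc.cluster.local", "mode": "ISTIO_MUTUAL"},
    {"name": "myDatabase", "host": "database.auth.svc.cluster.local", "mode": "DISABLE"},
    {"name": "k8s-api-server", "host": "kubernetes.default.svc.cluster.local", "mode": "DISABLE"},
]

# Hosts named in the question (assumed FQDNs). A workload without a sidecar
# cannot enforce a Policy, so it is modelled as a plaintext server.
HOSTS = [
    "ingress.gateway.svc.cluster.local",
    "api-gateway.gateway.svc.cluster.local",
    "serviceA.api.svc.cluster.local",
    "serviceB.api.svc.cluster.local",
    "database.auth.svc.cluster.local",
    "kubernetes.default.svc.cluster.local",
]
SIDECARLESS = {"database.auth.svc.cluster.local", "kubernetes.default.svc.cluster.local"}


def namespace_of(host):
    """'svc.ns.svc.cluster.local' -> 'ns'."""
    return host.split(".")[1]


def server_mode(host, policies=POLICIES, mesh_policy=MESH_POLICY, sidecarless=SIDECARLESS):
    """Mode the receiving sidecar enforces: namespace Policy, else MeshPolicy, else plaintext."""
    if host in sidecarless:
        return "PLAINTEXT"
    ns = namespace_of(host)
    for policy in policies:
        if policy["namespace"] == ns:
            return policy["mode"]
    return mesh_policy["mode"] if mesh_policy else "PLAINTEXT"


def client_mode(host, rules=DESTINATION_RULES):
    """TLS mode the calling sidecar uses. Assumption: the most specific matching
    DestinationRule host wins (exact name beats wildcard); no rule means plaintext."""
    matches = [r for r in rules if fnmatchcase(host, r["host"])]
    if not matches:
        return "DISABLE"
    best = max(matches, key=lambda r: (not r["host"].startswith("*"), len(r["host"])))
    return best["mode"]


def status(server, client):
    """OK when what the client sends satisfies what the server enforces, else CONFLICT."""
    if server == "STRICT":
        return "OK" if client == "ISTIO_MUTUAL" else "CONFLICT"
    if server == "PERMISSIVE":  # accepts Istio mTLS or plaintext
        return "OK" if client in ("ISTIO_MUTUAL", "DISABLE") else "CONFLICT"
    # PLAINTEXT server: a client that starts a TLS handshake gets no usable reply
    return "OK" if client == "DISABLE" else "CONFLICT"


def check(hosts=HOSTS, policies=POLICIES, rules=DESTINATION_RULES,
          mesh_policy=MESH_POLICY, sidecarless=SIDECARLESS):
    """Return {host: (server_mode, client_mode, status)}, the columns tls-check prints."""
    report = {}
    for host in hosts:
        server = server_mode(host, policies, mesh_policy, sidecarless)
        client = client_mode(host, rules)
        report[host] = (server, client, status(server, client))
    return report


def conflicts(**kwargs):
    """Sorted hosts whose status is not OK, for the same keyword arguments as check()."""
    return sorted(h for h, (_, _, st) in check(**kwargs).items() if st != "OK")


if __name__ == "__main__":
    print(f"{'HOST':40} {'SERVER':10} {'CLIENT':13} STATUS")
    for host, (server, client, st) in check().items():
        print(f"{host:40} {server:10} {client:13} {st}")
    # Without the database-specific rule, the wildcard *.auth rule would make
    # callers insist on mTLS towards a sidecar-less database.
    without_db = [r for r in DESTINATION_RULES if r["name"] != "myDatabase"]
    print("conflicts without the myDatabase rule:", conflicts(rules=without_db))
```

With the question's manifests every host comes out OK, and removing the "myDatabase" rule makes database.auth show a CONFLICT, which is what the DISABLE rule exists to prevent. Like tls-check itself, the check only reasons from configuration: it does not know whether a pod actually carries a sidecar, how a service port is named (which decides whether the sidecar treats it as HTTP or raw TCP), or what the proxy does at runtime, so a host can pass here and still fail on the wire.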

Best answer

General tips for debugging an Istio service mesh:

  • Check the requirements for services and pods.
  • Try to perform a task similar to one from the Istio tasks list. See whether that task works, and find the differences from your own task.
  • Follow the instructions in the Istio troubleshooting section.
  • Regarding "kubernetes - Istio mTLS only works between some services, even though tls-check prints status OK for every one of them", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/57716088/
