备考ICA----Istio实验16---HTTP流量授权
1. 环境准备
bash
kubectl apply -f istio/samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f istio/samples/bookinfo/networking/bookinfo-gateway.yaml访问测试
bash
curl -I http://192.168.126.220/productpage
2. 开启mtls
mtls/mtls-default.yaml
yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: default
spec:
mtls:
mode: STRICT部署生效
bash
kubectl apply -f mtls/mtls-default.yaml3. 拒绝请求
default名称空间,拒绝所有请求
yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: default配置生效
bash
kubectl apply -f mtls/allow-nothing.yaml访问测试
bash
curl -I http://192.168.126.220/productpage
此时访问被拒绝.返回码403
4. 允许请求
4.1 productpage允许请求
允许以get方式访问productpage
auth/productpage-viewer.yaml
yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: productpage-viewer
namespace: default
spec:
selector:
matchLabels:
app: productpage
action: ALLOW
rules:
- to:
- operation:
methods: ["GET"]部署生效
bash
kubectl apply -f auth/productpage-viewer.yaml 访问测试
4.2 details允许请求
创建details-viewer允许从productpage访问到details
bash
kubectl get pods productpage-v1-675fc69cf-xlg4x -o yaml|grep -i serviceaccount
cluster.local 本地集群
ns/default 命名空间
sa/bookinfo-productpage sa账号
auth/details-viewer.yaml
yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: details-viewer
namespace: default
spec:
selector:
matchLabels:
app: details
action: ALLOW
rules:
- from:
- source:
principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
to:
- operation:
methods: ["GET"]部署生效
bash
kubectl apply -f auth/details-viewer.yaml浏览器再次访问
4.3 reviews允许请求
创建reviews-viewer允许从productpage访问到reviews
auth/reviews-viewer.yaml
yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: reviews-viewer
namespace: default
spec:
selector:
matchLabels:
app: reviews
action: ALLOW
rules:
- from:
- source:
principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
to:
- operation:
methods: ["GET"]部署生效
bash
kubectl apply -f auth/reviews-viewer.yaml此时reviews已经可以正常显示,但ratings还是有问题.
4.4 ratings允许请求
创建ratings-viewer允许从productpage访问到ratings
auth/ratings-viewer.yaml
yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: ratings-viewer
namespace: default
spec:
selector:
matchLabels:
app: ratings
action: ALLOW
rules:
- from:
- source:
principals: ["cluster.local/ns/default/sa/bookinfo-reviews"]
to:
- operation:
methods: ["GET"]部署生效
bash
kubectl apply -f auth/ratings-viewer.yaml再次访问,现在所有页面都能正常展示了
至此备考ICA----Istio实验16---HTTP流量授权实验完成