安全管理
部署TLS网关
创建tls证书secret
kubectl create secret generic istio-ingressgateway-certs \
--from-file /etc/istio/ingressgateway-certs/mykey.key \
--from-file /etc/istio/ingressgateway-certs/mycrt.crt -n istio-system
gateway配置
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: mygw
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "aa.xiebo.pro"
tls:
httpsRedirect: true
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "aa.xiebo.pro"
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/mycrt.crt
privateKey: /etc/istio/ingressgateway-certs/mykey.key
#kubectl get deployments.apps -n istio-system istio-ingressgateway -o yaml可以看到默认secret挂载路径
部署多域名TLS网关
多域名证书secret配置
kubectl create secret generic istio-ingressgateway-certs \
--from-file /etc/istio/ingressgateway-certs/mycrt.crt \
--from-file /etc/istio/ingressgateway-certs/mykey.key \
--from-file /etc/istio/ingressgateway-certs/mycrt22.crt \
--from-file /etc/istio/ingressgateway-certs/mykey22.key -n istio-system
gateway配置
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: mygw
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "aa.xiebo.pro"
- "bb.xiebo.pro"
tls:
httpsRedirect: true
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "aa.xiebo.pro"
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/mycrt.crt
privateKey: /etc/istio/ingressgateway-certs/mykey.key
- port:
number: 443
name: https-aa
protocol: HTTPS
hosts:
- "bb.xiebo.pro"
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/mycrt2.crt
privateKey: /etc/istio/ingressgateway-certs/mykey2.key
mTLS认证 PeerAuthentication
-
mTLS (mutual TLS,双向TLS): 让客户端和服务器端通信的时候都必须进行TLS认证,默认情况下,在网格内部默认启用了mTLS了。
-
PERMISSIVE:工作负载接受双向TLS和纯文本流量。
当没有Sidecar的工作负载无法使用双向TLS时,此模式适合用在迁移过程。
通过使用sidecar注入迁移工作负载后,应该将模式切换为STRICT。
-
STRICT:工作负载仅接受双向TLS通信。
-
示例
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
spec:
mtls:
mode: STRICT
#不在网格内的pod无法访问
针对pod设置mtls
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
spec:
#选定含特定标签的pod
selector:
matchLabels:
run: pod1
mtls:
mode: STRICT
#针对端口设置,此处为80端口不使用mtls
portLevelMtls:
80:
mode: DISABLE
授权管理AuthorizationPolicy
授权管理类似于网络策略,用于配置客户端的访问许可
拒绝优先级 > 允许优先级
拒绝所有
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-all
spec:
{}
允许访问特定pod
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-pod1
namespace: ns1
spec:
selector:
matchLabels:
run: pod1
action: ALLOW
rules:
- {}
其他条件限制
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-pod1-policy
namespace: ns1
spec:
selector:
matchLabels:
run: pod1
action: ALLOW
rules:
- from:
#允许特定命名空间访问
#- source:
# namespaces:
# - "ns1"
#允许使用特定SA允许的pod访问
- source:
principals: ["cluster.local/ns/ns1/sa/default"]
#限定http methods
#- to:
#- operation:
# methods: ["GET"]
# hosts:
# - "svc1"
基于IP的限制
#允许或拒绝IP
rules:
- from:
- source:
ipBlocks: #允许
#notIpBlocks: #禁止
- "10.244.0.0/16"
#拒绝X-Forwarded-For为特定IP的访问,即访问到ingress的客户端IP
rules:
- from:
- source:
remoteIpBlocks: #这里是拒绝的意思
- "192.168.26.23"
使用when限定http header
rules:
- to:
- operation:
methods: ["GET","POST"]
hosts:
- "svc1"
- when:
- key: request.headers[test]
values:
- "test"
#when与from是或的关系