istio入门系列之配置安全策略

本章我们来讲讲如何通过istio来给业务pod进行安全的配置。istio的安全配置对于业务是透明的,istio的安全架构如下,主要是在istiod里进行认证和授权。

upload-image

首先我们给demo下的httpbin这个服务配置一个安全策略,这里默认访问策略是拒绝所有访问

1
2
3
4
5
6
7
8
9
10
11
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: demo
spec:
  selector:
    matchLabels:
      app: httpbin
EOF

下面我们通过sleep服务来测试下是否可以访问到httpbin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
[root@VM-0-13-centos istio-1.5.1]# kubectl get pod -n demo
NAME                          READY   STATUS    RESTARTS   AGE
httpbin-5f48f6c76b-q5rvv      2/2     Running   0          6d2h
httpbin-v2-5bd46f68f9-fjp84   2/2     Running   0          47h
sleep-5b7bf56c54-bhsk8        2/2     Running   0          6d2h
[root@VM-0-13-centos istio-1.5.1]# kubectl exec -it sleep-5b7bf56c54-bhsk8 -n demo -c sleep -- curl http://httpbin.demo:8000/get
RBAC: access denied[root@VM-0-13-centos istio-1.5.1]# kubectl exec -it sleep-5b7bf56c54-bhsk8 -n demo -c sleep -- curl http://httpbin-v2.demo:8000/get
{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Content-Length": "0", 
    "Host": "httpbin-v2.demo:8000", 
    "User-Agent": "curl/7.69.1", 
    "X-B3-Sampled": "0", 
    "X-B3-Spanid": "8fda928356944839", 
    "X-B3-Traceid": "724aa8178d074e838fda928356944839", 
    "X-Envoy-Attempt-Count": "1", 
    "X-Envoy-Decorator-Operation": "httpbin-v2.demo.svc.cluster.local:8000/*", 
    "X-Envoy-Peer-Metadata": "ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwobCgxJTlNUQU5DRV9JUFMSCxoJMTAuMC4xLjMyCt0BCgZMQUJFTFMS0gEqzwEKDgoDYXBwEgcaBXNsZWVwChcKDGlzdGlvLmlvL3JldhIHGgUxLTYtOQohChFwb2QtdGVtcGxhdGUtaGFzaBIMGgo1YjdiZjU2YzU0CiQKGXNlY3VyaXR5LmlzdGlvLmlvL3Rsc01vZGUSBxoFaXN0aW8KKgofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIHGgVzbGVlcAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKGgoHTUVTSF9JRBIPGg1jbHVzdGVyLmxvY2FsCiAKBE5BTUUSGBoWc2xlZXAtNWI3YmY1NmM1NC1iaHNrOAoTCglOQU1FU1BBQ0USBhoEZGVtbwpGCgVPV05FUhI9GjtrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvZGVtby9kZXBsb3ltZW50cy9zbGVlcAoaCg9TRVJWSUNFX0FDQ09VTlQSBxoFc2xlZXAKGAoNV09SS0xPQURfTkFNRRIHGgVzbGVlcA==", 
    "X-Envoy-Peer-Metadata-Id": "sidecar~10.0.1.32~sleep-5b7bf56c54-bhsk8.demo~demo.svc.cluster.local"
  }, 
  "origin": "127.0.0.1", 
  "url": "http://httpbin-v2.demo:8000/get"
}

我们部署了v1和v2这2个版本的httpbin,发现只有httpbin-v2可以访问到

下面我们制定下只允许在demo这个namespace下和demo这个命名空间下拥有sleep这个sa身份的才能访问

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: httpbin
 namespace: demo
spec:
 action: ALLOW
 rules:
 - from:
   - source:
       principals: ["cluster.local/ns/demo/sa/sleep"]
   - source:
       namespaces: ["demo"]
EOF

下面我们测试下,分别通过demo和nwxdemo中这2个命名空间下的sleep服务来访问下demo下的httpbin服务

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[root@VM-0-13-centos istio-1.5.1]# kubectl exec -it sleep-5b7bf56c54-bhsk8 -n demo -c sleep -- curl http://httpbin.demo:8000/get
{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Content-Length": "0", 
    "Host": "httpbin.demo:8000", 
    "User-Agent": "curl/7.69.1", 
    "X-B3-Parentspanid": "408e7d7f4363a9bf", 
    "X-B3-Sampled": "0", 
    "X-B3-Spanid": "89c42647d4f04419", 
    "X-B3-Traceid": "7f9fb7b5cffbb30b408e7d7f4363a9bf", 
    "X-Envoy-Attempt-Count": "1", 
    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/demo/sa/httpbin;Hash=8047b0dc92219d97bf966222da87d61ac7c857f8a562f487f7a44e936da499e0;Subject=\"\";URI=spiffe://cluster.local/ns/demo/sa/sleep"
  }, 
  "origin": "127.0.0.1", 
  "url": "http://httpbin.demo:8000/get"
}
[root@VM-0-13-centos istio-1.5.1]# kubectl exec -it sleep-5b7bf56c54-fh29m -n nwxdemo -c sleep -- curl http://httpbin.demo:8000/get
RBAC: access denied

可以发下只有demo下的pod才有访问权限。

接下来我们放通下nwxdemo下的sleep服务访问权限

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: httpbin
 namespace: demo
spec:
 action: ALLOW
 rules:
 - from:
   - source:
       principals: ["cluster.local/ns/nwxdemo/sa/sleep"]
   - source:
       namespaces: ["demo"]
EOF

我们放通nwxdemo下拥有sleep这个sa的服务允许访问就行。

下面我们配置下限制只能访问httpbin特定的接口

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: httpbin
 namespace: demo
spec:
 action: ALLOW
 rules:
 - from:
   - source:
       principals: ["cluster.local/ns/demo/sa/sleep"]
   - source:
       namespaces: ["demo"]
   to:
   - operation:
       methods: ["GET"]
       paths: ["/get"]
EOF

测试可以发现,sleep只能访问到httpbin的get接口,无法访问ip

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[root@VM-0-13-centos istio-1.5.1]# kubectl exec -it sleep-5b7bf56c54-bhsk8 -n demo -c sleep -- curl http://httpbin.demo:8000/get
{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Content-Length": "0", 
    "Host": "httpbin.demo:8000", 
    "User-Agent": "curl/7.69.1", 
    "X-B3-Parentspanid": "22a55f5bbea49ab5", 
    "X-B3-Sampled": "0", 
    "X-B3-Spanid": "33800e033e1cb882", 
    "X-B3-Traceid": "cc3a5b206a1a57be22a55f5bbea49ab5", 
    "X-Envoy-Attempt-Count": "1", 
    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/demo/sa/httpbin;Hash=8047b0dc92219d97bf966222da87d61ac7c857f8a562f487f7a44e936da499e0;Subject=\"\";URI=spiffe://cluster.local/ns/demo/sa/sleep"
  }, 
  "origin": "127.0.0.1", 
  "url": "http://httpbin.demo:8000/get"
}
[root@VM-0-13-centos istio-1.5.1]# kubectl exec -it sleep-5b7bf56c54-bhsk8 -n demo -c sleep -- curl http://httpbin.demo:8000/ip
RBAC: access denied

下面我们给安全规则的条件再加一个限制,加上请求的header

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: httpbin
 namespace: demo
spec:
 action: ALLOW
 rules:
 - from:
   - source:
       principals: ["cluster.local/ns/demo/sa/sleep"]
   - source:
       namespaces: ["demo"]
   to:
   - operation:
       methods: ["GET"]
       paths: ["/get"]
   when:
   - key: request.headers[x-rfma-token]
     values: ["test*"]
EOF

从下面的测试访问看,我们只有加上请求头x-rfma-token:test*才能访问到httpbin,否则是访问不通的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[root@VM-0-13-centos istio-1.5.1]# kubectl exec -it sleep-5b7bf56c54-bhsk8 -n demo -c sleep -- curl http://httpbin.demo:8000/get
RBAC: access denied[root@VM-0-13-centos istio-1.5.1]# kubectl exec -it sleep-5b7bf56c54-bhsk8 -n demo -c sleep -- curl http://httpbin.demo:8000/get -H x-rfma-token:test1
{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Content-Length": "0", 
    "Host": "httpbin.demo:8000", 
    "User-Agent": "curl/7.69.1", 
    "X-B3-Parentspanid": "4f565c230a76c4c8", 
    "X-B3-Sampled": "0", 
    "X-B3-Spanid": "d4d8fed86d2ea3f5", 
    "X-B3-Traceid": "c7cd5c2f28b112664f565c230a76c4c8", 
    "X-Envoy-Attempt-Count": "1", 
    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/demo/sa/httpbin;Hash=8047b0dc92219d97bf966222da87d61ac7c857f8a562f487f7a44e936da499e0;Subject=\"\";URI=spiffe://cluster.local/ns/demo/sa/sleep", 
    "X-Rfma-Token": "test1"
  }, 
  "origin": "127.0.0.1", 
  "url": "http://httpbin.demo:8000/get"
}

安全策略里面主要存在以下几个字段,我们可以通过下面字段配置更丰富的安全访问策略

来源(source):

  • principal/namespace/ipBlock

操作(to):

  • host/method/path

条件(when):

  • request
  • source/destination
Istio
#Kubernetes #Istio
istio入门系列之配置安全策略
https://www.niewx.cn/2020/12/14/2020-12-14-Configure-security-policy-of-istio-entry-series/
作者
VashonNie
发布于
2020年12月14日
许可协议