istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Sync replace "sleep" to “curl” part 2 into Chinese (#15793)

This commit is contained in:
Wilson Wu 2024-10-12 17:56:25 +08:00 committed by GitHub
parent 61789039f1
commit dd63078cc1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 110 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
content/zh/docs/setup/upgrade/canary/index.md
View File

@ -84,7 +84,7 @@ istiod-canary-6956db645c-vwhsk
`istiod-canary` 控制平面。这是在基于命名空间标签的 Sidecar 注入期间控制的 `istio.io/rev`
创建一个命名空间 `test-ns` 并启用 `istio-injection`
`test-ns` 命名空间中,部署一个示例 sleep Pod
`test-ns` 命名空间中,部署一个示例 curl Pod
1. 创建命名空间 `test-ns`
@ -98,10 +98,10 @@ istiod-canary-6956db645c-vwhsk
$ kubectl label namespace test-ns istio-injection=enabled
{{< /text >}}
1. 在 `test-ns` 命名空间中启动一个示例 sleep Pod。
1. 在 `test-ns` 命名空间中启动一个示例 curl Pod。
{{< text bash >}}
$ kubectl apply -n test-ns -f samples/sleep/sleep.yaml
$ kubectl apply -n test-ns -f samples/curl/curl.yaml
{{< /text >}}
要升级命名空间 `test-ns`,请删除 `istio-injection` 标签,然后添加 `istio.io/rev` 标签以指向
@ -164,12 +164,12 @@ $ istioctl proxy-status | grep "\.test-ns "
$ kubectl label ns app-ns-3 istio.io/rev=prod-canary
{{< /text >}}
1. 在每个命名空间中部署一个 sleep Pod 示例:
1. 在每个命名空间中部署一个 curl Pod 示例:
{{< text bash >}}
$ kubectl apply -n app-ns-1 -f samples/sleep/sleep.yaml
$ kubectl apply -n app-ns-2 -f samples/sleep/sleep.yaml
$ kubectl apply -n app-ns-3 -f samples/sleep/sleep.yaml
$ kubectl apply -n app-ns-1 -f samples/curl/curl.yaml
$ kubectl apply -n app-ns-2 -f samples/curl/curl.yaml
$ kubectl apply -n app-ns-3 -f samples/curl/curl.yaml
{{< /text >}}
1. 使用 `istioctl proxy-status` 命令验证应用程序与控制平面的映射:
@ -177,9 +177,9 @@ $ istioctl proxy-status | grep "\.test-ns "
{{< text bash >}}
$ istioctl ps
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
sleep-78ff5975c6-62pzf.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-{{< istio_full_version_revision >}}-7f6fc6cfd6-s8zfg {{< istio_full_version >}}
sleep-78ff5975c6-8kxpl.app-ns-1 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-{{< istio_previous_version_revision >}}-1-bdf5948d5-n72r2 {{< istio_previous_version >}}.1
sleep-78ff5975c6-8q7m6.app-ns-2 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-{{< istio_previous_version_revision >}}-1-bdf5948d5-n72r2 {{< istio_previous_version_revision >}}.1
curl-78ff5975c6-62pzf.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-{{< istio_full_version_revision >}}-7f6fc6cfd6-s8zfg {{< istio_full_version >}}
curl-78ff5975c6-8kxpl.app-ns-1 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-{{< istio_previous_version_revision >}}-1-bdf5948d5-n72r2 {{< istio_previous_version >}}.1
curl-78ff5975c6-8q7m6.app-ns-2 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-{{< istio_previous_version_revision >}}-1-bdf5948d5-n72r2 {{< istio_previous_version_revision >}}.1
{{< /text >}}
{{< boilerplate revision-tags-middle >}}
@ -200,9 +200,9 @@ $ kubectl rollout restart deployment -n app-ns-2
{{< text bash >}}
$ istioctl ps
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
sleep-5984f48bc7-kmj6x.app-ns-1 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-{{< istio_full_version_revision >}}-7f6fc6cfd6-jsktb {{< istio_full_version >}}
sleep-78ff5975c6-jldk4.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-{{< istio_full_version_revision >}}-7f6fc6cfd6-jsktb {{< istio_full_version >}}
sleep-7cdd8dccb9-5bq5n.app-ns-2 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-{{< istio_full_version_revision >}}-7f6fc6cfd6-jsktb {{< istio_full_version >}}
curl-5984f48bc7-kmj6x.app-ns-1 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-{{< istio_full_version_revision >}}-7f6fc6cfd6-jsktb {{< istio_full_version >}}
curl-78ff5975c6-jldk4.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-{{< istio_full_version_revision >}}-7f6fc6cfd6-jsktb {{< istio_full_version >}}
curl-7cdd8dccb9-5bq5n.app-ns-2 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-{{< istio_full_version_revision >}}-7f6fc6cfd6-jsktb {{< istio_full_version >}}
{{< /text >}}
### 默认版本 {#default-tag}

4
content/zh/docs/tasks/observability/distributed-tracing/mesh-and-proxy-config/index.md
View File

@ -105,13 +105,13 @@ EOF
### 使用 `proxy.istio.io/config` 注解配置链路追踪 {#using-proxy-istio-io-config-annotation-for-trace-settings}
您可以添加 `proxy.istio.io/config` 注解到 Pod 元数据规约中,以覆盖任何网格范围的链路追踪配置。
例如,要修改 Istio 附带的 `sleep` Deployment您需要在 `samples/sleep/sleep.yaml` 中添加以下内容:
例如,要修改 Istio 附带的 `curl` Deployment您需要在 `samples/curl/curl.yaml` 中添加以下内容:
{{< text yaml >}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: sleep
name: curl
spec:
...
template:

2
content/zh/docs/tasks/observability/distributed-tracing/sampling/index.md
View File

@ -87,7 +87,7 @@ EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: sleep
name: curl
spec:
...
template:

18
content/zh/docs/tasks/observability/logs/access-log/index.md
View File

@ -82,9 +82,9 @@ $ istioctl install <flags-you-used-to-install-Istio> --set meshConfig.accessLogF
\"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%\n
{{< /text >}}
下表显示了一个使用默认的访问日志格式的示例,请求从 `sleep` 发送到 `httpbin`
下表显示了一个使用默认的访问日志格式的示例,请求从 `curl` 发送到 `httpbin`
| 日志运算符 | sleep 中的访问日志 | httpbin 中的访问日志 |
| 日志运算符 | curl 中的访问日志 | httpbin 中的访问日志 |
|--------------|---------------------|-----------------------|
| `[%START_TIME%]` | `[2020-11-25T21:26:18.409Z]` | `[2020-11-25T21:26:18.409Z]`
| `\"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\"` | `"GET /status/418 HTTP/1.1"` | `"GET /status/418 HTTP/1.1"`
@ -111,10 +111,10 @@ $ istioctl install <flags-you-used-to-install-Istio> --set meshConfig.accessLogF
## 测试访问日志 {#test-the-access-log}
1. 从 `sleep` 向 `httpbin` 发送一个请求:
1. 从 `curl` 向 `httpbin` 发送一个请求:
{{< text bash >}}
$ kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -v httpbin:8000/status/418
$ kubectl exec "$SOURCE_POD" -c curl -- curl -sS -v httpbin:8000/status/418
...
< HTTP/1.1 418 Unknown
...
@ -125,10 +125,10 @@ $ istioctl install <flags-you-used-to-install-Istio> --set meshConfig.accessLogF
...
{{< /text >}}
1. 检查 `sleep` 的日志:
1. 检查 `curl` 的日志:
{{< text bash >}}
$ kubectl logs -l app=sleep -c istio-proxy
$ kubectl logs -l app=curl -c istio-proxy
[2019-03-06T09:31:27.354Z] "GET /status/418 HTTP/1.1" 418 - "-" 0 135 11 10 "-" "curl/7.60.0" "d209e46f-9ed5-9b61-bbdd-43e22662702a" "httpbin:8000" "172.30.146.73:80" outbound|8000||httpbin.default.svc.cluster.local - 172.21.13.94:8000 172.30.146.82:60290 -
{{< /text >}}
@ -139,17 +139,17 @@ $ istioctl install <flags-you-used-to-install-Istio> --set meshConfig.accessLogF
[2019-03-06T09:31:27.360Z] "GET /status/418 HTTP/1.1" 418 - "-" 0 135 5 2 "-" "curl/7.60.0" "d209e46f-9ed5-9b61-bbdd-43e22662702a" "httpbin:8000" "127.0.0.1:80" inbound|8000|http|httpbin.default.svc.cluster.local - 172.30.146.73:80 172.30.146.82:38618 outbound_.8000_._.httpbin.default.svc.cluster.local
{{< /text >}}
请注意,与请求相对应的信息分别出现在源(`sleep`)和目标(`httpbin`)的 Istio
请注意,与请求相对应的信息分别出现在源(`curl`)和目标(`httpbin`)的 Istio
代理日志中。您可以在日志中看到 HTTP 动词(`GET`、HTTP 路径(`/status/418`)、
响应码(`418`)和其他[请求相关信息](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-rules)。
## 清理 {#cleanup}
关闭 [sleep]({{<github_tree>}}/samples/sleep) 和
关闭 [curl]({{<github_tree>}}/samples/curl) 和
[httpbin]({{<github_tree>}}/samples/httpbin) 服务:
{{< text bash >}}
$ kubectl delete -f @samples/sleep/sleep.yaml@
$ kubectl delete -f @samples/curl/curl.yaml@
$ kubectl delete -f @samples/httpbin/httpbin.yaml@
{{< /text >}}

22
content/zh/docs/tasks/observability/logs/otel-provider/index.md
View File

@ -70,11 +70,11 @@ $ cat <<EOF | kubectl apply -n default -f -
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
name: sleep-logging
name: curl-logging
spec:
selector:
matchLabels:
app: sleep
app: curl
accessLogging:
- providers:
- name: otel
@ -122,10 +122,10 @@ $ istioctl install -f <your-istio-operator-config-file>
\"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%\n
{{< /text >}}
下表显示的示例针对从 `sleep` 发送到 `httpbin` 的请求使用默认的访问日志格式:
下表显示的示例针对从 `curl` 发送到 `httpbin` 的请求使用默认的访问日志格式:
| 日志运算符 | sleep 中的访问日志 | httpbin 中的访问日志 |
|--------------|---------------------|-----------------------|
| 日志运算符 | curl 中的访问日志 | httpbin 中的访问日志 |
|--------------|--------------------|-----------------------|
| `[%START_TIME%]` | `[2020-11-25T21:26:18.409Z]` | `[2020-11-25T21:26:18.409Z]`
| `\"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\"` | `"GET /status/418 HTTP/1.1"` | `"GET /status/418 HTTP/1.1"`
| `%RESPONSE_CODE%` | `418` | `418`
@ -151,10 +151,10 @@ $ istioctl install -f <your-istio-operator-config-file>
## 测试访问日志 {#test-access-log}
1. 将请求从 `sleep` 发送到 `httpbin`
1. 将请求从 `curl` 发送到 `httpbin`
{{< text bash >}}
$ kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -v httpbin:8000/status/418
$ kubectl exec "$SOURCE_POD" -c curl -- curl -sS -v httpbin:8000/status/418
...
< HTTP/1.1 418 Unknown
...
@ -171,17 +171,17 @@ $ istioctl install -f <your-istio-operator-config-file>
[2020-11-25T21:26:18.409Z] "GET /status/418 HTTP/1.1" 418 - via_upstream - "-" 0 135 3 1 "-" "curl/7.73.0-DEV" "84961386-6d84-929d-98bd-c5aee93b5c88" "httpbin:8000" "127.0.0.1:80" inbound|8000|| 127.0.0.1:41854 10.44.1.27:80 10.44.1.23:37652 outbound_.8000_._.httpbin.foo.svc.cluster.local default
{{< /text >}}
请注意,与请求对应的消息分别出现在来源和目的地(即 `sleep` 和 `httpbin`)的 Istio 代理日志中。
请注意,与请求对应的消息分别出现在来源和目的地(即 `curl` 和 `httpbin`)的 Istio 代理日志中。
您可以在此日志中看到 HTTP 动作(`GET`、HTTP 路径(`/status/418`)、响应码(`418`
和其他[请求相关的信息](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-rules)。
## 清理 {#cleanup}
关闭 [sleep]({{< github_tree >}}/samples/sleep) 和 [httpbin]({{< github_tree >}}/samples/httpbin) 服务:
关闭 [curl]({{< github_tree >}}/samples/curl) 和 [httpbin]({{< github_tree >}}/samples/httpbin) 服务:
{{< text bash >}}
$ kubectl delete telemetry sleep-logging
$ kubectl delete -f @samples/sleep/sleep.yaml@
$ kubectl delete telemetry curl-logging
$ kubectl delete -f @samples/curl/curl.yaml@
$ kubectl delete -f @samples/httpbin/httpbin.yaml@
$ kubectl delete -f @samples/open-telemetry/otel.yaml@ -n istio-system
{{< /text >}}

10
content/zh/docs/tasks/observability/logs/telemetry-api/index.md
View File

@ -45,19 +45,19 @@ $ kubectl apply -f @samples/open-telemetry/loki/otel.yaml@ -n istio-system
1. 禁用特定工作负载的访问日志
您可以使用以下配置禁用 `sleep` 服务的访问日志:
您可以使用以下配置禁用 `curl` 服务的访问日志:
{{< text bash >}}
$ cat <<EOF | kubectl apply -n default -f -
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
name: disable-sleep-logging
name: disable-curl-logging
namespace: default
spec:
selector:
matchLabels:
app: sleep
app: curl
accessLogging:
- providers:
- name: otel
@ -97,11 +97,11 @@ $ kubectl apply -f @samples/open-telemetry/loki/otel.yaml@ -n istio-system
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
name: filter-sleep-logging
name: filter-curl-logging
spec:
selector:
matchLabels:
app: sleep
app: curl
accessLogging:
- providers:
- name: otel

138
content/zh/docs/tasks/security/authentication/authn-policy/index.md
View File

@ -26,46 +26,46 @@ $ istioctl install --set profile=default
### 设置 {#setup}
本例中我们将在 `foo``bar` 命名空间下各自创建带有 Envoy 代理Sidecar
`httpbin``sleep` 服务。我还将在 `legacy` 命名空间下创建不带
Envoy 代理Sidecar`httpbin``sleep` 服务。如果您希望使用相同的示例来完成这些任务,
`httpbin``curl` 服务。我还将在 `legacy` 命名空间下创建不带
Envoy 代理Sidecar`httpbin``curl` 服务。如果您希望使用相同的示例来完成这些任务,
请执行如下命令:
{{< text bash >}}
$ kubectl create ns foo
$ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n foo
$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n foo
$ kubectl apply -f <(istioctl kube-inject -f @samples/curl/curl.yaml@) -n foo
$ kubectl create ns bar
$ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n bar
$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n bar
$ kubectl apply -f <(istioctl kube-inject -f @samples/curl/curl.yaml@) -n bar
$ kubectl create ns legacy
$ kubectl apply -f @samples/httpbin/httpbin.yaml@ -n legacy
$ kubectl apply -f @samples/sleep/sleep.yaml@ -n legacy
$ kubectl apply -f @samples/curl/curl.yaml@ -n legacy
{{< /text >}}
现在您可以在 `foo`、`bar` 或 `legacy` 三个命名空间下的任意 `sleep` Pod
现在您可以在 `foo`、`bar` 或 `legacy` 三个命名空间下的任意 `curl` Pod
中使用 `curl``httpbin.foo`、`httpbin.bar` 或 `httpbin.legacy`
发送 HTTP 请求来验证部署结果。所有请求都应该成功并返回 HTTP 200。
例如,检查 `sleep.bar` 到 `httpbin.foo` 可达性的指令如下:
例如,检查 `curl.bar` 到 `httpbin.foo` 可达性的指令如下:
{{< text bash >}}
$ kubectl exec "$(kubectl get pod -l app=sleep -n bar -o jsonpath={.items..metadata.name})" -c sleep -n bar -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w "%{http_code}\n"
$ kubectl exec "$(kubectl get pod -l app=curl -n bar -o jsonpath={.items..metadata.name})" -c curl -n bar -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w "%{http_code}\n"
200
{{< /text >}}
您也可以使用一行指令检查所有可能的组合:
{{< text bash >}}
$ for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl -s "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done
sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 200
sleep.foo to httpbin.legacy: 200
sleep.bar to httpbin.foo: 200
sleep.bar to httpbin.bar: 200
sleep.bar to httpbin.legacy: 200
sleep.legacy to httpbin.foo: 200
sleep.legacy to httpbin.bar: 200
sleep.legacy to httpbin.legacy: 200
$ for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=curl -n ${from} -o jsonpath={.items..metadata.name})" -c curl -n ${from} -- curl -s "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "curl.${from} to httpbin.${to}: %{http_code}\n"; done; done
curl.foo to httpbin.foo: 200
curl.foo to httpbin.bar: 200
curl.foo to httpbin.legacy: 200
curl.bar to httpbin.foo: 200
curl.bar to httpbin.bar: 200
curl.bar to httpbin.legacy: 200
curl.legacy to httpbin.foo: 200
curl.legacy to httpbin.bar: 200
curl.legacy to httpbin.legacy: 200
{{< /text >}}
使用以下指令确认系统中没有对等认证策略:
@ -99,15 +99,15 @@ TLS 流量自动发送到这些工作负载,并将明文流量发送到没有
这个标头的存在就是启用双向 TLS 的证据。例如:
{{< text bash >}}
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl -s http://httpbin.foo:8000/headers -s | jq '.headers["X-Forwarded-Client-Cert"][0]' | sed 's/Hash=[a-z0-9]*;/Hash=<redacted>;/'
"By=spiffe://cluster.local/ns/foo/sa/httpbin;Hash=<redacted>;Subject=\"\";URI=spiffe://cluster.local/ns/foo/sa/sleep"
$ kubectl exec "$(kubectl get pod -l app=curl -n foo -o jsonpath={.items..metadata.name})" -c curl -n foo -- curl -s http://httpbin.foo:8000/headers -s | jq '.headers["X-Forwarded-Client-Cert"][0]' | sed 's/Hash=[a-z0-9]*;/Hash=<redacted>;/'
"By=spiffe://cluster.local/ns/foo/sa/httpbin;Hash=<redacted>;Subject=\"\";URI=spiffe://cluster.local/ns/foo/sa/curl"
{{< /text >}}
当服务器没有 Sidecar 时,`X-Forwarded-Client-Cert` 标头将不会存在,
这意味着请求是明文的。
{{< text bash >}}
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl http://httpbin.legacy:8000/headers -s | grep X-Forwarded-Client-Cert
$ kubectl exec "$(kubectl get pod -l app=curl -n foo -o jsonpath={.items..metadata.name})" -c curl -n foo -- curl http://httpbin.legacy:8000/headers -s | grep X-Forwarded-Client-Cert
{{< /text >}}
## 全局以 STRICT 模式启用 Istio 双向 TLS {#globally-enabling-Istio-mutual-TLS-in-STRICT-mode}
@ -142,21 +142,21 @@ EOF
再次运行测试指令:
{{< text bash >}}
$ for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done
sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 200
sleep.foo to httpbin.legacy: 200
sleep.bar to httpbin.foo: 200
sleep.bar to httpbin.bar: 200
sleep.bar to httpbin.legacy: 200
sleep.legacy to httpbin.foo: 000
$ for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=curl -n ${from} -o jsonpath={.items..metadata.name})" -c curl -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "curl.${from} to httpbin.${to}: %{http_code}\n"; done; done
curl.foo to httpbin.foo: 200
curl.foo to httpbin.bar: 200
curl.foo to httpbin.legacy: 200
curl.bar to httpbin.foo: 200
curl.bar to httpbin.bar: 200
curl.bar to httpbin.legacy: 200
curl.legacy to httpbin.foo: 000
command terminated with exit code 56
sleep.legacy to httpbin.bar: 000
curl.legacy to httpbin.bar: 000
command terminated with exit code 56
sleep.legacy to httpbin.legacy: 200
curl.legacy to httpbin.legacy: 200
{{< /text >}}
您会发现除了从没有 Sidecar 的服务(`sleep.legacy`)到有 Sidecar
您会发现除了从没有 Sidecar 的服务(`curl.legacy`)到有 Sidecar
的服务(`httpbin.foo` 或 `httpbin.bar`)的请求外,其他请求依然是成功的。
这是符合预期的结果,因为现在严格要求使用双向 TLS但没有 Sidecar 的工作负载无法满足这一要求。
@ -190,20 +190,20 @@ EOF
{{< /text >}}
由于这些策略只应用于命名空间 `foo` 中的服务,您会看到只有从没有 Sidecar
的客户端(`sleep.legacy`)到有 Sidecar 的客户端(`httpbin.foo`)的请求会失败。
的客户端(`curl.legacy`)到有 Sidecar 的客户端(`httpbin.foo`)的请求会失败。
{{< text bash >}}
$ for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done
sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 200
sleep.foo to httpbin.legacy: 200
sleep.bar to httpbin.foo: 200
sleep.bar to httpbin.bar: 200
sleep.bar to httpbin.legacy: 200
sleep.legacy to httpbin.foo: 000
$ for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=curl -n ${from} -o jsonpath={.items..metadata.name})" -c curl -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "curl.${from} to httpbin.${to}: %{http_code}\n"; done; done
curl.foo to httpbin.foo: 200
curl.foo to httpbin.bar: 200
curl.foo to httpbin.legacy: 200
curl.bar to httpbin.foo: 200
curl.bar to httpbin.bar: 200
curl.bar to httpbin.legacy: 200
curl.legacy to httpbin.foo: 000
command terminated with exit code 56
sleep.legacy to httpbin.bar: 200
sleep.legacy to httpbin.legacy: 200
curl.legacy to httpbin.bar: 200
curl.legacy to httpbin.legacy: 200
{{< /text >}}
### 为每个工作负载启用双向 TLS {#enable-mutual-TLS-per-workload}
@ -228,27 +228,27 @@ spec:
EOF
{{< /text >}}
再次执行测试命令。跟预期一样,从 `sleep.legacy` 到 `httpbin.bar`
再次执行测试命令。跟预期一样,从 `curl.legacy` 到 `httpbin.bar`
的请求因为同样的原因失败。
{{< text bash >}}
$ for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done
sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 200
sleep.foo to httpbin.legacy: 200
sleep.bar to httpbin.foo: 200
sleep.bar to httpbin.bar: 200
sleep.bar to httpbin.legacy: 200
sleep.legacy to httpbin.foo: 000
$ for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=curl -n ${from} -o jsonpath={.items..metadata.name})" -c curl -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "curl.${from} to httpbin.${to}: %{http_code}\n"; done; done
curl.foo to httpbin.foo: 200
curl.foo to httpbin.bar: 200
curl.foo to httpbin.legacy: 200
curl.bar to httpbin.foo: 200
curl.bar to httpbin.bar: 200
curl.bar to httpbin.legacy: 200
curl.legacy to httpbin.foo: 000
command terminated with exit code 56
sleep.legacy to httpbin.bar: 000
curl.legacy to httpbin.bar: 000
command terminated with exit code 56
sleep.legacy to httpbin.legacy: 200
curl.legacy to httpbin.legacy: 200
{{< /text >}}
{{< text plain >}}
...
sleep.legacy to httpbin.bar: 000
curl.legacy to httpbin.bar: 000
command terminated with exit code 56
{{< /text >}}
@ -278,17 +278,17 @@ EOF
1. 如果端口绑定到服务则只能使用 `portLevelMtls` 配置,其他配置将被 Istio 忽略。
{{< text bash >}}
$ for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done
sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 200
sleep.foo to httpbin.legacy: 200
sleep.bar to httpbin.foo: 200
sleep.bar to httpbin.bar: 200
sleep.bar to httpbin.legacy: 200
sleep.legacy to httpbin.foo: 000
$ for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=curl -n ${from} -o jsonpath={.items..metadata.name})" -c curl -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "curl.${from} to httpbin.${to}: %{http_code}\n"; done; done
curl.foo to httpbin.foo: 200
curl.foo to httpbin.bar: 200
curl.foo to httpbin.legacy: 200
curl.bar to httpbin.foo: 200
curl.bar to httpbin.bar: 200
curl.bar to httpbin.legacy: 200
curl.legacy to httpbin.foo: 000
command terminated with exit code 56
sleep.legacy to httpbin.bar: 200
sleep.legacy to httpbin.legacy: 200
curl.legacy to httpbin.bar: 200
curl.legacy to httpbin.legacy: 200
{{< /text >}}
### 策略优先级 {#policy-precedence}
@ -296,7 +296,7 @@ sleep.legacy to httpbin.legacy: 200
为了演示特定服务策略比命名空间范围的策略优先级高,您可以像下面一样为
`httpbin.foo` 添加一个禁用双向 TLS 的策略。
注意您已经为所有在命名空间 `foo` 中的服务创建了命名空间范围的策略来启用双向
TLS发现从 `sleep.legacy` 到 `httpbin.foo` 的请求都会失败(如上所示)。
TLS发现从 `curl.legacy` 到 `httpbin.foo` 的请求都会失败(如上所示)。
{{< text bash >}}
$ cat <<EOF | kubectl apply -n foo -f -
@ -314,11 +314,11 @@ spec:
EOF
{{< /text >}}
重新执行来自 `sleep.legacy` 的请求,您应该又会看到请求成功并返回 200 代码,
重新执行来自 `curl.legacy` 的请求,您应该又会看到请求成功并返回 200 代码,
证明了特定服务策略覆盖了命名空间范围的策略。
{{< text bash >}}
$ kubectl exec "$(kubectl get pod -l app=sleep -n legacy -o jsonpath={.items..metadata.name})" -c sleep -n legacy -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w "%{http_code}\n"
$ kubectl exec "$(kubectl get pod -l app=curl -n legacy -o jsonpath={.items..metadata.name})" -c curl -n legacy -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w "%{http_code}\n"
200
{{< /text >}}
@ -484,7 +484,7 @@ Istio 会一直通过认证直到 65 秒后才拒绝这些令牌:
{{< text bash >}}
$ TOKEN=$(python3 ./gen-jwt.py ./key.pem --expire 5)
$ for i in $(seq 1 10); do curl --header "Authorization: Bearer $TOKEN" "$INGRESS_HOST:$INGRESS_PORT/headers" -s -o /dev/null -w "%{http_code}\n"; sleep 10; done
$ for i in $(seq 1 10); do curl --header "Authorization: Bearer $TOKEN" "$INGRESS_HOST:$INGRESS_PORT/headers" -s -o /dev/null -w "%{http_code}\n"; curl 10; done
200
200
200