<!doctype html><html lang=zh itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="HTTP Egress 流量监控和访问策略"><meta name=description content="描述如何配置 Istio 进行 HTTP Egress 流量监控和访问策略。"><meta name=author content="Vadim Eisenberg and Ronen Schaffer (IBM)"><meta name=keywords content="microservices,services,mesh,egress,traffic-management,access-control,monitoring"><meta property="og:title" content="HTTP Egress 流量监控和访问策略"><meta property="og:type" content="website"><meta property="og:description" content="描述如何配置 Istio 进行 HTTP Egress 流量监控和访问策略。"><meta property="og:url" content="/v1.24/zh/blog/2018/egress-monitoring-access-control/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.png"><meta property="og:image:alt" content="The Istio sailboat logo"><meta property="og:image:width" content="4096"><meta property="og:image:height" content="2048"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary_large_image"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.24 / HTTP Egress 流量监控和访问策略</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-5XBWY4YJ1E"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","G-5XBWY4YJ1E")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.24/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.24/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.24/feed.xml><link rel="shortcut icon" href=/v1.24/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.24/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.24/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.24/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.24/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.24/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.24/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.24/favicons/android-96x96.png sizes=96x96><link rel=icon type=image/png href=/v1.24/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.24/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.24/favicons/favicon.svg><link rel=icon type=image/png href=/v1.24/favicons/favicon.png><link rel=mask-icon href=/v1.24/favicons/safari-pinned-tab.svg color=#466BB0><link rel=manifest href=/v1.24/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.24/css/style.min.38f1afbdf6f8efdb4fe991ff2a53ca1c801b5c4602dea2963da44df7ceaacfb8.css integrity="sha256-OPGvvfb479tP6ZH/KlPKHIAbXEYC3qKWPaRN986qz7g=" 
crossorigin=anonymous><link rel=preconnect href=https://fonts.googleapis.com><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.24/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.24",docTitle="HTTP Egress 流量监控和访问策略",iconFile="/v1.24//img/icons.svg",buttonCopy="复制到剪切板",buttonPrint="打印",buttonDownload="下载"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.24/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.24/zh/ aria-label=logotype><span class=logo><svg width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 
013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 
01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span>
</a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation">
<svg class="icon menu-hamburger"><use xlink:href="/v1.24/img/icons.svg#menu-hamburger"/></svg>
</button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.24/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>关于</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.24/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.24/zh/about/service-mesh class=main-navigation-links-link>服务网格</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/zh/about/solutions class=main-navigation-links-link>解决方案</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/zh/about/case-studies class=main-navigation-links-link>案例学习</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/zh/about/ecosystem class=main-navigation-links-link>生态系统</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/zh/about/deployment class=main-navigation-links-link>部署</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/zh/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.24/zh/blog/ class=main-navigation-links-link><span>博客</span></a></li><li class=main-navigation-links-item><a href=/v1.24/zh/news/ class=main-navigation-links-link><span>新闻</span></a></li><li class=main-navigation-links-item><a href=/v1.24/zh/get-involved/ class=main-navigation-links-link><span>加入我们</span></a></li><li class=main-navigation-links-item><a href=/v1.24/zh/docs/ class=main-navigation-links-link><span>文档</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title='搜索 istio.io' aria-label=搜索><svg class="icon magnifier"><use xlink:href="/v1.24/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.24/zh/docs/setup/getting-started class="btn btn--primary" id=try-istio>试用 Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=zh>
<input type=hidden id=search-page-url value=/zh/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label='搜索 istio.io' placeholder=搜索>
<button id=search-close title=取消搜索 type=reset aria-label=取消搜索><svg class="icon menu-close"><use xlink:href="/v1.24/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>HTTP Egress 流量监控和访问策略</h1><p>描述如何配置 Istio 进行 HTTP Egress 流量监控和访问策略。</p></div><p class=post-author>Jun 22, 2018 <span>| </span>作者 Vadim Eisenberg and Ronen Schaffer - IBM</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.24/img/icons.svg#callout-warning"/></svg></div><div class=content>该博客文章是在 Istio 1.1 的版本下编写的,因此其中某些内容现在可能已过时。</div></aside></div><div><p>虽然 Istio 的主要关注点是管理服务网格内微服务之间的流量,但它也可以管理 ingress (从外部进入网格) 和 egress (从网格向外) 的流量。Istio 可以统一执行访问策略,并为网格内部、ingress 和 egress 流量聚合遥测数据。</p><p>在这篇博客文章中,将向您展示如何使用 Istio 进行 HTTP Egress 流量监控和访问策略。</p><h2 id=use-case>用例</h2><p>考虑一个运行处理 <em>cnn.com</em> 内容的应用程序的组织。应用程序被解耦为部署在 Istio 服务网格中的微服务。应用程序访问 <em>cnn.com</em> 的各种话题页面:<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>,<a href=https://edition.cnn.com/sport>edition.cnn.com/sport</a> 和 <a href=https://edition.cnn.com/health>edition.cnn.com/health</a>。该组织<a href=/v1.24/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>配置了访问 edition.cnn.com 的权限</a>,一切都正常运行。然而,在某一时刻,本组织决定移除政治话题。实际上,这意味着禁止访问 <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> ,只允许访问 <a href=https://edition.cnn.com/sport>edition.cnn.com/sport</a> 和 <a href=https://edition.cnn.com/health>edition.cnn.com/health</a> 。该组织将根据具体情况,向个别应用程序和特定用户授予访问 <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> 的权限。</p><p>为了实现这一目标,组织的运维人员监控对外部服务的访问,并分析 Istio 日志,以验证没有向 <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> 发送未经授权的请求。他们还配置了 Istio 来防止自动访问 <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> 。</p><p>本组织决心防止对新策略的任何篡改,决定设置一些机制以防止恶意应用程序访问禁止的话题。</p><h2 
id=related-tasks-and-examples>相关工作和示例</h2><ul><li><a href=/v1.24/zh/docs/tasks/traffic-management/egress/>Control Egress 流量</a>任务演示了网格内的应用程序如何访问外部(Kubernetes 集群之外) HTTP 和 HTTPS 服务。</li><li><a href=/v1.24/zh/docs/tasks/traffic-management/egress/egress-gateway/>配置 Egress 网关</a>示例描述了如何配置 Istio 来通过一个称为 <em>出口网关</em> 的专用网关服务来引导出口流量。</li><li><a href=/v1.24/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>带 TLS 发起的 Egress 网关</a>示例演示了如何允许应用程序向需要 HTTPS 的外部服务器发送 HTTP 请求,同时通过 Egress Gateway 引导流量。</li><li><a href=/v1.24/zh/docs/tasks/observability/metrics/collecting-metrics/>收集指标</a>任务描述如何为网格中的服务配置指标。</li><li><a href=/v1.24/zh/docs/tasks/observability/metrics/using-istio-dashboard/>Grafana 的可视化指标</a>描述了用于监控网格流量的 Istio 仪表板。</li><li><a href=/v1.24/zh/docs/tasks/policy-enforcement/denial-and-list/>基本访问控制</a>任务显示如何控制对网格内服务的访问。</li><li><a href=/v1.24/zh/docs/tasks/policy-enforcement/denial-and-list/>拒绝和白/黑名单</a>任务显示如何使用黑名单或白名单检查器配置访问策略。</li></ul><p>与上面的遥测和安全任务相反,这篇博客文章描述了 Istio 的监控和访问策略,专门应用于 egress 流量。</p><h2 id=before-you-begin>开始之前</h2><p>按照<a href=/v1.24/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>带 TLS 发起的 Egress 网关</a>中的步骤,<strong>启用了双向 TLS 身份验证</strong>,而不需要<a href=/v1.24/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination//#cleanup>清除</a>步骤。完成该示例后,您可以从安装了 <code>curl</code> 的网格中容器访问 <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>。本文假设 <code>SOURCE_POD</code> 环境变量包含源 pod 的名称,容器的名称为 <code>sleep</code>。</p><h2 id=configure-monitoring-and-access-policies>配置监控和访问策略</h2><p>由于您希望以 <em>安全方式</em> 完成您的任务,您应该通过 <em>egress 网关</em> 引导流量,正如<a href=/v1.24/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>带 TLS 发起的 Egress 网关</a>任务中所描述的那样。这里的 <em>安全方式</em> 意味着您希望防止恶意应用程序绕过 Istio 监控和策略强制。</p><p>根据我们的场景,组织执行了<a href=/v1.24/zh/blog/2018/egress-monitoring-access-control/#before-you-begin>开始之前</a>部分中的命令,启用 HTTP 流量到 <em>edition.cnn.com</em> ,并将该流量配置为通过 egress 网关。egress 网关执行 TLS 发起到 
<em>edition.cnn.com</em> ,因此流量在网格中被加密。此时,组织已经准备好配置 Istio 来监控和应用 <em>edition.cnn.com</em> 流量的访问策略。</p><h3 id=logging>日志</h3><p>配置 Istio 以记录对 <em>*.cnn.com</em> 的访问。创建一个 <code>logentry</code> 和两个 <a href=/v1.24/zh/docs/reference/config/policy-and-telemetry/adapters/stdio/>stdio</a> <code>handlers</code>,一个用于记录禁止访问(<em>error</em> 日志级别),另一个用于记录对 <em>*.cnn.com</em> 的所有访问(<em>info</em> 日志级别)。然后创建规则将 <code>logentry</code> 实例定向到 <code>handlers</code>。一个规则指导访问 <em>*.cnn.com/politics</em> 为日志禁止访问处理程序, 另一个规则指导日志条目的处理程序,输出每个访问 <em>*.cnn.com</em> 作为 <em>info</em> 的日志级别。要了解 Istio <code>logentries</code>、<code>rules</code> 和 <code>handlers</code>,请参见 <a href=/v1.24/zh/blog/2017/adapter-model/>Istio 适配器模型</a>。下图显示了涉及的实体和它们之间的依赖关系:</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:46.46700562636976%><a data-skipendnotes=true href=/v1.24/zh/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring.svg title="用于 egress 监视和访问策略的实例、规则和处理程序"><img class=element-to-stretch src=/v1.24/zh/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring.svg alt="用于 egress 监视和访问策略的实例、规则和处理程序"></a></div><figcaption>用于 egress 监视和访问策略的实例、规则和处理程序</figcaption></figure><ol><li><p>创建 <code>logentry</code>、<code>rules</code> 和 <code>handlers</code>。注意您指定了 <code>context.reporter.uid</code> 作为
<code>kubernetes://istio-egressgateway</code>,以便规则只从 egress 网关获取日志信息。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl apply -f -
# Log entry for egress access
apiVersion: "config.istio.io/v1alpha2"
kind: logentry
metadata:
name: egress-access
namespace: istio-system
spec:
severity: '"info"'
timestamp: request.time
variables:
destination: request.host | "unknown"
path: request.path | "unknown"
responseCode: response.code | 0
responseSize: response.size | 0
reporterUID: context.reporter.uid | "unknown"
sourcePrincipal: source.principal | "unknown"
monitored_resource_type: '"UNSPECIFIED"'
---
# Handler for error egress access entries
apiVersion: "config.istio.io/v1alpha2"
kind: stdio
metadata:
name: egress-error-logger
namespace: istio-system
spec:
severity_levels:
info: 2 # output log level as error
outputAsJson: true
---
# Rule to handle access to *.cnn.com/politics
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: handle-politics
namespace: istio-system
spec:
match: request.host.endsWith("cnn.com") && request.path.startsWith("/politics") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway")
actions:
- handler: egress-error-logger.stdio
instances:
- egress-access.logentry
---
# Handler for info egress access entries
apiVersion: "config.istio.io/v1alpha2"
kind: stdio
metadata:
name: egress-access-logger
namespace: istio-system
spec:
severity_levels:
info: 0 # output log level as info
outputAsJson: true
---
# Rule to handle access to *.cnn.com
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: handle-cnn-access
namespace: istio-system
spec:
match: request.host.endsWith(".cnn.com") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway")
actions:
- handler: egress-access-logger.stdio
instances:
- egress-access.logentry
EOF</code></pre></li><li><p>发送三个 HTTP 请求到 <em>cnn.com</em> 、<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>、<a href=https://edition.cnn.com/sport>edition.cnn.com/sport</a> 和 <a href=https://edition.cnn.com/health>edition.cnn.com/health</a>。
三个请求都应该返回 <em>200 OK</em> 。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
200
200
200</code></pre></li><li><p>查询 Mixer 日志,查看请求信息出现在日志中:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
{"level":"info","time":"2019-01-29T07:43:24.611462Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":1883355,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
{"level":"info","time":"2019-01-29T07:43:24.886316Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/sport","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2094561,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
{"level":"info","time":"2019-01-29T07:43:25.369663Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/health","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2157009,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
{"level":"error","time":"2019-01-29T07:43:24.611462Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":1883355,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}</code></pre><p>您将看到与您的三个请求相关的四个日志条目。三个关于访问 <em>edition.cnn.com</em> 的 <em>info</em> 信息和一个关于访问 <em>edition.cnn.com/politics</em> 的 <em>error</em> 信息。服务网格 operators 可以查看所有访问实例,还可以搜索日志中表示禁止访问的 <em>error</em> 日志。这是在自动地阻塞禁止访问之前可以应用的第一个安全措施,即将所有禁止访问实例记录为错误。在某些设置中,这可能是一个足够的安全措施。</p><p>注意以下属性:</p><ul><li><code>destination</code>、<code>path</code>、<code>responseCode</code> 和 <code>responseSize</code> 与请求的 HTTP 参数相关</li><li><code>sourcePrincipal</code>:<code>cluster.local/ns/default/sa/sleep</code> —— 表示 <code>default</code> 命名空间中的 <code>sleep</code> 服务帐户的字符串</li><li><code>reporterUID</code>: <code>kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system</code> —— 报告 pod 的 UID,在本例中为 <code>istio-egressgateway-747b6764b8-44rrh</code>,位于 <code>istio-system</code> 命名空间中</li></ul></li></ol><h3 id=access-control-by-routing>路由访问控制</h3><p>启用对 <em>edition.cnn.com</em> 的访问进行日志记录之后,自动执行访问策略,即只允许访问 <em>/health</em> 和 <em>/sport</em> URL 路径。这样一个简单的策略控制可以通过 Istio 路由实现。</p><ol><li><p>为 <em>edition.cnn.com</em> 重定义 <code>VirtualService</code> :</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-cnn-through-egress-gateway
spec:
hosts:
- edition.cnn.com
gateways:
- istio-egressgateway
- mesh
http:
- match:
- gateways:
- mesh
port: 80
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: cnn
port:
number: 443
weight: 100
- match:
- gateways:
- istio-egressgateway
port: 443
uri:
regex: "/health|/sport"
route:
- destination:
host: edition.cnn.com
port:
number: 443
weight: 100
EOF</code></pre><p>注意,您通过 <code>uri</code> 条件添加了一个 <code>match</code>,该条件检查 URL 路径是 <em>/health</em> 还是 <em>/sport</em> 。还要注意,此条件已添加到 <code>VirtualService</code> 的 <code>istio-egressgateway</code> 部分,因为就安全性而言,egress 网关是一个经过加固的组件(请参阅 <a href=/v1.24/zh/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations>egress 网关安全性注意事项</a>)。您一定不希望您的任何策略被篡改。</p></li><li><p>发送之前的三个 HTTP 请求到 <em>cnn.com</em> :</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
404
200
200</code></pre><p>向 <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> 发送请求会返回 <em>404 Not Found</em> ,然而向
<a href=https://edition.cnn.com/sport>edition.cnn.com/sport</a> 和
<a href=https://edition.cnn.com/health>edition.cnn.com/health</a> 发送请求,会像我们预想的那样返回 <em>200 OK</em> 。</p><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.24/img/icons.svg#callout-tip"/></svg></div><div class=content>您可能需要等待几秒钟,等待 <code>VirtualService</code> 的更新传播到 egress 网关。</div></aside></div></li><li><p>查询 Mixer 日志,可以看到关于请求的信息再次出现在日志中:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
{"level":"info","time":"2019-01-29T07:55:59.686082Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":404,"responseSize":0,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
{"level":"info","time":"2019-01-29T07:55:59.697565Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/sport","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2094561,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
{"level":"info","time":"2019-01-29T07:56:00.264498Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/health","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2157009,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
{"level":"error","time":"2019-01-29T07:55:59.686082Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":404,"responseSize":0,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}</code></pre><p>你依然会得到关于访问 <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> 的信息和错误消息,然而这次 <code>responseCode</code> 会像我们预想的那样返回 <code>404</code> 。</p></li></ol><p>虽然在这个简单的例子中使用 Istio 路由实现访问控制是可行的,但是在更复杂的例子中就不够了。例如,组织可能希望在某些条件下允许访问 <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>,因此需要比仅通过 URL 路径过滤更复杂的策略逻辑。您可能想要应用 Istio Mixer 适配器,例如允许/禁止 URL 路径的<a href=/v1.24/zh/docs/tasks/policy-enforcement/denial-and-list/#attribute-based-whitelists-or-blacklists>白名单或黑名单</a>。策略规则允许指定复杂的条件,用丰富的表达式语言指定,其中包括与和或逻辑运算符。这些规则可用于日志记录和策略检查。更高级的用户可能希望应用基于 <a href=/v1.24/zh/docs/concepts/security/#authorization>Istio 角色访问控制</a>。</p><p>另一方面是与远程访问策略系统的集成。如果在我们的用例中组织操作一些<a href=https://en.wikipedia.org/wiki/Identity_management>标识和访问管理</a>系统,您可能希望配置 Istio 来使用来自这样一个系统的访问策略信息。您可以通过应用 <a href=/v1.24/zh/blog/2017/adapter-model/>Istio Mixer 适配器</a>来实现这种集成。</p><p>现在您移除在本节中使用的路由取消访问控制,在下一节将向您演示通过 Mixer 策略检查实现访问控制。</p><ol><li><p>用之前<a href=/v1.24/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#perform-TLS-origination-with-an-egress-gateway>配置 Egress 网关</a>示例中的版本替换 <em>edition.cnn.com</em> 的 <code>VirtualService</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-cnn-through-egress-gateway
spec:
hosts:
- edition.cnn.com
gateways:
- istio-egressgateway
- mesh
http:
- match:
- gateways:
- mesh
port: 80
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: cnn
port:
number: 443
weight: 100
- match:
- gateways:
- istio-egressgateway
port: 443
route:
- destination:
host: edition.cnn.com
port:
number: 443
weight: 100
EOF</code></pre></li><li><p>发送之前的三个 HTTP 请求到 <em>cnn.com</em> ,这一次您应该会收到三个 <em>200 OK</em> 的响应:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
200
200
200</code></pre></li></ol><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.24/img/icons.svg#callout-tip"/></svg></div><div class=content>您可能需要等待几秒钟,等待 <code>VirtualService</code> 的更新传播到 egress 网关。</div></aside></div><h3 id=access-control-by-Mixer-policy-checks>Mixer 策略检查访问控制</h3><p>在该步骤中,您使用 Mixer <a href=/v1.24/zh/docs/reference/config/policy-and-telemetry/adapters/list/><code>Listchecker</code> 适配器</a>,它是一种白名单。您可以使用请求的 URL 路径定义一个 <code>listentry</code>,并使用一个 <code>listchecker</code>,根据 <code>overrides</code> 字段指定的允许 URL 路径静态列表来检查该 <code>listentry</code>。对于<a href=https://en.wikipedia.org/wiki/Identity_management>外部标识和访问管理</a>系统,请使用 <code>providerurl</code> 字段。实例、规则和处理程序的更新图如下所示。注意,您重用相同的策略规则 <code>handle-cnn-access</code> 来进行日志记录和访问策略检查。</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:52.79420593027812%><a data-skipendnotes=true href=/v1.24/zh/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring-policy.svg title="用于 egress 监视和访问策略的实例、规则和处理程序"><img class=element-to-stretch src=/v1.24/zh/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring-policy.svg alt="用于 egress 监视和访问策略的实例、规则和处理程序"></a></div><figcaption>用于 egress 监视和访问策略的实例、规则和处理程序</figcaption></figure><ol><li><p>定义 <code>path-checker</code> 和 <code>request-path</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl create -f -
apiVersion: "config.istio.io/v1alpha2"
kind: listchecker
metadata:
name: path-checker
namespace: istio-system
spec:
overrides: ["/health", "/sport"] # overrides provide a static list
blacklist: false
---
apiVersion: "config.istio.io/v1alpha2"
kind: listentry
metadata:
name: request-path
namespace: istio-system
spec:
value: request.path
EOF</code></pre></li><li><p>修改 <code>handle-cnn-access</code> 策略规则并发送 <code>request-path</code> 实例到 <code>path-checker</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl apply -f -
# Rule handle egress access to cnn.com
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: handle-cnn-access
namespace: istio-system
spec:
match: request.host.endsWith(".cnn.com") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway")
actions:
- handler: egress-access-logger.stdio
instances:
- egress-access.logentry
- handler: path-checker.listchecker
instances:
- request-path.listentry
EOF</code></pre></li><li><p>执行常规测试,将 HTTP 请求发送到 <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>,<a href=https://edition.cnn.com/sport>edition.cnn.com/sport</a> 和 <a href=https://edition.cnn.com/health>edition.cnn.com/health</a>。正如所料,对 <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> 的请求返回 <em>403</em> (禁止)。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
403
200
200</code></pre></li></ol><h3 id=access-control-by-Mixer-policy-checks-part-2>Mixer 策略检查访问控制,第二部分</h3><p>在我们用例中的组织设法配置日志和访问控制之后,它决定扩展它的访问策略,
允许具有特殊<a href=https://kubernetes.io/zh-cn/docs/tasks/configure-pod-container/configure-service-account/>服务帐户</a>
的应用程序访问 <em>cnn.com</em> 的任何主题,而不受监控。您将看到如何在 Istio 中配置此需求。</p><ol><li><p>使用 <code>politics</code> 服务账户开启 <a href=https://github.com/istio/istio/tree/release-1.24/samples/sleep>sleep</a> 示例程序。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ sed 's/: sleep/: politics/g' samples/sleep/sleep.yaml | kubectl create -f -
serviceaccount "politics" created
service "politics" created
deployment "politics" created</code></pre></li><li><p>定义 <code>SOURCE_POD_POLITICS</code> shell 变量来保存带有 <code>politics</code> 服务帐户的源 pod 的名称,以便向外部服务发送请求。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export SOURCE_POD_POLITICS=$(kubectl get pod -l app=politics -o jsonpath={.items..metadata.name})</code></pre></li><li><p>执行常规测试,这次从 <code>SOURCE_POD_POLITICS</code> 发送三个 HTTP 请求。对 <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> 的请求返回 <em>403</em> ,因为您没有为 <em>politics</em> 命名空间配置异常。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it $SOURCE_POD_POLITICS -c politics -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
|
||
403
|
||
200
|
||
200</code></pre></li><li><p>查询 Mixer 日志,可以看到来自 <em>politics</em> 服务帐户的请求信息出现在日志中(此时对 <em>/politics</em> 的请求仍被记录为 403,因为豁免尚未配置):</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
|
||
{"level":"info","time":"2019-01-29T08:04:42.559812Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":403,"responseSize":84,"sourcePrincipal":"cluster.local/ns/default/sa/politics"}
|
||
{"level":"info","time":"2019-01-29T08:04:42.568424Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/sport","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2094561,"sourcePrincipal":"cluster.local/ns/default/sa/politics"}
|
||
{"level":"error","time":"2019-01-29T08:04:42.559812Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":403,"responseSize":84,"sourcePrincipal":"cluster.local/ns/default/sa/politics"}
|
||
{"level":"info","time":"2019-01-29T08:04:42.615641Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/health","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2157009,"sourcePrincipal":"cluster.local/ns/default/sa/politics"}</code></pre><p>注意 <code>sourcePrincipal</code> 是 <code>cluster.local/ns/default/sa/politics</code>,表示 <code>default</code> 命名空间中的 <code>politics</code> 服务帐户。</p></li><li><p>重新定义 <code>handle-cnn-access</code> 和 <code>handle-politics</code> 策略规则,使使用 <em>politics</em> 服务帐户的应用程序不再受到监控和策略检查。该豁免以 <code>source.principal</code> 为依据,即 sidecar 与 egress 网关之间双向 TLS 所验证的工作负载身份(命名空间加服务帐户),而不是 pod 名称或 IP 地址。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl apply -f -
|
||
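# Rule to handle access to *.cnn.com/politics.
# NOTE(review): these are Mixer (config.istio.io/v1alpha2) resources; confirm
# that the Mixer policy/telemetry components exist in the target Istio release
# before applying them.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: handle-politics
  namespace: istio-system
spec:
  # The host suffix carries the leading dot so that only subdomains of
  # cnn.com match, consistent with handle-cnn-access below. A bare "cnn.com"
  # suffix would also match unrelated hosts such as "notcnn.com".
  # The reporter check keys on the egress gateway's pod-name prefix only;
  # the namespace part of the reporter UID ("<pod>.<namespace>") is not pinned.
  # The exemption is keyed on source.principal, the mTLS-verified workload
  # identity (namespace + service account), not on pod name or IP address.
  match: request.host.endsWith(".cnn.com") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway") && request.path.startsWith("/politics") && source.principal != "cluster.local/ns/default/sa/politics"
  actions:
  - handler: egress-error-logger.stdio
    instances:
    - egress-access.logentry
---
# Rule to handle egress access to cnn.com: log every request through the egress
# gateway and run the path-checker list check. Requests carrying the
# "politics" service account identity are exempt from both logging and the
# policy check.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: handle-cnn-access
  namespace: istio-system
spec:
  match: request.host.endsWith(".cnn.com") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway") && source.principal != "cluster.local/ns/default/sa/politics"
  actions:
  - handler: egress-access-logger.stdio
    instances:
    - egress-access.logentry
  - handler: path-checker.listchecker
    instances:
    - request-path.listentry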
||
EOF</code></pre></li><li><p>从 <code>SOURCE_POD</code> 中执行常规测试:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
|
||
403
|
||
200
|
||
200</code></pre><p>由于 <code>SOURCE_POD</code> 没有 <code>politics</code> 服务帐户,所以像以前一样访问 <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> 会被禁止。</p></li><li><p>从 <code>SOURCE_POD_POLITICS</code> 中执行之前的测试:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it $SOURCE_POD_POLITICS -c politics -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
|
||
200
|
||
200
|
||
200</code></pre><p>访问 <em>edition.cnn.com</em> 的所有话题都是被允许的。</p></li><li><p>检查 Mixer 日志,确认不再有 <code>sourcePrincipal</code> 为 <code>cluster.local/ns/default/sa/politics</code> 的新请求出现在日志中:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4</code></pre></li></ol><h2 id=comparison-with-HTTPS-egress-traffic-control>与 HTTPS egress 流量控制进行比较</h2><p>在这个用例中,应用程序发送 HTTP 请求,由 Istio Egress 网关代为发起 TLS(TLS origination)。或者,应用程序也可以直接向 <em>edition.cnn.com</em> 发出 HTTPS 请求,自行发起 TLS。在本节中,我们将描述这两种方式及其优缺点。</p><p>在 HTTP 方式中,请求在 pod 内以明文发送到本地主机,由 Istio sidecar 代理拦截并转发到 egress 网关。由于您将 Istio 配置为在 sidecar 代理和 egress 网关之间使用双向 TLS,因此流量在离开 pod 之后是加密的。egress 网关解密流量,检查 URL 路径、HTTP 方法和报头,报告遥测数据并执行策略检查。如果请求没有被某个策略检查阻止,那么 egress 网关将向外部目的地(在我们的示例中是 <em>cnn.com</em>)发起 TLS,因此请求将再次加密并发送到外部目的地。下图演示了这种方式的流程。图中网关内标注的 HTTP 指的是网关在解密之后所看到的协议。</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:64.81718469808756%><a data-skipendnotes=true href=/v1.24/zh/blog/2018/egress-monitoring-access-control/http-to-gateway.svg title="HTTP egress 流量通过 egress 网关"><img class=element-to-stretch src=/v1.24/zh/blog/2018/egress-monitoring-access-control/http-to-gateway.svg alt="HTTP egress 流量通过 egress 网关"></a></div><figcaption>HTTP egress 流量通过 egress 网关</figcaption></figure><p>这种方式的缺点是请求在 pod 内发送时没有加密,这可能违反某些组织的安全策略;同时 egress 网关是解密并处理明文请求的位置,因此必须将其视为受信任且需要加固的组件。此外,一些 SDK 硬编码了包含协议在内的外部服务 URL,因此无法改为发送 HTTP 请求。这种方式的优点是能够检查 HTTP 方法、报头和 URL 路径,并基于它们应用策略。</p><p>在 HTTPS 方式中,从应用程序到外部目的地的请求是端到端加密的。下图演示了这种方式的流程。图中网关内标注的 HTTPS 指的是网关所看到的协议。</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:64.81718469808756%><a data-skipendnotes=true href=/v1.24/zh/blog/2018/egress-monitoring-access-control/https-to-gateway.svg title="HTTPS egress 流量通过 egress 网关"><img class=element-to-stretch src=/v1.24/zh/blog/2018/egress-monitoring-access-control/https-to-gateway.svg alt="HTTPS egress 流量通过 egress 网关"></a></div><figcaption>HTTPS egress 流量通过 egress 网关</figcaption></figure><p>从安全的角度来看,端到端 HTTPS 被认为是更好的方式。然而,由于流量是加密的,Istio sidecar 代理和 egress 网关只能看到源和目标 IP 以及目标的 <a href=https://en.wikipedia.org/wiki/Server_Name_Indication>SNI</a>。由于您将 Istio 配置为在 sidecar 代理和 egress 网关之间使用双向 TLS,所以<a href=/v1.24/zh/docs/concepts/security/#istio-identity>源身份</a>也是已知的。网关无法检查 URL 路径、HTTP 方法和请求报头,因此无法基于 HTTP 层的信息进行监控和执行策略。在我们的用例中,组织能够允许访问 <em>edition.cnn.com</em>,并指定允许哪些应用程序访问 <em>edition.cnn.com</em>;但是,无法允许或阻止对 <em>edition.cnn.com</em> 特定 URL 路径的访问。使用 HTTPS 方式既不能阻止对 <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> 的访问,也不能监控此类访问。</p><p>我们认为,每个组织都应充分权衡这两种方式的优缺点,并选择最适合其需要的方式。</p><h2 id=summary>总结</h2><p>在这篇博客文章中,我们展示了如何将 Istio 的不同监控和策略机制应用于 HTTP egress 流量。可以通过配置日志适配器来实现监控。访问策略可以通过配置 <code>VirtualServices</code> 或配置各种策略检查适配器来实现。我们演示了一个只允许特定 URL 路径的简单策略,还演示了一个更复杂的策略,它通过豁免具有特定服务帐户的应用程序扩展了简单策略。最后,比较了由网关发起 TLS 的 HTTP egress 流量与 HTTPS egress 流量,以及通过 Istio 对两者进行控制的可能性。</p><h2 id=cleanup>清理</h2><ol><li><p>执行<a href=/v1.24/zh/docs/tasks/traffic-management/egress/egress-gateway/>配置 Egress 网关</a>示例的<a href=/v1.24/zh/docs/tasks/traffic-management/egress/egress-gateway/#cleanup>清理</a>部分中的说明。</p></li><li><p>删除日志和策略检查配置:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete logentry egress-access -n istio-system
|
||
$ kubectl delete stdio egress-error-logger -n istio-system
|
||
$ kubectl delete stdio egress-access-logger -n istio-system
|
||
$ kubectl delete rule handle-politics -n istio-system
|
||
$ kubectl delete rule handle-cnn-access -n istio-system
|
||
$ kubectl delete -n istio-system listchecker path-checker
|
||
$ kubectl delete -n istio-system listentry request-path</code></pre></li><li><p>删除 <em>politics</em> 源 pod:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ sed 's/: sleep/: politics/g' samples/sleep/sleep.yaml | kubectl delete -f -
|
||
serviceaccount "politics" deleted
|
||
service "politics" deleted
|
||
deployment "politics" deleted</code></pre></li></ol></div></article></body></html>