rootless模式下istio ambient鉴权策略

环境说明

rootless模式下测试istio Ambient功能

四层鉴权策略

这里四层指的是网络通信模型的第四层，主要的传输协议为TCP和UDP。

用于限制服务间的通信，比如下面的策略应用于带有 app: productpage 标签的 Pod，并且仅允许来自服务帐户 cluster.local/ns/default/sa/bookinfo-gateway-istio 的调用。

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:name: productpage-viewernamespace: default
spec:selector:matchLabels:app: productpageaction: ALLOWrules:- from:- source:principals:- cluster.local/ns/default/sa/bookinfo-gateway-istio

策略应用前，通过内部pod直接访问productpage服务，可以直接访问到：

ks-managed-kubectl-admin:/# kubectl get svc productpage
NAME          TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)    AGE
productpage   ClusterIP   10.96.28.91   <none>        9080/TCP   17h
ks-managed-kubectl-admin:/# curl 10.96.28.91:9080 -I
HTTP/1.1 200 OK
Server: Werkzeug/3.0.3 Python/3.12.1
Date: Fri, 18 Oct 2024 01:42:49 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2080
Connection: close

应用策略，并测试访问：

ks-managed-kubectl-admin:/# kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:name: productpage-viewernamespace: default
spec:selector:matchLabels:app: productpageaction: ALLOWrules:- from:- source:principals:- cluster.local/ns/default/sa/bookinfo-gateway-istio
EOFauthorizationpolicy.security.istio.io/productpage-viewer created
ks-managed-kubectl-admin:/# # 直接访问productpage服务，连接被拒绝
ks-managed-kubectl-admin:/# curl 10.96.28.91:9080 -I
curl: (56) Recv failure: Connection reset by peerks-managed-kubectl-admin:/# kubectl get svc bookinfo-gateway-istio
NAME                     TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                        AGE
bookinfo-gateway-istio   NodePort   10.96.223.150   <none>        15021:30277/TCP,80:30080/TCP   17h# 通过bookinfo-gateway-istio访问是正常的
ks-managed-kubectl-admin:/# curl 10.96.223.150/productpage -I
HTTP/1.1 200 OK
server: istio-envoy
date: Fri, 18 Oct 2024 01:44:45 GMT
content-type: text/html; charset=utf-8
content-length: 15070
vary: Cookie
x-envoy-upstream-service-time: 58

七层鉴权策略

这里的七层指的是网络通信模型中的应用层，业务服务相互通信主要通过HTTP协议，其它类型暂不讨论。

要实施七层策略，需要为命名空间部署一个 waypoint 代理。此代理将处理进入命名空间的所有七层流量。

longtds@ubuntu:~$ istioctl waypoint apply --enroll-namespace --wait
waypoint default/waypoint applied
namespace default labeled with "istio.io/use-waypoint: waypoint"longtds@ubuntu:~$ kubectl get all |grep waypoint
pod/waypoint-9c5bcc75-88wt2                   1/1     Running   0          46s
service/waypoint                 ClusterIP   10.96.200.151   <none>        15021/TCP,15008/TCP            46s
deployment.apps/waypoint                 1/1     1            1           46s
replicaset.apps/waypoint-9c5bcc75                   1         1         1       46s
longtds@ubuntu:~$longtds@ubuntu:~$ kubectl get gtw
NAME               CLASS            ADDRESS                                            PROGRAMMED   AGE
bookinfo-gateway   istio            bookinfo-gateway-istio.default.svc.cluster.local   True         19h
waypoint           istio-waypoint   10.96.200.151                                      True         89s
longtds@ubuntu:~$

创建测试客户端：

longtds@ubuntu:~$ kubectl apply -f istio-1.23.2/samples/sleep/sleep.yaml
serviceaccount/sleep created
service/sleep created
deployment.apps/sleep createdlongtds@ubuntu:~$ kubectl get pod |grep sleep
sleep-5fcd8fd6c8-8r68r                    1/1     Running   0          67s
longtds@ubuntu:~$

应用（覆盖之前）策略，明确允许 sleep 服务向 productpage 服务发送 GET 请求，但不能执行其他操作：

longtds@ubuntu:~$ kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:name: productpage-viewernamespace: default
spec:targetRefs:- kind: Servicegroup: ""name: productpageaction: ALLOWrules:- from:- source:principals:- cluster.local/ns/default/sa/sleepto:- operation:methods: ["GET"]
EOF
authorizationpolicy.security.istio.io/productpage-viewer configured
longtds@ubuntu:~$

测试通过sleep访问productpage，GET请求正常返回响应，DELETE被拒绝：

longtds@ubuntu:~$ kubectl exec deploy/sleep -- curl -s -X GET http://productpage:9080/productpage |grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>longtds@ubuntu:~$ kubectl exec deploy/sleep -- curl -s -X DELETE http://productpage:9080/productpage
RBAC: access denied
longtds@ubuntu:~$

测试其它服务访问productpage服务，GET和DELETE方法都被拒绝：

longtds@ubuntu:~$ kubectl exec deploy/reviews-v1 -- curl -s -X GET http://productpage:9080/productpage
RBAC: access denied
longtds@ubuntu:~$ kubectl exec deploy/reviews-v1 -- curl -s -X DELETE http://productpage:9080/productpage
RBAC: access denied

至此完成基本的四层和七层鉴权测试，后面介绍基于waypoint的流量管理。