《OpenShift 4.x HOL Tutorial Collection》
Note: this article has been verified in an OpenShift 4.6 environment.
Caution: the whitelist and blacklist features of early OpenShift Service Mesh described below have since changed and no longer apply to newer versions of OpenShift Service Mesh.
Environment preparation: before starting, make sure the environment is the same as in 《OpenShift 4 之Istio-Tutorial (2) 部署三个微服务》, i.e. only the three microservices, the VirtualService and the Gateway are deployed, with no DestinationRule.
Only allow the three services to call each other in the order customer -> preference -> recommendation: customer is on the whitelist of callers allowed to reach preference, and preference is on the whitelist of callers allowed to reach recommendation.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: preferencewhitelist
spec:
  compiledAdapter: listchecker
  params:
    overrides: ["preference"]
    blacklist: false
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: checkfrompreference
spec:
  match: destination.labels["app"] == "recommendation"
  actions:
  - handler: preferencewhitelist
    instances:
    - appsource
---
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: customerwhitelist
spec:
  compiledAdapter: listchecker
  params:
    overrides: ["customer"]
    blacklist: false
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: checkfromcustomer
spec:
  match: destination.labels["app"] == "preference"
  actions:
  - handler: customerwhitelist
    instances:
    - appsource
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: appsource
spec:
  compiledTemplate: listentry
  params:
    value: source.labels["app"]
$ oc create -f istiofiles/acl-whitelist.yml -n ${ISTIO_APP}
handler.config.istio.io/preferencewhitelist created
rule.config.istio.io/checkfrompreference created
handler.config.istio.io/customerwhitelist created
rule.config.istio.io/checkfromcustomer created
instance.config.istio.io/appsource created
$ oc exec -it $(oc get pods -n ${ISTIO_APP} | grep customer| awk '{ print $1 }' | head -1) -c customer /bin/bash
bash-4.4$ curl preference:8080
preference => recommendation v1 from '67976848-4l4s7': 8366
bash-4.4$ curl recommendation:8080
PERMISSION_DENIED:preferencewhitelist.user1-tutorial:customer is not whitelisted
bash-4.4$ exit
exit
$ oc delete -f istiofiles/acl-whitelist.yml -n ${ISTIO_APP}
Deny access from customer to preference, i.e. customer is on the blacklist of callers for preference.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: denycustomerhandler
spec:
  compiledAdapter: denier
  params:
    status:
      code: 7
      message: Not allowed
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: denycustomerrequests
spec:
  compiledTemplate: checknothing
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: denycustomer
spec:
  match: destination.labels["app"] == "preference" && source.labels["app"]=="customer"
  actions:
  - handler: denycustomerhandler
    instances: [ denycustomerrequests ]
$ oc create -f istiofiles/acl-blacklist.yml -n ${ISTIO_APP}
$ oc exec -it $(oc get pods -n ${ISTIO_APP} | grep customer | awk '{ print $1 }' | head -1) -c customer /bin/bash
bash-4.4$ curl preference:8080
PERMISSION_DENIED:denycustomerhandler.user1-tutorial:Not allowed
bash-4.4$ exit
$ oc exec -it $(oc get pods -n ${ISTIO_APP} |grep recommendation | awk '{ print $1 }' | head -1) -c recommendation /bin/bash
bash-4.2$ curl preference:8080
preference => recommendation v1 from '67976848-4l4s7': 8384
bash-4.4$ exit
$ oc delete -f istiofiles/acl-blacklist.yml -n ${ISTIO_APP}
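To make the evaluation order of the whitelist and blacklist policies above explicit, here is an added example (not part of the original tutorial or of Istio itself) that models how Mixer applies a rule's match expression and then its listchecker or denier handler to a request's source/destination app labels. The handler and rule contents are transcribed from the two YAML files above; the match-expression parser, the namespace value and the exact denial wording are assumptions for the model.

```python
import re
from typing import Dict, List, Optional

# Handlers and rules transcribed from acl-whitelist.yml (keyed by handler name).
WHITELIST_HANDLERS = {
    "preferencewhitelist": {"adapter": "listchecker", "overrides": ["preference"], "blacklist": False},
    "customerwhitelist":   {"adapter": "listchecker", "overrides": ["customer"],   "blacklist": False},
}
WHITELIST_RULES = [
    {"match": 'destination.labels["app"] == "recommendation"', "handler": "preferencewhitelist"},
    {"match": 'destination.labels["app"] == "preference"',     "handler": "customerwhitelist"},
]
# Handler and rule transcribed from acl-blacklist.yml.
BLACKLIST_HANDLERS = {"denycustomerhandler": {"adapter": "denier", "message": "Not allowed"}}
BLACKLIST_RULES = [
    {"match": 'destination.labels["app"] == "preference" && source.labels["app"]=="customer"',
     "handler": "denycustomerhandler"},
]

# Assumed mini-grammar: a conjunction (&&) of <side>.labels["key"] == "value" clauses.
_CLAUSE = re.compile(r'^(source|destination)\.labels\["(\w+)"\]\s*==\s*"([^"]*)"$')

def match_holds(expr: str, attrs: Dict[str, Dict[str, str]]) -> bool:
    """True when every clause of the rule's match expression holds for these attributes."""
    for clause in expr.split("&&"):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        side, key, want = m.groups()
        if attrs[side].get(key) != want:
            return False
    return True

def check(src_app: str, dst_app: str, handlers: Dict, rules: List[Dict],
          namespace: str = "user1-tutorial") -> Optional[str]:
    """Return None if the call is allowed, otherwise a Mixer-style PERMISSION_DENIED string."""
    attrs = {"source": {"app": src_app}, "destination": {"app": dst_app}}
    for rule in rules:
        if not match_holds(rule["match"], attrs):
            continue  # rule does not apply to this destination/source
        h = handlers[rule["handler"]]
        if h["adapter"] == "denier":  # denier rejects every request its rule matches
            return f'PERMISSION_DENIED:{rule["handler"]}.{namespace}:{h["message"]}'
        # listchecker receives source.labels["app"] via the 'appsource' listentry instance
        listed = src_app in h["overrides"]
        if listed == h["blacklist"]:  # whitelist: deny when absent; blacklist: deny when present
            reason = "is blacklisted" if h["blacklist"] else "is not whitelisted"
            return f'PERMISSION_DENIED:{rule["handler"]}.{namespace}:{src_app} {reason}'
    return None  # no matching rule denied the request
```

Running `check("customer", "recommendation", WHITELIST_HANDLERS, WHITELIST_RULES)` reproduces the denial seen from the customer pod, while the same call with `preference` as the source is allowed.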