13.6 mTLS Migration

When services are migrated into a service mesh, the migration usually has to happen gradually. During that period the services already inside the mesh have mTLS enabled, so calls from services still outside the mesh (which have no sidecar and send plaintext) would fail. To avoid this, set the mTLS mode of the in-mesh services to PERMISSIVE: their sidecars then accept both mTLS traffic and plain, unencrypted traffic. Once every service has been migrated into the mesh, switch the mode to STRICT so that in-mesh services accept only mTLS traffic, which keeps service-to-service communication authenticated and encrypted.

Example configuration that lets the httpbin service accept both kinds of traffic:


 1 apiVersion: authentication.istio.io/v1alpha1
 2 kind: Policy
 3 metadata:
 4   name: httpbin
 5 spec:
 6   targets:
 7   - name: httpbin
 8   peers:
 9   - mtls:
10       mode: PERMISSIVE
11 ---
12 apiVersion: networking.istio.io/v1alpha3
13 kind: DestinationRule
14 metadata:
15   name: httpbin
16 spec:
17   host: "httpbin.default.svc.cluster.local"
18   trafficPolicy:
19     tls:
20       mode: ISTIO_MUTUAL

Line 10 sets the server-side mTLS mode of the httpbin service to PERMISSIVE, so it accepts both mTLS traffic and plain traffic that was never encrypted with mTLS. Lines 12 to 20 are the client side of the same setting: the DestinationRule with tls mode ISTIO_MUTUAL tells the sidecars of in-mesh callers to originate mTLS toward httpbin with the Istio-issued workload certificates. Without it, in-mesh callers (on Istio versions that do not auto-detect mTLS) would send plaintext too, which works under PERMISSIVE but fails as soon as the policy is switched to STRICT.

【Experiment】

1) Create the test Pods: one in the default namespace, where sidecar injection is enabled (the Pod shows 2/2 containers), and one in a new legacy namespace without injection (1/1), which stands in for a service that has not yet been migrated into the mesh:


$ kubectl apply -f kubernetes/dns-test.yaml
$ kubectl create ns legacy
$ kubectl apply -f kubernetes/dns-test.yaml -n legacy
$ kubectl get pod
NAME                         READY       STATUS        RESTARTS       AGE
dns-test                     2/2         Running       0              25s
$ kubectl get pod -n legacy
NAME                         READY       STATUS        RESTARTS       AGE
dns-test                     1/1         Running       0              24s

2) Deploy the httpbin service:


$ kubectl apply -f kubernetes/httpbin.yaml
$ kubectl get pod -l app=httpbin
NAME                         READY       STATUS        RESTARTS       AGE
httpbin-b67975b8f-vx4gb      2/2         Running       0              81s

3) Apply the policy that sets the httpbin service's mTLS mode to PERMISSIVE (the configuration listed above):


$ kubectl apply -f istio/security/mtls-httpbin-both.yaml

4) Access test, first from the in-mesh Pod and then from the legacy Pod:


$ kubectl exec dns-test -c dns-test -- curl -s http://httpbin.default:8000/headers
{
  "headers": {
    "Accept": "*/*", 
    "Content-Length": "0", 
    "Host": "httpbin.default:8000", 
    "User-Agent": "curl/7.35.0", 
    "X-B3-Sampled": "1", 
    "X-B3-Spanid": "98d45df0bd84370d", 
    "X-B3-Traceid": "98d45df0bd84370d", 
    "X-Request-Id": "794f2d8a-38e1-9037-835c-ed29e06e62f0"
  }
}
$ kubectl exec dns-test -c dns-test -n legacy -- curl -s http://httpbin.default:8000/headers
{
  "headers": {
    "Accept": "*/*", 
    "Content-Length": "0", 
    "Host": "httpbin.default:8000", 
    "User-Agent": "curl/7.35.0", 
    "X-B3-Sampled": "1", 
    "X-B3-Spanid": "a720bcba6c04c95c", 
    "X-B3-Traceid": "a720bcba6c04c95c", 
    "X-Request-Id": "96431a94-84f5-9ef5-9192-7d2323e5686e"
  }
}

5) Switch the httpbin service's mTLS mode to STRICT:


$ kubectl apply -f istio/security/mtls-httpbin-strict.yaml

6) Repeat the access test from both Pods:


$ kubectl exec dns-test -c dns-test -- curl -s http://httpbin.default:8000/headers
{
  "headers": {
    "Accept": "*/*", 
    "Content-Length": "0", 
    "Host": "httpbin.default:8000", 
    "User-Agent": "curl/7.35.0", 
    "X-B3-Sampled": "1", 
    "X-B3-Spanid": "eea1d828dbd22bd9", 
    "X-B3-Traceid": "eea1d828dbd22bd9", 
    "X-Request-Id": "feea08c3-c97f-9200-862b-df8297f83a7b"
  }
}
$ kubectl exec dns-test -c dns-test -n legacy -- curl -s http://httpbin.default:8000/headers
command terminated with exit code 56

The access tests lead to the following conclusion. When httpbin uses PERMISSIVE mTLS, both plain requests (from the legacy Pod, which has no sidecar) and mTLS requests (from the in-mesh Pod, whose sidecar originates mTLS) succeed. When httpbin uses STRICT mTLS, only the mTLS requests succeed and the plain requests fail: curl exits with code 56 (a receive error) because the httpbin sidecar closes the connection when plaintext arrives where it expects a TLS handshake. That exit code, rather than an HTTP error status, is what to look for when a caller breaks during the PERMISSIVE-to-STRICT switch.

7) Clean up:


$ kubectl delete ns legacy
$ kubectl delete -f kubernetes/dns-test.yaml
$ kubectl delete -f kubernetes/httpbin.yaml
$ kubectl delete -f istio/security/mtls-httpbin-strict.yaml
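The STRICT policy applied in step 5 is not listed on this page. The following is an added example, not the book's own mtls-httpbin-strict.yaml (whose exact contents are assumed here): it is the PERMISSIVE configuration above with the mode changed, keeping the DestinationRule so that in-mesh callers still originate mTLS. Because the authentication.istio.io/v1alpha1 Policy API used in this chapter was replaced by PeerAuthentication (security.istio.io/v1beta1) in Istio 1.5 and removed in 1.6, the equivalent in that newer API is included as well; apply whichever one your control plane serves, not both.

```yaml
# Added example: STRICT counterpart of the PERMISSIVE policy shown in this
# section. File name and contents are assumed; this is not the book's
# istio/security/mtls-httpbin-strict.yaml.
#
# --- Istio releases that serve authentication.istio.io/v1alpha1 ---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: httpbin
  namespace: default
spec:
  targets:
  - name: httpbin
  peers:
  - mtls:
      mode: STRICT          # only mTLS from a sidecar is accepted now
---
# Unchanged from the PERMISSIVE step: in-mesh clients must keep originating
# mTLS, otherwise their plaintext requests fail exactly like the legacy Pod's.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin
  namespace: default
spec:
  host: "httpbin.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# --- Equivalent on Istio 1.5 and later (security.istio.io/v1beta1) ---
# Use this instead of the Policy above on those releases. The selector
# targets the workload by label rather than by Service name; the label
# app=httpbin is the one the experiment's kubectl get pod filter uses.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: httpbin
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  mtls:
    mode: STRICT            # change back to PERMISSIVE to roll the switch back
```

Roll-out order matters: apply the DestinationRule (or confirm it already exists) before changing the mode to STRICT, re-run the step 6 probes from both Pods, and if any in-mesh caller now fails with curl exit code 56 it is sending plaintext, so fix its client-side TLS setting or revert the mode to PERMISSIVE until it is migrated.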