备考ICA----Istio实验16—HTTP流量授权

1. 环境准备

kubectl apply -f istio/samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f istio/samples/bookinfo/networking/bookinfo-gateway.yaml

访问测试

curl -I http://192.168.126.220/productpage

2. 开启mtls

mtls/mtls-default.yaml

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:name: defaultnamespace: default
spec:mtls:mode: STRICT

部署生效

kubectl apply -f mtls/mtls-default.yaml

3. 拒绝请求

default名称空间,拒绝所有请求

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:name: deny-allnamespace: default

配置生效

kubectl apply -f mtls/allow-nothing.yaml

访问测试

curl -I http://192.168.126.220/productpage

此时访问被拒绝.返回码403

4. 允许请求

4.1 productpage允许请求

允许以get方式访问productpage
auth/productpage-viewer.yaml

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:name: productpage-viewernamespace: default
spec:selector:matchLabels:app: productpageaction: ALLOWrules:- to:- operation:methods: ["GET"]

部署生效

kubectl apply -f auth/productpage-viewer.yaml 

访问测试

4.2 details允许请求

创建details-viewer允许从productpage访问到details

kubectl get pods productpage-v1-675fc69cf-xlg4x -o yaml|grep -i serviceaccount

cluster.local 本地集群
ns/default 命名空间
sa/bookinfo-productpage sa账号

auth/details-viewer.yaml

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:name: details-viewernamespace: default
spec:selector:matchLabels:app: detailsaction: ALLOWrules:- from:- source:principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]to:- operation:methods: ["GET"]

部署生效

kubectl apply  -f auth/details-viewer.yaml

浏览器再次访问

4.3 reviews允许请求

创建reviews-viewer允许从productpage访问到reviews
auth/reviews-viewer.yaml

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:name: reviews-viewernamespace: default
spec:selector:matchLabels:app: reviewsaction: ALLOWrules:- from:- source:principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]to:- operation:methods: ["GET"]

部署生效

kubectl apply -f auth/reviews-viewer.yaml

此时reviews已经可以正常显示,但ratings还是有问题.

4.4 ratings允许请求

创建ratings-viewer允许从productpage访问到ratings
auth/ratings-viewer.yaml

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:name: ratings-viewernamespace: default
spec:selector:matchLabels:app: ratingsaction: ALLOWrules:- from:- source:principals: ["cluster.local/ns/default/sa/bookinfo-reviews"]to:- operation:methods: ["GET"]

部署生效

kubectl apply -f auth/ratings-viewer.yaml

再次访问,现在所有页面都能正常展示了

至此备考ICA----Istio实验16—HTTP流量授权实验完成