Background
Istio mTLS encrypts the traffic between pods, which makes it more secure. This is a short note on how to use it.
Example
Prepare the environment
apiVersion: v1
kind: Namespace
metadata:
  name: demo-1
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: demo-1
  name: demo-1
  namespace: demo-1
spec:
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: demo-1
---
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: demo-1
  namespace: demo-1
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 8080
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: demo-1
  namespace: demo-1
spec:
  gateways:
  - demo-1
  hosts:
  - demo-1.com
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: demo-1
        port:
          number: 80
        subset: v1
---
apiVersion: v1
kind: Service
metadata:
  name: demo-1
  namespace: demo-1
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: demo-1
Verify without mTLS
host=$(kubectl get svc -n istio-system istio-ingressgateway -o jsonpath='{.spec.clusterIP}')
curl -H 'Host: demo-1.com' "$host"
Configure mTLS
PERMISSIVE does not enforce mTLS: plaintext (non-mTLS) traffic is still allowed.
STRICT enforces mTLS: non-mTLS traffic is rejected with an error.
This experiment uses STRICT (enforced mTLS).
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: demo-1
spec:
  mtls:
    mode: STRICT
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: demo-1
  namespace: demo-1
spec:
  host: demo-1
  subsets:
  - labels:
      app: demo-1
    name: v1
Verify with mTLS
host=$(kubectl get svc -n istio-system istio-ingressgateway -o jsonpath='{.spec.clusterIP}')
curl -H 'Host: demo-1.com' "$host"
Additional notes
In practice, mTLS should be rolled out in stages:
Stage 1: PeerAuthentication mode set to PERMISSIVE, DestinationRule tls mode set to DISABLE
Stage 2: PeerAuthentication mode set to PERMISSIVE, DestinationRule tls mode set to ISTIO_MUTUAL
Stage 3: PeerAuthentication mode set to STRICT, DestinationRule tls mode set to ISTIO_MUTUAL
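As an added example (constructed here, not part of the original post), these are the two resources for stage 2 of the rollout above, written for the demo-1 namespace: the PeerAuthentication stays PERMISSIVE on the server side while the DestinationRule's trafficPolicy switches client sidecars to ISTIO_MUTUAL; the comments mark the single field that changes for stages 1 and 3.

```yaml
# Stage 2 of the staged mTLS rollout (constructed example, not from the post).
# Stage 1: keep mode PERMISSIVE below, but set tls.mode DISABLE in the DestinationRule.
# Stage 3: change mode to STRICT below, tls.mode stays ISTIO_MUTUAL.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: demo-1
spec:
  mtls:
    # Server side: accept both mTLS and plaintext, so clients that
    # have not been switched yet keep working during the migration.
    mode: PERMISSIVE
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: demo-1
  namespace: demo-1
spec:
  host: demo-1
  trafficPolicy:
    tls:
      # Client side: sidecars originate mTLS to demo-1 using
      # Istio-issued workload certificates.
      mode: ISTIO_MUTUAL
  subsets:
  - name: v1
    labels:
      app: demo-1
```

Apply each stage with kubectl apply -f and re-run the curl check from above before moving on; only after stage 2 traffic succeeds is it safe to switch the PeerAuthentication to STRICT.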