问题现象
当服务受到攻击,或者只允许服务在某些 IP 下才可以访问的时候,通常的做法是为服务加上 IP 黑白名单。
解决方法
下面以 httpbin
为例,说明如何在 Istio
中使用 AuthorizationPolicy
为服务设置 IP 黑白名单。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# httpbin.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: httpbin
spec:
hosts:
- "httpbin.makeoptim.com"
gateways:
- gateway/makeoptim-gateway
http:
- route:
- destination:
port:
number: 8000
host: httpbin
---
apiVersion: v1
kind: Service
metadata:
name: httpbin
labels:
app: httpbin
spec:
ports:
- name: http
port: 8000
selector:
app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: httpbin
spec:
replicas: 1
selector:
matchLabels:
app: httpbin
version: v1
template:
metadata:
labels:
app: httpbin
version: v1
spec:
containers:
- image: docker.io/citizenstig/httpbin
imagePullPolicy: IfNotPresent
name: httpbin
ports:
- containerPort: 8000
部署完 httpbin
后,可以直接访问。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
❯ curl httpbin.makeoptim.com/get
{
"args": {},
"headers": {
"Accept": "*/*",
"Content-Length": "0",
"Host": "httpbin.makeoptim.com",
"User-Agent": "curl/7.64.1",
"X-B3-Parentspanid": "50419cd0b3ae983a",
"X-B3-Sampled": "0",
"X-B3-Spanid": "5a0bbd2e611fa59e",
"X-B3-Traceid": "33c8c481a13746c050419cd0b3ae983a",
"X-Envoy-Attempt-Count": "1",
"X-Envoy-External-Address": "38.75.137.213",
"X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/default/sa/default;Hash=abb1a2a76a04fe7476cd38738e98a228b39dbf6a88936fd249ee23839ec98234;Subject=\"\";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account",
"X-Request-Id": "2fe85688-cf60-4f61-b9bb-25e354625124"
},
"origin": "38.75.137.213",
"url": "http://httpbin.makeoptim.com/get"
}
下面,为 httpbin
服务添加 IP 黑名单,使得某些 IP 无法访问 httpbin
。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: ingress-policy
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
action: DENY
rules:
- from:
- source:
ipBlocks: ["38.75.137.213"]
to:
- operation:
hosts:
- httpbin.makeoptim.com
这里,我的 IP 是 38.75.137.213
,而在 AuthorizationPolicy
中,设置了 DENY
并指向 httpbin.makeoptim.com
。
这时,再次访问 httpbin.makeoptim.com
就会返回 RBAC: access denied
,表示已经成功设置了黑名单。
1
2
❯ curl httpbin.makeoptim.com/get
RBAC: access denied
注:
ipBlocks
可以支持单个 IP (e.g. “1.2.3.4”) 和 CIDR (e.g. “1.2.3.0/24”),详见 https://istio.io/latest/docs/reference/config/security/authorization-policy/#Source。上面的例子为设置黑名单,白名单其实也很简单,就是把
DENY
变成ALLOW
,更多的设置详见 https://istio.io/latest/docs/reference/config/security/authorization-policy/。
to/operation/hosts
可以指定某些host
,这样可以只对某些服务做黑白名单,而不影响到整个服务网格。
ALLOW
和DENY
可以多个组合使用来满足业务的需求,详见 https://istio.io/latest/docs/concepts/security/#authorization。