Istio 常见问题 - 如何为服务设置 IP 黑白名单

Read in English

问题现象

服务受到攻击,或者只允许服务在某些 IP 下才可以访问的时候,通常的做法是为服务加上 IP 黑白名单

解决方法

下面以 httpbin 为例,说明如何在 Istio 中使用 AuthorizationPolicy 为服务设置 IP 黑白名单。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# httpbin.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin.makeoptim.com"
  gateways:
  - gateway/makeoptim-gateway
  http:
  - route:
      - destination:
          port:
            number: 8000
          host: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 8000
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      containers:
      - image: docker.io/citizenstig/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 8000

部署完 httpbin 后,可以直接访问。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
❯ curl httpbin.makeoptim.com/get
{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Content-Length": "0", 
    "Host": "httpbin.makeoptim.com", 
    "User-Agent": "curl/7.64.1", 
    "X-B3-Parentspanid": "50419cd0b3ae983a", 
    "X-B3-Sampled": "0", 
    "X-B3-Spanid": "5a0bbd2e611fa59e", 
    "X-B3-Traceid": "33c8c481a13746c050419cd0b3ae983a", 
    "X-Envoy-Attempt-Count": "1", 
    "X-Envoy-External-Address": "38.75.137.213", 
    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/default/sa/default;Hash=abb1a2a76a04fe7476cd38738e98a228b39dbf6a88936fd249ee23839ec98234;Subject=\"\";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account", 
    "X-Request-Id": "2fe85688-cf60-4f61-b9bb-25e354625124"
  }, 
  "origin": "38.75.137.213", 
  "url": "http://httpbin.makeoptim.com/get"
}

下面,为 httpbin 服务添加 IP 黑名单,使得某些 IP 无法访问 httpbin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - from:
    - source:
       ipBlocks: ["38.75.137.213"]
    to:
    - operation:
        hosts:
        - httpbin.makeoptim.com

这里,我的 IP 是 38.75.137.213,而在 AuthorizationPolicy 中,设置了 DENY 并指向 httpbin.makeoptim.com

这时,再次访问 httpbin.makeoptim.com 就会返回 RBAC: access denied,表示已经成功设置了黑名单。

1
2
❯ curl httpbin.makeoptim.com/get
RBAC: access denied

注:

参考链接

延伸阅读

CatchZeng
Written by CatchZeng Follow
AI (Machine Learning) and DevOps enthusiast.