Istio traffic management and zero-trust security configuration

These are notes on part of the Istio traffic-governance configuration; they mostly follow the official documentation.

Traffic management

Connection pool management and circuit breaking

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  annotations:
    meta.helm.sh/release-name: mesh-demo
    meta.helm.sh/release-namespace: istio-system
  creationTimestamp: "2022-07-13T07:37:22Z"
  generation: 7
  labels:
    app.kubernetes.io/managed-by: Helm
  name: consumer
  namespace: demo-dubbo
  resourceVersion: "18084867"
  uid: 556f20f9-379e-4e1b-bb80-2f2206b0ffa4
spec:
  host: consumer
  subsets:
  - labels:
      version: v1
    name: v1
  - labels:
      version: v1
    name: baseline
  - labels:
      version: "655"
    name: "655"
  trafficPolicy:
    connectionPool:       ## connection pool settings
      http:
        http1MaxPendingRequests: 6
        http2MaxRequests: 4
        maxRequestsPerConnection: 9
        maxRetries: 3
      tcp:
        connectTimeout: 2000ms
        maxConnections: 11
    loadBalancer:           ## load balancing algorithm
      simple: LEAST_CONN
    outlierDetection:       ## circuit breaking (outlier detection)
      baseEjectionTime: 4s
      consecutive5xxErrors: 2
      consecutiveErrors: 2
      interval: 3s
      maxEjectionPercent: 30

Retries and timeouts

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  annotations:
    baseline: v1
    gray: "655"
  creationTimestamp: "2022-07-20T09:04:40Z"
  generation: 3
  name: consumer
  namespace: demo-dubbo
  resourceVersion: "17269866"
  uid: d9988797-445a-4cdb-9b3e-68856ff1bfe0
spec:
  hosts:
  - consumer
  http:
  - name: base
    retries:                ## retries
      attempts: 3
      retryOn: retriable-4xx,5xx
    route:
    - destination:
        host: consumer
        subset: baseline
    timeout: 1000ms             ## request timeout

Zero-trust security

Definition: establishing security on top of a network that is not trusted.

Mutual authentication:

Definition: enable mutual TLS authentication so that components communicate over encrypted connections.

A DestinationRule defines whether mutual TLS is enabled or disabled on the client side of connections to the host (the server side is controlled by PeerAuthentication, below).

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  annotations:
    meta.helm.sh/release-name: mesh-demo
    meta.helm.sh/release-namespace: istio-system
  creationTimestamp: "2022-07-13T07:37:22Z"
  generation: 10
  labels:
    app.kubernetes.io/managed-by: Helm
  name: provider
  namespace: demo
  resourceVersion: "18085099"
  uid: 1c3e0ef6-1751-4a68-8d5e-b7d487f2d1bd
spec:
  host: providers
  subsets:
  - labels:
      appversion: v1
    name: v1
  - labels:
      appversion: v2
    name: v2
  - labels:
      appversion: v22
    name: v22
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL   ## DISABLE = off, ISTIO_MUTUAL = on

PeerAuthentication

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  creationTimestamp: "2022-08-04T09:37:05Z"
  generation: 1
  name: consumer
  namespace: demo-dubbo
  resourceVersion: "18084866"
  uid: 4535fea1-4d0d-46e9-8ae9-8eac7f4d8a40
spec:
  mtls:
    mode: STRICT
  selector:
    matchLabels:
      app: consumer

Request authentication:

Definition: a JWT request-authentication policy that defines the access token carried in the request header and the information used to validate the JWT (issuer and key set).

RequestAuthentication

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  creationTimestamp: "2022-08-04T02:21:38Z"
  generation: 1
  name: consumer
  namespace: demo-dubbo
  resourceVersion: "17962899"
  uid: a63a0c33-cd8b-4c13-93e3-c4ae40f6cce0
spec:
  jwtRules:
  - issuer: testing@service.istio.co
    jwks: "{\n\t\"keys\": [{\n\t\t\"e\": \"AQBQ\",\n\t\t\"kid\": \"DHFbpolUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_envvQ\",\n\t\t\"kty\":
      \"RSA\",\n\t\t\"n\": \"xAE7B6qugXyCAG3yhh7pkDkT65pHym\"\n\t}]\n}"
  selector:
    matchLabels:
      app: consumer

Authorization policy:

Definition: used to check whether the access token in the request header is trusted, and to authorize requests from legitimate sources.

AuthorizationPolicy

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  creationTimestamp: "2022-08-04T02:21:38Z"
  generation: 2
  name: consumer
  namespace: demo-dubbo
  resourceVersion: "18057826"
  uid: 4c088af6-a510-4651-8883-383e3e47874d
spec:
  action: DENY
  rules:
  - from:
    - source:
        principals:
        - 1=1
    to:
    - operation:
        paths:
        - /add
    when:
    - key: destination.port
      values:
      - "8080"
  selector:
    matchLabels:
      app: consumer
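The three security resources above only give the intended protection when they agree with each other. The following is an added example, not code from the page or from the Istio project: a small consistency check over PeerAuthentication, DestinationRule, RequestAuthentication and AuthorizationPolicy objects, passed in as plain dicts (the shape yaml.safe_load would produce) so it needs no extra packages. The sample resources at the bottom are constructed to mirror the consumer objects above.

```python
# Added example (not from the page or the Istio project): a consistency check
# over the kinds of resources shown above, passed in as plain dicts
# (what yaml.safe_load would give) so that it needs no extra packages.

def _by_kind(resources, kind):
    return [r for r in resources if r.get("kind") == kind]

def check_zero_trust(resources):
    """Return findings for the security resources of one namespace."""
    findings = []
    strict = any(p["spec"].get("mtls", {}).get("mode") == "STRICT"
                 for p in _by_kind(resources, "PeerAuthentication"))
    # 1. Server side requires mTLS (STRICT) but a DestinationRule tells the
    #    client sidecar to send plaintext (DISABLE): every request fails.
    for dr in _by_kind(resources, "DestinationRule"):
        mode = dr["spec"].get("trafficPolicy", {}).get("tls", {}).get("mode")
        if strict and mode == "DISABLE":
            findings.append(f"tls DISABLE on DestinationRule {dr['metadata']['name']}"
                            " conflicts with PeerAuthentication STRICT")
    sources = [s.get("source", {})
               for ap in _by_kind(resources, "AuthorizationPolicy")
               for rule in ap["spec"].get("rules", [])
               for s in rule.get("from", [])]
    # 2. RequestAuthentication rejects only *invalid* JWTs; a request with no
    #    token passes unless an AuthorizationPolicy requires requestPrincipals.
    if _by_kind(resources, "RequestAuthentication") and not any(
            "requestPrincipals" in s or "notRequestPrincipals" in s for s in sources):
        findings.append("no AuthorizationPolicy requires requestPrincipals: "
                        "requests without a JWT are still accepted")

    # 3. source.principals comes from the peer certificate, so a rule on it
    #    never matches a plaintext caller unless mTLS is STRICT.
    if not strict and any("principals" in s or "notPrincipals" in s for s in sources):
        findings.append("AuthorizationPolicy matches on source.principals but "
                        "mTLS is not STRICT: plaintext callers have no principal")
    return findings

# Constructed sample mirroring the consumer objects above, with the tls mode
# deliberately set to DISABLE so that the first finding fires.
SAMPLE = [
    {"kind": "PeerAuthentication", "metadata": {"name": "consumer"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"kind": "DestinationRule", "metadata": {"name": "consumer"},
     "spec": {"host": "consumer", "trafficPolicy": {"tls": {"mode": "DISABLE"}}}},
    {"kind": "RequestAuthentication", "metadata": {"name": "consumer"},
     "spec": {"jwtRules": [{"issuer": "testing@service.istio.co"}]}},
    {"kind": "AuthorizationPolicy", "metadata": {"name": "consumer"},
     "spec": {"action": "DENY", "rules": [{"from": [{"source": {"principals": ["1=1"]}}]}]}},
]
```

Running check_zero_trust(SAMPLE) reports the DISABLE/STRICT conflict and the missing requestPrincipals rule; switching the DestinationRule to ISTIO_MUTUAL (as in the manifest above) leaves only the JWT finding.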
