Whitelists and blacklists are used to allow or deny access to microservices inside the Service Mesh. At the time of writing Istio supports whitelists and blacklists keyed on service name, service attributes and IP address, implemented through Mixer policy handlers. Two caveats a practitioner should keep in mind: these rules are only evaluated when Mixer policy checks are enabled in the mesh configuration (disablePolicyChecks: false), otherwise they are silently ignored; and a list keyed on source.labels["app"], as below, trusts a pod label rather than a cryptographic workload identity, so any pod in the mesh carrying the label app: customer passes the same checks. The config.istio.io/v1alpha2 objects shown here are Mixer resources, which were deprecated in Istio 1.5 and removed in 1.7; on current releases the equivalent is an AuthorizationPolicy.
Environment preparation: before starting, make sure the environment is in the same state as at the end of 《OpenShift 4 之Istio-Tutorial (2) 部署三個微服務》 (deploying the three microservices): only the three microservices, the VirtualService and the Gateway are deployed, and there is no DestinationRule.
The whitelist only allows the three services to call each other along the chain customer -> preference -> recommendation: customer is on the whitelist of callers allowed to reach preference, and preference is on the whitelist of callers allowed to reach recommendation.
1. Examine the file istiofiles/acl-whitelist.yml.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: preferencewhitelist
spec:
  compiledAdapter: listchecker
  params:
    # callers allowed to reach recommendation
    overrides: ["preference"]
    blacklist: false
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: checkfrompreference
spec:
  # applies to requests whose destination pod carries app=recommendation
  match: destination.labels["app"] == "recommendation"
  actions:
  - handler: preferencewhitelist
    instances:
    - appsource
---
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: customerwhitelist
spec:
  compiledAdapter: listchecker
  params:
    # callers allowed to reach preference
    overrides: ["customer"]
    blacklist: false
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: checkfromcustomer
spec:
  # applies to requests whose destination pod carries app=preference
  match: destination.labels["app"] == "preference"
  actions:
  - handler: customerwhitelist
    instances:
    - appsource
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: appsource
spec:
  compiledTemplate: listentry
  params:
    # the value checked against the list: the caller pod's app label
    value: source.labels["app"]
2. Create the objects defined in istiofiles/acl-whitelist.yml.
$ oc create -f istiofiles/acl-whitelist.yml
handler.config.istio.io/preferencewhitelist created
rule.config.istio.io/checkfrompreference created
handler.config.istio.io/customerwhitelist created
rule.config.istio.io/checkfromcustomer created
instance.config.istio.io/appsource created
3. Open a shell in the container of the Pod running the customer microservice and use curl to call preference and recommendation in turn. From the customer container the recommendation service cannot be reached, while the preference service can.
$ oc exec -it $(oc get pods |grep customer|awk '{ print $1 }'|head -1) -c customer /bin/bash
bash-4.4$ curl preference:8080
preference => recommendation v1 from '67976848-4l4s7': 8366
bash-4.4$ curl recommendation:8080
PERMISSION_DENIED:preferencewhitelist.user1-tutorial:customer is not whitelisted
bash-4.4$ exit
exit
4. Delete the whitelist objects so that they do not interfere with the blacklist test that follows.
$ oc delete -f istiofiles/acl-whitelist.yml
The blacklist denies access from customer to preference, i.e. customer is on the blacklist of callers to preference.
1. Examine the file istiofiles/acl-blacklist.yml.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: denycustomerhandler
spec:
  compiledAdapter: denier
  params:
    status:
      # gRPC status code 7 = PERMISSION_DENIED
      code: 7
      message: Not allowed
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: denycustomerrequests
spec:
  # the denier needs no attribute value; checknothing is an empty template
  compiledTemplate: checknothing
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: denycustomer
spec:
  # only requests from app=customer to app=preference are denied
  match: destination.labels["app"] == "preference" && source.labels["app"]=="customer"
  actions:
  - handler: denycustomerhandler
    instances: [ denycustomerrequests ]
2. Run the following command to create the blacklist from customer to preference.
$ oc create -f istiofiles/acl-blacklist.yml
3. Open a shell in the container running the customer service and call the preference service. The call fails with a PERMISSION_DENIED error, showing that the blacklist is in effect.
$ oc exec -it $(oc get pods |grep customer|awk '{ print $1 }'|head -1) -c customer /bin/bash
bash-4.4$ curl preference:8080
PERMISSION_DENIED:denycustomerhandler.user1-tutorial:Not allowed
bash-4.4$ exit
4. Open a shell in the container running the recommendation service and call the preference service. The call succeeds, because the rule only matches requests whose source is customer; there is no blacklist entry covering recommendation -> preference.
$ oc exec -it $(oc get pods |grep recommendation|awk '{ print $1 }'|head -1) -c recommendation /bin/bash
bash-4.2$ curl preference:8080
preference => recommendation v1 from '67976848-4l4s7': 8384
bash-4.4$ exit
$ oc delete -f istiofiles/acl-blacklist.yml
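To make concrete how the three Mixer object kinds on this page compose (a rule selects requests by its match expression, an instance extracts the attribute to check, and a handler decides), here is an added Python model that evaluates both acl-whitelist.yml and acl-blacklist.yml against the four caller/callee pairs exercised above. It is example code written for this page, not Istio or Mixer source; it assumes only the two label attributes the page's expressions read, supports only the `attr == "literal"` and `&&` forms the page uses, and omits the namespace suffix (`.user1-tutorial`) that Mixer appends to the handler name in its error message.

```python
"""Model of Mixer listchecker/denier policy evaluation for the page's two ACLs.

Added example, not Istio/Mixer code. Models only what the page's YAML uses.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Attributes = Dict[str, str]  # Mixer attribute name -> value


def request(source_app: str, destination_app: str) -> Attributes:
    """The two attributes the page's expressions read, populated as Mixer's
    kubernetesenv adapter would from the caller's and callee's pod labels."""
    return {'source.labels["app"]': source_app,
            'destination.labels["app"]': destination_app}


@dataclass
class Handler:
    name: str
    adapter: str                                         # compiledAdapter: listchecker | denier
    overrides: List[str] = field(default_factory=list)   # listchecker: the list itself
    blacklist: bool = False                              # listchecker: invert list membership
    message: str = "Not allowed"                         # denier: status.message


@dataclass
class Instance:
    name: str
    template: str                 # compiledTemplate: listentry | checknothing
    value: Optional[str] = None   # listentry: attribute expression to look up


@dataclass
class Rule:
    name: str
    match: str
    handler: str
    instances: List[str]


_TERM = re.compile(r'^\s*([\w.]+\["\w+"\])\s*==\s*"([^"]*)"\s*$')


def match_expr(expr: str, a: Attributes) -> bool:
    """Evaluate the subset of Mixer's expression language used on the page:
    `attr == "literal"` terms joined by `&&`. Anything else is rejected."""
    for term in expr.split("&&"):
        m = _TERM.match(term)
        if m is None:
            raise ValueError(f"unsupported expression: {term!r}")
        attr, literal = m.groups()
        if a.get(attr) != literal:
            return False
    return True


def run_action(handler: Handler, inst: Instance, a: Attributes) -> Tuple[bool, str]:
    """One action of a matching rule: the handler applied to one instance."""
    if handler.adapter == "denier":
        return False, f"{handler.name}:{handler.message}"
    if handler.adapter == "listchecker":
        entry = a.get(inst.value, "")
        listed = entry in handler.overrides
        if handler.blacklist:
            return (False, f"{handler.name}:{entry} is blacklisted") if listed else (True, "")
        return (True, "") if listed else (False, f"{handler.name}:{entry} is not whitelisted")
    raise ValueError(f"unsupported adapter: {handler.adapter}")


def authorize(rules: List[Rule], handlers: Dict[str, Handler],
              instances: Dict[str, Instance], a: Attributes) -> Tuple[bool, str]:
    """Mixer check semantics: a request passes only if every action of every
    rule whose match expression holds allows it; the first denial wins."""
    for rule in rules:
        if not match_expr(rule.match, a):
            continue
        for name in rule.instances:
            ok, why = run_action(handlers[rule.handler], instances[name], a)
            if not ok:
                return False, "PERMISSION_DENIED:" + why
    return True, "OK"


# acl-whitelist.yml transcribed into the model.
WHITELIST = dict(
    handlers={h.name: h for h in [
        Handler("preferencewhitelist", "listchecker", ["preference"]),
        Handler("customerwhitelist", "listchecker", ["customer"])]},
    instances={"appsource": Instance("appsource", "listentry", 'source.labels["app"]')},
    rules=[Rule("checkfrompreference", 'destination.labels["app"] == "recommendation"',
                "preferencewhitelist", ["appsource"]),
           Rule("checkfromcustomer", 'destination.labels["app"] == "preference"',
                "customerwhitelist", ["appsource"])])

# acl-blacklist.yml transcribed into the model.
BLACKLIST = dict(
    handlers={"denycustomerhandler": Handler("denycustomerhandler", "denier")},
    instances={"denycustomerrequests": Instance("denycustomerrequests", "checknothing")},
    rules=[Rule("denycustomer",
                'destination.labels["app"] == "preference" && source.labels["app"]=="customer"',
                "denycustomerhandler", ["denycustomerrequests"])])


def decide(policy: dict, source_app: str, destination_app: str) -> Tuple[bool, str]:
    """Evaluate one caller -> callee request under one of the page's policies."""
    return authorize(policy["rules"], policy["handlers"], policy["instances"],
                     request(source_app, destination_app))


if __name__ == "__main__":
    pairs = [("customer", "preference"), ("customer", "recommendation"),
             ("preference", "recommendation"), ("recommendation", "preference")]
    for label, policy in (("whitelist", WHITELIST), ("blacklist", BLACKLIST)):
        for src, dst in pairs:
            print(f"{label}: {src} -> {dst}: {decide(policy, src, dst)[1]}")
```

Running the block reproduces the transcripts above: under the whitelist customer -> preference is allowed and customer -> recommendation is rejected with "customer is not whitelisted"; under the blacklist customer -> preference is rejected with "Not allowed" while recommendation -> preference passes because no rule matches. Since the model keys on the same label attribute as the real policy, it also shows the weakness noted at the top of the page: any source whose app label is "customer" gets the same answer, whatever pod it actually is.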