Learning objectives
What is PeerAuthentication
PeerAuthentication defines how traffic will be (mTLS) tunneled, or not, to the sidecar.
Resource fields
Field | Type | Description | Required
selector | WorkloadSelector | The selector determines the workloads to apply the PeerAuthentication on. If not set, the policy will be applied to all workloads in the same namespace as the policy. | No
mtls | MutualTLS | Mutual TLS settings for workload. If not defined, inherit from parent. | No
portLevelMtls | map<uint32, MutualTLS> | Port specific mutual TLS settings. | No
No selector
Mesh-wide scope
pa-default-global.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
For mesh level, put the policy in root-namespace according to your Istio installation.
With this policy in place, every workload in the mesh requires mTLS by default.
Disable mTLS towards productpage
dr-productpage-mtls-disable.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: productpage
spec:
  host: productpage
  subsets:
  - labels:
      version: v1
    name: v1
  trafficPolicy:
    tls:
      mode: DISABLE
Access fails: the DestinationRule makes client sidecars send plaintext to productpage, while the mesh-wide STRICT policy makes the productpage sidecar accept only mTLS connections.
Namespace scope
pa-default.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: STRICT
selector
pa-productpage-selector.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  mtls:
    mode: STRICT
mtls
PeerAuthentication.MutualTLS.Mode
Name | Description
UNSET | Inherit from parent, if has one. Otherwise treated as PERMISSIVE.
DISABLE | Connection is not tunneled.
PERMISSIVE | Connection can be either plaintext or mTLS tunnel.
STRICT | Connection is an mTLS tunnel (TLS with client cert must be presented).
mode
UNSET
pa-productpage-mode-UNSET.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  mtls:
    mode: UNSET
DISABLE
pa-productpage-mode-DISABLE.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  mtls:
    mode: DISABLE
PERMISSIVE
pa-productpage-mode-PERMISSIVE.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  mtls:
    mode: PERMISSIVE
STRICT
pa-productpage-mode-STRICT.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  mtls:
    mode: STRICT
portLevelMtls
pa-productpage-portLevelMtls.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  mtls:
    mode: STRICT
  portLevelMtls:
    9080:
      mode: DISABLE
Source: https://blog.51cto.com/u_11979904/5948171
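The examples above show three policy scopes (mesh, namespace, workload selector), the UNSET inheritance rule, a portLevelMtls override, and the failing case where a DestinationRule with tls.mode DISABLE meets a STRICT server. The following script is an added example, not code from the post or from Istio: it resolves the mode a sidecar will enforce for a workload and port from a set of policies written as dicts mirroring the YAML above, and checks the client/server combination. It assumes istio-system as the root namespace and the namespace "default" for the sample policies; the policy dicts are constructed.

```python
# Added example: effective PeerAuthentication mode resolution (not from the post).
# Precedence: workload policy (selector) > namespace-wide > mesh-wide > PERMISSIVE.
ROOT_NAMESPACE = "istio-system"  # assumption: default Istio root namespace

# Constructed policies mirroring the page's YAML; namespace "default" is assumed.
MESH_STRICT = {"metadata": {"name": "default", "namespace": ROOT_NAMESPACE},
               "spec": {"mtls": {"mode": "STRICT"}}}
PRODUCTPAGE_PORT = {"metadata": {"name": "productpage", "namespace": "default"},
                    "spec": {"selector": {"matchLabels": {"app": "productpage"}},
                             "mtls": {"mode": "STRICT"},
                             "portLevelMtls": {9080: {"mode": "DISABLE"}}}}

def _policy_mode(policy, port):
    """Mode one policy states for this port; None means UNSET (inherit)."""
    spec = policy["spec"]
    mode = "UNSET"
    if "selector" in spec:  # port-level settings only apply to workload policies
        mode = spec.get("portLevelMtls", {}).get(port, {}).get("mode", "UNSET")
    if mode == "UNSET":     # port-level UNSET falls back to the policy's mtls
        mode = spec.get("mtls", {}).get("mode", "UNSET")
    return None if mode == "UNSET" else mode

def effective_mode(policies, namespace, labels, port=None):
    """Walk the scopes from most to least specific; UNSET inherits from the next."""
    def selects(p):
        sel = p["spec"].get("selector", {}).get("matchLabels")
        return sel is not None and all(labels.get(k) == v for k, v in sel.items())
    def ns_wide(p, ns):
        return p["metadata"].get("namespace") == ns and "selector" not in p["spec"]
    levels = [
        [p for p in policies if p["metadata"].get("namespace") == namespace and selects(p)],
        [p for p in policies if ns_wide(p, namespace)],
        [p for p in policies if ns_wide(p, ROOT_NAMESPACE)],
    ]
    for level in levels:  # first matching policy at the most specific scope wins
        for policy in level:
            mode = _policy_mode(policy, port)
            if mode:
                return mode
    return "PERMISSIVE"   # no policy anywhere: Istio's default

def connection_ok(client_tls_mode, server_mode):
    """client_tls_mode is the DestinationRule tls.mode (DISABLE or ISTIO_MUTUAL).
    The page's failing case is DISABLE (plaintext) against a STRICT server."""
    if server_mode == "STRICT":
        return client_tls_mode == "ISTIO_MUTUAL"
    if server_mode == "DISABLE":
        return client_tls_mode == "DISABLE"
    return True  # PERMISSIVE accepts both plaintext and mTLS
```

Calling effective_mode([MESH_STRICT], "default", {"app": "productpage"}, 9080) yields STRICT, and connection_ok("DISABLE", "STRICT") is False, which is the failing DestinationRule case; adding PRODUCTPAGE_PORT turns port 9080 into DISABLE while other ports stay STRICT.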