备考ICA----Istio实验17---TCP流量授权

发布于：2024-04-08 ⋅ 阅读:(108) ⋅ 点赞:(0)

备考ICA----Istio实验17—TCP流量授权

1. 环境准备

1.1 环境部署

kubectl apply -f <(istioctl kube-inject -f istio/samples/tcp-echo/tcp-echo.yaml) -n kim
kubectl apply -f <(istioctl kube-inject -f istio/samples/sleep/sleep.yaml) -n kim

1.2 测试环境

检测环境的9000和9001端口

kubectl exec deploy/sleep -n kim \
    -- sh -c 'echo "port 9000" \
    | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
kubectl exec deploy/sleep -n kim \
    -- sh -c 'echo "port 9001" \
    | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'

在这里插入图片描述

2. 允许策略

放行kim命名空间下,tcp-echo的9000和90001访问
auth/tcp-policy-allow-all.yaml

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: tcp-policy
  namespace: kim
spec:
  selector:
    matchLabels:
      app: tcp-echo
  action: ALLOW
  rules:
  - to:
    - operation:
        ports: ["9000", "9001"]

访问测试

kubectl exec deploy/sleep -n kim \
    -- sh -c 'echo "port 9000" \
    | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
kubectl exec deploy/sleep -n kim \
    -- sh -c 'echo "port 9001" \
    | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'

在这里插入图片描述

3. 仅允许9000端口被访问

auth/tcp-policy-allow-9000-get.yaml

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: tcp-policy
  namespace: foo
spec:
  selector:
    matchLabels:
      app: tcp-echo
  action: ALLOW
  rules:
  - to:
    - operation:
        ports: ["9000"]

访问测试

kubectl exec deploy/sleep -n kim \
    -- sh -c 'echo "port 9000" \
    | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
kubectl exec deploy/sleep -n kim \
    -- sh -c 'echo "port 9001" \
    | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'

在这里插入图片描述
可以看到之前9000可以被正常访问,9001访问被拒绝

4. 仅禁止9000端口访问

auth/tcp-policy-deny-9000-get.yaml

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: tcp-policy
  namespace: kim
spec:
  selector:
    matchLabels:
      app: tcp-echo
  action: DENY
  rules:
  - to:
    - operation:
        ports: ["9000"]

访问测试

kubectl exec deploy/sleep -n kim \
    -- sh -c 'echo "port 9000" \
    | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
kubectl exec deploy/sleep -n kim \
    -- sh -c 'echo "port 9001" \
    | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'

可以看到我们仅限制了9000端口,当访问9000端口时访问被拒绝,当访问9001端口,请求被响应
在这里插入图片描述
至此备考ICA----Istio实验17—TCP流量授权实验完成

备考ICA----Istio实验17---TCP流量授权

备考ICA----Istio实验17—TCP流量授权

1. 环境准备

1.1 环境部署

1.2 测试环境

2. 允许策略

3. 仅允许9000端口被访问

4. 仅禁止9000端口访问

网站公告

今日签到

热门文章

最新发布