Accessing an external proxy from the Istio egress gateway
I'd need to tightly control all traffic to external sites from the applications in the K8S namespace. As the K8S NetworkPolicy objects allow specifying target IP addresses only, we'd prefer using Istio to manage the outgoing traffic so that we can use hostnames instead of CIDRs to configure our external services. Furthermore, we have an enterprise-wide proxy which must be used for all traffic to the internet.
Following https://istio.io/latest/docs/tasks/traffic-management/egress/http-proxy/ we managed to get the sidecar of the pod (with the proper environment variables HTTP_PROXY etc. set) to access the internet via the corporate proxy. This means that the communication POD --> sidecar --> proxy --> external site works. However, in this case the Istio egress gateway is bypassed.
What we'd need, however, is the following communication path: POD --> sidecar --> Istio egress gateway --> proxy --> external site.
Our current setup is the following:
- The PODs have the HTTP_PROXY env. variable set to proxy.int.xxx.zz:8080
- We have the following yamls applied:
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: proxylb
spec:
  hosts:
  - proxy.int.xxx.zz
  ports:
  - number: 8080
    name: tcp
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: cnn
spec:
  hosts:
  - edition.cnn.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: orf
spec:
  hosts:
  - www.orf.at
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - edition.cnn.com
    - www.orf.at
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - edition.cnn.com
    - www.orf.at
    tls:
      mode: PASSTHROUGH
  - port:
      number: 8080
      name: tcp
      protocol: TCP
    hosts:
    - proxy.int.xxx.zz
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-egressgateway
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: cnn
  - name: orf
  - name: proxylb
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-cnn-through-egress-gateway
spec:
  hosts:
  - edition.cnn.com
  gateways:
  - mesh
  - istio-egressgateway
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - edition.cnn.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: cnn
        port:
          number: 443
  - match:
    - gateways:
      - istio-egressgateway
      port: 443
      sniHosts:
      - edition.cnn.com
    route:
    - destination:
        host: edition.cnn.com
        port:
          number: 443
      weight: 100
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: cnn
        port:
          number: 80
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: edition.cnn.com
        port:
          number: 80
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-orf-through-egress-gateway
spec:
  hosts:
  - www.orf.at
  gateways:
  - mesh
  - istio-egressgateway
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - www.orf.at
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: orf
        port:
          number: 443
  - match:
    - gateways:
      - istio-egressgateway
      port: 443
      sniHosts:
      - www.orf.at
    route:
    - destination:
        host: www.orf.at
        port:
          number: 443
      weight: 100
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: orf
        port:
          number: 80
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: www.orf.at
        port:
          number: 80
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-proxylb-through-egress-gateway
spec:
  hosts:
  - proxy.int.xxx.zz
  gateways:
  - mesh
  - istio-egressgateway
  tcp:
  - match:
    - gateways:
      - mesh
      port: 8080
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: proxylb
        port:
          number: 8080
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 8080
    route:
    - destination:
        host: proxy.int.xxx.zz
        port:
          number: 8080
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: trilateral
spec:
  egress:
  - hosts:
    - "./*"
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
However, when running curl we get:
curl -k -I https://istio.io
curl: (56) Recv failure: Connection reset by peer
Should this setup work? What is missing?
Thanks a lot in advance for any hint.
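A static consistency check over the kind of egress configuration posted above, as an added example that is not the poster's code and does not diagnose the reported connection reset. It renders the question's manifests as Python dicts (constructed and trimmed to the fields the checks need; the orf objects are left out) and verifies the invariants that an egress-control setup with outboundTrafficPolicy REGISTRY_ONLY depends on: every VirtualService bound to the egress Gateway matches a port and host the Gateway actually serves, every subset referenced in a route is defined in the DestinationRule, every external destination has a ServiceEntry, and the destination the sidecar actually sees (the proxy, when the client is configured to use one, since the client opens its TCP connection to the proxy rather than to the final host) is a registered host. The function names and the dict rendering are this example's own assumptions.

```python
"""Static consistency checks for an Istio egress-gateway setup (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the question's manifests rendered as dicts and trimmed to
# the fields the checks need (the orf objects are left out for brevity).
MANIFESTS: List[Dict] = [
    {"kind": "ServiceEntry", "metadata": {"name": "proxylb"},
     "spec": {"hosts": ["proxy.int.xxx.zz"], "location": "MESH_EXTERNAL",
              "ports": [{"number": 8080, "name": "tcp", "protocol": "TCP"}]}},
    {"kind": "ServiceEntry", "metadata": {"name": "cnn"},
     "spec": {"hosts": ["edition.cnn.com"],
              "ports": [{"number": 80, "name": "http-port", "protocol": "HTTP"},
                        {"number": 443, "name": "tls", "protocol": "TLS"}]}},
    {"kind": "Gateway", "metadata": {"name": "istio-egressgateway"},
     "spec": {"servers": [
         {"port": {"number": 80, "protocol": "HTTP"},
          "hosts": ["edition.cnn.com", "www.orf.at"]},
         {"port": {"number": 443, "protocol": "TLS"},
          "hosts": ["edition.cnn.com", "www.orf.at"], "tls": {"mode": "PASSTHROUGH"}},
         {"port": {"number": 8080, "protocol": "TCP"}, "hosts": ["proxy.int.xxx.zz"]}]}},
    {"kind": "DestinationRule", "metadata": {"name": "istio-egressgateway"},
     "spec": {"host": "istio-egressgateway.istio-system.svc.cluster.local",
              "subsets": [{"name": "cnn"}, {"name": "orf"}, {"name": "proxylb"}]}},
    {"kind": "VirtualService", "metadata": {"name": "direct-proxylb-through-egress-gateway"},
     "spec": {"hosts": ["proxy.int.xxx.zz"], "gateways": ["mesh", "istio-egressgateway"],
              "tcp": [
                  {"match": [{"gateways": ["mesh"], "port": 8080}],
                   "route": [{"destination": {
                       "host": "istio-egressgateway.istio-system.svc.cluster.local",
                       "subset": "proxylb", "port": {"number": 8080}}}]},
                  {"match": [{"gateways": ["istio-egressgateway"], "port": 8080}],
                   "route": [{"destination": {"host": "proxy.int.xxx.zz",
                                              "port": {"number": 8080}}}]}]}},
    {"kind": "Sidecar", "metadata": {"name": "trilateral"},
     "spec": {"egress": [{"hosts": ["./*"]}],
              "outboundTrafficPolicy": {"mode": "REGISTRY_ONLY"}}},
]


def by_kind(manifests: List[Dict], kind: str) -> List[Dict]:
    return [m for m in manifests if m["kind"] == kind]


def registered_hosts(manifests: List[Dict]) -> set:
    """Hosts the sidecar knows about: every ServiceEntry host."""
    return {h for se in by_kind(manifests, "ServiceEntry") for h in se["spec"]["hosts"]}


def effective_destination(host: str, port: int, proxy: Optional[str] = None) -> Tuple[str, int]:
    """Destination the sidecar sees. A client configured with a proxy (curl reads
    http_proxy for http:// and https_proxy for https:// URLs) opens its TCP
    connection to the proxy, so the sidecar never sees the final host."""
    if proxy:
        proxy_host, _, proxy_port = proxy.rpartition(":")
        return proxy_host, int(proxy_port)
    return host, port


def lint(manifests: List[Dict], proxy: Optional[str] = None,
         targets: List[Tuple[str, int]] = ()) -> List[str]:
    findings: List[str] = []
    known = registered_hosts(manifests)
    # (port, host) pairs each Gateway exposes
    servers = {gw["metadata"]["name"]: {(s["port"]["number"], h)
                                        for s in gw["spec"]["servers"] for h in s["hosts"]}
               for gw in by_kind(manifests, "Gateway")}
    # subsets each DestinationRule defines
    subsets = {dr["spec"]["host"]: {s["name"] for s in dr["spec"].get("subsets", [])}
               for dr in by_kind(manifests, "DestinationRule")}

    for vs in by_kind(manifests, "VirtualService"):
        name = vs["metadata"]["name"]
        for proto in ("http", "tls", "tcp"):
            for rule in vs["spec"].get(proto, []):
                for m in rule.get("match", []):
                    for gw in m.get("gateways", []):
                        if gw == "mesh" or m.get("port") is None:
                            continue  # sidecar-side match, or no port to check
                        for h in vs["spec"]["hosts"]:
                            if (m["port"], h) not in servers.get(gw, set()):
                                findings.append(f"{name}: Gateway {gw} has no server for {h}:{m['port']}")
                for r in rule.get("route", []):
                    d = r["destination"]
                    if "subset" in d and d["subset"] not in subsets.get(d["host"], set()):
                        findings.append(f"{name}: subset {d['subset']} missing in DestinationRule for {d['host']}")
                    if not d["host"].endswith(".svc.cluster.local") and d["host"] not in known:
                        findings.append(f"{name}: destination {d['host']} has no ServiceEntry")

    # REGISTRY_ONLY: the sidecar sends unregistered destinations to BlackHoleCluster
    registry_only = any(sc["spec"].get("outboundTrafficPolicy", {}).get("mode") == "REGISTRY_ONLY"
                        for sc in by_kind(manifests, "Sidecar"))
    for host, port in targets:
        eff_host, eff_port = effective_destination(host, port, proxy)
        if registry_only and eff_host not in known:
            findings.append(f"sidecar would send {eff_host}:{eff_port} to BlackHoleCluster "
                            "(REGISTRY_ONLY, no ServiceEntry)")
    return findings


if __name__ == "__main__":
    for finding in lint(MANIFESTS, proxy="proxy.int.xxx.zz:8080", targets=[("istio.io", 443)]):
        print(finding)
```

Run against the posted manifests with the proxy configured, the check finds nothing: from the sidecar's point of view the request for istio.io is a TCP connection to proxy.int.xxx.zz:8080, which is registered and routed through the gateway. Drop the proxy setting, or the proxylb ServiceEntry, and the REGISTRY_ONLY finding appears, which is the property the setup relies on for egress control. It only checks the declared configuration; what the gateway and the proxy actually do with the connection has to be read from the egress gateway pod's access logs.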