OpenShift 4 Istio-Tutorial (10): Access Whitelists and Blacklists

This OpenShift Service Mesh tutorial series is based on the Red Hat publication "Introducing Istio Service Mesh for Microservices"; I have verified every step in an OpenShift 4.2.x environment. Readers who prefer English, or who want more background on the scenarios, can download the book through the link above and read it at their leisure.

Whitelists and blacklists allow or deny access to microservices within the Service Mesh. Istio currently supports whitelists and blacklists keyed on service name, service attributes, and IP address.

Environment preparation: before starting, make sure the environment is in the same state as at the end of "OpenShift 4 Istio-Tutorial (2): Deploying Three Microservices": only the three microservices, the VirtualService and the Gateway are deployed, with no DestinationRule.

Whitelist

Only allow the three services to call each other along the chain customer->preference->recommendation: customer is on the whitelist of callers permitted to reach preference, and preference is on the whitelist of callers permitted to reach recommendation.

  1. Review the istiofiles/acl-whitelist.yml file.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: preferencewhitelist
spec:
  compiledAdapter: listchecker
  params:
    overrides: ["preference"]
    blacklist: false
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: checkfrompreference
spec:
  match: destination.labels["app"] == "recommendation"
  actions:
  - handler: preferencewhitelist
    instances:
    - appsource
---
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: customerwhitelist
spec:
  compiledAdapter: listchecker
  params:
    overrides: ["customer"]
    blacklist: false
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: checkfromcustomer
spec:
  match: destination.labels["app"] == "preference"
  actions:
  - handler: customerwhitelist
    instances:
    - appsource
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: appsource
spec:
  compiledTemplate: listentry
  params:
    value: source.labels["app"]
  2. Create the objects defined in istiofiles/acl-whitelist.yml.
$ oc create -f istiofiles/acl-whitelist.yml
handler.config.istio.io/preferencewhitelist created
rule.config.istio.io/checkfrompreference created
handler.config.istio.io/customerwhitelist created
rule.config.istio.io/checkfromcustomer created
instance.config.istio.io/appsource created
  3. Enter the container of the Pod running the customer microservice, then use curl to access preference and recommendation in turn. The recommendation service cannot be reached from the customer container, but the preference service can.
$ oc exec -it $(oc get pods |grep customer|awk '{ print $1 }'|head -1) -c customer /bin/bash
bash-4.4$ curl preference:8080
preference => recommendation v1 from '67976848-4l4s7': 8366
bash-4.4$ curl recommendation:8080
PERMISSION_DENIED:preferencewhitelist.user1-tutorial:customer is not whitelisted
bash-4.4$ exit
exit
  4. Delete the whitelist.
$ oc delete -f istiofiles/acl-whitelist.yml

Blacklist

Deny access from customer to preference: customer is on the blacklist of callers for preference.

  1. Review the istiofiles/acl-blacklist.yml file.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: denycustomerhandler
spec:
  compiledAdapter: denier
  params:
    status:
      code: 7
      message: Not allowed
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: denycustomerrequests
spec:
  compiledTemplate: checknothing
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: denycustomer
spec:
  match: destination.labels["app"] == "preference" && source.labels["app"]=="customer"
  actions:
  - handler: denycustomerhandler
    instances: [ denycustomerrequests ]
  2. Run the following command to create the blacklist from customer to preference.
$ oc create -f istiofiles/acl-blacklist.yml
  3. Run the following commands to enter the container running the customer service, then access the preference service. A PERMISSION_DENIED error is returned, showing that the blacklist is in effect.
$ oc exec -it $(oc get pods |grep customer|awk '{ print $1 }'|head -1) -c customer /bin/bash
bash-4.4$ curl preference:8080
PERMISSION_DENIED:denycustomerhandler.user1-tutorial:Not allowed
bash-4.4$ exit
  4. Run the following commands to enter the container running the recommendation service, then access the preference service. The call succeeds, because there is no blacklist between preference and recommendation.
$ oc exec -it $(oc get pods |grep recommendation|awk '{ print $1 }'|head -1) -c recommendation /bin/bash
bash-4.2$ curl preference:8080
preference => recommendation v1 from '67976848-4l4s7': 8384
bash-4.4$ exit
  5. Delete the blacklist to restore the environment.
$ oc delete -f istiofiles/acl-blacklist.yml
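To make the semantics of the two policy files concrete, the following is an added example (not code from the tutorial or from Istio) that re-implements, in plain Python, how Mixer evaluates the listchecker handler behind acl-whitelist.yml and the denier handler behind acl-blacklist.yml. The rule match expressions, override lists, status message and the namespace string user1-tutorial are copied from the YAML and output shown above; the Request, Rule and evaluate names, and the label-only attribute model, are assumptions of this example.

```python
"""
Toy evaluator for the Mixer listchecker / denier policies used in this tutorial.
Constructed example: it mirrors the attribute matching and handler semantics in
plain Python so the two YAML files can be reasoned about offline. It is not
Istio code and does not parse the YAML itself.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

NAMESPACE = "user1-tutorial"  # namespace shown in the tutorial's error output
Labels = Dict[str, str]


@dataclass
class Request:
    """The subset of Mixer attributes that the tutorial's rules read."""
    source: Labels       # source.labels
    destination: Labels  # destination.labels


@dataclass
class ListChecker:
    """Mirrors compiledAdapter: listchecker with a static `overrides` list."""
    name: str
    overrides: List[str]
    blacklist: bool = False

    def check(self, value: Optional[str]) -> Tuple[bool, str]:
        listed = value in self.overrides
        if self.blacklist:  # listed entries are rejected
            return (False, f"{self.name}.{NAMESPACE}:{value} is blacklisted") if listed else (True, "")
        # whitelist mode: only listed entries are accepted
        return (True, "") if listed else (False, f"{self.name}.{NAMESPACE}:{value} is not whitelisted")


@dataclass
class Denier:
    """Mirrors compiledAdapter: denier; rejects every request it is asked about."""
    name: str
    code: int
    message: str

    def check(self, value: Optional[str]) -> Tuple[bool, str]:
        return False, f"{self.name}.{NAMESPACE}:{self.message}"


@dataclass
class Rule:
    """One `kind: rule`: a match expression, the handler and the instance fed to it."""
    name: str
    match: Callable[[Request], bool]
    handler: object
    instance: Callable[[Request], Optional[str]]  # listentry value, or checknothing


def appsource(req: Request) -> Optional[str]:
    """Instance `appsource` (template listentry): value is source.labels["app"]."""
    return req.source.get("app")


def checknothing(req: Request) -> Optional[str]:
    """Instance `denycustomerrequests` (template checknothing) carries no value."""
    return None


def whitelist_rules() -> List[Rule]:
    """The two rules in istiofiles/acl-whitelist.yml."""
    return [
        Rule("checkfrompreference",
             lambda r: r.destination.get("app") == "recommendation",
             ListChecker("preferencewhitelist", ["preference"], blacklist=False),
             appsource),
        Rule("checkfromcustomer",
             lambda r: r.destination.get("app") == "preference",
             ListChecker("customerwhitelist", ["customer"], blacklist=False),
             appsource),
    ]


def blacklist_rules() -> List[Rule]:
    """The single rule in istiofiles/acl-blacklist.yml."""
    return [
        Rule("denycustomer",
             lambda r: r.destination.get("app") == "preference"
             and r.source.get("app") == "customer",
             Denier("denycustomerhandler", code=7, message="Not allowed"),
             checknothing),
    ]


def evaluate(rules: List[Rule], source_app: str, dest_app: str) -> Tuple[bool, str]:
    """Run every rule whose match holds; the first handler that rejects denies the
    request, since a Mixer check fails as soon as any action fails."""
    req = Request(source={"app": source_app}, destination={"app": dest_app})
    for rule in rules:
        if not rule.match(req):
            continue
        ok, msg = rule.handler.check(rule.instance(req))
        if not ok:
            return False, f"PERMISSION_DENIED:{msg}"
    return True, "OK"


if __name__ == "__main__":
    # The same hops the tutorial exercises with curl from inside the pods.
    for src, dst in [("customer", "preference"), ("customer", "recommendation"),
                     ("preference", "recommendation")]:
        print("whitelist", src, "->", dst, evaluate(whitelist_rules(), src, dst))
    for src, dst in [("customer", "preference"), ("recommendation", "preference")]:
        print("blacklist", src, "->", dst, evaluate(blacklist_rules(), src, dst))
```

Running it reproduces the outcomes seen in the curl sessions: customer->preference and preference->recommendation pass the whitelist, customer->recommendation fails with "customer is not whitelisted", and under the blacklist customer->preference fails with "Not allowed" while recommendation->preference is untouched. Note that both policies key purely on the source pod's app label as reported by its sidecar, so the label, not the pod's IP, is what the decision trusts.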
