1.2. Isolating network traffic in OpenShift Serverless with Service Mesh 2.x


You can use Service Mesh 2.x in OpenShift Serverless to control and isolate network traffic between services. This integration lets you define fine-grained communication policies, strengthen security with mutual TLS, and manage traffic flow in a serverless environment.

Important

Isolating network traffic in OpenShift Serverless with Service Mesh is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Service Mesh can be used to isolate network traffic between tenants on a shared Red Hat OpenShift Serverless cluster by using the Service Mesh AuthorizationPolicy resource. Serverless can also make use of this capability through several Service Mesh resources. A tenant is a group of one or more projects that can reach each other over the network on the shared cluster.

1.2.1. Prerequisites

  • You have access to a Red Hat OpenShift Serverless account with cluster administrator privileges.
  • You have set up the Service Mesh 2.x and Serverless integration.
  • You have created one or more OpenShift projects for each tenant.

1.2.2. High-level architecture

The high-level architecture of the Serverless traffic isolation provided by Service Mesh consists of AuthorizationPolicy objects in the knative-serving, knative-eventing and tenant namespaces, with all of these components being part of the Service Mesh. The injected Service Mesh sidecars enforce those rules to isolate network traffic between tenants.

1.2.3. Securing the Service Mesh

Authorization policies and mTLS allow you to secure the Service Mesh.

Procedure

  1. Ensure that all Red Hat OpenShift Serverless projects of a tenant are members of the same ServiceMeshMemberRoll object:

    apiVersion: maistra.io/v1
    kind: ServiceMeshMemberRoll
    metadata:
     name: default
     namespace: istio-system
    spec:
     members:
       - knative-serving    # static value, needs to be here, see setup page
       - knative-eventing   # static value, needs to be here, see setup page
       - team-alpha-1       # example OpenShift project that belongs to the team-alpha tenant
       - team-alpha-2       # example OpenShift project that belongs to the team-alpha tenant
       - team-bravo-1       # example OpenShift project that belongs to the team-bravo tenant
       - team-bravo-2       # example OpenShift project that belongs to the team-bravo tenant

    All projects that belong to the mesh must enforce mTLS in STRICT mode. This forces Istio to accept only connections that present a client certificate, which in turn lets the Service Mesh sidecar validate the source of a request against AuthorizationPolicy objects.

  2. Create a configuration with AuthorizationPolicy objects in the knative-serving and knative-eventing namespaces:

    Example knative-default-authz-policies.yaml configuration file

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: deny-all-by-default
      namespace: knative-eventing
    spec: { }
    ---
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: deny-all-by-default
      namespace: knative-serving
    spec: { }
    ---
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-mt-channel-based-broker-ingress-to-imc-dispatcher
      namespace: knative-eventing
    spec:
      action: ALLOW
      selector:
        matchLabels:
          app.kubernetes.io/component: "imc-dispatcher"
      rules:
        - from:
            - source:
                namespaces: [ "knative-eventing" ]
                principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ]
          to:
            - operation:
                methods: [ "POST" ]
    ---
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-mt-channel-based-broker-ingress-to-kafka-channel
      namespace: knative-eventing
    spec:
      action: ALLOW
      selector:
        matchLabels:
          app.kubernetes.io/component: "kafka-channel-receiver"
      rules:
        - from:
            - source:
                namespaces: [ "knative-eventing" ]
                principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ]
          to:
            - operation:
                methods: [ "POST" ]
    ---
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-kafka-channel-to-mt-channel-based-broker-filter
      namespace: knative-eventing
    spec:
      action: ALLOW
      selector:
        matchLabels:
          app.kubernetes.io/component: "broker-filter"
      rules:
        - from:
            - source:
                namespaces: [ "knative-eventing" ]
                principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ]
          to:
            - operation:
                methods: [ "POST" ]
    ---
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-imc-to-mt-channel-based-broker-filter
      namespace: knative-eventing
    spec:
      action: ALLOW
      selector:
        matchLabels:
          app.kubernetes.io/component: "broker-filter"
      rules:
        - from:
            - source:
                namespaces: [ "knative-eventing" ]
                principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ]
          to:
            - operation:
                methods: [ "POST" ]
    ---
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-probe-kafka-broker-receiver
      namespace: knative-eventing
    spec:
      action: ALLOW
      selector:
        matchLabels:
          app.kubernetes.io/component: "kafka-broker-receiver"
      rules:
        - from:
            - source:
                namespaces: [ "knative-eventing" ]
                principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ]
          to:
            - operation:
                methods: [ "GET" ]
    ---
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-probe-kafka-sink-receiver
      namespace: knative-eventing
    spec:
      action: ALLOW
      selector:
        matchLabels:
          app.kubernetes.io/component: "kafka-sink-receiver"
      rules:
        - from:
            - source:
                namespaces: [ "knative-eventing" ]
                principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ]
          to:
            - operation:
                methods: [ "GET" ]
    ---
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-probe-kafka-channel-receiver
      namespace: knative-eventing
    spec:
      action: ALLOW
      selector:
        matchLabels:
          app.kubernetes.io/component: "kafka-channel-receiver"
      rules:
        - from:
            - source:
                namespaces: [ "knative-eventing" ]
                principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ]
          to:
            - operation:
                methods: [ "GET" ]
    ---
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-traffic-to-activator
      namespace: knative-serving
    spec:
      selector:
        matchLabels:
          app: activator
      action: ALLOW
      rules:
        - from:
            - source:
                namespaces: [ "knative-serving", "istio-system" ]
    ---
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-traffic-to-autoscaler
      namespace: knative-serving
    spec:
      selector:
        matchLabels:
          app: autoscaler
      action: ALLOW
      rules:
        - from:
            - source:
                namespaces: [ "knative-serving" ]

    These policies restrict the access rules for network communication between the Serverless system components. Specifically, they enforce the following rules:

    • Deny all traffic in the knative-serving and knative-eventing namespaces that is not explicitly allowed
    • Allow traffic from the istio-system and knative-serving namespaces to the activator
    • Allow traffic from the knative-serving namespace to the autoscaler
    • Allow health probes for the Apache Kafka components in the knative-eventing namespace
    • Allow internal traffic for the channel-based broker in the knative-eventing namespace
  3. Apply the authorization policy configuration:

    $ oc apply -f knative-default-authz-policies.yaml
  4. Define which OpenShift projects can communicate with each other. For this communication, every OpenShift project of a tenant requires the following:

    • An AuthorizationPolicy object that restricts direct incoming traffic to the tenant's own projects
    • An AuthorizationPolicy object that restricts incoming traffic arriving through the activator component of Serverless, which runs in the knative-serving project
    • An AuthorizationPolicy object that allows Kubernetes to call PreStopHooks on Knative Services

    Instead of creating these policies manually, install the helm tool and create the required resources for each tenant:

    Install the helm tool

    $ helm repo add openshift-helm-charts https://charts.openshift.io/

    Create the example configuration for team alpha

    $ helm template openshift-helm-charts/redhat-knative-istio-authz --version 1.36.0 --set "name=team-alpha" --set "namespaces={team-alpha-1,team-alpha-2}" > team-alpha.yaml

    Create the example configuration for team bravo

    $ helm template openshift-helm-charts/redhat-knative-istio-authz --version 1.31.0 --set "name=team-bravo" --set "namespaces={team-bravo-1,team-bravo-2}" > team-bravo.yaml

  5. Apply the authorization policy configuration:

    $ oc apply -f team-alpha.yaml -f team-bravo.yaml
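    For orientation, this is the per-tenant policy set described in step 4 written out by hand for the team-alpha-1 project. It is an added illustrative example, not the output of the redhat-knative-istio-authz chart: the policy names are assumptions, and the /wait-for-drain path is the queue-proxy drain endpoint that the PreStop hook calls.

```yaml
# Added example (not the chart's output): per-tenant AuthorizationPolicy set for team-alpha-1.
# Policy names are assumptions. Istio evaluates ALLOW policies as a union: a request is
# admitted if any ALLOW rule matches, and everything else is rejected by the empty policy.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all-by-default
  namespace: team-alpha-1
spec: { }          # empty spec, no rules: nothing is allowed unless another policy says so
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-from-team-alpha
  namespace: team-alpha-1
spec:
  action: ALLOW
  rules:
    - from:
        - source:
            # Only the tenant's own projects; the source namespace is taken from the
            # peer certificate, which is why STRICT mTLS is a hard requirement.
            namespaces: [ "team-alpha-1", "team-alpha-2" ]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-from-knative-activator
  namespace: team-alpha-1
spec:
  action: ALLOW
  rules:
    - from:
        - source:
            # Scale-from-zero requests are proxied by the activator in knative-serving.
            namespaces: [ "knative-serving" ]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-kubelet-prestop-hook
  namespace: team-alpha-1
spec:
  action: ALLOW
  rules:
    - to:
        - operation:
            # The kubelet is outside the mesh and has no mesh identity, so the PreStop
            # hook can only be allowed by path, not by source.
            paths: [ "/wait-for-drain" ]
```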

1.2.4. Verifying the configuration

You can verify the network traffic isolation configuration by using curl commands.

Note

The following example assumes two tenants, each with one namespace, that are all part of the ServiceMeshMemberRoll object and are configured using the resources in the team-alpha.yaml and team-bravo.yaml files.

Procedure

  1. Deploy Knative Services in the namespaces of both tenants:

    Example command for team-alpha

    $ kn service create test-webapp -n team-alpha-1 \
        --annotation-service serving.knative.openshift.io/enablePassthrough=true \
        --annotation-revision sidecar.istio.io/inject=true \
        --env RESPONSE="Hello Serverless" \
        --image docker.io/openshift/hello-openshift

    Example command for team-bravo

    $ kn service create test-webapp -n team-bravo-1 \
        --annotation-service serving.knative.openshift.io/enablePassthrough=true \
        --annotation-revision sidecar.istio.io/inject=true \
        --env RESPONSE="Hello Serverless" \
        --image docker.io/openshift/hello-openshift

    Alternatively, use the following YAML configuration:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: test-webapp
      namespace: team-alpha-1
      annotations:
        serving.knative.openshift.io/enablePassthrough: "true"
    spec:
      template:
        metadata:
          annotations:
            sidecar.istio.io/inject: 'true'
        spec:
          containers:
            - image: docker.io/openshift/hello-openshift
              env:
                - name: RESPONSE
                  value: "Hello Serverless!"
    ---
    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: test-webapp
      namespace: team-bravo-1
      annotations:
        serving.knative.openshift.io/enablePassthrough: "true"
    spec:
      template:
        metadata:
          annotations:
            sidecar.istio.io/inject: 'true'
        spec:
          containers:
            - image: docker.io/openshift/hello-openshift
              env:
                - name: RESPONSE
                  value: "Hello Serverless!"
  2. Deploy a curl pod to test the connections:

    $ cat <<EOF | oc apply -f -
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: curl
      namespace: team-alpha-1
      labels:
        app: curl
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: curl
      template:
        metadata:
          labels:
            app: curl
          annotations:
            sidecar.istio.io/inject: 'true'
        spec:
          containers:
          - name: curl
            image: curlimages/curl
            command:
            - sleep
            - "3600"
    EOF
  3. Verify the configuration by using curl commands.

    Test the team-alpha-1 to team-alpha-1 connection through the cluster-local domain, which is allowed:

    Example command

    $ oc exec deployment/curl -n team-alpha-1 -it -- curl -v http://test-webapp.team-alpha-1:80

    Example output

    HTTP/1.1 200 OK
    content-length: 18
    content-type: text/plain; charset=utf-8
    date: Wed, 26 Jul 2023 12:49:59 GMT
    server: envoy
    x-envoy-upstream-service-time: 9
    
    Hello Serverless!

    Test the team-alpha-1 to team-alpha-1 connection through the external domain, which is allowed:

    Example command

    $ EXTERNAL_URL=$(oc get ksvc -n team-alpha-1 test-webapp -o custom-columns=:.status.url --no-headers) && \
    oc exec deployment/curl -n team-alpha-1 -it -- curl -ik $EXTERNAL_URL

    Example output

    HTTP/2 200
    content-length: 18
    content-type: text/plain; charset=utf-8
    date: Wed, 26 Jul 2023 12:55:30 GMT
    server: istio-envoy
    x-envoy-upstream-service-time: 3629
    
    Hello Serverless!

    Test the team-alpha-1 to team-bravo-1 connection through the cluster-local domain, which is not allowed:

    Example command

    $ oc exec deployment/curl -n team-alpha-1 -it -- curl -v http://test-webapp.team-bravo-1:80

    Example output

    * processing: http://test-webapp.team-bravo-1:80
    *   Trying 172.30.73.216:80...
    * Connected to test-webapp.team-bravo-1 (172.30.73.216) port 80
    > GET / HTTP/1.1
    > Host: test-webapp.team-bravo-1
    > User-Agent: curl/8.2.0
    > Accept: */*
    >
    < HTTP/1.1 403 Forbidden
    < content-length: 19
    < content-type: text/plain
    < date: Wed, 26 Jul 2023 12:55:49 GMT
    < server: envoy
    < x-envoy-upstream-service-time: 6
    <
    * Connection #0 to host test-webapp.team-bravo-1 left intact
    RBAC: access denied

    Test the team-alpha-1 to team-bravo-1 connection through the external domain, which is allowed:

    Example command

    $ EXTERNAL_URL=$(oc get ksvc -n team-bravo-1 test-webapp -o custom-columns=:.status.url --no-headers) && \
    oc exec deployment/curl -n team-alpha-1 -it -- curl -ik $EXTERNAL_URL

    Example output

    HTTP/2 200
    content-length: 18
    content-type: text/plain; charset=utf-8
    date: Wed, 26 Jul 2023 12:56:22 GMT
    server: istio-envoy
    x-envoy-upstream-service-time: 2856
    
    Hello Serverless!

  4. Delete the resources that were created for verification:

    $ oc delete deployment/curl -n team-alpha-1 && \
    oc delete ksvc/test-webapp -n team-alpha-1 && \
    oc delete ksvc/test-webapp -n team-bravo-1
© 2025 Red Hat