红帽全球峰会6.3. 部署示例应用程序
为我们的示例应用程序创建一个新项目:
oc new-project hello-world
$ oc new-project hello-worldCopy to Clipboard Copied! Toggle word wrap Toggle overflow 部署 hello world 应用程序:
oc new-app -n hello-world --image=docker.io/openshift/hello-openshift
$ oc new-app -n hello-world --image=docker.io/openshift/hello-openshiftCopy to Clipboard Copied! Toggle word wrap Toggle overflow 将预先创建的 service 资源转换为 NodePort 服务类型:
oc -n hello-world patch service hello-openshift -p '{"spec":{"type":"NodePort"}}'$ oc -n hello-world patch service hello-openshift -p '{"spec":{"type":"NodePort"}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow 使用 AWS Load Balancer Operator 部署 AWS ALB:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow curl AWS ALB Ingress 端点,以验证 hello world 应用程序是否可以访问:
注意AWS ALB 置备需要几分钟时间。如果您收到一个错误,显示
curl: (6) Could not resolve host,请等待并重试。INGRESS=$(oc -n hello-world get ingress hello-openshift-alb -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') curl "http://${INGRESS}"$ INGRESS=$(oc -n hello-world get ingress hello-openshift-alb -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') $ curl "http://${INGRESS}"Copy to Clipboard Copied! Toggle word wrap Toggle overflow 输出示例
Hello OpenShift!
Hello OpenShift!Copy to Clipboard Copied! Toggle word wrap Toggle overflow
6.3.1. 配置 AWS WAF
AWS WAF 服务是一个 Web 应用程序防火墙,可让您监控、保护和控制转发到您受保护的 Web 应用程序资源的 HTTP 和 HTTPS 请求,如 Red Hat OpenShift Service on AWS。
创建 AWS WAF 规则文件以应用到我们的 Web ACL:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow 这将启用 Core (Common)和 SQL AWS Managed Rule Sets。
使用以上指定的规则创建一个 AWS WAF Web ACL:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow 使用 AWS WAF Web ACL ARN 注解 Ingress 资源:
oc annotate -n hello-world ingress.networking.k8s.io/hello-openshift-alb \ alb.ingress.kubernetes.io/wafv2-acl-arn=${WAF_ARN}$ oc annotate -n hello-world ingress.networking.k8s.io/hello-openshift-alb \ alb.ingress.kubernetes.io/wafv2-acl-arn=${WAF_ARN}Copy to Clipboard Copied! Toggle word wrap Toggle overflow 等待 10 秒,以便规则传播并测试应用程序是否仍然可以正常工作:
curl "http://${INGRESS}"$ curl "http://${INGRESS}"Copy to Clipboard Copied! Toggle word wrap Toggle overflow 输出示例
Hello OpenShift!
Hello OpenShift!Copy to Clipboard Copied! Toggle word wrap Toggle overflow 测试 WAF 是否拒绝错误请求:
curl -X POST "http://${INGRESS}" \ -F "user='<script><alert>Hello></alert></script>'"$ curl -X POST "http://${INGRESS}" \ -F "user='<script><alert>Hello></alert></script>'"Copy to Clipboard Copied! Toggle word wrap Toggle overflow 输出示例
Copy to Clipboard Copied! Toggle word wrap Toggle overflow 注意激活 AWS WAF 集成有时可能需要几分钟。如果您没有收到
403 Forbidden错误,请等待几秒钟,然后重试。预期的结果是一个
403 Forbidden错误,这意味着 AWS WAF 正在保护您的应用程序。
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}