Methods of accessing external services in istio grid
2022-06-29 14:21:00 [Cloud native community]
Background
When running Istio in production, the two issues that matter most are probably security and performance. Here I want to discuss one security issue: how to reach external services from inside the Istio mesh. Istio provides two modes for the policy applied to outbound requests, selected through the configuration item outboundTrafficPolicy.mode. The default is ALLOW_ANY, which lets workloads in the mesh reach any external service, known or unknown. The other is REGISTRY_ONLY, which only allows requests to services registered in the mesh's service registry. The default ALLOW_ANY is convenient, but it carries real security risk: a compromised pod can reach arbitrary endpoints outside the cluster and the mesh does nothing to restrict it. The recommended practice is therefore to switch to REGISTRY_ONLY. That raises two questions: how do you access an external service in REGISTRY_ONLY mode, and how is it implemented? Both are discussed below.
Approach
We currently install Istio with helm, so outboundTrafficPolicy.mode can be set at install time with --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY. If Istio is already installed, the value can be changed at runtime with kubectl edit cm istio -n istio-system:
```yaml
apiVersion: v1
data:
  mesh: |-
    defaultConfig:
      discoveryAddress: istiod.istio-system.svc:15012
      proxyMetadata:
        DNS_AGENT: ""
      tracing:
        zipkin:
          address: zipkin.istio-system:9411
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
```

Once REGISTRY_ONLY is configured, the pod can no longer reach external services.

So how do we reach an external service in REGISTRY_ONLY mode? First, using the figure below, let's look at when Istio allows access to an external service and what configuration has to change to allow it.
The figure shows the product service calling the reviews service; assume that reviews in turn calls the external service at 36.152.44.96.

When the reviews application needs to reach the external service 36.152.44.96, the request is sent upstream from the reviews application container. The steps below follow the numbering in the figure.
- reviews calls the external service. From the point of view of reviews this is outbound traffic; it is intercepted by the iptables rules and enters the nat OUTPUT chain.
- The OUTPUT chain forwards the traffic to the ISTIO_OUTPUT chain.
- The ISTIO_OUTPUT chain has nine rules by default, and they decide where the traffic from reviews to the external service goes. Here we can add a custom rule, -A ISTIO_OUTPUT -d 36.152.44.0/24 -j RETURN, so that traffic to 36.152.44.96 returns from the chain without being redirected, continues to the POSTROUTING chain, and reaches the external service directly. With only the default rules, the traffic is forwarded to the ISTIO_REDIRECT chain.
- The ISTIO_REDIRECT chain redirects the traffic straight to port 15001, Envoy's outbound listener.
- There is no traffic policy for the external service in the mesh. If the external service is not registered with the mesh, Envoy returns an error after running its outbound traffic-management steps. So here we need to configure a ServiceEntry to bring the external service into the mesh; after Envoy's traffic governance the request can continue outward and, as it leaves Envoy, it is again intercepted by iptables and enters the OUTPUT chain.
- The OUTPUT chain forwards the traffic to the ISTIO_OUTPUT chain.
- This time the traffic matches the fourth rule of ISTIO_OUTPUT, -A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN (Envoy runs as uid 1337), and RETURNs straight on to the POSTROUTING chain, from which it flows out to the external service.
Step 11 and step 13 in the figure are the two places where configuration can be changed so that a service inside Istio can reach an external service. How is each done?
Access via iptables rules
To make the traffic leave the ISTIO_OUTPUT chain at step 11 and go straight on to POSTROUTING, we need to add a custom iptables rule: -A ISTIO_OUTPUT -d 36.152.44.0/24 -j RETURN. The iptables rules are defined by the istio-init container, which runs the istio-iptables command at startup. In manifests, the injection-template.yaml file shows part of the default istio-iptables configuration:
```yaml
- "-i"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
- "-x"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
- "-b"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
- "-d"
{{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
- "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
{{- else }}
- "15090,15021,15020"
```

- -i: default *; all outbound traffic is redirected to the Envoy proxy.
- -x: default empty; when -i is *, lists the address ranges that are not redirected to Envoy but forwarded directly.
- -b: default *; comma-separated list of inbound ports whose traffic is redirected to Envoy.
- -d: default 15090,15021,15020; comma-separated list of inbound ports whose traffic is not redirected to Envoy.
From this configuration we can set these parameters globally through global.proxy.* in the Istio installation, or per workload through traffic.sidecar.istio.io/* annotations on the deployment. Our goal is that requests to 36.152.44.96 are not redirected to the Envoy proxy but forwarded directly, so we add traffic.sidecar.istio.io/excludeOutboundIPRanges: 36.152.44.0/24 to the deployment's pod template annotations. After rolling out, describe the pod: the istio-init arguments show that the setting took effect and 36.152.44.0/24 will not be redirected to Envoy:
```
-i * -x 36.152.44.0/24 -b * -d 15090,15021,15020
```

Looking at the iptables rules inside the pod, a custom rule -A ISTIO_OUTPUT -d 36.152.44.0/24 -j RETURN has been inserted among the nine default ISTIO_OUTPUT rules:

```
-A ISTIO_OUTPUT -s 127.0.0.6/32 -o lo -j RETURN
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --gid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -d 36.152.44.0/24 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
```

Note that traffic excluded this way never passes through Envoy at all, so the mesh applies no mTLS, telemetry or authorization policy to it; keep the excluded range as narrow as the destination allows.
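To make the first-match semantics of that chain concrete, here is an added example (my own code, not from the original post and not part of Istio) that replays the ten ISTIO_OUTPUT rules above against constructed packets. The packet fields (source, destination, outgoing interface, uid, gid) are made up for illustration; nothing here touches a real netfilter table, and the evaluator only understands the five match types that appear in these rules.

```python
"""Evaluate the nat ISTIO_OUTPUT chain against synthetic packets.

Added example: replays the rules dumped from the pod, in order, with
iptables first-match semantics, so you can see which target a given
outbound connection hits with and without the custom RETURN rule.
"""
import ipaddress
import shlex
from dataclasses import dataclass

# The ISTIO_OUTPUT chain as dumped after adding the exclusion annotation;
# rule 9 (-d 36.152.44.0/24) is the one the annotation inserted.
ISTIO_OUTPUT_RULES = """
-A ISTIO_OUTPUT -s 127.0.0.6/32 -o lo -j RETURN
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --gid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -d 36.152.44.0/24 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
""".strip().splitlines()


@dataclass
class Packet:
    """Constructed packet: only the fields the chain inspects."""
    src: str
    dst: str
    out_iface: str   # "eth0" for traffic leaving the pod, "lo" for loopback
    uid: int         # owner uid of the sending socket (Envoy runs as 1337)
    gid: int


@dataclass
class Rule:
    conds: list      # (field, value, negated) with field in s, d, o, uid, gid
    target: str


def parse_rule(line: str) -> Rule:
    """Parse one '-A ISTIO_OUTPUT ...' line into match conditions and target."""
    toks = shlex.split(line)
    assert toks[:2] == ["-A", "ISTIO_OUTPUT"], line
    fields = {"-s": "s", "-d": "d", "-o": "o",
              "--uid-owner": "uid", "--gid-owner": "gid"}
    conds, target, negate, i = [], None, False, 2
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                 # negates the next match
            negate, i = True, i + 1
        elif tok == "-m":              # "-m owner" only loads a match module
            i += 2
        elif tok == "-j":
            target, i = toks[i + 1], i + 2
        else:
            conds.append((fields[tok], toks[i + 1], negate))
            negate, i = False, i + 2
    assert target is not None, line
    return Rule(conds, target)


def cond_matches(field: str, value: str, pkt: Packet) -> bool:
    if field in ("s", "d"):
        addr = pkt.src if field == "s" else pkt.dst
        return ipaddress.ip_address(addr) in ipaddress.ip_network(value)
    if field == "o":
        return pkt.out_iface == value
    if field == "uid":
        return pkt.uid == int(value)
    return pkt.gid == int(value)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return all(cond_matches(f, v, pkt) != neg for f, v, neg in rule.conds)


def evaluate(pkt: Packet, rules=ISTIO_OUTPUT_RULES) -> str:
    """Target of the first matching rule; an exhausted user chain RETURNs."""
    for line in rules:
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule.target
    return "RETURN"


def default_chain():
    """The nine default rules, i.e. the chain without the custom exclusion."""
    return [r for r in ISTIO_OUTPUT_RULES if "36.152.44.0/24" not in r]


if __name__ == "__main__":
    app_to_excluded = Packet("10.1.2.3", "36.152.44.96", "eth0", 1000, 1000)
    app_to_other = Packet("10.1.2.3", "8.8.8.8", "eth0", 1000, 1000)
    envoy_egress = Packet("10.1.2.3", "36.152.44.96", "eth0", 1337, 1337)
    for name, pkt in [("app->36.152.44.96", app_to_excluded),
                      ("app->8.8.8.8", app_to_other),
                      ("envoy->36.152.44.96", envoy_egress)]:
        print(f"{name:24s} with rule: {evaluate(pkt):16s} "
              f"default: {evaluate(pkt, default_chain())}")
```

Running it shows the three cases the text walks through: with the custom rule, the application's traffic to 36.152.44.96 RETURNs and bypasses Envoy, but the same traffic to any other destination still hits ISTIO_REDIRECT, and Envoy's own egress (uid 1337) RETURNs on rule 4 either way.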
Access via ServiceEntry
Istio uses the VirtualOutboundListener on port 15001 to handle outbound requests. After iptables intercepts an outbound request from the pod in which Envoy runs, it sends the request to local port 15001. This listener does not process the request itself; it dispatches it to one of the other standalone listeners according to the request's destination port. The external service we are accessing is 36.152.44.96:80, so Envoy matches the outbound listener 0.0.0.0_80 by destination port and hands the request to it.

When 0.0.0.0_80 receives the outbound request, it does not send it straight to a destination cluster. Inspecting the listener's configuration, we find no destination cluster or endpoint in it; instead the listener references a route configuration named 80, and route matching is done in that configuration according to the request's destination.

In the route configuration named 80 there is no rule that matches the request to 36.152.44.96, so the request is handled by the listener's default_filter_match and goes to the BlackHoleCluster cluster, where it is discarded. Two special clusters in Envoy deserve a brief introduction: BlackHoleCluster and PassthroughCluster. BlackHoleCluster has no hosts configured to handle requests; any request sent to it is discarded rather than forwarded to a host. With outboundTrafficPolicy.mode=REGISTRY_ONLY, all requests to unregistered external services go to BlackHoleCluster by default and are dropped. PassthroughCluster has type ORIGINAL_DST, meaning any request sent to it is forwarded to the original destination address of the request; with outboundTrafficPolicy.mode=ALLOW_ANY, Envoy routes unmatched requests through PassthroughCluster straight to their original destination.
In outboundTrafficPolicy.mode=REGISTRY_ONLY mode, to keep the traffic out of BlackHoleCluster we need to add a ServiceEntry that registers the external service with the mesh, so that Envoy can find a route for the external service and apply its traffic handling:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: baidu-ip
spec:
  hosts:
  - www.baidu.com
  addresses:
  - 36.152.44.96
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: baidu-http
    protocol: HTTP
  resolution: NONE
```

With the ServiceEntry applied, check the route configuration of reviews again: 36.152.44.96 now appears in the route, and accessing 36.152.44.96 directly from inside the pod returns a correct response.
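The reason the request now escapes BlackHoleCluster is the virtual-host matching Envoy performs on the Host (:authority) header within route configuration 80. The added example below (my own code, not from the original post and not Envoy's implementation) models that selection. The two route snapshots are constructed to mirror the shape of istioctl proxy-config route output under REGISTRY_ONLY before and after the ServiceEntry above; they are not real captures, the virtual host names and domain lists are assumptions, and only the fields needed for matching are present.

```python
"""Which Envoy cluster does an outbound HTTP request reach?

Added example: a simplified model of Envoy's virtual-host selection for
route configuration "80", applied to two constructed snapshots of that
configuration (before and after the ServiceEntry is applied).
"""
import json

# REGISTRY_ONLY with no ServiceEntry: a single catch-all virtual host
# sends everything on port 80 to BlackHoleCluster.  (Constructed.)
ROUTE_80_BEFORE = json.loads("""
{
  "name": "80",
  "virtualHosts": [
    {
      "name": "block_all",
      "domains": ["*"],
      "routes": [{"match": {"prefix": "/"},
                  "route": {"cluster": "BlackHoleCluster"}}]
    }
  ]
}
""")

# After the ServiceEntry: Istio adds a virtual host for the registered
# host, and the declared address is among its domains, which is why a
# request whose Host header is the bare IP also matches.  (Constructed.)
ROUTE_80_AFTER = json.loads("""
{
  "name": "80",
  "virtualHosts": [
    {
      "name": "www.baidu.com:80",
      "domains": ["www.baidu.com", "www.baidu.com:80",
                  "36.152.44.96", "36.152.44.96:80"],
      "routes": [{"match": {"prefix": "/"},
                  "route": {"cluster": "outbound|80||www.baidu.com"}}]
    },
    {
      "name": "block_all",
      "domains": ["*"],
      "routes": [{"match": {"prefix": "/"},
                  "route": {"cluster": "BlackHoleCluster"}}]
    }
  ]
}
""")


def select_virtual_host(route_config: dict, authority: str):
    """Envoy's domain precedence: exact match, then the longest suffix
    wildcard (*.example.com), then the longest prefix wildcard
    (example.*), then the catch-all '*'."""
    host = authority.lower()
    suffix = prefix = catch_all = None
    suffix_len = prefix_len = -1
    for vh in route_config["virtualHosts"]:
        for dom in vh["domains"]:
            dom = dom.lower()
            if dom == host:
                return vh                      # exact match wins outright
            if dom == "*":
                catch_all = catch_all or vh
            elif dom.startswith("*") and host.endswith(dom[1:]) \
                    and len(dom) > suffix_len:
                suffix, suffix_len = vh, len(dom)
            elif dom.endswith("*") and host.startswith(dom[:-1]) \
                    and len(dom) > prefix_len:
                prefix, prefix_len = vh, len(dom)
    return suffix or prefix or catch_all


def resolve_cluster(route_config: dict, authority: str, path: str = "/") -> str:
    """Cluster the request is routed to, or a marker if nothing matches."""
    vh = select_virtual_host(route_config, authority)
    if vh is None:
        return "<no virtual host>"         # Envoy would answer 404 here
    for route in vh["routes"]:
        match = route["match"]
        if "prefix" in match and path.startswith(match["prefix"]):
            return route["route"]["cluster"]
    return "<no route>"


if __name__ == "__main__":
    for label, cfg in [("before ServiceEntry", ROUTE_80_BEFORE),
                       ("after ServiceEntry", ROUTE_80_AFTER)]:
        for host in ["36.152.44.96", "www.baidu.com:80", "example.org"]:
            print(f"{label:20s} Host: {host:18s} -> {resolve_cluster(cfg, host)}")
```

The point worth keeping in mind is that for an HTTP ServiceEntry the decision is made on the Host header, not on the destination IP that iptables saw: curl 36.152.44.96 works only because the address from the ServiceEntry is also listed as a domain, and a request for any host that is not registered still lands in BlackHoleCluster.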

Summary
By investigating how services in Istio can reach external services, we have seen how Istio uses iptables to handle traffic in the mesh and gained a general picture of how Envoy handles outbound traffic. This investigation is based on Istio 1.8; there may be errors or inaccuracies in it, and corrections are welcome.