我有一个小问题与Istio和EnvoyProxy:* * 未找到NR过滤器链**
套接字客户端和套接字服务器在同一集群中运行(分离的docker-container),并定期发送明文消息。socket服务器运行在端口50000,socket客户端运行在端口50001。(允许),通信工作没有问题。如果我激活mTLS(STRICT),下面列出的错误发生。我已经尝试编写EnvoyFilters,但我不能想象这是正确的方式。
从envoy-proxy记录:
- 在Socket服务器端:**
[2023-01-16T19:52:55.941Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 5000 - "-" "-" "-" "-" "-" - - 10.1.2.142:50000 10.1.2.146:50001 - -[2023-01-16T19:58:05.909Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 5001 - "-" "-" "-" "-" "-" - - 10.1.2.142:50000 10.1.2.146:50001 - -
- 在套接字客户端:**
Connect to SocketServer... server-c-socket-server-service.server-c-socket-server.svc.cluster.local
SERVER_NAME as string => server-c-socket-server-service.server-c-socket-server.svc.cluster.local
Traceback (most recent call last):
File "/service/server-c-socket-client.py", line 94, in <module>
main()
File "/service/server-c-socket-client.py", line 91, in main
ConnectToSocketServer(SERVER_NAME)
File "/service/server-c-socket-client.py", line 60, in ConnectToSocketServer
answer = con.recv(1024)
^^^^^^^^^^^^^^
ConnectionResetError: [Errno 104] Connection reset by peer更多信息:
- 是严格的网格策略. yaml**
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: "default"
namespace: "istio-system"
spec:
mtls:
mode: STRICT- 虚拟服务套接字客户端. yaml**
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: server-c-socket-client-virtualservice
namespace: server-c-socket-client
spec:
hosts:
- server-c-socket-client-service.server-c-socket-client.svc.cluster.local
tcp:
- match:
- port: 50001
route:
- destination:
host: server-c-socket-client-service.server-c-socket-client.svc.cluster.local
port:
number: 50001
weight: 100- 虚拟服务套接字服务器. yaml**
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: server-c-socket-server-virtualservice
namespace: server-c-socket-server
spec:
hosts: server-c-socket-server-service.server-c-socket-server.svc.cluster.local
tcp:
route:
- destination:
host: server-c-socket-server-service.server-c-socket-server.svc.cluster.local
port:
number: 50000
weight: 100- isto目标规则套接字客户端. yaml**
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: server-c-socket-client-destinationrule
namespace: server-c-socket-client
spec:
host: server-c-socket-client-service.server-c-socket-client.svc.cluster.local
trafficPolicy:
tls:
mode: MUTUAL
credentialName: cacerts
sni: server-c-socket-client-service.server-c-socket-client.svc.cluster.local- 位置目标规则套接字服务器. yaml**
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: server-c-socket-server-destinationrule
namespace: server-c-socket-server
spec:
host: server-c-socket-server-service.server-c-socket-server.svc.cluster.local
trafficPolicy:
tls:
mode: MUTUAL
credentialName: cacerts
sni: server-c-socket-server-service.server-c-socket-server.svc.cluster.local- istio-对等身份验证-套接字-客户端. yaml**
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: server-c-socket-client-peerauthentication
namespace: server-c-socket-client
spec:
mtls:
mode: STRICT- istio对等身份验证套接字服务器. yaml**
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: server-c-socket-server-peerauthentication
namespace: server-c-socket-server
spec:
mtls:
mode: STRICT系统
- Kubernetes:**MicroK8s版本1.25.5修订版本4418
- kubectl版本:**客户端版本:v1.25.5自定义版本:v4.5.7服务器版本:版本1.25.5
- 操作系统:**Ubuntu 22.04.1
- istioctl代理状态**
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
istio-ingressgateway-78f69b5b89-w24fx.istio-system Kubernetes SYNCED SYNCED SYNCED NOT SENT NOT SENT istiod-d887c9b84-xk9tn 1.14.4
server-c-nginx-deploy-7cb9cc7574-57tdw.server-c-nginx Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-d887c9b84-xk9tn 1.14.4
server-c-socket-client-deploy-7469697f89-ndf89.server-c-socket-client Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-d887c9b84-xk9tn 1.14.4
server-c-socket-server-deploy-5d47669d86-fk8kh.server-c-socket-server Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-d887c9b84-xk9tn 1.14.4我已经在istio中尝试了许多属性,并努力创建一个EnvoyFilter,不幸的是,它没有给出理想的结果。"未找到NR滤波器链" #30819 https://github.com/istio/istio/issues/30819或www.example.comhttps://vikaschoudhary16.com/2022/06/20/undeistio-permissive-authz-magic/#Scenario_2_non-injected_client_to_injected_and_non-injected_services
最后,应该对纯文本消息(TCP)进行加密,这在STRICT模式下不起作用。
如果您有任何想法或需要更多信息,请让我知道。
最好的问候。
一些更新的文件|2023年1月19日:
- 通信在一个群集中
- 无传出/传入外部群集流量(例如,未配置入口或出口网关)
- 套接字服务器位于名称空间中:服务器-C-套接字-服务器
- 套接字客户端位于名称空间中:服务器-C-套接字-客户端
- 如果我从Socket服务器编辑PeerAuthentication为PERMISSIVE,它会立即工作,但不会加密...:(
- 我还向套接字客户端Python脚本添加了一个sleep命令(大约3分钟),因为我怀疑部署和envoy-sidecar之间存在时间问题
- 我注意到Envoy错误"10.1.2.142:50000 10.1.2.146:50001"的第一个IP地址是套接字服务器,第二个是套接字客户端,看起来服务器不知道如何回复套接字连接请求...
- isto目标规则套接字客户端. yaml**
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: server-c-socket-client-destinationrule
namespace: server-c-socket-client
spec:
host: server-c-socket-client-service.server-c-socket-client.svc.cluster.local
subsets:
- name: v1
labels:
version: v1
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
sni: server-c-socket-client-service.server-c-socket-client.svc.cluster.local- 位置目标规则套接字服务器. yaml**
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: server-c-socket-server-destinationrule
namespace: server-c-socket-server
spec:
host: server-c-socket-server-service.server-c-socket-server.svc.cluster.local
subsets:
- name: v1
labels:
version: v1
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
sni: server-c-socket-server-service.server-c-socket-server.svc.cluster.local- istio对等身份验证套接字服务器. yaml**
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: server-c-socket-server-peerauthentication
namespace: server-c-socket-server
spec:
mtls:
mode: STRICT- istio-对等身份验证-套接字-客户端. yaml**
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: server-c-socket-client-peerauthentication
namespace: server-c-socket-client
spec:
mtls:
mode: STRICT- 是严格的网格策略. yaml**
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: istio-system
spec:
mtls:
mode: STRICT- 虚拟服务套接字客户端. yaml**
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: server-c-socket-client-virtualservice
namespace: server-c-socket-client
spec:
hosts:
- server-c-socket-client-service.server-c-socket-client.svc.cluster.local
tcp:
- match:
- port: 50001
route:
- destination:
host: server-c-socket-client-service.server-c-socket-client.svc.cluster.local
subset: v1
port:
number: 50001
weight: 100- 虚拟服务套接字服务器. yaml**
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: server-c-socket-server-virtualservice
namespace: server-c-socket-server
spec:
hosts:
- server-c-socket-server-service.server-c-socket-server.svc.cluster.local
tcp:
- match:
- port: 50000
route:
- destination:
host: server-c-socket-server-service.server-c-socket-server.svc.cluster.local
subset: v1
port:
number: 50000
weight: 100- 统计方案版本. yaml**
一个16b1x一个17b1x一个18b1x
- 平均值:严格**
server-c@server-c:~$ microk8s istioctl pc listeners deploy/server-c-socket-server-deploy -n server-c-socket-server --port 15006
ADDRESS PORT MATCH DESTINATION
0.0.0.0 15006 Addr: *:15006 Non-HTTP/Non-TCP
0.0.0.0 15006 Trans: tls; App: istio-http/1.0,istio-http/1.1,istio-h2; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; Addr: *:50000 Cluster: inbound|50000||- mtl:允许**
server-c@server-c:~$ microk8s istioctl pc listeners deploy/server-c-socket-server-deploy -n server-c-socket-server --port 15006
ADDRESS PORT MATCH DESTINATION
0.0.0.0 15006 Addr: *:15006 Non-HTTP/Non-TCP
0.0.0.0 15006 Trans: tls; App: istio-http/1.0,istio-http/1.1,istio-h2; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: raw_buffer; App: http/1.1,h2c; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; App: TCP TLS; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: raw_buffer; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; App: istio,istio-peer-exchange,istio-http/1.0,istio-http/1.1,istio-h2; Addr: *:50000 Cluster: inbound|50000||
0.0.0.0 15006 Trans: tls; Addr: *:50000 Cluster: inbound|50000||
0.0.0.0 15006 Trans: raw_buffer; Addr: *:50000 Cluster: inbound|50000||
1条答案
按热度按时间mqkwyuun1#
我太专注于Istio,以至于没有进一步研究底层应用程序...
在我以前的应用程序中,服务器尝试直接与客户机pod通信,而不是通过套接字客户机服务(这是基本的问题)。我已经改变了我的应用程序,这样两端都有一个套接字客户端和一个套接字服务器。这些是交替产生的,使得第一客户端A联系服务器B,然后客户端B联系服务器A =〉总是交替的。这意味着我现在可以在Istio中跟踪这两个服务的连接性,然后使用mTLS进行尝试。Working Socket Client and Server => mTLS