kubernetes 伊斯蒂奥|Envoy代理问题:0 NR滤波器链未找到|TCP - Python套接字客户端和套接字服务器在一个集群中(MESH_INTERNAL)

ycl3bljg  于 2023-03-01  发布在  Kubernetes
关注(0)|答案(1)|浏览(99)

我有一个小问题与Istio和EnvoyProxy:* * 未找到NR过滤器链**
套接字客户端和套接字服务器在同一集群中运行(分离的docker-container),并定期发送明文消息。socket服务器运行在端口50000,socket客户端运行在端口50001。(允许),通信工作没有问题。如果我激活mTLS(STRICT),下面列出的错误发生。我已经尝试编写EnvoyFilters,但我不能想象这是正确的方式。

从envoy-proxy记录:

    • 在Socket服务器端:**

[2023-01-16T19:52:55.941Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 5000 - "-" "-" "-" "-" "-" - - 10.1.2.142:50000 10.1.2.146:50001 - -
[2023-01-16T19:58:05.909Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 5001 - "-" "-" "-" "-" "-" - - 10.1.2.142:50000 10.1.2.146:50001 - -

    • 在套接字客户端:**
Connect to SocketServer...  server-c-socket-server-service.server-c-socket-server.svc.cluster.local
SERVER_NAME as string => server-c-socket-server-service.server-c-socket-server.svc.cluster.local
Traceback (most recent call last):
File "/service/server-c-socket-client.py", line 94, in <module>
main()
File "/service/server-c-socket-client.py", line 91, in main
ConnectToSocketServer(SERVER_NAME)
File "/service/server-c-socket-client.py", line 60, in ConnectToSocketServer
answer = con.recv(1024)
^^^^^^^^^^^^^^
ConnectionResetError: [Errno 104] Connection reset by peer

更多信息:

    • 是严格的网格策略. yaml**
apiVersion: security.istio.io/v1beta1 
kind: PeerAuthentication
 metadata:
   name: "default"
   namespace: "istio-system"
 spec:
   mtls:
     mode: STRICT
    • 虚拟服务套接字客户端. yaml**
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: server-c-socket-client-virtualservice
  namespace: server-c-socket-client
spec:
  hosts:
  - server-c-socket-client-service.server-c-socket-client.svc.cluster.local
  tcp:
  - match:
    - port: 50001
    route:
    - destination:
      host: server-c-socket-client-service.server-c-socket-client.svc.cluster.local
      port:
        number: 50001
    weight: 100
    • 虚拟服务套接字服务器. yaml**
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: server-c-socket-server-virtualservice
  namespace: server-c-socket-server
spec:
  hosts: server-c-socket-server-service.server-c-socket-server.svc.cluster.local
  tcp:
  route:
  - destination:
    host: server-c-socket-server-service.server-c-socket-server.svc.cluster.local
    port:
      number: 50000
  weight: 100
    • isto目标规则套接字客户端. yaml**
apiVersion: networking.istio.io/v1alpha3 
kind: DestinationRule 
metadata:
   name: server-c-socket-client-destinationrule
   namespace: server-c-socket-client 
spec:
   host: server-c-socket-client-service.server-c-socket-client.svc.cluster.local
   trafficPolicy:
     tls:
       mode: MUTUAL
       credentialName: cacerts
       sni: server-c-socket-client-service.server-c-socket-client.svc.cluster.local
    • 位置目标规则套接字服务器. yaml**
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule 
metadata:
   name: server-c-socket-server-destinationrule
   namespace: server-c-socket-server
 spec:
   host: server-c-socket-server-service.server-c-socket-server.svc.cluster.local
   trafficPolicy:
     tls:
       mode: MUTUAL
       credentialName: cacerts
       sni: server-c-socket-server-service.server-c-socket-server.svc.cluster.local
    • istio-对等身份验证-套接字-客户端. yaml**
apiVersion: security.istio.io/v1beta1 
kind: PeerAuthentication 
metadata:
   name: server-c-socket-client-peerauthentication
   namespace: server-c-socket-client
 spec:
   mtls:
     mode: STRICT
    • istio对等身份验证套接字服务器. yaml**
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
   name: server-c-socket-server-peerauthentication
   namespace: server-c-socket-server
 spec:
   mtls:
     mode: STRICT

系统

    • Kubernetes:**MicroK8s版本1.25.5修订版本4418
    • kubectl版本:**客户端版本:v1.25.5自定义版本:v4.5.7服务器版本:版本1.25.5
    • 操作系统:**Ubuntu 22.04.1
    • istioctl代理状态**
NAME                                                                      CLUSTER        CDS        LDS        EDS        RDS          ECDS         ISTIOD                     VERSION
istio-ingressgateway-78f69b5b89-w24fx.istio-system                        Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     NOT SENT     istiod-d887c9b84-xk9tn     1.14.4
server-c-nginx-deploy-7cb9cc7574-57tdw.server-c-nginx                     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-d887c9b84-xk9tn     1.14.4
server-c-socket-client-deploy-7469697f89-ndf89.server-c-socket-client     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-d887c9b84-xk9tn     1.14.4
server-c-socket-server-deploy-5d47669d86-fk8kh.server-c-socket-server     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-d887c9b84-xk9tn     1.14.4

我已经在istio中尝试了许多属性,并努力创建一个EnvoyFilter,不幸的是,它没有给出理想的结果。"未找到NR滤波器链" #30819 https://github.com/istio/istio/issues/30819或www.example.comhttps://vikaschoudhary16.com/2022/06/20/undeistio-permissive-authz-magic/#Scenario_2_non-injected_client_to_injected_and_non-injected_services
最后,应该对纯文本消息(TCP)进行加密,这在STRICT模式下不起作用。
如果您有任何想法或需要更多信息,请让我知道。
最好的问候。

一些更新的文件|2023年1月19日:

  • 通信在一个群集中
  • 无传出/传入外部群集流量(例如,未配置入口或出口网关)
  • 套接字服务器位于名称空间中:服务器-C-套接字-服务器
  • 套接字客户端位于名称空间中:服务器-C-套接字-客户端
  • 如果我从Socket服务器编辑PeerAuthentication为PERMISSIVE,它会立即工作,但不会加密...:(
  • 我还向套接字客户端Python脚本添加了一个sleep命令(大约3分钟),因为我怀疑部署和envoy-sidecar之间存在时间问题
  • 我注意到Envoy错误"10.1.2.142:50000 10.1.2.146:50001"的第一个IP地址是套接字服务器,第二个是套接字客户端,看起来服务器不知道如何回复套接字连接请求...
    • isto目标规则套接字客户端. yaml**
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: server-c-socket-client-destinationrule
  namespace: server-c-socket-client
spec:
  host: server-c-socket-client-service.server-c-socket-client.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      sni: server-c-socket-client-service.server-c-socket-client.svc.cluster.local
    • 位置目标规则套接字服务器. yaml**
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: server-c-socket-server-destinationrule
  namespace: server-c-socket-server
spec:
  host: server-c-socket-server-service.server-c-socket-server.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      sni: server-c-socket-server-service.server-c-socket-server.svc.cluster.local
    • istio对等身份验证套接字服务器. yaml**
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: server-c-socket-server-peerauthentication
  namespace: server-c-socket-server
spec:
  mtls:
    mode: STRICT
    • istio-对等身份验证-套接字-客户端. yaml**
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: server-c-socket-client-peerauthentication
  namespace: server-c-socket-client
spec:
  mtls:
    mode: STRICT
    • 是严格的网格策略. yaml**
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
    • 虚拟服务套接字客户端. yaml**
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: server-c-socket-client-virtualservice
  namespace: server-c-socket-client
spec:
  hosts:
  - server-c-socket-client-service.server-c-socket-client.svc.cluster.local
  tcp:
  - match:
    - port: 50001
    route:
    - destination:
        host: server-c-socket-client-service.server-c-socket-client.svc.cluster.local
        subset: v1
        port:
          number: 50001
      weight: 100
    • 虚拟服务套接字服务器. yaml**
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: server-c-socket-server-virtualservice
  namespace: server-c-socket-server
spec:
  hosts:
  - server-c-socket-server-service.server-c-socket-server.svc.cluster.local
  tcp:
  - match:
    - port: 50000
    route:
    - destination:
        host: server-c-socket-server-service.server-c-socket-server.svc.cluster.local
        subset: v1
        port:
          number: 50000
      weight: 100
    • 统计方案版本. yaml**

一个16b1x一个17b1x一个18b1x

    • 平均值:严格**
server-c@server-c:~$ microk8s istioctl pc listeners deploy/server-c-socket-server-deploy -n server-c-socket-server --port 15006
ADDRESS         PORT    MATCH                                                                                       DESTINATION
0.0.0.0         15006   Addr: *:15006                                                                               Non-HTTP/Non-TCP
0.0.0.0         15006   Trans: tls; App: istio-http/1.0,istio-http/1.1,istio-h2; Addr: 0.0.0.0/0                    InboundPassthroughClusterIpv4
0.0.0.0         15006   Trans: tls; Addr: 0.0.0.0/0                                                                 InboundPassthroughClusterIpv4
0.0.0.0         15006   Trans: tls; Addr: *:50000                                                                   Cluster: inbound|50000||
    • mtl:允许**
server-c@server-c:~$ microk8s istioctl pc listeners deploy/server-c-socket-server-deploy -n server-c-socket-server --port 15006
ADDRESS         PORT  MATCH                                                                                                         DESTINATION
0.0.0.0         15006   Addr: *:15006                                                                                               Non-HTTP/Non-TCP
0.0.0.0         15006   Trans: tls; App: istio-http/1.0,istio-http/1.1,istio-h2; Addr: 0.0.0.0/0                                    InboundPassthroughClusterIpv4
0.0.0.0         15006   Trans: raw_buffer; App: http/1.1,h2c; Addr: 0.0.0.0/0                                                       InboundPassthroughClusterIpv4
0.0.0.0         15006   Trans: tls; App: TCP TLS; Addr: 0.0.0.0/0                                                                   InboundPassthroughClusterIpv4
0.0.0.0         15006   Trans: raw_buffer; Addr: 0.0.0.0/0                                                                          InboundPassthroughClusterIpv4
0.0.0.0         15006   Trans: tls; Addr: 0.0.0.0/0                                                                                 InboundPassthroughClusterIpv4
0.0.0.0         15006   Trans: tls; App: istio,istio-peer-exchange,istio-http/1.0,istio-http/1.1,istio-h2; Addr: *:50000            Cluster: inbound|50000||
0.0.0.0         15006   Trans: tls; Addr: *:50000                                                                                   Cluster: inbound|50000||
0.0.0.0         15006   Trans: raw_buffer; Addr: *:50000                                                                            Cluster: inbound|50000||
mqkwyuun

mqkwyuun1#

我太专注于Istio,以至于没有进一步研究底层应用程序...
在我以前的应用程序中,服务器尝试直接与客户机pod通信,而不是通过套接字客户机服务(这是基本的问题)。我已经改变了我的应用程序,这样两端都有一个套接字客户端和一个套接字服务器。这些是交替产生的,使得第一客户端A联系服务器B,然后客户端B联系服务器A =〉总是交替的。这意味着我现在可以在Istio中跟踪这两个服务的连接性,然后使用mTLS进行尝试。Working Socket Client and Server => mTLS

相关问题