智汇华云 | Istio中双向TLS认证功能详解( 三 )


sleep.foo to httpbin.foo: 200
[root@master1 istio-1.6.0]# kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- curl -s | grep X-Forwarded-Client-Cert
[root@master1 istio-1.6.0]#
接下来为服务器端（httpbin）配置 PeerAuthentication 策略，让其 sidecar 强制执行双向 TLS 认证，只接受 mTLS 连接。
cat
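# PeerAuthentication: makes the httpbin sidecar in namespace foo accept only
# mutual-TLS connections. Callers that have not been configured for mTLS are
# rejected (see the 503 in the test that follows).
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "httpbin"
  namespace: "foo"
spec:
  # Workload-scoped policy: applies only to pods labelled app=httpbin,
  # not to every workload in the namespace.
  selector:
    matchLabels:
      app: httpbin
  mtls:
    # STRICT: non-mTLS traffic is refused.
    mode: STRICT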
EOF
这时再次进行测试
[root@master1 istio-1.6.0]# kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- curl "" -s -o /dev/null -w "sleep.foo to httpbin.foo: %{http_code}\n"
sleep.foo to httpbin.foo: 503
[root@master1 istio-1.6.0]#
出现了 503 错误，这其实是一次 TLS 配置冲突：到目前为止我们只在服务器端强制了双向 TLS 认证，而客户端还没有配置相应的 TLS 策略，所以连接被服务器端的 sidecar 拒绝。
接下来设置客户端 。
cat
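# DestinationRule: tells the client-side (sleep) sidecar to originate mutual
# TLS with its sidecar-managed certificate when calling httpbin, matching the
# STRICT PeerAuthentication applied on the server side.
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "httpbin"
  # No namespace is set here; the cleanup section deletes this rule with
  # `-n foo`, so apply it into namespace foo as well.
spec:
  host: "httpbin.foo.svc.cluster.local"
  trafficPolicy:
    tls:
      # ISTIO_MUTUAL: the sidecar supplies the client certificate; the
      # application itself needs no TLS configuration.
      mode: ISTIO_MUTUAL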
EOF
然后进行测试，发现现在已经可以正常访问，且使用了双向 TLS 认证（响应头中的 X-Forwarded-Client-Cert 携带了客户端 sleep 的 SPIFFE 身份），符合预期。
[root@master1 istio-1.6.0]# kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- curl "" -s -o /dev/null -w "sleep.foo to httpbin.foo: %{http_code}\n"
sleep.foo to httpbin.foo: 200
[root@master1 istio-1.6.0]# kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- curl -s | grep X-Forwarded-Client-Cert
"X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/foo/sa/httpbin;Hash=b8a73b2655b270e23eda820e49c56cc9b16521d98cb6c1896eff41c58cc32d56;Subject=\"\";URI=spiffe://cluster.local/ns/foo/sa/sleep"
[root@master1 istio-1.6.0]#
清理命令
kubectl delete PeerAuthentication httpbin -n foo
kubectl delete DestinationRule httpbin -n foo
kubectl delete -f
kubectl delete -f
kubectl delete ns foo