Translator's note:
We built a Kubernetes cluster in which we deployed Istio and a sample microservice application, Sentiment Analysis, to demonstrate Istio's capabilities.
With Istio we were able to keep our services small, because they no longer need to implement layers such as retries, timeouts, circuit breakers, tracing and monitoring. In addition, we used advanced testing and deployment techniques: A/B testing, mirroring and canary releases.
In this new part we deal with the final layers on the road to business value: authentication and authorization, and in Istio they are a real pleasure!
Authentication and authorization in Istio
I never believed I could be inspired by authentication and authorization. What can Istio offer, technically, to make these topics fun and, even more, inspiring?
The answer is simple: Istio moves responsibility for these capabilities out of your services and into the Envoy proxies. By the time requests reach the services they are already authenticated and authorized, so all that is left to do is write the business logic.
Sounds good? Let's look inside!
Authentication with Auth0
As the identity and access management server we'll use Auth0, which has a trial version, is intuitive to use and which I simply like. However, the same principles can be applied to any other
To get started, go to
Specify this domain in the file resource-manifests/istio/security/auth-policy.yaml:
```yaml
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: auth-policy
spec:
  targets:
  - name: sa-web-app
  - name: sa-feedback
  origins:
  - jwt:
      issuer: "https://{YOUR_DOMAIN}/"
      jwksUri: "https://{YOUR_DOMAIN}/.well-known/jwks.json"
  principalBinding: USE_ORIGIN
```
With this Policy, Pilot (one of the three core components of Istio's Control Plane; translator's note) configures Envoy to authenticate requests before forwarding them to the sa-web-app and sa-feedback services. At the same time, the configuration is not applied to the Envoys of the sa-frontend service, which lets us leave the frontend unauthenticated. To apply the Policy, run the command:
```shell
$ kubectl apply -f resource-manifests/istio/security/auth-policy.yaml
policy.authentication.istio.io "auth-policy" created
```
Go back to the page and make a request: you'll see it ends with a 401 Unauthorized status. Now let's redirect frontend users to authenticate with Auth0.
Authenticating requests with Auth0
To authenticate end-user requests, you need to create an API in Auth0 that will represent the authenticated services (reviews, details and ratings). To create an API, go to Auth0 Portal > APIs > Create API and fill in the form:
The important piece of information here is the Identifier, which we'll use later in the script. Let's write it down as:
- Audience: {YOUR_AUDIENCE}
The remaining details we need are in the Auth0 Portal under the Applications section: select Test Application (created automatically together with the API).
Here we'll write down:
- Domain: {YOUR_DOMAIN}
- Client Id: {YOUR_CLIENT_ID}
In the Test Application, scroll to the text field Allowed Callback URLs, where we specify the URL to which the call should be sent after authentication completes. In our case it is:
http://{EXTERNAL_IP}/callback
And for Allowed Logout URLs add:
http://{EXTERNAL_IP}/logout
Let's move on.
Frontend update
Switch to the auth0 branch of the [istio-mastery] repository. In this branch the frontend code is changed to redirect users to Auth0 for authentication and to use the JWT token in requests to the other services. The latter is implemented as follows:
```javascript
analyzeSentence() {
  fetch('/sentiment', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${auth.getAccessToken()}` // Access Token
    },
    body: JSON.stringify({ sentence: this.textField.getValue() })
  })
    .then(response => response.json())
    .then(data => this.setState(data));
}
```
To configure the frontend to use your Auth0 tenant data, open sa-frontend/src/services/Auth.js and substitute in it the values we wrote down above:
```javascript
const Config = {
  clientID: '{YOUR_CLIENT_ID}',
  domain: '{YOUR_DOMAIN}',
  audience: '{YOUR_AUDIENCE}',
  ingressIP: '{EXTERNAL_IP}' // used for the redirect after authentication
}
```
The application is ready. Specify your Docker ID in the commands below, which build and deploy the changes:
```shell
$ docker build -f sa-frontend/Dockerfile \
    -t $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0 \
    sa-frontend
$ docker push $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0
$ kubectl set image deployment/sa-frontend \
    sa-frontend=$DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0
```
Try the application! You'll be redirected to Auth0, where you need to log in (or sign up), after which you'll be returned to the page, which now makes authenticated requests. If you try the curl commands from the first parts of the article, you'll get a 401 status code, indicating that the request is not authorized.
Let's take the next step: authorizing the requests.
Authorization with Auth0
Authentication lets us know who the user is, but authorization is needed to know what they are allowed to access. Istio offers tools for this too.
As an example, let's create two groups of users (see the diagram below):
- Users: with access only to the SA-WebApp and SA-Frontend services;
- Moderators: with access to all three services.
Authorization concept
To create these groups we'll use the Auth0 Authorization extension, and use Istio to give them different levels of access.
Installing and configuring Auth0 Authorization
In the Auth0 portal, go to Extensions and install Auth0 Authorization. After installation, open the Authorization Extension and from there go to the tenant configuration by clicking at the top right and choosing the corresponding menu item (Configuration). Enable Groups and click the Publish rule button.
Creating groups
In the Authorization Extension go to Groups and create the Moderators group. Since we'll treat all authenticated users as regular users, there's no need to create an additional group for them.
Select the Moderators group, click Add Members and add your main account. Leave the other users outside any group to make sure they are denied access. (New users can be created manually via Auth0 Portal > Users > Create User.)
Adding a group claim to the Access Token
Users have been added to groups, but this information has to be reflected in the access tokens. To stay compliant with OpenID Connect and at the same time return the groups we need, a custom claim has to be added to the token.
To create the rule, go to Auth0 Portal > Rules, click Create Rule and choose the empty rule from the templates.
Copy the code below and save it as a new rule named Add group claim:
```javascript
function (user, context, callback) {
  context.accessToken['https://sa.io/group'] = user.groups[0];
  return callback(null, user, context);
}
```
Note: this code takes the first group of the user defined in the Authorization Extension and adds it to the access token as a custom claim (under its own namespace, as Auth0 requires).
Go back to the Rules page and check that you have two rules listed in the following order:
- auth0-authorization-extension
- Add group claim
The order matters because the group field is populated by the auth0-authorization-extension rule and only after that added as a claim by the second rule. The result is an access token like this:
```json
{
  "https://sa.io/group": "Moderators",
  "iss": "https://sentiment-analysis.eu.auth0.com/",
  "sub": "google-oauth2|196405271625531691872"
  // [truncated for clarity]
}
```
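To make the ordering point concrete, here is an added example (not from the article) that runs a stand-in for the auth0-authorization-extension rule together with a slightly hardened version of the Add group claim rule, in both orders. The membership table and user ids are constructed, and the real extension reads membership from its own storage rather than from this table.

```javascript
// Added example: simulates Auth0 running the two rules in sequence.
// The membership table and user ids are constructed; the real
// auth0-authorization-extension rule reads membership from its own storage.
const CLAIM = 'https://sa.io/group';
const GROUPS_BY_USER = { 'google-oauth2|111': ['Moderators'] };  // constructed

// Stand-in for the auth0-authorization-extension rule: attaches user.groups.
function authorizationExtensionRule(user, context, callback) {
  user.groups = GROUPS_BY_USER[user.user_id] || [];
  return callback(null, user, context);
}

// Hardened variant of the article's "Add group claim" rule: sets the claim
// only when the user belongs to a group, and does not throw if user.groups
// is still undefined because the extension rule has not run yet.
function addGroupClaim(user, context, callback) {
  const groups = Array.isArray(user.groups) ? user.groups : [];
  if (groups.length > 0) context.accessToken[CLAIM] = groups[0];
  return callback(null, user, context);
}

// Runs rules one after another, each handing (user, context) to the next,
// and returns the access token claims that result.
function runRules(rules, userId) {
  const user = { user_id: userId };
  const context = { accessToken: {} };
  let i = 0;
  const next = (err, u, ctx) => {
    if (err) throw err;
    if (i < rules.length) rules[i++](u, ctx, next);
  };
  next(null, user, context);
  return context.accessToken;
}

const CORRECT_ORDER = [authorizationExtensionRule, addGroupClaim];
const WRONG_ORDER = [addGroupClaim, authorizationExtensionRule];
console.log(runRules(CORRECT_ORDER, 'google-oauth2|111')[CLAIM]); // Moderators
console.log(runRules(WRONG_ORDER, 'google-oauth2|111')[CLAIM]);   // undefined
```

With the rules in the wrong order the token simply has no group claim, so a moderator silently degrades to a regular user; a user in no group gets no claim either instead of a failed login.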
Now you need to configure the Envoy proxies to check the user's access by the group taken from the claim (https://sa.io/group) in the returned access token. That is the subject of the next section of the article.
Configuring authorization in Istio
For authorization to work, Istio RBAC has to be enabled. To do that, we'll use the following configuration:
```yaml
apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
spec:
  mode: 'ON_WITH_INCLUSION' # 1
  inclusion:
    services: # 2
    - "sa-frontend.default.svc.cluster.local"
    - "sa-web-app.default.svc.cluster.local"
    - "sa-feedback.default.svc.cluster.local"
```
Explanations:
- 1: enable RBAC only for the services and namespaces listed in the Inclusion field;
- 2: we list our services.
Let's apply the configuration with the following command:
```shell
$ kubectl apply -f resource-manifests/istio/security/enable-rbac.yaml
rbacconfig.rbac.istio.io/default created
```
All services now require Role-Based Access Control. In other words, access to all services is denied and results in the response RBAC: access denied. Now let's allow access to authorized users.
Configuring access for regular users
All users should be able to access the SA-Frontend and SA-WebApp services. This is implemented with the following Istio resources:
- ServiceRole: defines what permissions a user has;
- ServiceRoleBinding: defines who the ServiceRole applies to.
For regular users we'll allow access to specific services:
```yaml
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: regular-user
  namespace: default
spec:
  rules:
  - services:
    - "sa-frontend.default.svc.cluster.local"
    - "sa-web-app.default.svc.cluster.local"
    paths: ["*"]
    methods: ["*"]
```
And with regular-user-binding we apply this ServiceRole to all visitors of the page:
```yaml
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: regular-user-binding
  namespace: default
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "regular-user"
```
Does "all users" mean that unauthenticated users will be able to access SA-WebApp? No, the Policy will still check the validity of the JWT token.
Let's apply the configuration:
```shell
$ kubectl apply -f resource-manifests/istio/security/user-role.yaml
servicerole.rbac.istio.io/regular-user created
servicerolebinding.rbac.istio.io/regular-user-binding created
```
Configuring access for moderators
For moderators we want to allow access to all services:
```yaml
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: mod-user
  namespace: default
spec:
  rules:
  - services: ["*"]
    paths: ["*"]
    methods: ["*"]
```
But we want such rights only for those users whose access token contains the claim https://sa.io/group with the value Moderators:
```yaml
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: mod-user-binding
  namespace: default
spec:
  subjects:
  - properties:
      request.auth.claims[https://sa.io/group]: "Moderators"
  roleRef:
    kind: ServiceRole
    name: "mod-user"
```
Let's apply the configuration:
```shell
$ kubectl apply -f resource-manifests/istio/security/mod-role.yaml
servicerole.rbac.istio.io/mod-user created
servicerolebinding.rbac.istio.io/mod-user-binding created
```
Because of caching in the Envoy proxies it can take a few minutes for the authorization rules to take effect. You can then verify that users and moderators have different levels of access.
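As an added example (not part of the article or of Istio), the following model replays the authentication Policy, the RbacConfig and the two ServiceRole/ServiceRoleBinding pairs from this article against sample requests, so the expected outcome for each user group can be checked before the resources are applied to a cluster. The claim payloads are constructed, and Envoy's real evaluation is not this code.

```javascript
// Added example: a small model of the article's Policy + RBAC resources.
// It is NOT Istio's evaluation engine; it only mirrors the decisions the
// article describes so they can be checked on sample inputs.
const CLAIM = 'https://sa.io/group';
const svc = (name) => `${name}.default.svc.cluster.local`;

// Authentication Policy: sa-web-app and sa-feedback require a valid JWT.
const JWT_REQUIRED = new Set([svc('sa-web-app'), svc('sa-feedback')]);

// RbacConfig ON_WITH_INCLUSION: RBAC applies only to these services.
const RBAC_INCLUSION = new Set([svc('sa-frontend'), svc('sa-web-app'), svc('sa-feedback')]);

// ServiceRole + ServiceRoleBinding pairs from the article.
const BINDINGS = [
  { role: { services: [svc('sa-frontend'), svc('sa-web-app')] },
    subject: { user: '*' } },
  { role: { services: ['*'] },
    subject: { properties: { [`request.auth.claims[${CLAIM}]`]: 'Moderators' } } },
];

// user: "*" matches any request, authenticated or not; the Policy has already
// rejected unauthenticated calls to the JWT-protected services.
function subjectMatches(subject, claims) {
  if (subject.user === '*') return true;
  return Object.entries(subject.properties || {}).every(([key, want]) => {
    const m = /^request\.auth\.claims\[(.+)\]$/.exec(key);
    return m !== null && claims !== null && claims[m[1]] === want;
  });
}

// `claims` is the verified JWT payload, or null when no valid token was sent.
// Returns 401 (Policy), 403 ("RBAC: access denied") or 200.
function decide(service, claims) {
  if (JWT_REQUIRED.has(service) && claims === null) return 401;
  if (!RBAC_INCLUSION.has(service)) return 200;
  const allowed = BINDINGS.some(({ role, subject }) =>
    (role.services.includes('*') || role.services.includes(service)) &&
    subjectMatches(subject, claims));
  return allowed ? 200 : 403;
}

// Sample checks (constructed inputs).
console.log(decide(svc('sa-feedback'), {}));                        // 403: regular user
console.log(decide(svc('sa-feedback'), { [CLAIM]: 'Moderators' })); // 200: moderator
```

Note that the frontend stays reachable without a token only because it is excluded from the Policy's targets, while the `user: "*"` binding still lets it pass RBAC; a token carrying any other group value is treated exactly like a regular user.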
Conclusion to this part
Seriously though, have you ever seen a simpler, more effortless, scalable and secure way to do authentication and authorization?
Only three Istio resources (RbacConfig, ServiceRole and ServiceRoleBinding) were needed to achieve fine-grained control over authentication and authorization of end-user access to the services.
In addition, by handing these concerns over to our Envoy proxies we gained:
- less boilerplate code that could contain security issues and bugs;
- fewer silly situations where a single endpoint turned out to be reachable from outside and nobody remembered to report it;
- no need to update all services every time a new role or permission is added;
- new services stay simple, secure and fast.
Conclusion
Istio lets teams focus their resources on the most business-critical tasks without adding overhead to the services, bringing them back to a micro state.
The article (in three parts) has given the basic knowledge and practical instructions needed to get started with Istio in real projects.
P.S. from the translator
Read also on our blog:
- "Back to microservices with Istio": part 1 (introduction to the main features), part 2 (routing, traffic management);
- "Conduit: a lightweight service mesh for Kubernetes";
- "What is a service mesh and why do I need it [for a cloud application with microservices]?".
Source: www.habr.com