kubernetes - BookInfo示例应用程序的Istio mTLS问题

Question

我已经使用Helm在新的GKE群集上安装了Istio 1.1 RC，并启用了mTLS(省略了一些选项，例如Grafana和Kiali):

helm template istio/install/kubernetes/helm/istio \
  --set global.mtls.enabled=true \
  --set global.controlPlaneSecurityEnabled=true \
  --set istio_cni.enabled=true \
  --set istio-cni.excludeNamespaces={"istio-system"} \
  --name istio \
  --namespace istio-system >> istio.yaml

kubectl apply -f istio.yaml

接下来，我像这样安装Bookinfo示例应用程序:

kubectl label namespace default istio-injection=enabled
kubectl apply -f istio/samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f istio/samples/bookinfo/networking/bookinfo-gateway.yaml
kubectl apply -f istio/samples/bookinfo/networking/destination-rule-all-mtls.yaml

然后，我按照以下示例进行测试:https://istio.io/docs/tasks/security/mutual-tls/

我的结果表明配置不正确，但是上面的验证指南并未提供有关如何解决或诊断问题的任何提示。这是我看到的:

istio/bin/istioctl authn tls-check productpage.default.svc.cluster.local
Stderr when execute [/usr/local/bin/pilot-discovery request GET /debug/authenticationz ]: gc 1 @0.015s 6%: 0.016+1.4+1.0 ms clock, 0.064+0.31/0.45/1.6+4.0 ms cpu, 4->4->1 MB, 5 MB goal, 4 P
gc 2 @0.024s 9%: 0.007+1.4+1.0 ms clock, 0.029+0.15/1.1/1.1+4.3 ms cpu, 4->4->2 MB, 5 MB goal, 4 P

HOST:PORT                                      STATUS     SERVER     CLIENT     AUTHN POLICY     DESTINATION RULE
productpage.default.svc.cluster.local:9080     OK         mTLS       mTLS       default/         default/istio-system

这似乎表明mTLS正常。之前的检查全部通过，例如检查cachain是否存在等。上述检查通过了所有bookinfo组件。

但是，以下检查显示了一个问题:

1: Confirm that plain-text requests fail as TLS is required to talk to httpbin with the following command: 

kubectl exec $(kubectl get pod -l app=productpage -o jsonpath={.items..metadata.name}) -c istio-proxy -- curl http://productpage:9080/productpage -o /dev/null -s -w '%{http_code}\n'

200 <== Error.  Should fail.

2: Confirm TLS requests without client certificate also fail:
kubectl exec $(kubectl get pod -l app=productpage -o jsonpath={.items..metadata.name}) -c istio-proxy -- curl https://productpage:9080/productpage -o /dev/null -s -w '%{http_code}\n' -k

000 <=== Correct behaviour
command terminated with exit code 35 

3: Confirm TLS request with client certificate succeed:
kubectl exec $(kubectl get pod -l app=productpage -o jsonpath={.items..metadata.name}) -c istio-proxy -- curl https://productpage:9080/productpage -o /dev/null -s -w '%{http_code}\n' --key /etc/certs/key.pem --cert /etc/certs/cert-chain.pem --cacert /etc/certs/root-cert.pem -k

000 <=== Incorrect. Should succeed.
command terminated with exit code 35

我还能做些什么来调试安装？我已经非常仔细地遵循了安装过程。这是我的集群信息:

Kubernetes master is running at https://<omitted>
calico-typha is running at https://<omitted>/api/v1/namespaces/kube-system/services/calico-typha:calico-typha/proxy
GLBCDefaultBackend is running at https://<omitted>/api/v1/namespaces/kube-system/services/default-http-backend:http/proxy
Heapster is running at https://<omitted>/api/v1/namespaces/kube-system/services/heapster/proxy
KubeDNS is running at https://<omitted>/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
Metrics-server is running at https://<omitted>/api/v1/namespaces/kube-system/services/https:metrics-server:/proxy

Kubernetes version: 1.11.7-gke.4

我想我正在寻找更全面的指南或可以检查的一些特定事项。

编辑:附加信息:
pods 状态:

default ns:
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-68868454f5-l7srt       2/2     Running   0          3h
productpage-v1-5cb458d74f-lmf7x   2/2     Running   0          2h
ratings-v1-76f4c9765f-ttstt       2/2     Running   0          2h
reviews-v1-56f6855586-qszpm       2/2     Running   0          2h
reviews-v2-65c9df47f8-ztrss       2/2     Running   0          3h
reviews-v3-6cf47594fd-hq6pc       2/2     Running   0          2h

istio-system ns:
NAME                                                        READY   STATUS      RESTARTS   AGE
grafana-7b46bf6b7c-2qzcv                                    1/1     Running     0          3h
istio-citadel-5bf5488468-wkmvf                              1/1     Running     0          3h
istio-cleanup-secrets-release-1.1-latest-daily-zmw7s        0/1     Completed   0          3h
istio-egressgateway-cf8d6dc69-fdmw2                         1/1     Running     0          3h
istio-galley-5bcd455cbb-7wjkl                               1/1     Running     0          3h
istio-grafana-post-install-release-1.1-latest-daily-vc2ff   0/1     Completed   0          3h
istio-ingressgateway-68b6767bcb-65h2d                       1/1     Running     0          3h
istio-pilot-856849455f-29nvq                                2/2     Running     0          2h
istio-policy-5568587488-7lkdr                               2/2     Running     2          3h
istio-sidecar-injector-744f68bf5f-h22sp                     1/1     Running     0          3h
istio-telemetry-7ffd6f6d4-tsmxv                             2/2     Running     2          3h
istio-tracing-759fbf95b7-lc7fd                              1/1     Running     0          3h
kiali-5d68f4c676-qrxfd                                      1/1     Running     0          3h
prometheus-c4b6997b-6d5k9                                   1/1     Running     0          3h

示例destinationrule:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  creationTimestamp: "2019-02-21T15:15:09Z"
  generation: 1
  name: productpage
  namespace: default   
spec:
  host: productpage
  subsets:
  - labels:
      version: v1
    name: v1
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

Answer 1

如果您使用的是Istio 1.1 RC，则应查看https://preliminary.istio.io/而不是https://istio.io/上的文档。 primary.istio.io网站始终是文档的工作副本，与下一个Istio版本(当前为1.1)相对应。

就是说，这些文档当前每天都在发生很大变化，因为它们可能在接下来的几周内在1.1发行之前的最终测试中进行清理和更正。

对于纯文本http请求在测试中返回200的可能解释是，您可能正在使用permissive mode运行。