Emissary-ingress

Goal: use OPA so that a request to /admin returns an error.

Application

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: flask-deploy
  labels:
    app: flask
spec:
  replicas: 2
  selector:
    matchLabels:
      app: flask
  template:
    metadata:
      labels:
        app: flask
    spec:
      containers:
        - name: flask
          image: ACCOUNT_ID.dkr.ecr.ap-northeast-2.amazonaws.com/app:latest
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: flask-svc
spec:
  type: NodePort
  selector:
    app: flask
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
```
```shell
kubectl apply -f deployment.yaml
```
```shell
# Add the Repo:
helm repo add datawire https://app.getambassador.io
helm repo update

# Create Namespace and Install:
kubectl create namespace emissary && \
kubectl apply -f https://app.getambassador.io/yaml/emissary/3.9.1/emissary-crds.yaml
kubectl wait --timeout=90s --for=condition=available deployment emissary-apiext -n emissary-system
helm install emissary-ingress --namespace emissary datawire/emissary-ingress && \
kubectl -n emissary wait --for condition=available --timeout=90s deploy -lapp.kubernetes.io/instance=emissary-ingress
```
Configure a Listener on port 8080

```shell
kubectl apply -f - <<EOF
---
apiVersion: getambassador.io/v3alpha1
kind: Listener
metadata:
  name: emissary-ingress-listener-8080
  namespace: emissary
spec:
  port: 8080
  protocol: HTTP
  securityModel: XFP
  hostBinding:
    namespace:
      from: ALL
EOF
```
Create a Mapping to the application Service

```shell
kubectl apply -f - <<EOF
---
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: flask-backend
spec:
  hostname: "*"
  prefix: /
  service: flask-svc
EOF
```
Deploy OPA with Helm

```shell
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper --create-namespace
```
Create the following file to configure the OPA sidecar

```shell
cat << EOF > opa-patch.yaml
spec:
  template:
    spec:
      containers:
        - name: opa
          image: openpolicyagent/opa:latest-envoy
          ports:
            - containerPort: 9191
          args:
            - "run"
            - "--server"
            - "--addr=0.0.0.0:8181"
            - "--set=plugins.envoy_ext_authz_grpc.addr=0.0.0.0:9191"
            - "--set=plugins.envoy_ext_authz_grpc.query=data.envoy.authz.allow"
            - "--set=decision_logs.console=true"
            - "--ignore=.*"
            - "/policy/policy.rego"
          volumeMounts:
            - mountPath: /policy
              name: demo-policy
              readOnly: true
      volumes:
        - name: demo-policy
          configMap:
            name: demo-policy
EOF
```
Apply the configuration that adds the OPA sidecar container to the Emissary Ingress Deployment

```shell
cat <<EOF | kubectl apply -n emissary -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: demo-policy
data:
  policy.rego: |-
    package envoy.authz

    default allow = false

    allow if input.attributes.request.http.method == "GET"
EOF
kubectl patch deployment emissary-ingress -n emissary --patch-file opa-patch.yaml && kubectl get pod -n emissary
```
Verify the OPA sidecar container in the ingress pod

```shell
kubectl get pod -n emissary -l app.kubernetes.io/name=emissary-ingress
```

```shell
kubectl describe pod -n emissary -l app.kubernetes.io/name=emissary-ingress
```
Create an AuthService resource so Emissary can call the OPA sidecar container

```shell
cat <<EOF | kubectl apply -f -
apiVersion: getambassador.io/v3alpha1
kind: AuthService
metadata:
  name: opa-ext-authservice
  namespace: emissary
  labels:
    product: aes
    app: opa-ext-auth
spec:
  proto: grpc
  auth_service: localhost:9191
  timeout_ms: 5000
  tls: "false"
  protocol_version: v3
  include_body:
    max_bytes: 8192
    allow_partial: true
  status_on_error:
    code: 504
  failure_mode_allow: false
EOF
```
At this point a curl request still goes through.

Modify the policy

```shell
cat <<EOF | kubectl apply -n emissary -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: demo-policy
data:
  policy.rego: |-
    package envoy.authz

    allow if input.attributes.request.http.path != "/admin"
EOF
kubectl rollout restart deployment emissary-ingress -n emissary
```

Accessing the admin path now produces an error.
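The policy above compares the whole request path string, and `input.attributes.request.http.path` is the request target including the query string, so `/admin/`, `/admin/users` or `/admin?x=1` are not equal to `"/admin"` and would still be allowed. The following policy, an added example rather than the page's own policy, instead matches the first path segment using `input.parsed_path` (the path split into segments with the query string removed, which the OPA Envoy plugin adds to the input), keeps an explicit deny default, and carries its own unit tests; the test inputs are constructed, and `import rego.v1` is assumed for portability across OPA versions.

```rego
package envoy.authz

import rego.v1

# Deny by default so a decision that evaluates to undefined is never read as "allow".
default allow := false

# Allow every request that is not under the /admin subtree.
allow if {
	not admin_path
}

# parsed_path is the URL path split on "/" with the query string stripped:
# "/admin" -> ["admin"], "/admin/users" -> ["admin", "users"], "/" -> [""].
# Matching the first segment covers /admin, /admin/ and /admin?x=1 alike,
# while a different segment such as /administrator is left alone.
admin_path if {
	input.parsed_path[0] == "admin"
}

# Unit tests (constructed inputs); run with: opa test policy.rego
test_root_allowed if {
	allow with input as {"parsed_path": [""]}
}

test_admin_denied if {
	not allow with input as {"parsed_path": ["admin"]}
}

test_admin_subpath_denied if {
	not allow with input as {"parsed_path": ["admin", "users"]}
}

test_admin_trailing_slash_denied if {
	not allow with input as {"parsed_path": ["admin", ""]}
}

test_other_segment_allowed if {
	allow with input as {"parsed_path": ["administrator"]}
}
```

Put this in the `policy.rego` key of the demo-policy ConfigMap and restart the deployment as above; the `decision_logs.console=true` flag already set on the sidecar shows each allow or deny decision in the OPA container log.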