Istio mTLS与服务身份策略实践

概述目标：在服务网格中强制mTLS，基于`principals`与路径/方法进行授权，构建零信任服务间通信。适用：生产环境核心服务、跨命名空间访问控制、合规要求。核心与实战命名空间强制mTLS：apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: default namespace: prod spec: mtls: mode: STRICT 授权仅允许`web`访问`api`：apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: api-allow-web namespace: prod spec: selector: matchLabels: { app: api } action: ALLOW rules: - from: - source: principals: [ "cluster.local/ns/prod/sa/web" ] to: - operation: ports: [ "8080" ] methods: [ "GET", "POST" ] 拒绝其他来源：apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: api-deny-all namespace: prod spec: selector: matchLabels: { app: api } action: DENY rules: - from: - source: {} 示例应用与分析：kubectl apply -f peerauthentication.yaml kubectl apply -f authz-allow.yaml kubectl apply -f authz-deny.yaml istioctl analyze -n prod 观测证书与身份：kubectl -n prod exec deploy/api -- curl -sS http://127.0.0.1:15000/config_dump | select-string -pattern spiffe 验证与监控mTLS状态：在Grafana/Prometheus查看`istio_mtls_client_traffic`与`istio_mtls_server_traffic`指标。授权效果：通过`web`服务发起到`api`的请求应成功，其他SA请求被拒（403）；查看`istiod`与Envoy日志。证书轮转：验证工作负载证书自动轮转，避免过期导致中断。常见误区未在命名空间设置默认`PeerAuthentication`导致明文通信；需严格模式。principals写法错误（需`cluster.local/ns/<ns>/sa/<sa>`）；导致授权不生效。忽视默认DENY策略，未定义ALLOW时访问被全部放行或拒绝；策略顺序需清晰。结语通过mTLS与基于服务身份的授权策略，Istio可在生产环境落实零信任通信与细粒度访问控制。