Chapter 11: Security Configuration
Learn how to configure Loki's security features, including authentication, authorization and TLS.
Last updated: 2024-01-25
Loki Security Configuration
This chapter covers Loki's security configuration: authentication, authorization, TLS encryption and related settings.
Authentication Configuration
Enabling authentication
# /etc/loki/config.yaml
auth_enabled: true

server:
  http_listen_address: 0.0.0.0
  http_listen_port: 3100

# Note: with auth_enabled set, Loki only requires every request to carry an
# X-Scope-OrgID tenant header; it does not check usernames or passwords itself.
# Basic authentication against the users file below must be performed by a
# reverse proxy placed in front of Loki (for example nginx with
# auth_basic_user_file), which then sets X-Scope-OrgID for the authenticated
# tenant before forwarding the request.
Users file
# /etc/loki/users.txt (htpasswd format, one "user:bcrypt-hash" entry per line)
admin:$2y$10$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
user1:$2y$10$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Generating passwords
# Generate with htpasswd: -B selects bcrypt, -C 12 sets the cost factor and
# -n prints the "user:hash" line to stdout instead of writing a file, so it
# can be appended to /etc/loki/users.txt. Omit -b to be prompted for the
# password rather than placing it on the command line (and in shell history).
htpasswd -nbBC 12 admin password
# Or with docker
docker run --rm httpd:alpine htpasswd -nbBC 12 admin password
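As an added example (not part of the original page), the following Python script audits a users file of the kind generated above before it is deployed behind the proxy: it flags entries that are not bcrypt, that use a cost lower than the -C 12 used above, that are duplicated, or that are stored in plaintext. The sample file and its hash values are constructed placeholders.

```python
import re
from typing import List, Tuple

# Minimum bcrypt cost, matching the -C 12 used with htpasswd above.
MIN_BCRYPT_COST = 12

# Modular-crypt bcrypt: $2a$/$2b$/$2y$, two-digit cost, then 22-char salt + 31-char hash.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed sample users file. The bcrypt tails are placeholders of the
# correct length, not real hashes, and none of these are real credentials.
FAKE_TAIL = "a" * 22 + "B" * 31
SAMPLE_USERS_TXT = "\n".join([
    "# comment lines and blank lines are ignored",
    f"admin:$2y$12${FAKE_TAIL}",
    f"user1:$2y$10${FAKE_TAIL}",                      # cost below 12
    "legacy:$apr1$saltsalt$0123456789abcdefghijkl",  # htpasswd -m (MD5)
    "olduser:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=",     # htpasswd -s (SHA-1)
    "user1:plaintextpassword",                       # duplicate user, no hash
    "",
])


def audit_users_file(text: str, min_cost: int = MIN_BCRYPT_COST) -> List[Tuple[str, str]]:
    """Return (user, problem) pairs for every entry that should not be deployed."""
    problems: List[Tuple[str, str]] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            problems.append((f"line {lineno}", "malformed entry, no ':' separator"))
            continue
        user, hashed = line.split(":", 1)
        if user in seen:
            problems.append((user, "duplicate user entry"))
        seen.add(user)
        m = BCRYPT_RE.match(hashed)
        if m:
            cost = int(m.group(1))
            if cost < min_cost:
                problems.append((user, f"bcrypt cost {cost} below minimum {min_cost}"))
        elif hashed.startswith("$apr1$"):
            problems.append((user, "Apache MD5 hash (htpasswd -m); rehash with -B"))
        elif hashed.startswith("{SHA}"):
            problems.append((user, "unsalted SHA-1 hash (htpasswd -s); rehash with -B"))
        else:
            problems.append((user, "plaintext or unrecognised hash"))
    return problems
```

Running `audit_users_file(SAMPLE_USERS_TXT)` reports five findings for the sample above and none for a file containing only the admin entry.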
Multi-tenant Configuration
Basic configuration
# /etc/loki/config.yaml
auth_enabled: true

# Multi-tenant configuration
tenant_configs:
  path_prefix: /etc/loki/tenants

limits_config:
  enforce_metric_name: false
  reject_old_samples: true
  max_label_names_per_series: 30
  max_streams_per_user: 5000
Tenant configuration
# /etc/loki/tenants/tenant1.yaml
id: tenant1
name: "Tenant 1"
storage:
  s3:
    bucketnames: loki-tenant1-chunks
    region: us-east-1
rules:
  s3:
    bucketnames: loki-tenant1-rules

# /etc/loki/tenants/tenant2.yaml
id: tenant2
name: "Tenant 2"
storage:
  s3:
    bucketnames: loki-tenant2-chunks
    region: us-east-1
HTTP Header
# The tenant ID is passed on every request in the HTTP header
# X-Scope-OrgID: tenant1
# Promtail configuration: the "clients" key is a list, one entry per Loki endpoint
clients:
  - url: http://loki:3100/loki/api/v1/push
    headers:
      X-Scope-OrgID: tenant1
TLS Configuration
Server TLS
# /etc/loki/config.yaml
server:
  http_tls_config:
    cert_file: /etc/loki/tls/server.crt
    key_file: /etc/loki/tls/server.key
    # "NoClientCert" encrypts traffic but does not authenticate clients; to require
    # mutual TLS use "RequireAndVerifyClientCert" together with client_ca_file
    client_auth_type: "NoClientCert"
  grpc_tls_config:
    cert_file: /etc/loki/tls/grpc.crt
    key_file: /etc/loki/tls/grpc.key
Client TLS
# Promtail client configuration (this block belongs to the Promtail config, not to
# the Loki server's /etc/loki/config.yaml)
clients:
  - url: https://loki:3100/loki/api/v1/push
    tls_config:
      ca_file: /etc/loki/tls/ca.crt
      cert_file: /etc/loki/tls/client.crt
      key_file: /etc/loki/tls/client.key
      # must match a subjectAltName in the server certificate
      server_name: loki.example.com
      # never set this to true outside a throwaway test; it disables certificate checks
      insecure_skip_verify: false
Generating certificates
# Generate the CA
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt \
  -subj "/CN=Loki CA"

# Generate the server certificate. Go-based clients such as Promtail verify the
# host name against the subjectAltName extension, not the CN, so the SAN is
# added when the CSR is signed.
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr \
  -subj "/CN=loki.example.com"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out server.crt -days 365 -sha256 \
  -extfile <(printf "subjectAltName=DNS:loki.example.com")

# Generate the client certificate
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr \
  -subj "/CN=client"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out client.crt -days 365 -sha256
Authorization Configuration
Limits configuration
limits_config:
  # Ingestion limits
  ingestion_rate_mb: 10
  ingestion_burst_size_mb: 20
  # Query limits
  max_entries_limit_per_query: 5000
  max_query_parallelism: 10
  max_query_series: 5000
  # Storage limits
  max_streams_per_user: 1000
  max_global_streams_per_user: 5000
  # Label limits
  max_label_name_length: 1024
  max_label_value_length: 2048
  max_label_names_per_series: 15
Per-tenant limits
# limits_config holds the defaults for every tenant; per-tenant overrides are
# configured through runtime_config, which points at a separate overrides file
# that Loki reloads periodically without a restart.
# /etc/loki/config.yaml
limits_config:
  ingestion_rate_mb: 10
  max_streams_per_user: 1000
runtime_config:
  file: /etc/loki/overrides.yaml   # path chosen here as an example

# /etc/loki/overrides.yaml
overrides:
  tenant1:
    ingestion_rate_mb: 50
    max_streams_per_user: 5000
  tenant2:
    ingestion_rate_mb: 100
    max_streams_per_user: 10000
Network Security
Firewall configuration
# Open the Loki ports: 3100 is the HTTP API, 9095 is gRPC between Loki
# components and 7946 is memberlist gossip. Only 3100 needs to be reachable by
# clients; restrict 9095 and 7946 to the addresses of the other Loki members.
firewall-cmd --add-port=3100/tcp --permanent
firewall-cmd --add-port=9095/tcp --permanent
firewall-cmd --add-port=7946/tcp --permanent
firewall-cmd --reload
# Or with iptables
iptables -A INPUT -p tcp --dport 3100 -j ACCEPT
Network policy
# network-policy.yaml
# Note: once Egress is listed in policyTypes, everything not matched below is
# denied, including DNS lookups and traffic between Loki members on 7946/9095;
# a real cluster needs additional rules for those. The minio podSelector without
# a namespaceSelector only matches pods in the loki namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: loki-network-policy
  namespace: loki
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: loki
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: grafana
        - namespaceSelector:
            matchLabels:
              name: monitoring
      ports:
        - protocol: TCP
          port: 3100
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: minio
      ports:
        - protocol: TCP
          port: 9000
Security Best Practices
1. Enable authentication
auth_enabled: true
2. Use TLS
server:
  http_tls_config:
    cert_file: /etc/loki/tls/server.crt
    key_file: /etc/loki/tls/server.key
3. Limit resource usage
limits_config:
  ingestion_rate_mb: 10
  max_entries_limit_per_query: 5000
4. Rotate keys and certificates regularly
# Re-issue the server certificate from the CA with a short lifetime and a fresh
# key. A self-signed "openssl req -x509" certificate would not chain to the CA
# that clients trust, so the certificate is signed the same way as above.
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/CN=loki.example.com"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile <(printf "subjectAltName=DNS:loki.example.com") \
  -out server.crt -days 90 -sha256
Next Steps
Next, let's look at best practices.
👉 Best Practices