authorizationPolicy详解

最新推荐文章于 2024-06-17 19:05:48 发布
最新推荐文章于 2024-06-17 19:05:48 发布
阅读量3.1k 收藏 2
点赞数 2
分类专栏: k8s实战之kubectl源码分析 文章标签: 云原生
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/hxpjava1/article/details/117330067
版权

 欢迎关注我的公众号:

 目前刚开始写一个月,一共写了18篇原创文章,文章目录如下:

istio多集群探秘,部署了50次多集群后我得出的结论

istio多集群链路追踪,附实操视频

istio防故障利器,你知道几个,istio新手不要读,太难!

istio业务权限控制,原来可以这么玩

istio实现非侵入压缩,微服务之间如何实现压缩

不懂envoyfilter也敢说精通istio系列-http-rbac-不要只会用AuthorizationPolicy配置权限

不懂envoyfilter也敢说精通istio系列-02-http-corsFilter-不要只会vs

不懂envoyfilter也敢说精通istio系列-03-http-csrf filter-再也不用再代码里写csrf逻辑了

不懂envoyfilter也敢说精通istio系列http-jwt_authn-不要只会RequestAuthorization

不懂envoyfilter也敢说精通istio系列-05-fault-filter-故障注入不止是vs

不懂envoyfilter也敢说精通istio系列-06-http-match-配置路由不只是vs

不懂envoyfilter也敢说精通istio系列-07-负载均衡配置不止是dr

不懂envoyfilter也敢说精通istio系列-08-连接池和断路器

不懂envoyfilter也敢说精通istio系列-09-http-route filter

不懂envoyfilter也敢说精通istio系列-network filter-redis proxy

不懂envoyfilter也敢说精通istio系列-network filter-HttpConnectionManager

不懂envoyfilter也敢说精通istio系列-ratelimit-istio ratelimit完全手册

学习目标

什么是AuthorizationPolicy

授权功能是 Istio 中安全体系的一个重要组成部分,它用来实现访问控制的功能,即判断一个请求是否允许通过,这个请求可以是从外部进入 Istio 内部的请求,也可以是在 Istio 内部从服务 A 到服务 B 的请求。可以把授权功能近似地认为是一种四层到七层的“防火墙”,它会像传统防火墙一样,对数据流进行分析和匹配,然后执行相应的动作。

流程

Authorization policies support ALLOW, DENY and CUSTOM actions. The policy precedence is CUSTOM, DENY and ALLOW. The following graph shows the policy precedence in detail:

资源详解

FieldTypeDescriptionRequired
selectorWorkloadSelectorOptional. Workload selector decides where to apply the authorization policy. If not set, the authorization policy will be applied to all workloads in the same namespace as the authorization policy.No
rulesRule[]Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads.No
actionActionOptional. The action to take if the request is matched with the rules.No
providerExtensionProvider (oneof)Specifies detailed configuration of the CUSTOM action. Must be used only with CUSTOM action.No

允许nothing

allow-nothing.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
spec:
  # This matches nothing, the action defaults to ALLOW if not specified.
  {}

The following example shows an ALLOW policy that matches nothing. If there are no other ALLOW policies, requests will always be denied because of the “deny by default” behavior.

默认拒绝,有通过则通过

全局拒绝所有

kubectl apply -f global-deny-all.yaml -n istio-system

global-deny-all.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istio-system
spec:
  action: DENY
  # This matches everything.
  rules:
  - {}

名称空间拒绝所有

deny-all.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
spec:
  action: DENY
  # This matches everything.
  rules:
  - {}

名称空间级别

名称空间允许所有

allow-all.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: allow-all
spec:
 action: ALLOW
 rules:
 - {}

名称空间级别

selector

productpage-allow-all.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage-allow-all
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - to:
   - operation:
       methods: ["GET", "POST"]

action

NameDescription
ALLOWAllow a request only if it matches the rules. This is the default type.
DENYDeny a request if it matches any of the rules.
AUDITAudit a request if it matches any of the rules.
CUSTOMThe CUSTOM action allows an extension to handle the user request if the matching rules evaluate to true. The extension is evaluated independently and before the native ALLOW and DENY actions. When used together, A request is allowed if and only if all the actions return allow, in other words, the extension cannot bypass the authorization decision made by ALLOW and DENY action. Extension behavior is defined by the named providers declared in MeshConfig. The authorization policy refers to the extension by specifying the name of the provider. One example use case of the extension is to integrate with a custom external authorization system to delegate the authorization decision to it.Note: The CUSTOM action is currently an experimental feature and is subject to breaking changes in later versions.

ALLOW

productpage-allow-all.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage-allow-all
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - to:
   - operation:
       methods: ["GET", "POST"]

DENY

1删除deny all

kubectl delete -f deny-all.yaml -n istio

2禁止访问produtpage

productpage-deny-allyaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage-allow-all
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: DENY
 rules:
 - {}

AUDIT

productpage-audit-all.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage-allow-all
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: AUDIT
 rules:
 - {}

the only supported plugin is the Stackdriver plugin

需要安装audit插件

CUSTOM

The CUSTOM action is currently an experimental feature and is subject to breaking changes in later versions.

1创建opa策略

opa介绍

OPA-重新定义规则引擎-入门篇 | 菜鸟Miao

验证opa

The Rego Playground

policy.rego

package envoy.authz
​
import input.attributes.request.http as http_request
​
default allow = false
​
token = {"payload": payload} {
    [_, encoded] := split(http_request.headers.authorization, " ")
    [_, payload, _] := io.jwt.decode(encoded)
}
​
allow {
    action_allowed
}
​
​
bar := "bar"
​
action_allowed {
  bar ==token.payload.foo
}
​

2创建secret

kubectl create secret generic opa-policy --from-file policy.rego -n istio

3创建opa

opa-deployment.yaml

apiVersion: v1
kind: Service
metadata:
  name: opa
  labels:
    app: opa
spec:
  ports:
  - name: grpc
    port: 9191
    targetPort: 9191
  selector:
    app: opa
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: opa
  labels:
    app: opa
spec:
  replicas: 1
  selector:
    matchLabels:
      app: opa
  template:
    metadata:
      labels:
        app: opa
    spec:
      containers:
        - name: opa
          image: openpolicyagent/opa:latest-envoy
          securityContext:
            runAsUser: 1111
          volumeMounts:
          - readOnly: true
            mountPath: /policy
            name: opa-policy
          args:
          - "run"
          - "--server"
          - "--addr=localhost:8181"
          - "--diagnostic-addr=0.0.0.0:8282"
          - "--set=plugins.envoy_ext_authz_grpc.addr=:9191"
          - "--set=plugins.envoy_ext_authz_grpc.query=data.envoy.authz.allow"
          - "--set=decision_logs.console=true"
          - "--ignore=.*"
          - "/policy/policy.rego"
          ports:
          - containerPort: 9191
          livenessProbe:
            httpGet:
              path: /health?plugins
              scheme: HTTP
              port: 8282
            initialDelaySeconds: 5
            periodSeconds: 5
          readinessProbe:
            httpGet:
              path: /health?plugins
              scheme: HTTP
              port: 8282
            initialDelaySeconds: 5
            periodSeconds: 5
      volumes:
        - name: opa-policy
          secret:
            secretName: opa-policy

4编辑meshconfig

kubectl edit configmap istio -n istio-system

  mesh: |-
    # Add the following contents:
    extensionProviders:
    - name: "opa.istio"
      envoyExtAuthzGrpc:
        service: "opa.istio.svc.cluster.local"
        port: "9191"

5闯将ap

ext-authz.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: ext-authz
 namespace: istio-system
spec:
 selector:
   matchLabels:
     app: istio-ingressgateway
 action: CUSTOM
 provider:
   name: "opa.istio"
 rules:
 - to:
   - operation:
       paths: ["/productpage"]

6测试

TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjM1MzczOTExMDQsImdyb3VwcyI6WyJncm91cDEiLCJncm91cDIiXSwiaWF0IjoxNTM3MzkxMTA0LCJpc3MiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyIsInNjb3BlIjpbInNjb3BlMSIsInNjb3BlMiJdLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.EdJnEZSH6X8hcyEii7c8H5lnhgjB5dwo07M5oheC8Xz8mOllyg--AHCFWHybM48reunF--oGaG6IXVngCEpVF0_P5DwsUoBgpPmK1JOaKN6_pe9sh0ZwTtdgK_RP01PuI7kUdbOTlkuUi2AO-qUyOm7Art2POzo36DLQlUXv8Ad7NBOqfQaKjE9ndaPWT7aexUsBHxmgiGbz1SyLH879f7uHYPbPKlpHU6P9S-DaKnGLaEchnoKnov7ajhrEhGXAQRukhDPKUHO9L30oPIr5IJllEQfHYtt6IZvlNUGeLUcif3wpry1R5tBXRicx2sXMQ7LyuDremDbcNy_iE76Upg

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

参考GitHub - istio-ecosystem/authservice: Move OIDC token acquisition out of your app code and into the Istio mesh

第三方授权服务

rules

FieldTypeDescriptionRequired
fromFrom[]Optional. from specifies the source of a request.If not set, any source is allowed.No
toTo[]Optional. to specifies the operation of a request.If not set, any operation is allowed.No
whenCondition[]Optional. when specifies a list of additional conditions of a request.If not set, any condition is allowed.No

from

FieldTypeDescriptionRequired
sourceSourceSource specifies the source of a request.No
FieldTypeDescriptionRequired
principalsstring[]Optional. A list of source peer identities (i.e. service account), which matches to the “source.principal” attribute. This field requires mTLS enabled.If not set, any principal is allowed.No
notPrincipalsstring[]Optional. A list of negative match of source peer identities.No
requestPrincipalsstring[]Optional. A list of request identities (i.e. “iss/sub” claims), which matches to the “request.auth.principal” attribute.If not set, any request principal is allowed.No
notRequestPrincipalsstring[]Optional. A list of negative match of request identities.No
namespacesstring[]Optional. A list of namespaces, which matches to the “source.namespace” attribute. This field requires mTLS enabled.If not set, any namespace is allowed.No
notNamespacesstring[]Optional. A list of negative match of namespaces.No
ipBlocksstring[]Optional. A list of IP blocks, which matches to the “source.ip” attribute. Populated from the source address of the IP packet. Single IP (e.g. “1.2.3.4”) and CIDR (e.g. “1.2.3.0/24”) are supported.If not set, any IP is allowed.No
notIpBlocksstring[]Optional. A list of negative match of IP blocks.No
remoteIpBlocksstring[]Optional. A list of IP blocks, which matches to the “remote.ip” attribute. Populated from X-Forwarded-For header or proxy protocol. To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig when you install Istio or using an annotation on the ingress gateway. See the documentation here: Configuring Gateway Network Topology. Single IP (e.g. “1.2.3.4”) and CIDR (e.g. “1.2.3.0/24”) are supported.If not set, any IP is allowed.No
notRemoteIpBlocksstring[]Optional. A list of negative match of remote IP blocks.No

principals

productpage-rules-from-principals.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - from:
     - source:
         principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]

notPrincipals

productpage-rules-from-notPrincipals.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - from:
     - source:
         notPrincipals: ["cluster.local/ns/istio-system/sa/test"]

requestPrincipals

The principal of the authenticated JWT token, constructed from the JWT claims in the format of /, requires request authentication policy applied

jwt相关

productpage-rules-from-requestPrincipals-star.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - to:
    - operation:
        notPaths: ["/healthz"]
    from:
    - source:
        requestPrincipals: ["*"]

1启用jwt

requestauthentications/ra-example-productpage.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
spec:
  selector:
    matchLabels:
      app: productpage
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwks: |
      { "keys":
         [
           {
             "e":"AQAB",
             "kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
             "kty":"RSA",
             "n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
           }
         ]
      }
    forwardOriginalToken: true

2使用authorizationPolicy

productpage-rules-from-requestPrincipals.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/productpage"]
    from:
    - source:
        requestPrincipals:
        - "testing@secure.istio.io/testing@secure.istio.io"

3访问

TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjM1MzczOTExMDQsImdyb3VwcyI6WyJncm91cDEiLCJncm91cDIiXSwiaWF0IjoxNTM3MzkxMTA0LCJpc3MiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyIsInNjb3BlIjpbInNjb3BlMSIsInNjb3BlMiJdLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.EdJnEZSH6X8hcyEii7c8H5lnhgjB5dwo07M5oheC8Xz8mOllyg--AHCFWHybM48reunF--oGaG6IXVngCEpVF0_P5DwsUoBgpPmK1JOaKN6_pe9sh0ZwTtdgK_RP01PuI7kUdbOTlkuUi2AO-qUyOm7Art2POzo36DLQlUXv8Ad7NBOqfQaKjE9ndaPWT7aexUsBHxmgiGbz1SyLH879f7uHYPbPKlpHU6P9S-DaKnGLaEchnoKnov7ajhrEhGXAQRukhDPKUHO9L30oPIr5IJllEQfHYtt6IZvlNUGeLUcif3wpry1R5tBXRicx2sXMQ7LyuDremDbcNy_iE76Upg

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

验证token:

JSON Web Tokens - jwt.io

productpage-rules-from-requestPrincipals-semi-star.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/productpage"]
    from:
    - source:
        requestPrincipals:
        - "testing@secure.istio.io/*"

notRequestPrincipals

jwt相关

productpage-rules-from-notRequestPrincipals.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/productpage"]
    from:
    - source:
        notRequestPrincipals:
        - "testing@secure.istio.io/testing@secure.istio.io"

namespaces

productpage-rules-from-namespaces.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - from:
   - source:
       namespaces:
       - "istio-system"

notNamespaces

productpage-rules-from-notNamespaces.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - from:
   - source:
       notNamespaces:
       - "test"

ipBlocks

ingressgateway-rules-from-ipBlocks.yaml

kubectl apply -f ingressgateway-rules-from-ipBlocks.yaml -n istio-system

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: ingressgateway
spec:
 selector:
   matchLabels:
     app: istio-ingressgateway
 action: ALLOW
 rules:
 - from:
   - source:
       ipBlocks:
       - "172.20.0.0/16"

设置xff,原地址保持

notIpBlocks

ingressgateway-rules-from-notIpBlocks.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: ingressgateway
spec:
 selector:
   matchLabels:
     app: istio-ingressgateway
 action: ALLOW
 rules:
 - from:
   - source:
       notIpBlocks:
       - "172.20.0.0/16"

remoteIpBlocks

修改svc

kubectl edit svc istio-ingressgateway -n istio-system

externalTrafficPolicy: Local

用于设置白名单

ingressgateway-rules-from-remoteIpBlocks.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: ingressgateway
spec:
 selector:
   matchLabels:
     app: istio-ingressgateway
 action: DENY
 rules:
 - from:
   - source:
       remoteIpBlocks:
       - 192.168.198.1/32

notRemoteIpBlocks

修改svc

kubectl edit svc istio-ingressgateway -n istio-system

externalTrafficPolicy: Local

用于设置黑名单

ingressgateway-rules-from-notRemoteIpBlocks.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: ingressgateway
spec:
 selector:
   matchLabels:
     app: istio-ingressgateway
 action: ALLOW
 rules:
 - from:
   - source:
       notRemoteIpBlocks:
       - "192.168.198.1/32

to

FieldTypeDescriptionRequired
operationOperationOperation specifies the operation of a request.No
FieldTypeDescriptionRequired
hostsstring[]Optional. A list of hosts, which matches to the “request.host” attribute.If not set, any host is allowed. Must be used only with HTTP.No
notHostsstring[]Optional. A list of negative match of hosts.No
portsstring[]Optional. A list of ports, which matches to the “destination.port” attribute.If not set, any port is allowed.No
notPortsstring[]Optional. A list of negative match of ports.No
methodsstring[]Optional. A list of methods, which matches to the “request.method” attribute. For gRPC service, this will always be “POST”.If not set, any method is allowed. Must be used only with HTTP.No
notMethodsstring[]Optional. A list of negative match of methods.No
pathsstring[]Optional. A list of paths, which matches to the “request.url_path” attribute. For gRPC service, this will be the fully-qualified name in the form of “/package.service/method”.If not set, any path is allowed. Must be used only with HTTP.No
notPathsstring[]Optional. A list of negative match of paths.No

hosts

productpage-rules-to-hosts.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - to:
   - operation:
       hosts:
       - "bookinfo.demo:30986"
   from:
   - source:
       namespaces:
       - "istio-system"

details-rules-to-hosts.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: details
spec:
 selector:
   matchLabels:
     app: details
     version: v1
 action: ALLOW
 rules:
 - to:
   - operation:
       hosts:
       - "details:9080"

其实是authority,必须加上端口

notHosts

productpage-rules-to-notHosts.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - to:
   - operation:
       notHosts:
       - "test"
   from:
   - source:
       namespaces:
       - "istio-system"

ports

details-rules-to-ports.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: details
spec:
 selector:
   matchLabels:
     app: details
     version: v1
 action: ALLOW
 rules:
 - to:
   - operation:
       ports:
       - "9080"

notPorts

details-rules-to-notPorts.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: details
spec:
 selector:
   matchLabels:
     app: details
     version: v1
 action: ALLOW
 rules:
 - to:
   - operation:
       notPorts:
       - "9080"

methods

details-rules-to-methods.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: details
spec:
 selector:
   matchLabels:
     app: details
     version: v1
 action: ALLOW
 rules:
 - to:
   - operation:
       methods:
       - "GET"

notMethods

details-rules-to-notMethods.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: details
spec:
 selector:
   matchLabels:
     app: details
     version: v1
 action: ALLOW
 rules:
 - to:
   - operation:
       notMethods:
       - "GET"

paths

details-rules-to-paths.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: details
spec:
 selector:
   matchLabels:
     app: details
     version: v1
 action: ALLOW
 rules:
 - to:
   - operation:
       paths:
       - "/details/0"

统配符

details-rules-to-paths-star.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: details
spec:
 selector:
   matchLabels:
     app: details
     version: v1
 action: ALLOW
 rules:
 - to:
   - operation:
       paths:
       - "/details/*"

notPaths

details-rules-to-notPaths.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: details
spec:
 selector:
   matchLabels:
     app: details
     version: v1
 action: ALLOW
 rules:
 - to:
   - operation:
       notPaths:
       - "/details/0"

通配符

details-rules-to-notPaths-star.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: details
spec:
 selector:
   matchLabels:
     app: details
     version: v1
 action: ALLOW
 rules:
 - to:
   - operation:
       notPaths:
       - "/details/*"

when

FieldTypeDescriptionRequired
keystringThe name of an Istio attribute. See the full list of supported attributes.Yes
valuesstring[]Optional. A list of allowed values for the attribute. Note: at least one of values or not_values must be set.No
notValuesstring[]Optional. A list of negative match of values for the attribute. Note: at least one of values or not_values must be set.No

https://istio.io/latest/docs/reference/config/security/conditions/

NameDescriptionSupported ProtocolsExample
request.headersHTTP request headers. The header name is surrounded by [] without any quotesHTTP onlykey: request.headers[User-Agent] values: ["Mozilla/*"]
source.ipSource workload instance IP address, supports single IP or CIDRHTTP and TCPkey: source.ip values: ["10.1.2.3", "10.2.0.0/16"]
remote.ipOriginal client IP address as determined by X-Forwarded-For header or Proxy Protocol, supports single IP or CIDRHTTP and TCPkey: remote.ip values: ["10.1.2.3", "10.2.0.0/16"]
source.namespaceSource workload instance namespace, requires mutual TLS enabledHTTP and TCPkey: source.namespace values: ["default"]
source.principalThe identity of the source workload, requires mutual TLS enabledHTTP and TCPkey: source.principal values: ["cluster.local/ns/default/sa/productpage"]
request.auth.principalThe principal of the authenticated JWT token, constructed from the JWT claims in the format of /, requires request authentication policy appliedHTTP onlykey: request.auth.principal values: ["issuer.example.com/subject-admin"]
request.auth.audiencesThe intended audiences of the authenticated JWT token, constructed from the JWT claim `, requires request authentication policy applied | HTTP only |key: request.auth.audiencesvalues: ["example.com"]`
request.auth.presenterThe authorized presenter of the authenticated JWT token, constructed from the JWT claim `, requires request authentication policy applied | HTTP only |key: request.auth.presentervalues: ["123456789012.example.com"]`
request.auth.claimsRaw claims of the authenticated JWT token. The claim name is surrounded by [] without any quotes, nested claim can also be used, requires request authentication policy applied. Note only support claim of type string or list of stringHTTP onlykey: request.auth.claims[iss] values: ["*@foo.com"]key: request.auth.claims[nested1][nested2] values: ["some-value"]
destination.ipDestination workload instance IP address, supports single IP or CIDRHTTP and TCPkey: destination.ip values: ["10.1.2.3", "10.2.0.0/16"]
destination.portDestination workload instance port, must be in the range [0, 65535]. Note this is not the service portHTTP and TCPkey: destination.port values: ["80", "443"]
connection.sniThe server name indication, requires TLS enabledHTTP and TCPkey: connection.sni values: ["www.example.com"]
experimental.envoy.filters.*Experimental metadata matching for filters, values wrapped in [] are matched as a listHTTP and TCPkey: experimental.envoy.filters.network.mysql_proxy[db.table] values: ["[update]"]
fieldsub fieldJWT claims
from.sourcerequestPrincipalsiss/sub
from.sourcenotRequestPrincipalsiss/sub
when.keyrequest.auth.principaliss/sub
when.keyrequest.auth.audiencesaud
when.keyrequest.auth.presenterazp
when.keyrequest.auth.claims[key]JWT 全部属性

request.headers

values

productpage-rules-when-request-headers-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: request.headers[test]
     values:
     - "test"

curl 192.168.198.154:30986/productpage --header "test:test"

notValues

productpage-rules-when-request-headers-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: request.headers[test]
     notValues:
     - "test"

curl 192.168.198.154:30986/productpage --header "test:test"

curl 192.168.198.154:30986/productpage --header "test:test2"

source.ip

values

productpage-when-source-ip-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
 action: ALLOW
 rules:
 - when:
   - key: source.ip
     values:
     - "172.20.0.0/16"

notValues

productpage-when-source-ip-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
 action: ALLOW
 rules:
 - when:
   - key: source.ip
     notValues:
     - "172.20.0.0/16"

remote.ip

修改svc

kubectl edit svc istio-ingressgateway -n istio-system

externalTrafficPolicy: Local

黑白名单

values

productpage-when-remote-ip-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
 action: DENY
 rules:
 - when:
   - key: remote.ip
     values:
     - "192.168.198.1/32"

notValues

productpage-when-remote-ip-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
 action: ALLOW
 rules:
 - when:
   - key: remote.ip
     notValues:
     - "192.168.198.1/32"

source.namespace

values

productpage-when-source-namespace-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
 action: ALLOW
 rules:
 - when:
   - key: source.namespace
     values:
     - "istio-system"

notValues

productpage-when-source-namespace-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
 action: ALLOW
 rules:
 - when:
   - key: source.namespace
     notValues:
     - "istio-system"

source.principal

values

productpage-when-source-principal-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: source.principal
     values: 
     - "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"

notValues

productpage-when-source-principal-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: source.principal
     notValues: 
     - "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"

request.auth.principal

jwt相关

values

productpage-when-request-auth-principal-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: request.auth.principal
     values: 
     - "testing@secure.istio.io/testing@secure.istio.io"

TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjM1MzczOTExMDQsImdyb3VwcyI6WyJncm91cDEiLCJncm91cDIiXSwiaWF0IjoxNTM3MzkxMTA0LCJpc3MiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyIsInNjb3BlIjpbInNjb3BlMSIsInNjb3BlMiJdLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.EdJnEZSH6X8hcyEii7c8H5lnhgjB5dwo07M5oheC8Xz8mOllyg--AHCFWHybM48reunF--oGaG6IXVngCEpVF0_P5DwsUoBgpPmK1JOaKN6_pe9sh0ZwTtdgK_RP01PuI7kUdbOTlkuUi2AO-qUyOm7Art2POzo36DLQlUXv8Ad7NBOqfQaKjE9ndaPWT7aexUsBHxmgiGbz1SyLH879f7uHYPbPKlpHU6P9S-DaKnGLaEchnoKnov7ajhrEhGXAQRukhDPKUHO9L30oPIr5IJllEQfHYtt6IZvlNUGeLUcif3wpry1R5tBXRicx2sXMQ7LyuDremDbcNy_iE76Upg

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

notValues

productpage-when-request-auth-principal-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: request.auth.principal
     notValues: 
     - "testing@secure.istio.io/testing@secure.istio.io"

TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjM1MzczOTExMDQsImdyb3VwcyI6WyJncm91cDEiLCJncm91cDIiXSwiaWF0IjoxNTM3MzkxMTA0LCJpc3MiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyIsInNjb3BlIjpbInNjb3BlMSIsInNjb3BlMiJdLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.EdJnEZSH6X8hcyEii7c8H5lnhgjB5dwo07M5oheC8Xz8mOllyg--AHCFWHybM48reunF--oGaG6IXVngCEpVF0_P5DwsUoBgpPmK1JOaKN6_pe9sh0ZwTtdgK_RP01PuI7kUdbOTlkuUi2AO-qUyOm7Art2POzo36DLQlUXv8Ad7NBOqfQaKjE9ndaPWT7aexUsBHxmgiGbz1SyLH879f7uHYPbPKlpHU6P9S-DaKnGLaEchnoKnov7ajhrEhGXAQRukhDPKUHO9L30oPIr5IJllEQfHYtt6IZvlNUGeLUcif3wpry1R5tBXRicx2sXMQ7LyuDremDbcNy_iE76Upg

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

request.auth.audiences

相当于request.auth.claims[aud]

values

productpage-when-request-auth-audiences-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: request.auth.audiences
     values: 
     - "app"
     - “web”

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

notValues

productpage-when-request-auth-audiences-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: request.auth.audiences
     notValues: 
     - "app"
     - “web”

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

request.auth.presenter

相当于request.auth.claims[azp]

authorized presenter

values

productpage-when-request-auth-presenter-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: request.auth.presenter
     values: 
     - "app"

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

notValues

productpage-when-request-auth-presenter-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: request.auth.presenter
     notValues: 
     - "app"

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

request.auth.claims

jwt相关

values

productpage-when-request-auth-claims-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: request.auth.claims[groups]
     values: 
     - "group1"

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

notValues

productpage-when-request-auth-claims-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: request.auth.claims[groups]
     notValues: 
     - "group1"

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

destination.ip

values

productpage-when-destination-ip-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: destination.ip
     values: 
     - "172.20.0.0/16"

notValues

productpage-when-destination-ip-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: destination.ip
     notValues: 
     - "172.20.0.0/16"

destination.port

values

productpage-when-destination-port-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: destination.port
     values: 
     - "9080"

notValues

productpage-when-destination-port-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: destination.port
     notValues: 
     - "9080"

connection.sni

values

productpage-when-connection-sni-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: connection.sni
     values: 
     - "outbound_.9080_._.productpage.istio.svc.cluster.local"

requestedServerName的值

notValues

productpage-when-connection-sni-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: connection.sni
     notValues: 
     - "outbound_.9080_._.productpage.istio.svc.cluster.local"

experimental.envoy.filters.*

试验性的

暂时不验证

values

productpage-when-envoy-filters-mysql_proxy-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: experimental.envoy.filters.network.mysql_proxy[db.table]
     values: 
     - "[update]"

notValues

productpage-when-envoy-filters-mysql_proxy-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - when:
   - key: experimental.envoy.filters.network.mysql_proxy[db.table]
     notValues: 
     - "[update]"

组合配置

productpage-complex.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals: 
        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
        namespaces: 
        - istio-system
    to:
    - operation:
        methods: ["GET"]
        paths: ["/productpage"]
    - operation:
        methods: ["GET"]
        paths: ["/static/*"]
    - operation:
        methods: ["GET"]
        paths: ["/api/v1/products/*"]
    - operation:
        methods: ["GET"]
        paths: ["/logout"]
    - operation:
        methods: ["POST"]
        paths: ["/login"]
    when:
    - key: source.ip
      values:
      - "172.20.0.0/16"

Dependency on mutual TLS

Istio uses mutual TLS to securely pass some information from the client to the server. Mutual TLS must be enabled before using any of the following fields in the authorization policy:

  • the principals and notPrincipals field under the source section

  • the namespaces and notNamespaces field under the source section

  • the source.principal custom condition

  • the source.namespace custom condition

Mutual TLS is not required if you don’t use any of the above fields in the authorization policy.

hxpjava1
关注
  • 2
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
y134.第七章 服务网格与治理-Istio从入门到精通 -- 授权策略(二十)
Raymond的博客
09-15 298
Istio的授权机制为Istio网格中的workload提供了mesh-level、namespace-level和workload-level的访问控制机制,它提供如下特性。
Istio 中的授权策略详解
ServiceMesher
07-22 1709
本文节选自 ServiceMesher 社区出品的开源电子书《Istio Handbook——Istio 服务网格进阶实践》,阅读地址:https://www.servicemesher...
Istio 安全 授权管理AuthorizationPolicy
小楼一夜听春雨,深巷明朝卖杏花
08-01 947
本质其实就是设置谁可以访问,谁不可以访问。默认命名空间是没有AuthorizationPolicy---允许所有的客户端访问。如果对Pod1生成两个策略,一个是allow,一个是deny,两个冲突的时候那么allow就不再生效了,deny是生效的。这里是没有指定应用到谁上面去,有没有指定使用哪些客户端,这样就是拒绝了所有的了。这个和cka考试里面的网络策略是类似的。它是可以实现更加细颗粒度限制的。上面{}代表着所有的客户端。这个代表是允许命名空间ns1客户端可以访问。但是并不想让所有的客户端都可以访问。
297 Custom Authorization Policies
最新发布
学会分享
06-17 241
Custom Authorization Policies
【WCF】授权策略详解
weixin_34219944的博客
09-02 125
所谓授权者,就是服务授予客户端是否具有调用某个服务操作的权限。 授权过程可以通过一系列授权策略来进行评估,即每个特定的授权策略都按照各自的需求,衡量一下调用方是否具备访问服务操作的权限。在默认情况下,服务的授权策略列表中,会存在一个UnconditionalPolicy授权策略,这个类型没有公开,它的定义如下: class UnconditionalPolicy : IAuthor...
helm charts authorizationPolicy
我在深圳的这些日子的博客
01-09 221
authorizationPolicy的charts的yaml文件编写
QValueAxis详解
04-06
QValueAxis详解QValueAxis详解QValueAxis详解QValueAxis详解QValueAxis详解QValueAxis详解QValueAxis详解QValueAxis详解QValueAxis详解QValueAxis详解QValueAxis详解QValueAxis详解QValueAxis详解QValueAxis详解...
iptables 详解iptables 详解
12-02
iptables 详解
cdn技术详解
01-25
cdn技术详解,高清影印版,内含部分心得。 cdn技术详解,高清影印版,内含部分心得。
Xgboost原理详解
04-11
Xgboost原理详解,参考了多个博客和论文,探讨XGB的基本原理和优点等。
IIC总线通讯协议详解
05-09
IIC总线通讯协议详解
Custom-Istio-Manifest:回购演示使用Istio清单(AuthorizationPolicies,Istio网关,VirtualServices,DestinationRules,PeerAuthentication)保护名称空间和部署的安全
03-27
安全的Istio清单 由Helm管理的Istio清单可为Kubernetes提供名称空间和部署特定的安全性。 它能做什么 部署与服务 部署服务和两个版本的UI(“主”和“测试”)。 在服务/ UI部署之前创建服务,将其端口暴露在Kubernetes集群内部。 虚拟服务和DestinationRules 为主机定义DesinationRules,并使用“版本”标签来应用VirtualService级别的规则。 为每个服务和UI定义VirtualServices(具有针对不同版本定义的流量百分比的UI) mTLS,零信任和例外 在整个名称空间中启用mTLS。 通过禁止名称空间内的所有流量来实施​​零信任。 创建基于主体的零信任例外,以允许UI与后端服务之间进行通信。 入口 创建一个Istio Ingress网关,以允许将监视和路由规则应用于进入群集的外部流量。 我在哪里看
NetCore重写IAuthorizationPolicyProvider,自定义授权策略
weixin_43872830的博客
03-17 1831
比如你想所有Controller中的方法都需要登录,除了使用[AllowAnonymous]特性不需要外。就可以重写IAuthorizationPolicyProvider。针对Api的鉴权可以同通过不同的策略实现
记一次,istio1.4升级到1.7,当开启AuthorizationPolicy时,js访问服务跨域问题。
小洲同学的博客
05-13 405
istio1.4是用的Policy做原始认证和ServiceRole做的rbac,1.4版本也遇到过跨域,当时通过配置VS的corsPolicy得以解决: istio1.7在配置了VS的corsPolicy的情况下,当服务开启AuthorizationPolicy时候,还是会发生跨域问题。翻看了下istio1.7的源码,发现VS的corsPolicy内容增加了allowOrigins为list<map<String,String>>类型。(具体的原理有时间在来补充。。。)
Istio的JWT认证授权
Micky_Yang的博客
08-15 1338
一、理解JWT   JWT(Json Web Token)是一种多方传递可信JSON数据的方案,一个JWT token由.分隔的三部分组成:{Header}.{Payload}.{Signature},其中Header是Base64编码的JSON数据,包含令牌类型typ、签名算法alg以及密钥ID kid等信息;Payload是需要传递的claims数据,也是Base64编码的JSON数据,其中有些字段是JWT标准已经有了的字段,如:exp、iat、iss、sub和aud等等,也可以根据需求添加自定义字段;
一文了解Istio外部授权
xcbeyond|疯狂源自梦想,技术成就辉煌
03-23 365
点击上方“程序猿技术大咖”,关注并选择“设为星标”回复“加群”获取入群讨论资格!初识Istio Authorization我们都知道认证(Authentication、Authn)与授权(Authorization、Authz)一同构建了起网络应用安全的基本屏障。通常,授权对认证有一定的依赖。比如我们熟悉的OAuth或者基于JWT Token的授权。Istio授权充分利用了Envoy的授权插件,基...
Istio 安全认证
hanjiangxue1006的博客
03-26 1066
Istio 安全认证架构 关联的组件 Citadel用于密钥和证书管理 Sidecar和周边代理实现客户端和服务器之间的安全通信 Pilot将授权策略和安全命名信息分发给代理 Mixer管理授权和审计 认证 Istio身份标识 不同平台身份标识 Kubernetes: Kubernetes 服务帐户 GKE/GCE: 可以使用 GCP 服务帐户 GCP: GCP 服务帐户...
Ocelot.JwtAuthorize:一个基于网关的Jwt验证包
weixin_30497527的博客
07-01 207
Ocelot作为基于.net core的API方关,有一个功能是统一验证,它的作用是把没有访问权限的请求挡在API网关外面,而不是到达API网关事端的API时才去验证;之前我有一篇博文https://www.cnblogs.com/axzxs2001/p/8005084.html,作过说明,这篇博文说明了实现代码,今天我把这个实现作了整理,封装成一个Nuget包,供大家方便调用。 Web API...
安装AuthorizationPolicy和EnvoyFilter
Rory的博客
04-22 281
报错: failed to call kfp.Client().create_run_from_pipeline_func in in-cluster juypter notebook 解决: apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bind-ml-pipeline-nb-wangzy-p #修改名称 namespace: kubeflow spec: selector: m
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

hxpjava1

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值