
AuthorizationPolicy explained


Welcome to follow my WeChat official account:

I have only been writing for a month and have published 18 original articles so far; the list is as follows:

Exploring Istio multi-cluster: the conclusions I reached after deploying multi-cluster 50 times

Istio multi-cluster distributed tracing, with a hands-on video

Istio fault-prevention tools: how many do you know? Istio beginners, don't read this, it's too hard!

Istio business-level access control: so this is how it can be done

Non-intrusive compression with Istio: how to compress traffic between microservices

"Don't know EnvoyFilter yet claim to master Istio" series - http-rbac - don't only know how to configure permissions with AuthorizationPolicy

"Don't know EnvoyFilter yet claim to master Istio" series - 02 - http-corsFilter - don't only know VirtualService

"Don't know EnvoyFilter yet claim to master Istio" series - 03 - http-csrf filter - never write CSRF logic in your code again

"Don't know EnvoyFilter yet claim to master Istio" series - http-jwt_authn - don't only know RequestAuthorization

"Don't know EnvoyFilter yet claim to master Istio" series - 05 - fault-filter - fault injection is not just VirtualService

"Don't know EnvoyFilter yet claim to master Istio" series - 06 - http-match - configuring routes is not just VirtualService

"Don't know EnvoyFilter yet claim to master Istio" series - 07 - load-balancing configuration is not just DestinationRule

"Don't know EnvoyFilter yet claim to master Istio" series - 08 - connection pools and circuit breakers

"Don't know EnvoyFilter yet claim to master Istio" series - 09 - http-route filter

"Don't know EnvoyFilter yet claim to master Istio" series - network filter - redis proxy

"Don't know EnvoyFilter yet claim to master Istio" series - network filter - HttpConnectionManager

"Don't know EnvoyFilter yet claim to master Istio" series - ratelimit - the complete Istio ratelimit handbook

Learning objectives

What is an AuthorizationPolicy?

Authorization is an important part of Istio's security model. It implements access control: deciding whether a request is allowed through, whether that request enters Istio from outside or travels inside the mesh from service A to service B. You can think of the authorization feature as roughly a layer-4-to-layer-7 "firewall": like a traditional firewall it analyses and matches the traffic and then performs the corresponding action.

Flow

Authorization policies support ALLOW, DENY and CUSTOM actions. The policy precedence is CUSTOM, DENY and ALLOW. The following graph shows the policy precedence in detail:

Fields of the resource

| Field | Type | Description | Required |
|---|---|---|---|
| selector | WorkloadSelector | Optional. Workload selector decides where to apply the authorization policy. If not set, the authorization policy will be applied to all workloads in the same namespace as the authorization policy. | No |
| rules | Rule[] | Optional. A list of rules to match the request. A match occurs when at least one rule matches the request. If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads. | No |
| action | Action | Optional. The action to take if the request is matched with the rules. | No |
| provider | ExtensionProvider (oneof) | Specifies detailed configuration of the CUSTOM action. Must be used only with CUSTOM action. | No |

Allow nothing

allow-nothing.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
spec:
  # This matches nothing, the action defaults to ALLOW if not specified.
  {}
```

The following example shows an ALLOW policy that matches nothing. If there are no other ALLOW policies, requests will always be denied because of the “deny by default” behavior.

Deny by default; a request passes only if some ALLOW policy lets it through.

Global deny-all

kubectl apply -f global-deny-all.yaml -n istio-system

global-deny-all.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istio-system
spec:
  action: DENY
  # This matches everything.
  rules:
  - {}
```

Namespace deny-all

deny-all.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
spec:
  action: DENY
  # This matches everything.
  rules:
  - {}
```

Namespace level

Namespace allow-all

allow-all.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-all
spec:
  action: ALLOW
  rules:
  - {}
```

Namespace level

selector

productpage-allow-all.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-allow-all
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - to:
    - operation:
        methods: ["GET", "POST"]
```

action

| Name | Description |
|---|---|
| ALLOW | Allow a request only if it matches the rules. This is the default type. |
| DENY | Deny a request if it matches any of the rules. |
| AUDIT | Audit a request if it matches any of the rules. |
| CUSTOM | The CUSTOM action allows an extension to handle the user request if the matching rules evaluate to true. The extension is evaluated independently and before the native ALLOW and DENY actions. When used together, a request is allowed if and only if all the actions return allow; in other words, the extension cannot bypass the authorization decision made by ALLOW and DENY actions. Extension behavior is defined by the named providers declared in MeshConfig. The authorization policy refers to the extension by specifying the name of the provider. One example use case of the extension is to integrate with a custom external authorization system to delegate the authorization decision to it. Note: the CUSTOM action is currently an experimental feature and is subject to breaking changes in later versions. |
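The following Python model is an added example (not code from the original post or from Istio) of how per-policy match results are combined in the order described above: CUSTOM first, then DENY, then ALLOW with deny-by-default, scoped by namespace and selector as the field table describes. Rule matching itself is out of scope here; each policy only records whether one of its rules matched. Workload labels and policy names are taken from the YAML on this page; the provider callable and the `gateway-deny` policy are constructed for the example.

```python
"""Added example: the order in which Istio combines AuthorizationPolicy
results for one workload. Workloads and policies are constructed from the
YAML on this page; rule matching is reduced to a boolean per policy."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ROOT_NAMESPACE = "istio-system"  # policies here apply to the whole mesh

@dataclass
class Workload:
    namespace: str
    labels: Dict[str, str]

@dataclass
class Policy:
    name: str
    namespace: str
    action: str                     # ALLOW | DENY | CUSTOM | AUDIT
    matched: bool                   # did at least one rule match the request?
    selector: Dict[str, str] = field(default_factory=dict)
    provider: Optional[str] = None  # CUSTOM only

def applies_to(policy: Policy, workload: Workload) -> bool:
    """Root-namespace policies are mesh-wide, others namespace-wide; a selector
    narrows either to workloads that carry all of its labels."""
    in_scope = policy.namespace in (ROOT_NAMESPACE, workload.namespace)
    selected = all(workload.labels.get(k) == v for k, v in policy.selector.items())
    return in_scope and selected

def evaluate(policies: List[Policy], workload: Workload,
             providers: Dict[str, Callable[[], bool]]) -> Tuple[bool, str]:
    """Precedence CUSTOM -> DENY -> ALLOW; AUDIT never changes the decision."""
    active = [p for p in policies if applies_to(p, workload)]
    # 1. CUSTOM: the external provider is consulted first; it can deny, but it
    #    cannot override a later DENY or a missing ALLOW.
    for p in active:
        if p.action == "CUSTOM" and p.matched and not providers[p.provider]():
            return False, f"denied by provider {p.provider} via {p.name}"
    # 2. DENY: any matching DENY policy rejects the request.
    for p in active:
        if p.action == "DENY" and p.matched:
            return False, f"denied by {p.name}"
    # 3. ALLOW: if any ALLOW policy applies, one of them must match ("deny by default").
    allow = [p for p in active if p.action == "ALLOW"]
    if not allow:
        return True, "no ALLOW policy applies: allowed"
    for p in allow:
        if p.matched:
            return True, f"allowed by {p.name}"
    return False, "no ALLOW rule matched: denied by default"

# Workloads from the bookinfo YAML on this page (namespace "istio" as in the kubectl commands)
PRODUCTPAGE = Workload("istio", {"app": "productpage", "version": "v1"})
DETAILS = Workload("istio", {"app": "details", "version": "v1"})
GATEWAY = Workload(ROOT_NAMESPACE, {"app": "istio-ingressgateway"})
PRODUCTPAGE_ALLOW_ALL = Policy("productpage-allow-all", "istio", "ALLOW", matched=True,
                               selector={"app": "productpage", "version": "v1"})

def scenario_allow_nothing() -> Tuple[bool, str]:
    """allow-nothing.yaml: spec {} has no rules, so it never matches."""
    return evaluate([Policy("allow-nothing", "istio", "ALLOW", matched=False)], PRODUCTPAGE, {})

def scenario_global_deny_all() -> Tuple[bool, str]:
    """global-deny-all.yaml in istio-system beats a matching ALLOW in the workload namespace."""
    deny_all = Policy("deny-all", ROOT_NAMESPACE, "DENY", matched=True)
    return evaluate([deny_all, PRODUCTPAGE_ALLOW_ALL], PRODUCTPAGE, {})

def scenario_selector() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """The selector limits productpage-allow-all to productpage; details has no
    ALLOW policy at all and therefore stays open."""
    return (evaluate([PRODUCTPAGE_ALLOW_ALL], PRODUCTPAGE, {}),
            evaluate([PRODUCTPAGE_ALLOW_ALL], DETAILS, {}))

def scenario_custom(provider_allows: bool, deny_matched: bool = False) -> Tuple[bool, str]:
    """ext-authz.yaml: CUSTOM on the ingress gateway delegating to the opa.istio
    provider. The constructed "gateway-deny" policy shows that a matching DENY
    wins even when the provider allows."""
    ext_authz = Policy("ext-authz", ROOT_NAMESPACE, "CUSTOM", matched=True,
                       selector={"app": "istio-ingressgateway"}, provider="opa.istio")
    gateway_deny = Policy("gateway-deny", ROOT_NAMESPACE, "DENY", matched=deny_matched,
                          selector={"app": "istio-ingressgateway"})
    return evaluate([ext_authz, gateway_deny], GATEWAY, {"opa.istio": lambda: provider_allows})
```

Each `scenario_*` function returns the decision together with the policy that produced it, which is the same reasoning you apply when a request is unexpectedly rejected: first look for a matching CUSTOM or DENY policy in istio-system and in the workload namespace, then check whether any ALLOW policy applies to the workload at all.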

ALLOW

productpage-allow-all.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-allow-all
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - to:
    - operation:
        methods: ["GET", "POST"]
```

DENY

1. Delete deny-all

kubectl delete -f deny-all.yaml -n istio

2. Deny access to productpage

productpage-deny-all.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-allow-all
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: DENY
  rules:
  - {}
```

AUDIT

productpage-audit-all.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-allow-all
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: AUDIT
  rules:
  - {}
```

The only supported audit plugin is the Stackdriver plugin; an audit plugin must be installed for AUDIT to have any effect.

CUSTOM

The CUSTOM action is currently an experimental feature and is subject to breaking changes in later versions.

1. Create the OPA policy

Introduction to OPA

OPA-重新定义规则引擎-入门篇 | 菜鸟Miao

Validate the OPA policy

The Rego Playground

policy.rego

```rego
package envoy.authz

import input.attributes.request.http as http_request

default allow = false

# Split "Bearer <token>" from the Authorization header and decode the JWT payload.
# io.jwt.decode only decodes; it does not verify the signature.
token = {"payload": payload} {
  [_, encoded] := split(http_request.headers.authorization, " ")
  [_, payload, _] := io.jwt.decode(encoded)
}

allow {
  action_allowed
}

bar := "bar"

# Allow only when the token carries the claim foo == "bar".
action_allowed {
  bar == token.payload.foo
}
```

2. Create the secret

kubectl create secret generic opa-policy --from-file policy.rego -n istio

3. Deploy OPA

opa-deployment.yaml

```yaml
apiVersion: v1
kind: Service
metadata:
  name: opa
  labels:
    app: opa
spec:
  ports:
  - name: grpc
    port: 9191
    targetPort: 9191
  selector:
    app: opa
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: opa
  labels:
    app: opa
spec:
  replicas: 1
  selector:
    matchLabels:
      app: opa
  template:
    metadata:
      labels:
        app: opa
    spec:
      containers:
        - name: opa
          image: openpolicyagent/opa:latest-envoy
          securityContext:
            runAsUser: 1111
          volumeMounts:
          - readOnly: true
            mountPath: /policy
            name: opa-policy
          args:
          - "run"
          - "--server"
          - "--addr=localhost:8181"
          - "--diagnostic-addr=0.0.0.0:8282"
          - "--set=plugins.envoy_ext_authz_grpc.addr=:9191"
          - "--set=plugins.envoy_ext_authz_grpc.query=data.envoy.authz.allow"
          - "--set=decision_logs.console=true"
          - "--ignore=.*"
          - "/policy/policy.rego"
          ports:
          - containerPort: 9191
          livenessProbe:
            httpGet:
              path: /health?plugins
              scheme: HTTP
              port: 8282
            initialDelaySeconds: 5
            periodSeconds: 5
          readinessProbe:
            httpGet:
              path: /health?plugins
              scheme: HTTP
              port: 8282
            initialDelaySeconds: 5
            periodSeconds: 5
      volumes:
        - name: opa-policy
          secret:
            secretName: opa-policy
```

4. Edit the mesh config

kubectl edit configmap istio -n istio-system

```yaml
mesh: |-
  # Add the following contents:
  extensionProviders:
  - name: "opa.istio"
    envoyExtAuthzGrpc:
      service: "opa.istio.svc.cluster.local"
      port: "9191"
```

5. Create the AuthorizationPolicy

ext-authz.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: CUSTOM
  provider:
    name: "opa.istio"
  rules:
  - to:
    - operation:
        paths: ["/productpage"]
```

6. Test

TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjM1MzczOTExMDQsImdyb3VwcyI6WyJncm91cDEiLCJncm91cDIiXSwiaWF0IjoxNTM3MzkxMTA0LCJpc3MiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyIsInNjb3BlIjpbInNjb3BlMSIsInNjb3BlMiJdLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.EdJnEZSH6X8hcyEii7c8H5lnhgjB5dwo07M5oheC8Xz8mOllyg--AHCFWHybM48reunF--oGaG6IXVngCEpVF0_P5DwsUoBgpPmK1JOaKN6_pe9sh0ZwTtdgK_RP01PuI7kUdbOTlkuUi2AO-qUyOm7Art2POzo36DLQlUXv8Ad7NBOqfQaKjE9ndaPWT7aexUsBHxmgiGbz1SyLH879f7uHYPbPKlpHU6P9S-DaKnGLaEchnoKnov7ajhrEhGXAQRukhDPKUHO9L30oPIr5IJllEQfHYtt6IZvlNUGeLUcif3wpry1R5tBXRicx2sXMQ7LyuDremDbcNy_iE76Upg

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

Reference: GitHub - istio-ecosystem/authservice: Move OIDC token acquisition out of your app code and into the Istio mesh

Third-party authorization services

rules

| Field | Type | Description | Required |
|---|---|---|---|
| from | From[] | Optional. from specifies the source of a request. If not set, any source is allowed. | No |
| to | To[] | Optional. to specifies the operation of a request. If not set, any operation is allowed. | No |
| when | Condition[] | Optional. when specifies a list of additional conditions of a request. If not set, any condition is allowed. | No |

from

| Field | Type | Description | Required |
|---|---|---|---|
| source | Source | Source specifies the source of a request. | No |

Source:

| Field | Type | Description | Required |
|---|---|---|---|
| principals | string[] | Optional. A list of source peer identities (i.e. service account), which matches to the “source.principal” attribute. This field requires mTLS enabled. If not set, any principal is allowed. | No |
| notPrincipals | string[] | Optional. A list of negative match of source peer identities. | No |
| requestPrincipals | string[] | Optional. A list of request identities (i.e. “iss/sub” claims), which matches to the “request.auth.principal” attribute. If not set, any request principal is allowed. | No |
| notRequestPrincipals | string[] | Optional. A list of negative match of request identities. | No |
| namespaces | string[] | Optional. A list of namespaces, which matches to the “source.namespace” attribute. This field requires mTLS enabled. If not set, any namespace is allowed. | No |
| notNamespaces | string[] | Optional. A list of negative match of namespaces. | No |
| ipBlocks | string[] | Optional. A list of IP blocks, which matches to the “source.ip” attribute. Populated from the source address of the IP packet. Single IP (e.g. “1.2.3.4”) and CIDR (e.g. “1.2.3.0/24”) are supported. If not set, any IP is allowed. | No |
| notIpBlocks | string[] | Optional. A list of negative match of IP blocks. | No |
| remoteIpBlocks | string[] | Optional. A list of IP blocks, which matches to the “remote.ip” attribute. Populated from X-Forwarded-For header or proxy protocol. To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig when you install Istio or using an annotation on the ingress gateway. See the documentation here: Configuring Gateway Network Topology. Single IP (e.g. “1.2.3.4”) and CIDR (e.g. “1.2.3.0/24”) are supported. If not set, any IP is allowed. | No |
| notRemoteIpBlocks | string[] | Optional. A list of negative match of remote IP blocks. | No |
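The tables for rules, from, to and when describe how a single rule is matched against a request. As an added example (not code from the original post or from Istio), the Python model below implements that matching: entries inside `from` or `to` are OR-ed, `from`, `to` and every `when` condition are AND-ed, `not*` fields invert the match (and therefore match requests where the attribute is absent, such as a request without a JWT), `*` works only as a prefix or suffix, and the IP attributes take CIDR blocks. The request attributes in `REQUEST` are constructed sample values; the rule sets in `SPECS` are lifted from the YAML files on this page.

```python
"""Added example: matching one AuthorizationPolicy's `rules` against a request.
REQUEST is constructed sample data; SPECS come from the YAML on this page."""
import ipaddress
from typing import Any, Dict

IP_ATTRS = {"source.ip", "remote.ip", "destination.ip"}
# from.source field -> Istio attribute it is matched against
SOURCE_FIELDS = {"principals": "source.principal", "requestPrincipals": "request.auth.principal",
                 "namespaces": "source.namespace", "ipBlocks": "source.ip",
                 "remoteIpBlocks": "remote.ip"}
# to.operation field -> attribute
OPERATION_FIELDS = {"hosts": "request.host", "ports": "destination.port",
                    "methods": "request.method", "paths": "request.url_path"}

def value_matches(attr: str, actual: Any, pattern: str) -> bool:
    """Exact match, `*` at the start or end of the pattern, or CIDR for IP attributes.
    A list-valued attribute (e.g. a JWT claim) matches if any element matches."""
    if actual is None:
        return False
    if isinstance(actual, list):
        return any(value_matches(attr, a, pattern) for a in actual)
    actual = str(actual)
    if attr in IP_ATTRS:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(pattern, strict=False)
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return actual.endswith(pattern[1:])
    if pattern.endswith("*"):
        return actual.startswith(pattern[:-1])
    return actual == pattern

def lookup(attrs: Dict[str, Any], key: str) -> Any:
    """Resolve a `when` key such as request.headers[test] or request.auth.claims[a][b]."""
    if "[" not in key:
        return attrs.get(key)
    base, rest = key.split("[", 1)
    value = attrs.get(base)
    for part in rest.rstrip("]").split("]["):
        if not isinstance(value, dict):
            return None
        value = value.get(part.lower() if base == "request.headers" else part)
    return value

def block_matches(block: dict, field_map: dict, attrs: dict) -> bool:
    """One `source` or `operation` entry: every listed field must match. A `notX`
    field matches when none of its values match, including when the attribute is
    absent (a request without a JWT matches notRequestPrincipals)."""
    for name, values in block.items():
        negate = name.startswith("not")
        attr = field_map[name[3].lower() + name[4:] if negate else name]
        hit = any(value_matches(attr, attrs.get(attr), v) for v in values)
        if hit == negate:
            return False
    return True

def condition_matches(cond: dict, attrs: dict) -> bool:
    attr = cond["key"].split("[", 1)[0]
    actual = lookup(attrs, cond["key"])
    if "values" in cond and not any(value_matches(attr, actual, v) for v in cond["values"]):
        return False
    return not any(value_matches(attr, actual, v) for v in cond.get("notValues", []))

def rule_matches(rule: dict, attrs: dict) -> bool:
    """Within `from`/`to` the entries are OR-ed; from, to and every `when` are AND-ed."""
    froms, tos = rule.get("from", []), rule.get("to", [])
    return ((not froms or any(block_matches(f["source"], SOURCE_FIELDS, attrs) for f in froms))
            and (not tos or any(block_matches(t["operation"], OPERATION_FIELDS, attrs) for t in tos))
            and all(condition_matches(c, attrs) for c in rule.get("when", [])))

def policy_matches(spec: dict, attrs: dict) -> bool:
    """No `rules` -> never matches (allow-nothing); `rules: [{}]` -> matches everything."""
    return any(rule_matches(r, attrs) for r in spec.get("rules", []))

# Constructed sample request: ingress gateway -> productpage, carrying the page's demo JWT.
REQUEST = {
    "source.principal": "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account",
    "source.namespace": "istio-system",
    "source.ip": "172.20.3.7",
    "remote.ip": "192.168.198.1",
    "request.auth.principal": "testing@secure.istio.io/testing@secure.istio.io",
    "request.auth.claims": {"iss": "testing@secure.istio.io", "groups": ["group1", "group2"]},
    "request.host": "bookinfo.demo:30986",
    "destination.port": 9080,
    "request.method": "GET",
    "request.url_path": "/productpage",
    "request.headers": {"test": "test", "user-agent": "Mozilla/5.0"},
}

# Rule sets from the YAML on this page (only `rules` matter for matching).
SPECS = {
    "allow-nothing": {},
    "deny-all": {"rules": [{}]},
    "from-principals": {"rules": [{"from": [{"source": {"principals": [
        "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]}}]}]},
    "requestPrincipals-semi-star": {"rules": [{"to": [{"operation": {"paths": ["/productpage"]}}],
        "from": [{"source": {"requestPrincipals": ["testing@secure.istio.io/*"]}}]}]},
    "from-ipBlocks": {"rules": [{"from": [{"source": {"ipBlocks": ["172.20.0.0/16"]}}]}]},
    "when-remote-ip": {"rules": [{"when": [{"key": "remote.ip", "values": ["192.168.198.1/32"]}]}]},
    "when-headers-notValues": {"rules": [{"when": [{"key": "request.headers[test]", "notValues": ["test"]}]}]},
    "when-claims-groups": {"rules": [{"when": [{"key": "request.auth.claims[groups]", "values": ["group1"]}]}]},
    "to-notPaths-star": {"rules": [{"to": [{"operation": {"notPaths": ["/details/*"]}}]}]},
}

def evaluate_all(attrs: Dict[str, Any] = REQUEST) -> Dict[str, bool]:
    return {name: policy_matches(spec, attrs) for name, spec in SPECS.items()}
```

`evaluate_all()` reports which of the page's rule sets the sample request matches; whether a match means allow or deny is decided by the policy's `action`, so the same `deny-all` rule set matching everything is exactly what makes `rules: [{}]` with `action: DENY` a blanket block. Dropping the `request.auth.*` attributes from `REQUEST` models an unauthenticated request: the `requestPrincipals` rule stops matching, while a `notRequestPrincipals: ["*"]` rule starts matching.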

principals

productpage-rules-from-principals.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
```

notPrincipals

productpage-rules-from-notPrincipals.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - from:
    - source:
        notPrincipals: ["cluster.local/ns/istio-system/sa/test"]
```

requestPrincipals

The principal of the authenticated JWT token is constructed from the JWT claims in the format iss/sub, and requires a request authentication policy to be applied.

JWT-related

productpage-rules-from-requestPrincipals-star.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - to:
    - operation:
        notPaths: ["/healthz"]
    from:
    - source:
        requestPrincipals: ["*"]
```

1. Enable JWT

requestauthentications/ra-example-productpage.yaml

```yaml
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
spec:
  selector:
    matchLabels:
      app: productpage
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwks: |
      { "keys":
          [
            {
              "e":"AQAB",
              "kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
              "kty":"RSA",
              "n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
            }
          ]
      }
    forwardOriginalToken: true
```

2. Apply the AuthorizationPolicy

productpage-rules-from-requestPrincipals.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/productpage"]
    from:
    - source:
        requestPrincipals:
        - "testing@secure.istio.io/testing@secure.istio.io"
```

3. Access

TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjM1MzczOTExMDQsImdyb3VwcyI6WyJncm91cDEiLCJncm91cDIiXSwiaWF0IjoxNTM3MzkxMTA0LCJpc3MiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyIsInNjb3BlIjpbInNjb3BlMSIsInNjb3BlMiJdLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.EdJnEZSH6X8hcyEii7c8H5lnhgjB5dwo07M5oheC8Xz8mOllyg--AHCFWHybM48reunF--oGaG6IXVngCEpVF0_P5DwsUoBgpPmK1JOaKN6_pe9sh0ZwTtdgK_RP01PuI7kUdbOTlkuUi2AO-qUyOm7Art2POzo36DLQlUXv8Ad7NBOqfQaKjE9ndaPWT7aexUsBHxmgiGbz1SyLH879f7uHYPbPKlpHU6P9S-DaKnGLaEchnoKnov7ajhrEhGXAQRukhDPKUHO9L30oPIr5IJllEQfHYtt6IZvlNUGeLUcif3wpry1R5tBXRicx2sXMQ7LyuDremDbcNy_iE76Upg

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

Verify the token:

JSON Web Tokens - jwt.io
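Instead of pasting the tokens into jwt.io, their payload can be decoded locally. The block below is an added example (not code from the original post, from OPA or from Istio): it decodes the two demo tokens quoted above, derives the iss/sub principal that `requestPrincipals` and `request.auth.principal` compare against, matches it the way the `requestPrincipals` entries on this page do, and re-implements the `policy.rego` check from the CUSTOM section in Python. The two token constants are the tokens shown on this page; everything else is constructed for the example.

```python
"""Added example: JWT -> request principal, and policy.rego rendered in Python.
The two tokens are the Istio demo tokens quoted on this page."""
import base64
import json
from typing import Dict, Optional, Tuple

# First token on the page: carries the claim foo=bar
TOKEN_FOO_BAR = "eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg"
# Second token on the page: carries groups/scope claims but no foo claim
TOKEN_GROUPS = "eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjM1MzczOTExMDQsImdyb3VwcyI6WyJncm91cDEiLCJncm91cDIiXSwiaWF0IjoxNTM3MzkxMTA0LCJpc3MiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyIsInNjb3BlIjpbInNjb3BlMSIsInNjb3BlMiJdLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.EdJnEZSH6X8hcyEii7c8H5lnhgjB5dwo07M5oheC8Xz8mOllyg--AHCFWHybM48reunF--oGaG6IXVngCEpVF0_P5DwsUoBgpPmK1JOaKN6_pe9sh0ZwTtdgK_RP01PuI7kUdbOTlkuUi2AO-qUyOm7Art2POzo36DLQlUXv8Ad7NBOqfQaKjE9ndaPWT7aexUsBHxmgiGbz1SyLH879f7uHYPbPKlpHU6P9S-DaKnGLaEchnoKnov7ajhrEhGXAQRukhDPKUHO9L30oPIr5IJllEQfHYtt6IZvlNUGeLUcif3wpry1R5tBXRicx2sXMQ7LyuDremDbcNy_iE76Upg"

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token: str) -> Tuple[dict, dict]:
    """Header and payload only. Like OPA's io.jwt.decode this does NOT verify the
    signature; trust in the claims comes from RequestAuthentication having checked
    the token against the configured JWKS before the policy is evaluated."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))

def request_principal(payload: dict) -> str:
    """Istio sets request.auth.principal to iss/sub of the validated token."""
    return f"{payload['iss']}/{payload['sub']}"

def principal_matches(principal: Optional[str], pattern: str) -> bool:
    """requestPrincipals entries: an exact value, "*" (any authenticated request) or a
    prefix/suffix wildcard such as testing@secure.istio.io/*. No JWT -> no principal."""
    if principal is None:
        return False
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return principal.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return principal.endswith(pattern[1:])
    return principal == pattern

def opa_allow(headers: Dict[str, str]) -> bool:
    """policy.rego in Python: split "Bearer <token>" from the authorization header,
    decode the payload and allow only when payload.foo == "bar". Anything missing or
    malformed leaves the Rego rule undefined, i.e. the default allow = false."""
    parts = headers.get("authorization", "").split(" ")
    if len(parts) != 2:
        return False
    try:
        _, payload = decode_jwt(parts[1])
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False
    return payload.get("foo") == "bar"

def check_page_tokens() -> Dict[str, Dict[str, object]]:
    """Run both page tokens through the principal and OPA checks."""
    out: Dict[str, Dict[str, object]] = {}
    for name, token in (("foo-bar", TOKEN_FOO_BAR), ("groups", TOKEN_GROUPS)):
        header, payload = decode_jwt(token)
        principal = request_principal(payload)
        out[name] = {
            "kid": header["kid"],
            "principal": principal,
            "matches_exact": principal_matches(principal, "testing@secure.istio.io/testing@secure.istio.io"),
            "matches_semi_star": principal_matches(principal, "testing@secure.istio.io/*"),
            "opa_allow": opa_allow({"authorization": f"Bearer {token}"}),
        }
    return out
```

Both tokens share the same issuer and subject, so they produce the same request principal and both pass every `requestPrincipals` rule on this page; only the first carries `foo: bar`, so only it passes the OPA policy. The `kid` in the decoded header is the one listed in the `jwks` of the RequestAuthentication above, which is how Istio selects the verification key.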

productpage-rules-from-requestPrincipals-semi-star.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/productpage"]
    from:
    - source:
        requestPrincipals:
        - "testing@secure.istio.io/*"
```

notRequestPrincipals

JWT-related

productpage-rules-from-notRequestPrincipals.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/productpage"]
    from:
    - source:
        notRequestPrincipals:
        - "testing@secure.istio.io/testing@secure.istio.io"
```

namespaces

productpage-rules-from-namespaces.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces:
        - "istio-system"
```

notNamespaces

productpage-rules-from-notNamespaces.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - from:
    - source:
        notNamespaces:
        - "test"
```

ipBlocks

ingressgateway-rules-from-ipBlocks.yaml

kubectl apply -f ingressgateway-rules-from-ipBlocks.yaml -n istio-system

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingressgateway
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks:
        - "172.20.0.0/16"
```

Configure XFF so that the original client address is preserved.

notIpBlocks

ingressgateway-rules-from-notIpBlocks.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingressgateway
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        notIpBlocks:
        - "172.20.0.0/16"
```

remoteIpBlocks

Modify the svc

kubectl edit svc istio-ingressgateway -n istio-system

externalTrafficPolicy: Local

Used to set an allow list (whitelist)

ingressgateway-rules-from-remoteIpBlocks.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingressgateway
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        remoteIpBlocks:
        - 192.168.198.1/32
```

notRemoteIpBlocks

Modify the svc

kubectl edit svc istio-ingressgateway -n istio-system

externalTrafficPolicy: Local

Used to set a deny list (blacklist)

ingressgateway-rules-from-notRemoteIpBlocks.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingressgateway
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        notRemoteIpBlocks:
        - "192.168.198.1/32"
```

to

| Field | Type | Description | Required |
|---|---|---|---|
| operation | Operation | Operation specifies the operation of a request. | No |

Operation:

| Field | Type | Description | Required |
|---|---|---|---|
| hosts | string[] | Optional. A list of hosts, which matches to the “request.host” attribute. If not set, any host is allowed. Must be used only with HTTP. | No |
| notHosts | string[] | Optional. A list of negative match of hosts. | No |
| ports | string[] | Optional. A list of ports, which matches to the “destination.port” attribute. If not set, any port is allowed. | No |
| notPorts | string[] | Optional. A list of negative match of ports. | No |
| methods | string[] | Optional. A list of methods, which matches to the “request.method” attribute. For gRPC service, this will always be “POST”. If not set, any method is allowed. Must be used only with HTTP. | No |
| notMethods | string[] | Optional. A list of negative match of methods. | No |
| paths | string[] | Optional. A list of paths, which matches to the “request.url_path” attribute. For gRPC service, this will be the fully-qualified name in the form of “/package.service/method”. If not set, any path is allowed. Must be used only with HTTP. | No |
| notPaths | string[] | Optional. A list of negative match of paths. | No |

hosts

productpage-rules-to-hosts.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - "bookinfo.demo:30986"
    from:
    - source:
        namespaces:
        - "istio-system"
```

details-rules-to-hosts.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: details
spec:
  selector:
    matchLabels:
      app: details
      version: v1
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - "details:9080"
```

This is actually matched against the :authority (Host) header, so the port must be included.

notHosts

productpage-rules-to-notHosts.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - to:
    - operation:
        notHosts:
        - "test"
    from:
    - source:
        namespaces:
        - "istio-system"
```

ports

details-rules-to-ports.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: details
spec:
  selector:
    matchLabels:
      app: details
      version: v1
  action: ALLOW
  rules:
  - to:
    - operation:
        ports:
        - "9080"
```

notPorts

details-rules-to-notPorts.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: details
spec:
  selector:
    matchLabels:
      app: details
      version: v1
  action: ALLOW
  rules:
  - to:
    - operation:
        notPorts:
        - "9080"
```

methods

details-rules-to-methods.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: details
spec:
  selector:
    matchLabels:
      app: details
      version: v1
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - "GET"
```

notMethods

details-rules-to-notMethods.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: details
spec:
  selector:
    matchLabels:
      app: details
      version: v1
  action: ALLOW
  rules:
  - to:
    - operation:
        notMethods:
        - "GET"
```

paths

details-rules-to-paths.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: details
spec:
  selector:
    matchLabels:
      app: details
      version: v1
  action: ALLOW
  rules:
  - to:
    - operation:
        paths:
        - "/details/0"
```

Wildcard

details-rules-to-paths-star.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: details
spec:
  selector:
    matchLabels:
      app: details
      version: v1
  action: ALLOW
  rules:
  - to:
    - operation:
        paths:
        - "/details/*"
```

notPaths

details-rules-to-notPaths.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: details
spec:
  selector:
    matchLabels:
      app: details
      version: v1
  action: ALLOW
  rules:
  - to:
    - operation:
        notPaths:
        - "/details/0"
```

Wildcard

details-rules-to-notPaths-star.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: details
spec:
  selector:
    matchLabels:
      app: details
      version: v1
  action: ALLOW
  rules:
  - to:
    - operation:
        notPaths:
        - "/details/*"
```

when

| Field | Type | Description | Required |
|---|---|---|---|
| key | string | The name of an Istio attribute. See the full list of supported attributes. | Yes |
| values | string[] | Optional. A list of allowed values for the attribute. Note: at least one of values or not_values must be set. | No |
| notValues | string[] | Optional. A list of negative match of values for the attribute. Note: at least one of values or not_values must be set. | No |

https://istio.io/latest/docs/reference/config/security/conditions/

| Name | Description | Supported Protocols | Example |
|---|---|---|---|
| request.headers | HTTP request headers. The header name is surrounded by [] without any quotes | HTTP only | key: request.headers[User-Agent] values: ["Mozilla/*"] |
| source.ip | Source workload instance IP address, supports single IP or CIDR | HTTP and TCP | key: source.ip values: ["10.1.2.3", "10.2.0.0/16"] |
| remote.ip | Original client IP address as determined by X-Forwarded-For header or Proxy Protocol, supports single IP or CIDR | HTTP and TCP | key: remote.ip values: ["10.1.2.3", "10.2.0.0/16"] |
| source.namespace | Source workload instance namespace, requires mutual TLS enabled | HTTP and TCP | key: source.namespace values: ["default"] |
| source.principal | The identity of the source workload, requires mutual TLS enabled | HTTP and TCP | key: source.principal values: ["cluster.local/ns/default/sa/productpage"] |
| request.auth.principal | The principal of the authenticated JWT token, constructed from the JWT claims in the format of iss/sub, requires request authentication policy applied | HTTP only | key: request.auth.principal values: ["issuer.example.com/subject-admin"] |
| request.auth.audiences | The intended audiences of the authenticated JWT token, constructed from the JWT claim aud, requires request authentication policy applied | HTTP only | key: request.auth.audiences values: ["example.com"] |
| request.auth.presenter | The authorized presenter of the authenticated JWT token, constructed from the JWT claim azp, requires request authentication policy applied | HTTP only | key: request.auth.presenter values: ["123456789012.example.com"] |
| request.auth.claims | Raw claims of the authenticated JWT token. The claim name is surrounded by [] without any quotes, nested claim can also be used, requires request authentication policy applied. Note only support claim of type string or list of string | HTTP only | key: request.auth.claims[iss] values: ["*@foo.com"]; key: request.auth.claims[nested1][nested2] values: ["some-value"] |
| destination.ip | Destination workload instance IP address, supports single IP or CIDR | HTTP and TCP | key: destination.ip values: ["10.1.2.3", "10.2.0.0/16"] |
| destination.port | Destination workload instance port, must be in the range [0, 65535]. Note this is not the service port | HTTP and TCP | key: destination.port values: ["80", "443"] |
| connection.sni | The server name indication, requires TLS enabled | HTTP and TCP | key: connection.sni values: ["www.example.com"] |
| experimental.envoy.filters.* | Experimental metadata matching for filters, values wrapped in [] are matched as a list | HTTP and TCP | key: experimental.envoy.filters.network.mysql_proxy[db.table] values: ["[update]"] |

Which JWT claims the JWT-related fields are built from:

| Field | Sub field | JWT claims |
|---|---|---|
| from.source | requestPrincipals | iss/sub |
| from.source | notRequestPrincipals | iss/sub |
| when.key | request.auth.principal | iss/sub |
| when.key | request.auth.audiences | aud |
| when.key | request.auth.presenter | azp |
| when.key | request.auth.claims[key] | all JWT claims |

request.headers

values

productpage-rules-when-request-headers-values.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: request.headers[test]
      values:
      - "test"
```

curl 192.168.198.154:30986/productpage --header "test:test"

notValues

productpage-rules-when-request-headers-notValues.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: request.headers[test]
      notValues:
      - "test"
```

curl 192.168.198.154:30986/productpage --header "test:test"

curl 192.168.198.154:30986/productpage --header "test:test2"

source.ip

values

productpage-when-source-ip-values.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - when:
    - key: source.ip
      values:
      - "172.20.0.0/16"
```

notValues

productpage-when-source-ip-notValues.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - when:
    - key: source.ip
      notValues:
      - "172.20.0.0/16"
```

remote.ip

Modify the svc

kubectl edit svc istio-ingressgateway -n istio-system

externalTrafficPolicy: Local

Deny list / allow list

values

productpage-when-remote-ip-values.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  action: DENY
  rules:
  - when:
    - key: remote.ip
      values:
      - "192.168.198.1/32"
```

notValues

productpage-when-remote-ip-notValues.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - when:
    - key: remote.ip
      notValues:
      - "192.168.198.1/32"
```

source.namespace

values

productpage-when-source-namespace-values.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - when:
    - key: source.namespace
      values:
      - "istio-system"
```

notValues

productpage-when-source-namespace-notValues.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - when:
    - key: source.namespace
      notValues:
      - "istio-system"
```

source.principal

values

productpage-when-source-principal-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: source.principal
      values:
      - "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"

notValues

productpage-when-source-principal-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: source.principal
      notValues:
      - "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"

request.auth.principal

JWT related: the value is iss/sub of the validated token.

values

productpage-when-request-auth-principal-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: request.auth.principal
      values:
      - "testing@secure.istio.io/testing@secure.istio.io"

TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjM1MzczOTExMDQsImdyb3VwcyI6WyJncm91cDEiLCJncm91cDIiXSwiaWF0IjoxNTM3MzkxMTA0LCJpc3MiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyIsInNjb3BlIjpbInNjb3BlMSIsInNjb3BlMiJdLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.EdJnEZSH6X8hcyEii7c8H5lnhgjB5dwo07M5oheC8Xz8mOllyg--AHCFWHybM48reunF--oGaG6IXVngCEpVF0_P5DwsUoBgpPmK1JOaKN6_pe9sh0ZwTtdgK_RP01PuI7kUdbOTlkuUi2AO-qUyOm7Art2POzo36DLQlUXv8Ad7NBOqfQaKjE9ndaPWT7aexUsBHxmgiGbz1SyLH879f7uHYPbPKlpHU6P9S-DaKnGLaEchnoKnov7ajhrEhGXAQRukhDPKUHO9L30oPIr5IJllEQfHYtt6IZvlNUGeLUcif3wpry1R5tBXRicx2sXMQ7LyuDremDbcNy_iE76Upg

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

notValues

productpage-when-request-auth-principal-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: request.auth.principal
      notValues:
      - "testing@secure.istio.io/testing@secure.istio.io"

TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjM1MzczOTExMDQsImdyb3VwcyI6WyJncm91cDEiLCJncm91cDIiXSwiaWF0IjoxNTM3MzkxMTA0LCJpc3MiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyIsInNjb3BlIjpbInNjb3BlMSIsInNjb3BlMiJdLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.EdJnEZSH6X8hcyEii7c8H5lnhgjB5dwo07M5oheC8Xz8mOllyg--AHCFWHybM48reunF--oGaG6IXVngCEpVF0_P5DwsUoBgpPmK1JOaKN6_pe9sh0ZwTtdgK_RP01PuI7kUdbOTlkuUi2AO-qUyOm7Art2POzo36DLQlUXv8Ad7NBOqfQaKjE9ndaPWT7aexUsBHxmgiGbz1SyLH879f7uHYPbPKlpHU6P9S-DaKnGLaEchnoKnov7ajhrEhGXAQRukhDPKUHO9L30oPIr5IJllEQfHYtt6IZvlNUGeLUcif3wpry1R5tBXRicx2sXMQ7LyuDremDbcNy_iE76Upg

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

request.auth.audiences

Equivalent to request.auth.claims[aud]

values

productpage-when-request-auth-audiences-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: request.auth.audiences
      values:
      - "app"
      - "web"

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

Note that the demo token above carries no aud claim, so this policy matches nothing and the request is rejected with 403; only a token whose aud is app or web gets through.

notValues

productpage-when-request-auth-audiences-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: request.auth.audiences
      notValues:
      - "app"
      - "web"

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

request.auth.presenter

Equivalent to request.auth.claims[azp], the authorized presenter of the token.

values

productpage-when-request-auth-presenter-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: request.auth.presenter
      values:
      - "app"

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

As with audiences, the demo token has no azp claim, so this ALLOW policy rejects it with 403.

notValues

productpage-when-request-auth-presenter-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: request.auth.presenter
      notValues:
      - "app"

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

request.auth.claims

JWT related: any claim of the validated token can be matched by name; list-valued claims such as groups match when any element matches.

values

productpage-when-request-auth-claims-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: request.auth.claims[groups]
      values:
      - "group1"

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

notValues

productpage-when-request-auth-claims-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: request.auth.claims[groups]
      notValues:
      - "group1"

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

destination.ip

values

productpage-when-destination-ip-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: destination.ip
      values:
      - "172.20.0.0/16"

notValues

productpage-when-destination-ip-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: destination.ip
      notValues:
      - "172.20.0.0/16"

destination.port

values

productpage-when-destination-port-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: destination.port
      values:
      - "9080"

notValues

productpage-when-destination-port-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: destination.port
      notValues:
      - "9080"

connection.sni

values

productpage-when-connection-sni-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: connection.sni
      values:
      - "outbound_.9080_._.productpage.istio.svc.cluster.local"

The value is the connection's requestedServerName, i.e. the SNI sent in the TLS ClientHello; it is only populated for TLS traffic.

notValues

productpage-when-connection-sni-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: connection.sni
      notValues:
      - "outbound_.9080_._.productpage.istio.svc.cluster.local"

experimental.envoy.filters.*

Experimental. The key reads dynamic metadata emitted by an Envoy network filter (here mysql_proxy), so it only has a value when that filter is in the listener's chain.

Not verified in this article.

values

productpage-when-envoy-filters-mysql_proxy-values.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: experimental.envoy.filters.network.mysql_proxy[db.table]
      values:
      - "[update]"

notValues

productpage-when-envoy-filters-mysql_proxy-notValues.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - when:
    - key: experimental.envoy.filters.network.mysql_proxy[db.table]
      notValues:
      - "[update]"

Combined configuration (from, to and when in one rule; note there is no selector, so this policy applies to every workload in its namespace)

productpage-complex.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
        namespaces:
        - istio-system
    to:
    - operation:
        methods: ["GET"]
        paths: ["/productpage"]
    - operation:
        methods: ["GET"]
        paths: ["/static/*"]
    - operation:
        methods: ["GET"]
        paths: ["/api/v1/products/*"]
    - operation:
        methods: ["GET"]
        paths: ["/logout"]
    - operation:
        methods: ["POST"]
        paths: ["/login"]
    when:
    - key: source.ip
      values:
      - "172.20.0.0/16"

Dependency on mutual TLS

Istio uses mutual TLS to securely pass some information from the client to the server. Mutual TLS must be enabled before using any of the following fields in the authorization policy:

  • the principals and notPrincipals field under the source section

  • the namespaces and notNamespaces field under the source section

  • the source.principal custom condition

  • the source.namespace custom condition

Mutual TLS is not required if you don't use any of the above fields in the authorization policy. In PERMISSIVE mode a plaintext client presents no certificate and therefore has no principal or namespace at all, so an ALLOW rule keyed on these fields rejects it; where a policy depends on them, enforce a STRICT PeerAuthentication for the workload so that the identity being matched is always certificate-backed.
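The `when` conditions above, the combined productpage-complex.yaml and the mutual TLS dependency all come down to one evaluation routine in the sidecar. What follows is an added example written for this page, not code from Istio or from the author, that models that routine in Python on constructed request attributes: it decodes the page's demo token to show which claims feed request.auth.principal, request.auth.audiences, request.auth.presenter and request.auth.claims[...], then evaluates policies with the documented precedence (DENY before ALLOW, a workload with ALLOW policies denying anything no rule matches). The attribute keys are Istio's; the request inputs (IPs, paths, the port), the COMBINED_POLICY dict and the evaluate, request_attributes and decode_jwt_claims helpers are assumptions of the example. Two behaviours worth watching when you run it: the demo token has no aud or azp claim, so the ALLOW policies on request.auth.audiences and request.auth.presenter above reject it, and a plaintext (non-mTLS) connection has no source.principal at all, so the combined policy denies it even from the gateway's own pod IP.

```python
"""Offline model of how an Istio AuthorizationPolicy evaluates `from`, `to` and
`when` for one request. Added illustration, not Istio code: it follows the
documented semantics (DENY before ALLOW; AND across sections, OR within a list;
CIDR match for *.ip keys; request.auth.principal = iss/sub) on constructed input.
Selectors, CUSTOM actions and the negative from/to fields are not modelled."""
import base64
import ipaddress
import json

# The demo token used on this page (header.payload.signature, RS256).
DEMO_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ."
    "eyJleHAiOjM1MzczOTExMDQsImdyb3VwcyI6WyJncm91cDEiLCJncm91cDIiXSwiaWF0IjoxNTM3MzkxMTA0LCJpc3MiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyIsInNjb3BlIjpbInNjb3BlMSIsInNjb3BlMiJdLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9."
    "EdJnEZSH6X8hcyEii7c8H5lnhgjB5dwo07M5oheC8Xz8mOllyg--AHCFWHybM48reunF--oGaG6IXVngCEpVF0_P5DwsUoBgpPmK1JOaKN6_pe9sh0ZwTtdgK_RP01PuI7kUdbOTlkuUi2AO-qUyOm7Art2POzo36DLQlUXv8Ad7NBOqfQaKjE9ndaPWT7aexUsBHxmgiGbz1SyLH879f7"
    "uHYPbPKlpHU6P9S-DaKnGLaEchnoKnov7ajhrEhGXAQRukhDPKUHO9L30oPIr5IJllEQfHYtt6IZvlNUGeLUcif3wpry1R5tBXRicx2sXMQ7LyuDremDbcNy_iE76Upg"
)
GATEWAY_SA = "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"

# productpage-complex.yaml from this page as a dict, with three of its operations.
COMBINED_POLICY = {"action": "ALLOW", "rules": [{
    "from": [{"source": {"principals": [GATEWAY_SA], "namespaces": ["istio-system"]}}],
    "to": [{"operation": {"methods": ["GET"], "paths": ["/productpage"]}},
           {"operation": {"methods": ["GET"], "paths": ["/static/*"]}},
           {"operation": {"methods": ["POST"], "paths": ["/login"]}}],
    "when": [{"key": "source.ip", "values": ["172.20.0.0/16"]}]}]}


def decode_jwt_claims(token):
    """Payload as a dict. The signature is deliberately not checked here: that is
    RequestAuthentication's job, authorization only sees claims it already validated."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def request_attributes(method, path, source_ip, remote_ip, dest_ip, dest_port,
                       claims=None, peer_principal=None):
    """Flatten one request into the attribute keys a policy can reference. The peer
    principal comes from the client certificate, so it exists only over mutual TLS."""
    attrs = {"request.method": method, "request.path": path, "source.ip": source_ip,
             "remote.ip": remote_ip, "destination.ip": dest_ip, "destination.port": str(dest_port)}
    if peer_principal:
        attrs["source.principal"] = peer_principal
        attrs["source.namespace"] = peer_principal.split("/ns/")[1].split("/")[0]
    if claims:
        attrs["request.auth.principal"] = f"{claims['iss']}/{claims['sub']}"
        for name, value in claims.items():
            attrs[f"request.auth.claims[{name}]"] = value
        for key, claim in (("request.auth.audiences", "aud"), ("request.auth.presenter", "azp")):
            if claim in claims:  # shorthand keys only exist when the claim is present
                attrs[key] = claims[claim]
    return attrs


IP_KEYS = {"source.ip", "remote.ip", "destination.ip"}


def _matches_one(key, actual, pattern):
    if key in IP_KEYS:  # single address or CIDR block
        return ipaddress.ip_address(actual) in ipaddress.ip_network(pattern, strict=False)
    actual = str(actual)
    if pattern.endswith("*"):  # prefix match such as "/static/*" ("*" alone matches all)
        return actual.startswith(pattern[:-1])
    if pattern.startswith("*"):  # suffix match such as "*.example.com"
        return actual.endswith(pattern[1:])
    return actual == pattern


def _field_ok(key, patterns, attrs):
    # OR across patterns; an attribute that is absent never matches positively
    if key not in attrs:
        return False
    actual = attrs[key] if isinstance(attrs[key], list) else [attrs[key]]
    return any(_matches_one(key, a, p) for a in actual for p in patterns)


def condition_holds(cond, attrs):
    """One `when` entry. notValues mirrors Envoy RBAC not_id: an absent attribute
    matches nothing, so its negation holds, and a request without a JWT passes."""
    if "values" in cond:
        return _field_ok(cond["key"], cond["values"], attrs)
    return not _field_ok(cond["key"], cond["notValues"], attrs)


SOURCE_FIELDS = {"principals": "source.principal", "namespaces": "source.namespace",
                 "ipBlocks": "source.ip", "remoteIpBlocks": "remote.ip",
                 "requestPrincipals": "request.auth.principal"}
OPERATION_FIELDS = {"methods": "request.method", "paths": "request.path", "ports": "destination.port"}


def _section_ok(spec, fields, attrs):
    # every field set in the spec must match (AND); the entries of one field are OR
    return all(_field_ok(key, spec[f], attrs) for f, key in fields.items() if f in spec)


def rule_matches(rule, attrs):
    from_ok = not rule.get("from") or any(_section_ok(f["source"], SOURCE_FIELDS, attrs) for f in rule["from"])
    to_ok = not rule.get("to") or any(_section_ok(t["operation"], OPERATION_FIELDS, attrs) for t in rule["to"])
    return from_ok and to_ok and all(condition_holds(c, attrs) for c in rule.get("when", []))


def evaluate(policies, attrs):
    """Decision for one request against the policies selecting its workload:
    any matching DENY wins; if ALLOW policies exist, one of their rules must match."""
    def hit(policy):
        return any(rule_matches(r, attrs) for r in policy.get("rules", []))
    if any(hit(p) for p in policies if p["action"] == "DENY"):
        return "deny"
    allows = [p for p in policies if p["action"] == "ALLOW"]
    return "deny" if allows and not any(hit(p) for p in allows) else "allow"
```

To try a policy from this page, translate its YAML into the same dict shape and call evaluate([policy], request_attributes(...)); passing peer_principal=None reproduces a plaintext client, and omitting claims reproduces a request without a JWT, which is exactly where the notValues forms above behave differently from their values counterparts.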
