热门标签
热门文章
- 1SourceTree for windows安装并跳过注册_source tree for windows
- 2Flink原理——任务调度原理_flink任务调度原理
- 3你与网站建立的链接并非完全安全?建议全站开启https_您与此网站的连接并非完全安全
- 4【软件应用开发】小米便签APP维护开发
- 5SourceTree push 时密码错误提示解决方案(Invalid username/password)_fatal: remote error: invalid username or password
- 6SpringSecurity从0到1搭建详细教程三——添加权限RBAC权限模型详解_rbac教程
- 7求π的近似值(C语言)
- 8微信小程序中调取小程序实现报错:提示 开发版小程序已过期,请在开发者工具中重新扫码的 解决方案
- 9github中git clone需要username和password问题_git clone 的username是什么
- 10前端专业术语
当前位置: article > 正文
备考ICA----Istio实验16---HTTP流量授权
作者:盐析白兔 | 2024-04-18 22:56:47
赞
踩
备考ICA----Istio实验16---HTTP流量授权
备考ICA----Istio实验16—HTTP流量授权
1. 环境准备
kubectl apply -f istio/samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f istio/samples/bookinfo/networking/bookinfo-gateway.yaml
- 1
- 2
访问测试
curl -I http://192.168.126.220/productpage
- 1
2. 开启mtls
mtls/mtls-default.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: default
spec:
mtls:
mode: STRICT
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
部署生效
kubectl apply -f mtls/mtls-default.yaml
- 1
3. 拒绝请求
default名称空间,拒绝所有请求
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: default
- 1
- 2
- 3
- 4
- 5
配置生效
kubectl apply -f mtls/allow-nothing.yaml
- 1
访问测试
curl -I http://192.168.126.220/productpage
- 1
此时访问被拒绝.返回码403
4. 允许请求
4.1 productpage允许请求
允许以get方式访问productpage
auth/productpage-viewer.yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: productpage-viewer
namespace: default
spec:
selector:
matchLabels:
app: productpage
action: ALLOW
rules:
- to:
- operation:
methods: ["GET"]
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
部署生效
kubectl apply -f auth/productpage-viewer.yaml
- 1
访问测试
4.2 details允许请求
创建details-viewer允许从productpage访问到details
kubectl get pods productpage-v1-675fc69cf-xlg4x -o yaml|grep -i serviceaccount
- 1
cluster.local 本地集群
ns/default 命名空间
sa/bookinfo-productpage sa账号
auth/details-viewer.yaml
apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata: name: details-viewer namespace: default spec: selector: matchLabels: app: details action: ALLOW rules: - from: - source: principals: ["cluster.local/ns/default/sa/bookinfo-productpage"] to: - operation: methods: ["GET"]
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
部署生效
kubectl apply -f auth/details-viewer.yaml
- 1
浏览器再次访问
4.3 reviews允许请求
创建reviews-viewer允许从productpage访问到reviews
auth/reviews-viewer.yaml
apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata: name: reviews-viewer namespace: default spec: selector: matchLabels: app: reviews action: ALLOW rules: - from: - source: principals: ["cluster.local/ns/default/sa/bookinfo-productpage"] to: - operation: methods: ["GET"]
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
部署生效
kubectl apply -f auth/reviews-viewer.yaml
- 1
此时reviews已经可以正常显示,但ratings还是有问题.
4.4 ratings允许请求
创建ratings-viewer允许从productpage访问到ratings
auth/ratings-viewer.yaml
apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata: name: ratings-viewer namespace: default spec: selector: matchLabels: app: ratings action: ALLOW rules: - from: - source: principals: ["cluster.local/ns/default/sa/bookinfo-reviews"] to: - operation: methods: ["GET"]
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
部署生效
kubectl apply -f auth/ratings-viewer.yaml
- 1
再次访问,现在所有页面都能正常展示了
至此备考ICA----Istio实验16—HTTP流量授权实验完成
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/盐析白兔/article/detail/448662
推荐阅读
相关标签
