Kubernetes Istio:RequestAuthentication jwksUri不解析内部服务名称 通知
其根本原因与相同,但在进一步诊断后,我将其改写为Simple(试图获得帮助) 问题 我试图在Istio网格中配置RequestAuthentication(和AuthorizationPolicy)。我的JWK令牌由内部OAUTH服务器(基于CloudFoundry)提供,该服务器可以很好地用于其他服务。 当我配置uri以获取签名密钥、链接到内部pod时,问题就出现了。此时,Istio没有解析内部pod的名称。我感到困惑,因为微服务能够连接到我所有的内部POD(mongodb、mysql、rabbitmq),包括uaa。为什么RequestAuthentication不能做同样的事情 UAA服务配置(注意:我还创建了一个用于外部访问的虚拟服务,现在运行良好) RequestAuthentication:注意参数jwksUri,查找Kubernetes Istio:RequestAuthentication jwksUri不解析内部服务名称 通知,kubernetes,istio,kubernetes-pod,kubernetes-dns,istio-gateway,Kubernetes,Istio,Kubernetes Pod,Kubernetes Dns,Istio Gateway,其根本原因与相同,但在进一步诊断后,我将其改写为Simple(试图获得帮助) 问题 我试图在Istio网格中配置RequestAuthentication(和AuthorizationPolicy)。我的JWK令牌由内部OAUTH服务器(基于CloudFoundry)提供,该服务器可以很好地用于其他服务。 当我配置uri以获取签名密钥、链接到内部pod时,问题就出现了。此时,Istio没有解析内部pod的名称。我感到困惑,因为微服务能够连接到我所有的内部POD(mongodb、mysql、rab
uaaapiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "ra-product-composite"
spec:
selector:
matchLabels:
app: "product-composite"
jwtRules:
- issuer: "http://uaa:8090/uaa/oauth/token"
jwksUri: "http://uaa:8090/uaa/token_keys"
forwardOriginalToken: true
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: "ap-product-composite"
spec:
selector:
matchLabels:
app: "product-composite"
action: ALLOW
rules:
- to:
- operation:
methods: ["GET","POST","DELETE","HEAD","PUT"]
paths: ["*"]
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: se-auth
spec:
hosts:
- "host.docker.internal"
ports:
- number: 8090
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: vs-auth
spec:
hosts:
- "kubernetes.example.com"
gateways:
- gw-ingress
http:
- match:
- uri:
prefix: /oauth
rewrite:
uri: "/uaa/oauth"
route:
- destination:
port:
number: 8090
host: "host.docker.internal"
- match:
- uri:
prefix: /uaa
rewrite:
uri: "/uaa"
route:
- destination:
port:
number: 8090
host: "host.docker.internal"
---
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "ra-product-composite"
spec:
selector:
matchLabels:
app: "product-composite"
jwtRules:
- issuer: "http://uaa:8090/uaa/oauth/token"
jwksUri: "http://host.docker.internal:8090/uaa/token_keys"
forwardOriginalToken: true
jwksUri: "http://uaa.mynamespace.svc.cluster.local:8090/uaa/token_keys"
jwksUri:“http://uaa:8090/uaa/token_keys“http://uaahttp://uaa.istio-system.svc.cluster.local我不明白为什么您的变通方法2不是一个充分的解决方案。假设您的uaa服务在命名空间
authuaa.auth.svc.cluster.localjwksUriuaauaa.authuaa.auth.svcuaa.auth.svc.cluster.localuaaauthhttp://uaauaa..svc.cluster.localistiod.svc.cluster.localapiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: se-auth
spec:
hosts:
- "host.docker.internal"
ports:
- number: 8090
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: vs-auth
spec:
hosts:
- "kubernetes.example.com"
gateways:
- gw-ingress
http:
- match:
- uri:
prefix: /oauth
rewrite:
uri: "/uaa/oauth"
route:
- destination:
port:
number: 8090
host: "host.docker.internal"
- match:
- uri:
prefix: /uaa
rewrite:
uri: "/uaa"
route:
- destination:
port:
number: 8090
host: "host.docker.internal"
---
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "ra-product-composite"
spec:
selector:
matchLabels:
app: "product-composite"
jwtRules:
- issuer: "http://uaa:8090/uaa/oauth/token"
jwksUri: "http://host.docker.internal:8090/uaa/token_keys"
forwardOriginalToken: true
jwksUri: "http://uaa.mynamespace.svc.cluster.local:8090/uaa/token_keys"