Kubernetes: Why is my Istio policy configuration not applied?


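I'm using Istio-1.0.6 to implement authentication/authorization. I'm trying to use JSON Web Tokens (JWT). I followed most of the examples in the documentation, but I'm not getting the expected result. Here is my setup: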

Service

kubectl describe services hello
Name:              hello
Namespace:         agud
Selector:          app=hello
Type:              ClusterIP
IP:                10.247.173.177
Port:              <unset>  8080/TCP
TargetPort:        8080/TCP
Endpoints:         172.16.0.193:8080
Session Affinity:  None

Virtual Service

kubectl describe virtualservices
Name:         hello
Namespace:    agud
API Version:  networking.istio.io/v1alpha3
Kind:         VirtualService
Metadata:
  Cluster Name:
  Creation Timestamp:  2019-03-18T07:38:52Z
  Generation:          0
  Resource Version:    2329507
  Self Link:           
/apis/networking.istio.io/v1alpha3/namespaces/agud/virtualservices/hello
  UID:                 e099b560-4950-11e9-82a1-fa163ee249a9
Spec:
  Gateways:
    hello-gateway
  Hosts:
    *
  Http:
    Match:
      Uri:
        Exact:  /hello
      Uri:
        Exact:  /secured
    Route:
      Destination:
        Host:  hello.agud.svc.cluster.local
        Port:
          Number:  8080

Policy

kubectl describe policies
Name:         jwt-hello
Namespace:    agud
API Version:  authentication.istio.io/v1alpha1
Kind:         Policy
Metadata:
  Cluster Name:
  Creation Timestamp:  2019-03-18T07:45:33Z
  Generation:          0
  Resource Version:    2331381
  Self Link:           
/apis/authentication.istio.io/v1alpha1/namespaces/agud/policies/jwt-hello
  UID:                 cf9ed2aa-4951-11e9-9f64-fa163e804eca
Spec:
  Origins:
    Jwt:
      Audiences:
        hello
      Issuer:         testing@secure.istio.io
      Jwks Uri:       https://raw.githubusercontent.com/istio/istio/release-1.0/security/tools/jwt/samples/jwks.json
  Principal Binding:  USE_ORIGIN
  Targets:
    Name:  hello.agud.svc.cluster.local

Result

I expected to get a 401 error, but I get a 200. What is wrong with my configuration, and how do I fix it?

curl $INGRESS_HOST/hello -s -o /dev/null -w "%{http_code}\n"
200

You have:

Port:              <unset>  8080/TCP

For Istio routing and security, you must set the port name to http or http-
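
The port-name requirement from the answer above, written as a check over `kubectl get service ... -o json` output. This is an added example, not code from the original thread or from the Istio project; the sample Service is constructed from the question's `describe` output, and the function names and the `prefixes` parameter are hypothetical.

```python
import json

# Constructed sample: trimmed `kubectl get service hello -o json` output matching
# the Service described in the question (port 8080, no port name).
SAMPLE_SERVICE = json.loads("""
{
  "kind": "Service",
  "metadata": {"name": "hello", "namespace": "agud"},
  "spec": {"ports": [{"port": 8080, "protocol": "TCP", "targetPort": 8080}]}
}
""")


def port_name_ok(name, prefixes=("http",)):
    """True if the name is exactly a prefix or starts with '<prefix>-'."""
    if not name:
        return False  # unnamed port, shown as <unset> by kubectl describe
    return any(name == p or name.startswith(p + "-") for p in prefixes)


def audit_service(svc, prefixes=("http",)):
    """Return one finding per Service port whose name fails the naming rule."""
    meta = svc.get("metadata", {})
    findings = []
    for p in svc.get("spec", {}).get("ports", []):
        name = p.get("name")
        if not port_name_ok(name, prefixes):
            findings.append({
                "service": f'{meta.get("namespace", "default")}/{meta.get("name")}',
                "port": p.get("port"),
                "name": name or "<unset>",
            })
    return findings


def audit_list(doc, prefixes=("http",)):
    """Accept a single Service or a `kubectl get services -o json` List."""
    items = doc.get("items", [doc]) if doc.get("kind") == "List" else [doc]
    return [f for svc in items if svc.get("kind") == "Service"
            for f in audit_service(svc, prefixes)]


if __name__ == "__main__":
    for f in audit_list(SAMPLE_SERVICE):
        print(f'{f["service"]} port {f["port"]}: name {f["name"]} fails the http naming rule')
```

A clean result only confirms the naming precondition; as the follow-up comments in this thread show, renaming the port did not by itself produce the expected 401.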


I tried with Istio 1.1. I got a 503 instead of a 401.

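Hi @esnible, I added port 8080, but it didn't help.

Your Kubernetes service "hello" will have a port. In Kubernetes, ports have a name field, but it is just a label. The name has meaning to Istio. Try kubectl edit on your hello service and name the port http.

Unfortunately, that didn't help either. kubectl describe services hello Name: hello Namespace: agud Labels: Annotations: Selector: app=hello Type: ClusterIP IP: 10.247.174.223 Port: http 8080/TCP TargetPort: 8080/TCP Endpoints: 172.16.0.163:8080 Session Affinity: None Events:

Please make it simpler by providing yaml files instead of describe commands.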