Kubernetes Istio JWT authentication for a single service behind the ingress gateway


I have 2 services running on AKS (v1.16.13) with the following Istio (v1.7.3) configuration deployed. The first is a UI from which I run the OIDC flow and obtain a JWT token; the second is a backend service that requires a valid JWT token.

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: myapp-gateway
  namespace: "istio-system"
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - myapp.com
    port:
      name: http-myapp
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - myapp.com
    port:
      name: https-myapp
      number: 443
      protocol: HTTPS
    tls:
      credentialName: myapp-credential
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp
  namespace: myapp
spec:
  gateways:
  - istio-system/myapp-gateway
  hosts:
  - myapp.com
  http:
  - match:
    - uri:
        prefix: /ui
    route:
    - destination:
        host: myapp-ui.myapp.svc.cluster.local
        port:
          number: 4200
  - match:
    - uri:
        prefix: /backend/
    rewrite:
      uri: /
    route:
    - destination:
        host: myapp-service-backend.myapp.svc.cluster.local
        port:
          number: 8080
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: myapp-jwt-backend
  namespace: myapp
spec:
  jwtRules:
  - issuer: https://oktapreview.com
  selector:
    matchLabels:
      app: myapp-service-backend

With this configuration I would expect to get a 401 when I call myapp.com/backend, but that is not the case. The RequestAuthentication does not work.

After further research I found that I cannot apply a RequestAuthentication to a VirtualService, only to a Gateway, which seems odd to me, but fine. I changed the RequestAuthentication to the following, but still nothing changes when I call the backend:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: myapp-jwt-backend
  namespace: istio-system
spec:
  jwtRules:
  - issuer: https://oktapreview.com
  selector:
    matchLabels:
      istio: myapp-gateway

Do you know how to set up Istio for my use case? Assuming RequestAuthentication works on gateways, do I need 2 gateways, one for the UI and a second for the backend? That seems like overkill.

Thanks to sachin's comment and another look at the docs, I realised that I need an AuthorizationPolicy on top of the RequestAuthentication:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: myapp-require-jwt-backend
  namespace: myapp   # assumed: same namespace as the backend workload (not in the original post)
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals:
        - https://xxx/*
  selector:
    matchLabels:
      app: myapp-service-backend

RequestAuthentication only makes sure that when a JWT token is provided, it must be valid. If there is no token, it simply lets the request through.

You can apply a RequestAuthentication to services inside the Istio service mesh (validating at the gateway is not required). If the incoming request contains an invalid token, an error occurs. If there is no authentication token, by default it passes the request on to the backend. To change that behaviour, apply an AuthorizationPolicy as well.

Thanks a lot. My bad, I should have read the docs in more detail. After adding the AuthorizationPolicy it now works.

Do you want to post an answer to get the bounty?

I'm glad it helped.
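The pair of resources below is an added example, not configuration from the question or the answer above. It shows the combination the thread arrives at (RequestAuthentication to validate tokens, AuthorizationPolicy to require one), written in the DENY form Istio documents for "reject requests without a valid JWT", and applied on the backend workload rather than the gateway. It assumes the backend pods carry the label app=myapp-service-backend, have the Istio sidecar injected and live in the myapp namespace; the issuer is the one from the question, and the jwksUri is a placeholder to be replaced with the real Okta JWKS endpoint.

```yaml
# Added example (not from the original post). Assumed: backend pods are
# labelled app=myapp-service-backend, sidecar-injected, in namespace "myapp".
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: myapp-jwt-backend
  namespace: myapp
spec:
  selector:
    matchLabels:
      app: myapp-service-backend        # pod label; enforced by the sidecar, not the gateway
  jwtRules:
  - issuer: https://oktapreview.com     # must equal the token's "iss" claim exactly
    # Placeholder: replace with the real JWKS URL of the Okta authorization server.
    jwksUri: https://OKTA-DOMAIN-PLACEHOLDER/oauth2/default/v1/keys
---
# Deny every request to this workload that has no authenticated request
# principal, i.e. that carries no valid JWT. Requests with an invalid token
# never reach this policy: RequestAuthentication already rejects them with 401.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: myapp-require-jwt-backend
  namespace: myapp
spec:
  selector:
    matchLabels:
      app: myapp-service-backend
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
```

With both resources applied, a request to myapp.com/backend/ with no Authorization header is answered 403 (RBAC: access denied) by the DENY policy, a request whose token has the wrong issuer or an invalid signature is answered 401 by the RequestAuthentication, and a request with a valid token reaches the service. The ALLOW form in the answer above behaves the same for the backend: a request principal has the form issuer/subject, so a requestPrincipals entry of https://oktapreview.com/* would admit any subject from that issuer, and because an ALLOW policy is present, everything that does not match it is denied. Two details from the question explain the earlier attempts: the selector istio: myapp-gateway matched no pods, since the ingress gateway pods carry the label istio: ingressgateway (the same label the Gateway resource selects on), and the VirtualService rewrites /backend/ to /, so any path condition added to a workload-level policy must use the rewritten path, not /backend/.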