Kubernetes istio JWT认证,用于入口网关后面的单个服务
我在AKS(v1.16.13)上运行了2个服务,并部署了以下istio(v1.7.3)配置。第一个是我调用OIDC流并获取JWT令牌的UI,第二个是需要有效JWT令牌的后端服务Kubernetes istio JWT认证,用于入口网关后面的单个服务,kubernetes,jwt,istio,Kubernetes,Jwt,Istio,我在AKS(v1.16.13)上运行了2个服务,并部署了以下istio(v1.7.3)配置。第一个是我调用OIDC流并获取JWT令牌的UI,第二个是需要有效JWT令牌的后端服务 apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: name: myapp-gateway namespace: "istio-system" spec: selector: istio: ingressg
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: myapp-gateway
namespace: "istio-system"
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- myapp.com
port:
name: http-myapp
number: 80
protocol: HTTP
tls:
httpsRedirect: true
- hosts:
- myapp.com
port:
name: https-myapp
number: 443
protocol: HTTPS
tls:
credentialName: myapp-credential
mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: myapp
namespace: myapp
spec:
gateways:
- istio-system/myapp-gateway
hosts:
- myapp.com
http:
- match:
- uri:
prefix: /ui
route:
- destination:
host: myapp-ui.myapp.svc.cluster.local
port:
number: 4200
- match:
- uri:
prefix: /backend/
rewrite:
uri: /
route:
- destination:
host: myapp-service-backend.myapp.svc.cluster.local
port:
number: 8080
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: myapp-jwt-backend
namespace: myapp
spec:
jwtRules:
- issuer: https://oktapreview.com
selector:
matchLabels:
app: myapp-service-backend
如果我调用myapp.com/backend的话,使用这个配置我会得到401,但事实并非如此。请求身份验证不起作用
在进一步研究()之后,我发现我不能在VirtualService上应用RequestAuthentication,而只能在网关上应用RequestAuthentication,这对我来说很奇怪,但还行。我已将RequestAuthentication更改为以下内容,但在调用后端后仍然没有任何更改:
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: myapp-jwt-backend
namespace: istio-system
spec:
jwtRules:
- issuer: https://oktapreview.com
selector:
matchLabels:
istio: myapp-gateway
你知道如何为我的用例设置istio吗?假设RequestAuthentication在网关上工作,我是否需要2个网关?1个用于UI,第二个用于后端?似乎有点过头了。多亏了sachin的评论,再看一遍文档,我意识到我需要在RequestAuthentication之上的授权策略:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: myapp-require-jwt-backend
spec:
action: ALLOW
rules:
- from:
- source:
requestPrincipals:
- https://xxx/*
selector:
matchLabels:
app: myapp-service-backend
请求身份验证只是确保当提供JWT令牌时,它必须是有效的。如果没有令牌,它将只通过请求。您可以对istio服务网格中的服务应用requestauth(网关验证不是必需的)。如果传入请求包含无效令牌,则会发生错误。如果没有身份验证令牌,默认情况下它会将请求传递到后端。若要更改该行为,请同时应用授权策略。非常感谢。糟糕的是,我应该更详细地阅读文档:。添加AuthorizationPolicy后,它现在可以工作。你想发布一个答案来获得奖励吗?我很高兴它有帮助。