ISTIO MIXER ADAPTER - Cannot make OPA adapter to work with the simplest example
I am trying to set up the OPA adapter in Istio with the simplest possible rule, denying everything by default:
---
apiVersion: "config.istio.io/v1alpha2"
kind: authorization
metadata:
  name: authz-instance
  namespace: istio-demo
spec:
  subject:
    user: source.uid | ""
  action:
    namespace: destination.namespace | "default"
    service: destination.service | ""
    method: request.method | ""
    path: request.path | ""
---
apiVersion: "config.istio.io/v1alpha2"
kind: opa
metadata:
  name: opa-handler
  namespace: istio-demo
spec:
  policy:
    - |+
      package mixerauthz
      default allow = false
  checkMethod: "data.mixerauthz.allow"
  failClose: true
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: authz-rule
  namespace: istio-demo
spec:
  match: "true"
  actions:
  - handler: opa-handler.opa.istio-demo
    instances:
    - authz-instance.authorization.istio-demo
When I apply it, Istio's policy component complains that it cannot find the handler:
istio-system/istio-policy-7f86484668-fc8lv[mixer]: 2019-08-12T15:58:21.798783Z info Built new config.Snapshot: id='9'
istio-system/istio-policy-7f86484668-fc8lv[mixer]: 2019-08-12T15:58:21.798819Z error 2 errors occurred:
istio-system/istio-policy-7f86484668-fc8lv[mixer]: * action='authz-rule.rule.istio-demo[0]': Handler not found: handler='opa-handler.opa.istio-demo'
istio-system/istio-policy-7f86484668-fc8lv[mixer]: * rule=authz-rule.rule.istio-demo: No valid actions found in rule
I tried applying it in the istio-system namespace as well, but I get the same problem.
Can someone help?
Thanks in advance.
Alternatively, you can try the OPA/Istio/Envoy integration to enforce the same kind of policy at the proxy layer.
I got this working with Istio 1.4 installed with the demo profile.
Policy checks also need to be enabled by running:
istioctl manifest apply --set values.global.disablePolicyChecks=false --set values.pilot.policy.enabled=true
Find the handler, authorization template and rule configuration below:
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: opa-handler
  namespace: istio-system
spec:
  compiledAdapter: opa
  params:
    policy:
      - |+
        package mixerauthz
        default allow = false
    checkMethod: "data.mixerauthz.allow"
    failClose: true
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: authz-instance
  namespace: istio-system
spec:
  compiledTemplate: authorization
  params:
    subject:
      user: source.uid | ""
    action:
      namespace: destination.namespace | "default"
      service: destination.service.host | ""
      path: request.path | ""
      method: request.method | ""
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: auth
  namespace: istio-system
spec:
  actions:
  - handler: opa-handler.handler.istio-system
    instances:
    - authz-instance.instance.istio-system
Then I receive a 403 from my web service (httpbin) with the message:
PERMISSION_DENIED:opa-handler.istio-system:opa: request was rejected, opa-handler.istio-system:opa: request was rejected
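The answer's policy denies everything, which is the right starting point but not a usable end state. The Rego below is an added example (not from the question, the answer, or the Istio project) that keeps the default deny and layers explicit allow rules on top, using only the fields the authorization instance above populates (input.subject.user from source.uid, and input.action.namespace/service/method/path). The identity string, path list and the source.uid naming convention are assumptions, marked in the comments; it drops into the handler's policy block in place of the two-line policy.

```rego
package mixerauthz

# Added example (not from the question or answer above): default-deny policy
# with explicit allow rules. Field names follow the authorization instance on
# this page: input.subject.user <- source.uid, and input.action.{namespace,
# service, method, path}. The allow-list values below are constructed.

# Anything not matched by an allow rule below is rejected. With failClose: true
# in the handler, an evaluation error is also treated as a denial.
default allow = false

# Unauthenticated health probes: read-only access to a fixed set of paths.
health_paths = {"/healthz", "/status/200"}

allow {
  input.action.method == "GET"
  health_paths[input.action.path]
}

# Callers in the same namespace as the destination may use read-only methods.
read_methods = {"GET", "HEAD"}

allow {
  read_methods[input.action.method]
  caller_namespace == input.action.namespace
}

# Assumption: a Kubernetes source.uid has the form "kubernetes://<pod>.<namespace>",
# so the namespace is the last dot-separated component. Undefined for other
# callers, which makes the same-namespace rule above fail closed for them.
caller_namespace = ns {
  startswith(input.subject.user, "kubernetes://")
  parts := split(input.subject.user, ".")
  ns := parts[count(parts) - 1]
}

# Explicit grant for one workload (constructed identity): it may POST to
# httpbin's /post endpoint, and nothing else beyond the rules above.
allow {
  input.subject.user == "kubernetes://sleep-example.istio-demo"
  input.action.method == "POST"
  input.action.path == "/post"
  startswith(input.action.service, "httpbin.")
}
```

Before loading it into the handler, the policy can be checked offline with the OPA CLI, e.g. `opa eval -d policy.rego -i input.json "data.mixerauthz.allow"` against a constructed input of the form {"subject": {"user": ...}, "action": {"namespace": ..., "service": ..., "method": ..., "path": ...}}, so that a typo does not turn into a silent deny-all (or allow-all) in the mesh.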