Istio AuthorizationPolicy with Wildcard

Does the authorization policy not support any wildcard pattern on paths?

I have the following endpoints:

/my-service/docs/active (GET)
/my-service/docs/<id>/activate/<bool> (PUT)

The first one returns all active documents, the second one activates/deactivates a specific document. I tried to set this up in an authorization policy, but because of the wildcard it seems to ignore this policy.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-service-private
  namespace: default
spec:
  action: DENY
  selector:
    matchLabels:
      app: my-service          # label key and value must be separated by a space
  rules:
    - from:
        - source:
            notNamespaces: [ "default" ]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/my-service/docs/active"]
        - operation:
            methods: ["PUT"]
            paths: ["/my-service/docs/*/activate/*"]

Is there any solution other than updating all my endpoints?

Thanks

As I mentioned in the comments

According to the istio documentation:

Rule

Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, operation and condition matches the request. An empty rule is always matched.

Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

  • Exact match: “abc” will match on value “abc”.
  • Prefix match: “abc*” will match on value “abc” and “abcd”.
  • Suffix match: “*abc” will match on value “abc” and “xabc”.
  • Presence match: “*” will match when value is not empty.

So the authorization policy does support wildcards, but I think the problem is the */activate/* path, because a path can only use a wildcard at the beginning, at the end, or as the whole string; a double wildcard does not work.

There is a related open github issue:
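To make the matching rules from the documentation concrete, here is an added example (not code from the question, the answer or the Istio project) that simulates the four documented match forms and evaluates the DENY policy from the question against a few constructed requests. It treats a pattern's interior `*` as a literal character, which is the example's reading of the documentation (no other form is listed), and it compares the original PUT rule with a plain prefix rule `/my-service/docs/*` as one way to get the request denied without touching the endpoints. The `Request`, `Operation` and `Rule` classes are this example's own simplification, not Istio types.

```python
"""Simulate Istio AuthorizationPolicy string matching and DENY evaluation.

Added example; not code from the page or from Istio itself. Request, Operation and
Rule are simplified stand-ins for the relevant parts of the policy API.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def istio_match(pattern: str, value: str) -> bool:
    """The four match forms listed in the Istio documentation.

    Presence: "*"     matches any non-empty value
    Suffix:   "*abc"  matches values ending in "abc"
    Prefix:   "abc*"  matches values starting with "abc"
    Exact:    "abc"   matches exactly "abc"
    A '*' anywhere else is not a wildcard; this example treats it as a literal
    character (assumption based on the documentation listing no other form).
    """
    if not value:
        return False                      # every form requires a non-empty value
    if pattern == "*":
        return True                       # presence
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])      # suffix
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])   # prefix; interior '*' stays literal
    return value == pattern               # exact


@dataclass
class Request:
    namespace: str   # namespace of the calling workload
    method: str
    path: str


@dataclass
class Operation:
    methods: List[str]
    paths: List[str]


@dataclass
class Rule:
    not_namespaces: List[str]   # from.source.notNamespaces
    operations: List[Operation]  # to[].operation


def rule_matches(rule: Rule, req: Request) -> bool:
    """A rule matches when the source matches AND at least one operation matches."""
    source_ok = req.namespace not in rule.not_namespaces
    operation_ok = any(
        req.method in op.methods and any(istio_match(p, req.path) for p in op.paths)
        for op in rule.operations
    )
    return source_ok and operation_ok


def is_denied(rules: List[Rule], req: Request) -> bool:
    """action: DENY denies the request if any rule matches it."""
    return any(rule_matches(r, req) for r in rules)


# The rules from the question: the PUT path has an interior '*', which is not a
# documented wildcard form.
ORIGINAL_RULES = [Rule(["default"], [
    Operation(["GET"], ["/my-service/docs/active"]),
    Operation(["PUT"], ["/my-service/docs/*/activate/*"]),
])]

# A prefix-based alternative that stays within the documented forms. It is broader
# (it denies every PUT under /my-service/docs/ from other namespaces); for a DENY
# policy that errs on the closed side.
PREFIX_RULES = [Rule(["default"], [
    Operation(["GET"], ["/my-service/docs/active"]),
    Operation(["PUT"], ["/my-service/docs/*"]),
])]

# Constructed sample traffic.
SAMPLE_REQUESTS = [
    Request("other-ns", "GET", "/my-service/docs/active"),
    Request("other-ns", "PUT", "/my-service/docs/42/activate/true"),
    Request("default", "PUT", "/my-service/docs/42/activate/true"),
]


def evaluate(rules: List[Rule]) -> Dict[Tuple[str, str, str], bool]:
    """Map (namespace, method, path) -> denied? for the sample requests."""
    return {(r.namespace, r.method, r.path): is_denied(rules, r) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("prefix", PREFIX_RULES)):
        print(name)
        for key, denied in evaluate(rules).items():
            print("  ", key, "DENIED" if denied else "allowed")
```

With the original rules, the cross-namespace GET is denied but the cross-namespace PUT to `/my-service/docs/42/activate/true` is allowed, because the pattern only matches paths that literally begin with `/my-service/docs/*/activate/`. With the prefix rule the PUT is denied, and the in-namespace request stays allowed in both cases because `notNamespaces` excludes it.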