How to make the ext_authz envoy filter work on the istio cluster?
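I'm trying to add the ext_authz filter to the istio ingress-gateway for request authentication. But when I add this filter to the cluster, it does not seem to be added to the Envoy config, i.e. it does not work.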
# EnvoyFilter: insert ext_authz as the first HTTP filter on the gateway listener
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
  namespace: istio-system
spec:
  filters:
  - insertPosition:
      index: FIRST
    listenerMatch:
      portNumber: 433  # has to match the port of the gateway listener
      listenerType: GATEWAY
      listenerProtocol: HTTP
    filterType: HTTP
    filterName: "envoy.ext_authz"
    filterConfig:
      http_service:
        server-uri:  # key as posted; Envoy's own name for this field is server_uri
          uri: http://auth.default.svc.cluster.local:8080
          cluster: outbound|8080||auth.default.svc.cluster.local
          timeout: 2s
---
# VirtualService: route /auth on the gateway to the auth service
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: auth-virtualservice
spec:
  hosts:
  - "*"
  gateways:
  - gateway.default.svc.cluster.local
  http:
  - match:
    - uri:
        prefix: "/auth"
    route:
    - destination:
        host: auth.default.svc.cluster.local
I figured it out, the problem was the old version of istio deployed on the cluster.
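One way to check whether the filter really reached the gateway's Envoy configuration, which is the symptom the question describes (an added example, not code from the original post): it reads a saved Envoy admin config dump and reports the HTTP filter order per listener port. The dump layout and the sample data are assumptions constructed for illustration; the default filter name is the one used in the question.

```python
import json

# Constructed sample shaped like an Envoy admin /config_dump response
# (layout is an assumption, trimmed to the fields this check reads).
SAMPLE_DUMP = json.loads("""
{"configs": [{"dynamic_listeners": [
  {"active_state": {"listener": {
    "address": {"socket_address": {"address": "0.0.0.0", "port_value": 443}},
    "filter_chains": [{"filters": [{
      "name": "envoy.http_connection_manager",
      "typed_config": {"http_filters": [
        {"name": "envoy.ext_authz"}, {"name": "envoy.router"}]}}]}]}}},
  {"active_state": {"listener": {
    "address": {"socket_address": {"address": "0.0.0.0", "port_value": 80}},
    "filter_chains": [{"filters": [{
      "name": "envoy.http_connection_manager",
      "config": {"http_filters": [{"name": "envoy.router"}]}}]}]}}}
]}]}
""")

def iter_listeners(node):
    """Yield every listener-shaped dict, wherever the dump nests it."""
    if isinstance(node, dict):
        if "filter_chains" in node and "address" in node:
            yield node
        else:
            for value in node.values():
                yield from iter_listeners(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_listeners(item)

def http_filters_by_port(dump):
    """Map listener port -> list of HTTP filter chains (names in order)."""
    result = {}
    for listener in iter_listeners(dump):
        port = listener["address"].get("socket_address", {}).get("port_value")
        for chain in listener["filter_chains"]:
            for net_filter in chain.get("filters", []):
                # Older dumps use "config", newer ones "typed_config".
                cfg = net_filter.get("typed_config") or net_filter.get("config") or {}
                if "http_filters" in cfg:
                    names = [f["name"] for f in cfg["http_filters"]]
                    result.setdefault(port, []).append(names)
    return result

def ext_authz_enforced(dump, port, name="envoy.ext_authz"):
    """True only if every HTTP filter chain on `port` runs `name` first."""
    chains = http_filters_by_port(dump).get(port, [])
    return bool(chains) and all(c and c[0] == name for c in chains)
```

A port with no matching listener returns False, so a `listenerMatch` that selects nothing shows up the same way as a filter that was never inserted.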