istio 从 ext-auth 中排除服务
istio exclude service from ext-auth
大家好,我已经在 minikube 上设置了 istio,并在网关上设置了 envoy ext-auth 过滤器。我在不同的 pods 中有两个微服务 运行,将虚拟服务 /auther 和 /appone 暴露给外界。我设置的 ext-auth 过滤器会将每个请求发送到 /auther/auth 进行身份验证,如果响应为 200,则让请求通过并到达它想要的其他服务。
问题是 istio 正在对所有端点甚至 /auther 的每个请求进行身份验证。我想排除发送到/auther 的请求以进行身份验证(因为 auther 服务将自行处理身份验证)。但它不起作用。
所以这是我的 ext-auth 过滤器:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: authn-filter
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.ext_authz
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz"
http_service:
server_uri:
uri: http://auther.default.svc.cluster.local
cluster: outbound|3000||auther.default.svc.cluster.local
timeout: 1.5s
path_prefix: /auther/auth?user=
authorizationRequest:
allowedHeaders:
patterns:
- exact: "cookie"
- exact: "authorization"
authorizationResponse:
allowedClientHeaders:
patterns:
- exact: "set-cookie"
- exact: "authorization"
这里是我试图实现的异常过滤器:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: bypass-filter
namespace: default
spec:
configPatches:
# The first patch adds the lua filter to the listener/http connection manager
- applyTo: HTTP_ROUTE
match:
context: GATEWAY
routeConfiguration:
vhost:
name: auther
route:
name: auther
patch:
operation: MERGE
value:
typed_per_filter_config:
envoy.ext_authz:
"@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute
disabled: true
第一个过滤器工作正常。但是第二个将从身份验证 ext-filter 中排除 auther 服务的方法不起作用。
您已将 @type 设置为 envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute,但正确的路径是 envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute。
此外,路由名称必须与虚拟服务中的名称相匹配。并且它必须作为您的 authn-filter 部署到 istio-system 命名空间。这个配置对我有用:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: bypass-authn
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: HTTP_ROUTE
match:
routeConfiguration:
vhost:
route:
name: my-route #from virtual service http route name
patch:
operation: MERGE
value:
name: envoy.ext_authz_disabled
typed_per_filter_config:
envoy.ext_authz:
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
disabled: true
大家好,我已经在 minikube 上设置了 istio,并在网关上设置了 envoy ext-auth 过滤器。我在不同的 pods 中有两个微服务 运行,将虚拟服务 /auther 和 /appone 暴露给外界。我设置的 ext-auth 过滤器会将每个请求发送到 /auther/auth 进行身份验证,如果响应为 200,则让请求通过并到达它想要的其他服务。 问题是 istio 正在对所有端点甚至 /auther 的每个请求进行身份验证。我想排除发送到/auther 的请求以进行身份验证(因为 auther 服务将自行处理身份验证)。但它不起作用。 所以这是我的 ext-auth 过滤器:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: authn-filter
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.ext_authz
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz"
http_service:
server_uri:
uri: http://auther.default.svc.cluster.local
cluster: outbound|3000||auther.default.svc.cluster.local
timeout: 1.5s
path_prefix: /auther/auth?user=
authorizationRequest:
allowedHeaders:
patterns:
- exact: "cookie"
- exact: "authorization"
authorizationResponse:
allowedClientHeaders:
patterns:
- exact: "set-cookie"
- exact: "authorization"
这里是我试图实现的异常过滤器:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: bypass-filter
namespace: default
spec:
configPatches:
# The first patch adds the lua filter to the listener/http connection manager
- applyTo: HTTP_ROUTE
match:
context: GATEWAY
routeConfiguration:
vhost:
name: auther
route:
name: auther
patch:
operation: MERGE
value:
typed_per_filter_config:
envoy.ext_authz:
"@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute
disabled: true
第一个过滤器工作正常。但是第二个将从身份验证 ext-filter 中排除 auther 服务的方法不起作用。
您已将 @type 设置为 envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute,但正确的路径是 envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute。
此外,路由名称必须与虚拟服务中的名称相匹配。并且它必须作为您的 authn-filter 部署到 istio-system 命名空间。这个配置对我有用:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: bypass-authn
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: HTTP_ROUTE
match:
routeConfiguration:
vhost:
route:
name: my-route #from virtual service http route name
patch:
operation: MERGE
value:
name: envoy.ext_authz_disabled
typed_per_filter_config:
envoy.ext_authz:
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
disabled: true