Istio 排除匹配不适用于没有 jwt 主体的 healthz api
Istio Exclusion matching not working for healthz api without jwt principal
我的 RequestAuthentication 是这个
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: testing-dev-authenticator
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
jwtRules:
- issuer: "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"
jwksUri: "https://securetoken.google.com/<project-name>"
我的授权策略是这样的
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: test-dev-authorizer-all-svc
namespace: dev
spec:
action: ALLOW
rules:
- from:
- source:
notRequestPrincipals: ["*"]
to:
- operation:
notPaths: ["/message/ping"]
我的要求是我不想让 jwt auth 签入 healthz(我的情况是 /message/ping),但我总是
上面的响应是“RBAC:访问被拒绝”
I wanted all the pods deployed in "dev" namespace to be authenticated except a healthcheck, path of it is path : ["/user/ping", "/message/ping"] but iam unable to give both at a time
我已经重现了你的问题,我认为它正在按照你希望的方式工作。
有我的 RequestAuthentication 和 AuthorizationPolicy yaml。
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: testing-dev-authenticator
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
jwtRules:
- issuer: "testing@secure.istio.io"
jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: require-jwt
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
action: ALLOW
rules:
- from:
- source:
requestPrincipals: ["*"]
to:
- operation:
paths: ["/productpage"]
- to:
- operation:
paths: ["/api/v1/products"]
您可以使用以下内容从 JWT 中排除路径(例如“/api/v1/products”),当“/productpage”需要 JWT 时,将拒绝所有没有令牌的请求。
如果您想排除多个路径,那么这应该可行:
paths: ["/api/v1/products","/login"]
所以在你的情况下会是
paths: ["/user/ping", "/message/ping"]
我已经在 bookinfo 应用程序上测试了以上配置。
有我用过的token
TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/demo.jwt -s)
测试:
api/v1/products
Without token
200
With token
200
------------------------------------------------------------------
/productpage
Without token
403
With token
200
您还提到您想在特定命名空间中执行此操作,那么您可以尝试使用这些 RequestAuthentication 和 AuthorizationPolicy yaml。
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: testing-dev-authenticator
namespace: dev
spec:
jwtRules:
- issuer: "testing@secure.istio.io"
jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: test-dev-only-authorized-api
namespace: dev
spec:
action: DENY
rules:
- from:
- source:
notRequestPrincipals: ["*"]
to:
- operation:
paths: ["/productpage"]
同样基于 bookinfo 申请。
测试:
api/v1/products
Without token
200
With token
200
------------------------------------------------------------------
/productpage
Without token
403
With token
200
其他资源:
我的 RequestAuthentication 是这个
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: testing-dev-authenticator
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
jwtRules:
- issuer: "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"
jwksUri: "https://securetoken.google.com/<project-name>"
我的授权策略是这样的
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: test-dev-authorizer-all-svc
namespace: dev
spec:
action: ALLOW
rules:
- from:
- source:
notRequestPrincipals: ["*"]
to:
- operation:
notPaths: ["/message/ping"]
我的要求是我不想让 jwt auth 签入 healthz(我的情况是 /message/ping),但我总是 上面的响应是“RBAC:访问被拒绝”
I wanted all the pods deployed in "dev" namespace to be authenticated except a healthcheck, path of it is path : ["/user/ping", "/message/ping"] but iam unable to give both at a time
我已经重现了你的问题,我认为它正在按照你希望的方式工作。
有我的 RequestAuthentication 和 AuthorizationPolicy yaml。
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: testing-dev-authenticator
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
jwtRules:
- issuer: "testing@secure.istio.io"
jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: require-jwt
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
action: ALLOW
rules:
- from:
- source:
requestPrincipals: ["*"]
to:
- operation:
paths: ["/productpage"]
- to:
- operation:
paths: ["/api/v1/products"]
您可以使用以下内容从 JWT 中排除路径(例如“/api/v1/products”),当“/productpage”需要 JWT 时,将拒绝所有没有令牌的请求。
如果您想排除多个路径,那么这应该可行:
paths: ["/api/v1/products","/login"]
所以在你的情况下会是
paths: ["/user/ping", "/message/ping"]
我已经在 bookinfo 应用程序上测试了以上配置。
有我用过的token
TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/demo.jwt -s)
测试:
api/v1/products
Without token
200
With token
200
------------------------------------------------------------------
/productpage
Without token
403
With token
200
您还提到您想在特定命名空间中执行此操作,那么您可以尝试使用这些 RequestAuthentication 和 AuthorizationPolicy yaml。
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: testing-dev-authenticator
namespace: dev
spec:
jwtRules:
- issuer: "testing@secure.istio.io"
jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: test-dev-only-authorized-api
namespace: dev
spec:
action: DENY
rules:
- from:
- source:
notRequestPrincipals: ["*"]
to:
- operation:
paths: ["/productpage"]
同样基于 bookinfo 申请。
测试:
api/v1/products
Without token
200
With token
200
------------------------------------------------------------------
/productpage
Without token
403
With token
200
其他资源: