如何为 tcp_proxy 过滤器添加外部授权?

How do I add external authorization to the tcp_proxy filter?

我使用 Envoy 以 TCP 方式代理了一项服务。我怎样才能为它添加 external authorization 呢? 以下是我的 envoy.yaml:

{
  "static_resources": {
    "listeners": [
      {
        "name": "listener_0",
        "address": {
          "socket_address": {
            "address": "0.0.0.0",
            "port_value": 10001
          }
        },
        "filter_chains": [
          {
            "filters": [
              {
                "name": "envoy.filters.network.tcp_proxy",
                "typed_config": {
                  "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
                  "stat_prefix": "downstream_cx_total",
                  "cluster": "service_j"
                }
              }
            ]
          }
        ]
      }
    ],
    "clusters": [
      {
        "name": "service_j",
        "connect_timeout": "30s",
        "type": "LOGICAL_DNS",
        "dns_lookup_family": "V4_ONLY",
        "load_assignment": {
          "cluster_name": "service_j",
          "endpoints": [
            {
              "lb_endpoints": [
                {
                  "endpoint": {
                    "address": {
                      "socket_address": {
                        "address": "jitsi",  
                        "port_value": 443  
                      }
                    }
                  }
                }
              ]
            }
          ]
        },
        "transport_socket": {
          "name": "envoy.transport_sockets.tls",
          "typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext"
          }
        }
      },
    ]
  }
}

您需要在 envoy.filters.network.tcp_proxy 之前将 envoy.filters.network.ext_authz 过滤器插入到过滤器链中,并设置一个 cluster 指向实际做出 Authz 决定的授权服务。过滤器链按列出的顺序执行,因此 ext_authz 必须位于 tcp_proxy 之前,授权检查才会在连接被代理之前进行。

envoy docs 中有一个很好的示例。