Istio authorization policy wildcard clarification

The official documentation (link) states:

Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, one operation and all conditions matches the request. An empty rule is always matched. Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

Exact match: “abc” will match on value “abc”.
Prefix match: “abc*” will match on value “abc” and “abcd”.
Suffix match: “*abc” will match on value “abc” and “xabc”.
Presence match: “*” will match when value is not empty.

Does this mean I can only apply * at the beginning or at the end, so paths like this will not work?

   - operation:
       methods: ["POST"]
       paths: ["/example-service/test/*/operation"]

It sounds like a limitation, isn't it?

Yes, a path like /example-service/test/*/operation is currently not supported.

You can only use a wildcard at the beginning, at the end, or as the whole string. You cannot use many wildcards within a string.

You can find the issue "Support regex for ServiceRole spec.rules.paths" on GitHub, but it is currently still open. The last comment there:

Is there any update for this feature? The support for /foo/id/*/bar would be a great plus.

Unfortunately, this kind of usage is not supported at the moment, but that may change in the future. See also this github issue and

For a possible workaround, see this github topic
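
The four match types from the quoted documentation, written out as an added example (not code from Istio or from the posts above). `MatchKind`, `Classify`, `Matches` and the `Unsupported` marker are names made up here; treating any other wildcard placement as an error is this example's choice for reviewing policy strings, not a statement of how Istio evaluates them.

```go
package main

import (
	"fmt"
	"strings"
)

// MatchKind is one of the four documented match types, or Unsupported
// (a marker added for this example, not an Istio concept).
type MatchKind string

const (
	Exact, Prefix, Suffix MatchKind = "exact", "prefix", "suffix"
	Presence, Unsupported MatchKind = "presence", "unsupported"
)

// Classify maps a rule string to its match type per the quoted documentation.
func Classify(p string) MatchKind {
	switch n := strings.Count(p, "*"); {
	case p == "*":
		return Presence
	case n == 0:
		return Exact
	case n == 1 && strings.HasSuffix(p, "*"):
		return Prefix
	case n == 1 && strings.HasPrefix(p, "*"):
		return Suffix
	}
	return Unsupported // wildcard in the middle, or more than one wildcard
}

// Matches evaluates value against p. Unsupported patterns return an error so
// they are caught in review instead of being assumed to behave like a glob.
func Matches(p, value string) (bool, error) {
	switch Classify(p) {
	case Presence:
		return value != "", nil
	case Prefix:
		return strings.HasPrefix(value, strings.TrimSuffix(p, "*")), nil
	case Suffix:
		return strings.HasSuffix(value, strings.TrimPrefix(p, "*")), nil
	case Exact:
		return value == p, nil
	}
	return false, fmt.Errorf("pattern %q: wildcard is only allowed at the start or the end", p)
}

func main() {
	fmt.Println(Classify("/example-service/test/*/operation")) // path from the question
}
```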