[英]Istio Service Mesh Security with AuthorizationPolicy & RequestAuthentication
使用 kyecloak 的身份驗證沒有按預期工作,它被用於 Istio vs Keycloak。 配置的 Istio 組件:Gateway、Virtualservice、AuthorizationPolicy、RequestAuthentication
使用有效令牌: 401 Jwt 發行者未配置
ISTIO 安全配置:
---
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: "jwt-example"
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
jwtRules:
- issuer: "http://localhost:30080/auth/realms/master"
jwksUri: "http://localhost:30080/auth/realms/master/protocol/openid-connect/certs"
forwardOriginalToken: true
outputPayloadToHeader: x-jwt-payload
EOF
---
kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
name: "frontend-ingress"
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
action: DENY
rules:
- from:
- source:
notRequestPrincipals: ["*"]
principalBinding: USE_ORIGIN
EOF
---
一旦沒有授權 Bearer
為了仔細檢查,我使用了 istio 的示例並工作:
kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "jwt-example"
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
jwtRules:
- issuer: "testing@secure.istio.io"
jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json"
EOF
kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
name: "frontend-ingress"
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
action: DENY
rules:
- from:
- source:
notRequestPrincipals: ["*"]
EOF
ISTIO GTW 和 VS:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: keycloak-gateway
namespace: default
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- '*'
port:
name: http
number: 80
protocol: HTTP
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: enterprise-vs
spec:
hosts:
- '*'
gateways:
- default/keycloak-gateway
http:
- match:
- uri:
prefix: '/enterprise/'
rewrite:
uri: /
fault:
delay:
fixedDelay: 1s
route:
- destination:
host: enterprise
port:
number: 8080
subset: enterprise-s1
weight: 90
- destination:
host: enterprise
port:
number: 8080
subset: enterprise-s2
weight: 10
我遇到了類似的問題。
JWT 令牌對發行者具有以下值:“iss”:“http://localhost:8080/auth/realms/dev”
我在我的 JwtRules 即 localhost 中匹配了相同的值。 但是我將 jwksUri 更改為集群 Keycloak 的 IP 地址。 這似乎奏效了。
jwt規則:
- issuer: 'http://localhost:8080/auth/realms/dev'
jwksUri: 'http://10.105.250.41:8080/auth/realms/dev/protocol/openid-connect/certs'
您可以檢查 ingressgateway 是否可以實際訪問您的 jwks_uri。 我猜你會得到 404,因為它在不同的集群上或在本地 docker 等上旋轉。 人。
kubectl exec -i -t -n istio-system YOUR_ISTIOINGRESS_GATEWAY_POD -c istio-proxy -- sh -c "clear; (bash || ash || sh)"
> curl -i http://YOUR_DOMAIN:YOUR_PORT/auth/realms/master/protocol/openid-connect/certs
HTTP/1.1 404 Not Found
date: Thu, 23 Dec 2021 16:11:17 GMT
server: istio-envoy
content-length: 0
我的本地測試解決方法是運行 ngrok 以公開在端口 8080 上運行的 keycloak。
npm install -g ngrok
ngrok http 8080
將jwksUri
中的 localhost 替換為對我有用的RequestAuthentication
資源中生成的 ngrok 域。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.