Istio Mixer adapter: cannot get the OPA adapter to work with the simplest example

Time: 2019-08-12 16:20:26

Tags: istio open-policy-agent

I am trying to set up the OPA adapter in Istio with the simplest possible rule, denying everything by default:

---
apiVersion: "config.istio.io/v1alpha2"
kind: authorization
metadata:
  name: authz-instance
  namespace: istio-demo
spec:
  subject:
    user: source.uid | ""
  action:
    namespace: destination.namespace | "default"
    service: destination.service | ""
    method: request.method | ""
    path: request.path | ""
---
apiVersion: "config.istio.io/v1alpha2"
kind: opa
metadata:
  name: opa-handler
  namespace: istio-demo
spec:
  policy:
    - |+
      package mixerauthz
      default allow = false
  checkMethod: "data.mixerauthz.allow"
  failClose: true
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: authz-rule
  namespace: istio-demo
spec:
  match: "true"
  actions:
  - handler: opa-handler.opa.istio-demo
    instances:
    - authz-instance.authorization.istio-demo

When I apply it, Istio policy complains that it cannot find the handler:

istio-system/istio-policy-7f86484668-fc8lv[mixer]: 2019-08-12T15:58:21.798783Z info Built new config.Snapshot: id='9'
istio-system/istio-policy-7f86484668-fc8lv[mixer]: 2019-08-12T15:58:21.798819Z error 2 errors occurred:
istio-system/istio-policy-7f86484668-fc8lv[mixer]: * action='authz-rule.rule.istio-demo[0]': Handler not found: handler='opa-handler.opa.istio-demo'
istio-system/istio-policy-7f86484668-fc8lv[mixer]: * rule=authz-rule.rule.istio-demo: No valid actions found in rule

I also tried applying it in another namespace, but I get the same problem.

Can anyone help here?

Thanks.

2 answers:

Answer 0 (score: 2)

I got this working with Istio 1.4 installed via the demo profile. Policy checks also need to be enabled by running the following command:

istioctl manifest apply --set values.global.disablePolicyChecks=false --set values.pilot.policy.enabled=true

The handler, authorization template and rule configuration are below:

apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: opa-handler
  namespace: istio-system
spec:
  compiledAdapter: opa
  params:
    policy:
      - |+
        package mixerauthz
        default allow = false
    checkMethod: "data.mixerauthz.allow"
    failClose: true

---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: authz-instance
  namespace: istio-system
spec:
  compiledTemplate: authorization
  params:
    subject:
      user: source.uid | ""
    action:
      namespace: destination.namespace | "default"
      service: destination.service.host | ""
      path: request.path | ""
      method: request.method | ""

---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: auth
  namespace: istio-system
spec:
  actions:
  - handler: opa-handler.handler.istio-system
    instances:
    - authz-instance.instance.istio-system

After that I got a 403 from the web service (httpbin) with the message

PERMISSION_DENIED:opa-handler.istio-system:opa: request was rejected, opa-handler.istio-system:opa: request was rejected
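As an added illustration (not part of either answer), the Rego policy below keeps the fail-closed `default allow = false` from the handler above but adds one narrowly scoped allow rule, with its own test cases so the policy can be checked offline with `opa test policy.rego` before it is loaded into the handler. It assumes the Mixer OPA adapter exposes the authorization instance's `subject` and `action` fields under `input`, and the service-account identity string and the httpbin service host are constructed sample values.

```rego
package mixerauthz

# Fail closed: any request not matched by an explicit allow rule below is
# rejected, which is what failClose: true in the handler relies on.
default allow = false

# Read-only endpoints of httpbin that the sleep workload may call.
allowed_paths := {"/headers", "/get"}

# Allow GET on the listed paths, but only when the caller identity
# (source.uid, assumed to arrive as input.subject.user) is a pod of the
# sleep workload in istio-system. Identity strings here are constructed.
allow {
    input.action.service == "httpbin.istio-system.svc.cluster.local"
    input.action.method == "GET"
    allowed_paths[input.action.path]
    startswith(input.subject.user, "kubernetes://sleep-")
    endswith(input.subject.user, ".istio-system")
}

# Test cases (constructed inputs); run with: opa test policy.rego
sleep_caller := {"subject": {"user": "kubernetes://sleep-5c9d7f8b5-abcde.istio-system"}}

test_get_headers_from_sleep_allowed {
    allow with input as object.union(sleep_caller, {"action": {
        "service": "httpbin.istio-system.svc.cluster.local",
        "method": "GET", "path": "/headers"}})
}

test_post_from_sleep_denied {
    not allow with input as object.union(sleep_caller, {"action": {
        "service": "httpbin.istio-system.svc.cluster.local",
        "method": "POST", "path": "/headers"}})
}

test_unknown_caller_denied {
    not allow with input as {
        "subject": {"user": "kubernetes://other-7d9f.default"},
        "action": {"service": "httpbin.istio-system.svc.cluster.local",
                   "method": "GET", "path": "/get"}}
}

test_empty_identity_denied {
    # source.uid | "" yields an empty user when the attribute is missing.
    not allow with input as {"subject": {"user": ""},
        "action": {"service": "httpbin.istio-system.svc.cluster.local",
                   "method": "GET", "path": "/get"}}
}
```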

Answer 1 (score: 1)

Alternatively, you can try the OPA/Istio/Envoy integration, which enforces the same kind of policy at the proxy layer.