使用JWT的Istio原始身份验证不起作用

时间:2019-01-11 05:48:49

标签: kubernetes jwt policy istio

我一直在使用JWT将身份验证策略应用于我的测试服务。我已遵循以下链接上的指南:https://istio.io/docs/tasks/security/authn-policy/#end-user-authentication。是的,它确实按预期工作。但是,当我尝试使用其他Pod图像时,即使几乎所有内容都相同,它也无法正常工作。有没有人面临这个问题?还是知道为什么我的案例不起作用?非常感谢你!

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hostname
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hostname
      version: v1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: hostname
        version: v1
    spec:
      containers:
      - image: rstarmer/hostname:v1
        imagePullPolicy: Always
        name: hostname
        resources: {}
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hostname
  name: hostname
spec:
  ports:
  - name: http
    port: 8001
    targetPort: 80
  selector:
    app: hostname
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: hostname-gateway
  namespace: foo
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
piVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: hostname-vs
  namespace: foo
spec:
  hosts:
  - "*"
  gateways:
  - hostname-gateway
  http:
  - route:
    - destination:
        port:
          number: 8001
        host: hostname.foo.svc.cluster.local
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example"
  namespace: foo
spec:
  targets:
  - name: hostname
  origins:
  - jwt:
      issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.0/security/tools/jwt/samples/jwks.json"
  principalBinding: USE_ORIGIN

1 个答案:

答案 0 :(得分:0)

如OP在Istio forums上所述,您需要遵守naming convention作为服务端口名称。
它可以是“ http” “ http2”

  

例如,这是有效的

apiVersion: v1
kind: Service
metadata:
  name: somename
  namespace: auth
spec:
  selector:
    app: someapp
  ports:
  - port: 80
    targetPort: 3000
    name: http

  

这不是

apiVersion: v1
kind: Service
metadata:
  name: somename
  namespace: auth
spec:
  selector:
    app: someapp
  ports:
  - port: 80
    targetPort: 3000

未指定端口名称无效。