Istio (1.2.2) - different paths on the same port with different policies

Time: 2019-08-06 18:20:21

Tags: istio

In one application I have 2 APIs served on different paths (same port):

  • /base
  • /base/jclient/remoting

I am trying to apply a standard JWT authentication policy to /base/jclient/remoting but not to /base.

I have set up a standard gateway and the following virtual service:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: jm-gateway-vs
spec:
  hosts:
  - "*"
  gateways:
  - jm-gateway
  http:
  - match:
    - uri:
        exact: /base/jclient/remoting
    route:
    - destination:
        host: jclient-remoting
        port:
          number: 8080
  - match:
    - uri:
        prefix: /base
    route:
    - destination:
        host: jm-cc-service
        port:
          number: 8080

The services are set up as...

---
apiVersion: v1
kind: Service
metadata:
  name: jm-cc-service
spec:
  ports:
  - port: 8080
    name: http-jm-cc-service
  selector:
    app: jm-cc-pod
---
apiVersion: v1
kind: Service
metadata:
  name: jclient-remoting
spec:
  ports:
  - port: 8080
    name: http-jclient-remoting
  selector:
    app: jm-cc-pod
---

Destination rules...

---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: jclient-remoting
spec:
  host: jclient-remoting
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: jm-cc-service
spec:
  host: jm-cc-service
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---

...and finally the policies...

---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: jclient-remoting
spec:
  targets:
  - name: jclient-remoting
  peers:
  - mtls: {}
  origins:
  - jwt:
      issuer: "https://xxx-jm.eu.auth0.com/"
      jwksUri: "https://xxx-jm.eu.auth0.com/.well-known/jwks.json"
  principalBinding: USE_ORIGIN
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: jm-cc-service
spec:
  targets:
  - name: jm-cc-service
  peers:
  - mtls: {}
---

Whatever I do, both paths give "Origin authentication failed". But I want /base/jclient/remoting to give "Origin authentication failed" and not the /base path?

Any ideas how to achieve this?

Many thanks.

1 answer:

Answer 0 (score: 1)

I was going about this the wrong way. Creating 2 services that hit the same pod makes no sense.

I only need 1 service. Then add trigger rules to the policy so that the policy only applies to a specific path.


Cheers
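The approach the answer describes (a single Service for the pod, and a JWT origin policy restricted to the remoting path with trigger rules), written out as an added example. This is not the answerer's own configuration; the gateway name, service and pod names, port and the auth0 issuer/jwksUri values are taken from the question, and the `trigger_rules` / `included_paths` fields are the ones defined in the authentication.istio.io/v1alpha1 Policy API (Istio 1.1 and later).

```yaml
# Added example: one Service, one VirtualService route, one DestinationRule,
# and one Policy whose JWT check only triggers on /base/jclient/remoting.
---
apiVersion: v1
kind: Service
metadata:
  name: jm-cc-service
spec:
  ports:
  - port: 8080
    # "http-" prefix tells the sidecar this is HTTP, so it can see the path
    name: http-jm-cc-service
  selector:
    app: jm-cc-pod
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: jm-gateway-vs
spec:
  hosts:
  - "*"
  gateways:
  - jm-gateway
  http:
  # Both paths now route to the same service; the policy, not the route,
  # decides which one needs a token.
  - match:
    - uri:
        prefix: /base
    route:
    - destination:
        host: jm-cc-service
        port:
          number: 8080
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: jm-cc-service
spec:
  host: jm-cc-service
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: jm-cc-service
spec:
  targets:
  - name: jm-cc-service
  peers:
  - mtls: {}
  origins:
  - jwt:
      issuer: "https://xxx-jm.eu.auth0.com/"
      jwksUri: "https://xxx-jm.eu.auth0.com/.well-known/jwks.json"
      # Only requests whose path matches a trigger rule must carry a
      # valid JWT; everything else under /base is passed through.
      trigger_rules:
      - included_paths:
        - exact: /base/jclient/remoting
  principalBinding: USE_ORIGIN
```

With this applied, a request to `/base/jclient/remoting` without a valid bearer token is rejected by the sidecar with 401 "Origin authentication failed", while `/base` answers without a token; checking both paths with and without a token (for example `curl -s -o /dev/null -w '%{http_code}'`) is the quickest way to confirm the rule is scoped as intended. If the remoting API also serves sub-paths (such as `/base/jclient/remoting/something`), use `prefix:` instead of `exact:` in the trigger rule, otherwise those sub-paths stay unauthenticated. The second Service, DestinationRule and Policy for `jclient-remoting` in the question are no longer needed.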