https://github.com/istio/istio/tree/master/mixer/adapter/opa I have deployed the bookinfo sample application and want to enforce policy through OPA. I set up this configuration:
```yaml
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: opa
  namespace: istio-system
spec:
  compiledAdapter: opa
  params:
    policy:
      - |+
        package mixerauthz
        default allow = false
    checkMethod: "data.mixerauthz.allow"
    failClose: true
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: authorization
  namespace: istio-system
spec:
  actions:
  - handler: opa.istio-system
    instances:
    - authzinstance.authorization
  selector: "true"
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: authzinstance
  namespace: istio-system
spec:
  template: authorization
  params:
    subject:
      user: source.uid | ""
    action:
      namespace: destination.namespace | "default"
      service: destination.service | ""
      method: request.method | ""
      path: request.path | ""
```
EOF
Here, in the handler, allow is false, so it should not show the user anything, but it has no effect at all (meaning nothing is enforced). The application still shows everything as before.
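Before looking for the cause elsewhere, one sanity check a practitioner would run is whether the three resources actually reference each other: the rule's `handler` must resolve to a handler as `name.namespace`, each entry in `instances` to an instance as `name.template`, and the handler's `checkMethod` must name a rule that the embedded Rego policy's package really defines. The script below is an added example, not code from the question or from Istio; it transcribes the configuration above as Python dicts (a constructed copy, so no YAML library is needed) and reports any wiring mismatches.

```python
import re

# Constructed transcription of the question's three Mixer resources (handler, rule,
# instance) as Python dicts, so the check runs without a YAML library.
DOCS = [
    {"kind": "handler", "metadata": {"name": "opa", "namespace": "istio-system"},
     "spec": {"compiledAdapter": "opa", "params": {
         "policy": ["package mixerauthz\ndefault allow = false\n"],
         "checkMethod": "data.mixerauthz.allow", "failClose": True}}},
    {"kind": "rule", "metadata": {"name": "authorization", "namespace": "istio-system"},
     "spec": {"actions": [{"handler": "opa.istio-system",
                           "instances": ["authzinstance.authorization"]}],
              "selector": "true"}},
    {"kind": "instance", "metadata": {"name": "authzinstance", "namespace": "istio-system"},
     "spec": {"template": "authorization"}},
]

# Matches the head of a Rego rule: "allow = ...", "allow { ...", "allow[x] {", "default allow = ..."
RULE_RE = re.compile(r"^\s*(?:default\s+)?([A-Za-z_]\w*)\s*(?:=|:=|\{|\[)", re.M)

def lint(docs):
    """Return a list of wiring problems; an empty list means all references line up."""
    problems, kinds = [], {}
    for d in docs:
        kinds.setdefault(d["kind"], []).append(d)
    handlers = {f'{d["metadata"]["name"]}.{d["metadata"]["namespace"]}' for d in kinds.get("handler", [])}
    instances = {f'{d["metadata"]["name"]}.{d["spec"]["template"]}' for d in kinds.get("instance", [])}
    for h in kinds.get("handler", []):
        p = h["spec"]["params"]
        rego = "\n".join(p.get("policy", []))
        pkg = re.search(r"^\s*package\s+(\S+)", rego, re.M)
        cm = p.get("checkMethod", "")
        if not pkg:
            problems.append("handler: policy has no package declaration")
        else:
            prefix = f"data.{pkg.group(1)}."
            if not cm.startswith(prefix):
                problems.append(f"handler: checkMethod {cm!r} does not point into package {pkg.group(1)!r}")
            elif cm[len(prefix):] not in set(RULE_RE.findall(rego)):
                problems.append(f"handler: checkMethod {cm!r} names a rule the policy does not define")
        if p.get("failClose") is not True:
            problems.append("handler: failClose is not true, so adapter errors would fail open")
    for r in kinds.get("rule", []):
        for a in r["spec"]["actions"]:
            if a["handler"] not in handlers:
                problems.append(f"rule: handler {a['handler']!r} matches no handler (name.namespace)")
            for i in a.get("instances", []):
                if i not in instances:
                    problems.append(f"rule: instance {i!r} matches no instance (name.template)")
    return problems

if __name__ == "__main__":
    print(lint(DOCS) or "references consistent")
```

For the configuration in the question the check returns no problems, so the wiring itself is not what is stopping enforcement and the investigation has to move to whether Mixer policy checks are enabled and whether the rule is matched at all.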