How to deploy the OPA (Open Policy Agent) adapter on a Minikube cluster (local)

Time: 2019-11-26 07:48:15

Tags: adapter istio opa

https://github.com/istio/istio/tree/master/mixer/adapter/opa I have deployed the bookinfo sample application and want to enforce policies through OPA. I set this configuration:

apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: opa
  namespace: istio-system
spec:
  compiledAdapter: opa
  params:
    policy:
      - |+
        package mixerauthz
        default allow = false
    checkMethod: "data.mixerauthz.allow"
    failClose: true
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: authorization
  namespace: istio-system
spec:
  actions:
  - handler: opa.istio-system
    instances:
    - authzinstance.authorization
  selector: "true"
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: authzinstance
  namespace: istio-system
spec:
  template: authorization
  params:
    subject:
      user: source.uid | ""
    action:
      namespace: destination.namespace | "default"
      service: destination.service | ""
      method: request.method | ""
      path: request.path | ""

Here, in the handler, allow is false, so it should show nothing to the user, but it is not affecting anything (meaning nothing is enforced). The application still shows everything as before.
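As an added example (not from the question or from the Istio adapter itself): the handler's inline policy extended from deny-everything to a small allowlist, with unit tests that prove the check method returns false for unmatched requests. It assumes the adapter passes the authorization instance to OPA as input.subject and input.action (an assumption, since the question does not show the adapter's input shape).

```rego
package mixerauthz

# Added example, not the question's handler config. Assumed input shape:
# the Mixer OPA adapter is assumed to expose the authorization instance
# as input.subject.{user} and input.action.{namespace,service,method,path}.

# Deny by default: any request not matched by an allow rule is rejected
# once Mixer actually calls the check method data.mixerauthz.allow.
default allow = false

# Anonymous read access to the bookinfo front page only.
allow {
    input.action.method == "GET"
    input.action.path == "/productpage"
}

# In-mesh callers (source.uid is set by Mixer for sidecar traffic) may read any path.
allow {
    input.action.method == "GET"
    startswith(input.subject.user, "kubernetes://")
}

# Unit tests: run `opa test policy.rego -v` before pasting the policy into
# the handler, so a policy mistake is caught outside the mesh.
test_anonymous_productpage_allowed {
    allow with input as {"subject": {"user": ""},
                         "action": {"method": "GET", "path": "/productpage"}}
}

test_anonymous_other_path_denied {
    not allow with input as {"subject": {"user": ""},
                             "action": {"method": "GET", "path": "/reviews/0"}}
}

test_mesh_caller_post_denied {
    not allow with input as {"subject": {"user": "kubernetes://productpage-v1-abc.default"},
                             "action": {"method": "POST", "path": "/reviews/0"}}
}
```

If the tests pass but bookinfo stays fully reachable, the policy is not where to look: Istio 1.1 and later install with Mixer policy checks disabled (global.disablePolicyChecks=true), in which case no check handler runs at all, which matches the symptom described.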

0 answers:

No answers