入口网关背后的单一服务的istio JWT身份验证

时间:2020-11-11 22:19:20

标签: kubernetes jwt istio

我在AKS(v1.16.13)上运行了2个服务,并部署了以下istio(v1.7.3)配置。第一个是我在其中调用OIDC流并获取JWT令牌的UI,第二个是应要求有效JWT令牌的后端服务。

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: myapp-gateway
  namespace: "istio-system"
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - myapp.com
    port:
      name: http-myapp
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - myapp.com
    port:
      name: https-myapp
      number: 443
      protocol: HTTPS
    tls:
      credentialName: myapp-credential
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp
  namespace: myapp
spec:
  gateways:
  - istio-system/myapp-gateway
  hosts:
  - myapp.com
  http:
  - match:
    - uri:
        prefix: /ui
    route:
    - destination:
        host: myapp-ui.myapp.svc.cluster.local
        port:
          number: 4200
  - match:
    - uri:
        prefix: /backend/
    rewrite:
      uri: /
    route:
    - destination:
        host: myapp-service-backend.myapp.svc.cluster.local
        port:
          number: 8080
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: myapp-jwt-backend
  namespace: myapp
spec:
  jwtRules:
  - issuer: https://oktapreview.com
  selector:
    matchLabels:
      app: myapp-service-backend

使用该配置,如果我调用 myapp.com/backend ,我希望得到401,但事实并非如此。请求身份验证未生效。

经过进一步研究(https://discuss.istio.io/t/cannot-use-jwt-policy-with-an-externalname-virtualservice-target/2794/3),我发现我无法在VirtualService上应用RequestAuthentication,而只能在网关上应用,这对我来说很奇怪,但是还可以。我已将RequestAuthentication更改为以下内容,但调用后端后仍未更改:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: myapp-jwt-backend
  namespace: istio-system
spec:
  jwtRules:
  - issuer: https://oktapreview.com
  selector:
    matchLabels:
      istio: myapp-gateway

您知道如何为用例设置istio吗?假设RequestAuthentication可以在网关上工作,我是否需要2个网关? 1个用于UI,第二个用于后端?似乎是一种过度杀伤力。

1 个答案:

答案 0 :(得分:2)

感谢sachin的评论,并再次浏览了文档,使我意识到我需要在RequestAuthentication之上使用AuthorizationPolicy:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:    
  name: myapp-require-jwt-backend
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals:
        - https://xxx/*
  selector:
    matchLabels:
      app: myapp-service-backend

请求身份验证仅确保提供JWT令牌时,它必须是有效的令牌。如果没有令牌,它将直接通过请求。

相关问题
最新问题