istio AuthorizationPolicy deny rule question
Problem description
I defined the following first policy to deny all requests to workload1 in namespace foo unless they come from workload2 or workload3. I get `RBAC: access denied` when trying to access workload1 from workload2. But when I rewrote them as the ALLOW policy shown below, access from workload2 to workload1 succeeded.

I wonder why that is, as the two rules should be equivalent (taken from https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule, where fields in the source are ANDed together).
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: foo
spec:
  selector:
    matchLabels:
      app: workload1
  action: DENY
  rules:
  - from:
    - source:
        notPrincipals: ["cluster.local/ns/foo/sa/workload2"]
    - source:
        notPrincipals: ["cluster.local/ns/foo/sa/workload3"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: foo
spec:
  selector:
    matchLabels:
      app: workload1
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/workload2"]
    - source:
        principals: ["cluster.local/ns/foo/sa/workload3"]
```
Recommended answer
```yaml
rules:
- from:
  - source:
      principals: ["cluster.local/ns/foo/sa/workload2","cluster.local/ns/foo/sa/workload3"]
```

instead of this:

```yaml
rules:
- from:
  - source:
      notPrincipals: ["cluster.local/ns/foo/sa/workload2"]
  - source:
      notPrincipals: ["cluster.local/ns/foo/sa/workload3"]
```

```yaml
rules:
- from:
  - source:
      principals: ["cluster.local/ns/foo/sa/workload2"]
  - source:
      principals: ["cluster.local/ns/foo/sa/workload3"]
```
Test results:

```
DENY  -> notPrincipals[workload2,workload3] -> workload2 -> 200, workload3 -> 200
DENY  -> principals[workload2,workload3]    -> workload2 -> 403, workload3 -> 403
ALLOW -> notPrincipals[workload2,workload3] -> workload2 -> 403, workload3 -> 403
ALLOW -> principals[workload2,workload3]    -> workload2 -> 200, workload3 -> 200
```
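The reason the two forms differ is that Istio ORs the entries of a `from` list and ANDs only the fields inside a single `source`. Two separate `source` blocks with `notPrincipals: [workload2]` and `notPrincipals: [workload3]` therefore match every caller (any principal is absent from at least one of the two lists), and a DENY policy that matches every caller rejects workload2 as well; putting both principals in one list makes the single `source` match only callers that are in neither. The script below is an added example, not code from the question, the answer or the Istio project: it models that AND/OR structure and Istio's DENY-before-ALLOW ordering in a few lines of Python and reproduces the answer's 200/403 table, plus the result for a constructed third caller that appears in neither list. The principal names are the ones from the question; `make_policy`, `decide`, `results` and the `other` service account are assumptions of this example, and only `principals`/`notPrincipals` are modelled (no `to`, `when` or namespace-wide policies).

```python
# Added example: a minimal model of how Istio evaluates AuthorizationPolicy
# `from`/`source` blocks.  The AND/OR structure and the DENY-before-ALLOW
# order follow the Istio reference docs; everything else (only principals
# are modelled, no `to`/`when`, one policy per workload) is a simplification.

W2 = "cluster.local/ns/foo/sa/workload2"
W3 = "cluster.local/ns/foo/sa/workload3"
OTHER = "cluster.local/ns/foo/sa/other"  # constructed caller in neither list


def source_matches(source: dict, principal: str) -> bool:
    """Fields inside one `source` are ANDed; values inside one field are ORed;
    a `not*` field negates its match."""
    if "principals" in source and principal not in source["principals"]:
        return False
    if "notPrincipals" in source and principal in source["notPrincipals"]:
        return False
    return True


def rule_matches(rule: dict, principal: str) -> bool:
    """Entries of a `from` list are ORed; a rule without `from` matches any caller."""
    sources = [entry["source"] for entry in rule.get("from", [])]
    return not sources or any(source_matches(s, principal) for s in sources)


def policy_matches(policy: dict, principal: str) -> bool:
    """Rules inside one policy are ORed."""
    return any(rule_matches(r, principal) for r in policy.get("rules", []))


def decide(policies: list, principal: str) -> int:
    """HTTP status the sidecar would return: DENY policies are checked first;
    then, if any ALLOW policy targets the workload, some ALLOW rule must match."""
    deny = [p for p in policies if p.get("action", "ALLOW") == "DENY"]
    allow = [p for p in policies if p.get("action", "ALLOW") == "ALLOW"]
    if any(policy_matches(p, principal) for p in deny):
        return 403
    if allow and not any(policy_matches(p, principal) for p in allow):
        return 403
    return 200


def make_policy(action: str, field: str, sources: list) -> dict:
    """Build a policy dict with one rule and one `source` per inner list.
    make_policy("DENY", "notPrincipals", [[W2], [W3]]) is the question's first
    policy; make_policy("DENY", "notPrincipals", [[W2, W3]]) is the answer's fix."""
    return {
        "action": action,
        "rules": [{"from": [{"source": {field: list(p)}} for p in sources]}],
    }


def results(policy: dict) -> dict:
    """Status per caller for a workload that has only this one policy attached."""
    callers = {"workload2": W2, "workload3": W3, "other": OTHER}
    return {name: decide([policy], principal) for name, principal in callers.items()}


if __name__ == "__main__":
    variants = [
        ("question: DENY,  two sources, notPrincipals", make_policy("DENY", "notPrincipals", [[W2], [W3]])),
        ("answer:   DENY,  one source,  notPrincipals", make_policy("DENY", "notPrincipals", [[W2, W3]])),
        ("answer:   DENY,  one source,  principals   ", make_policy("DENY", "principals", [[W2, W3]])),
        ("answer:   ALLOW, one source,  notPrincipals", make_policy("ALLOW", "notPrincipals", [[W2, W3]])),
        ("answer:   ALLOW, one source,  principals   ", make_policy("ALLOW", "principals", [[W2, W3]])),
    ]
    for label, policy in variants:
        print(f"{label}: {results(policy)}")
```

Running it prints the question's DENY variant as 403 for every caller, which is the `RBAC: access denied` the asker saw, and the four single-source variants exactly as in the answer's table; the `other` column shows that the ALLOW form with `principals` and the DENY form with `notPrincipals` are the two that actually restrict workload1 to the two intended callers.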