使用JWT的Istio原始身份验证不起作用 [英] Istio Origin Authentication Using JWT does not work

问题描述

我一直在使用JWT将身份验证策略应用于我的测试服务.我遵循了本指南，它确实起作用了如预期的那样.但是，当我尝试使用其他Pod图像时，即使几乎所有内容都相同，它也无法正常工作.

I’ve been applying Authentication Policy to my testing service using JWT. I have followed this guide and it did work as expected. But, when I tried to using a different pod image, it did not work even though almost everything is the same.

有人遇到这个问题吗?还是知道在我的情况下它不起作用的原因?

Is there anyone facing this issue? or know the reason why it did not work in my case?

非常感谢您！

这些是我的配置文件:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hostname
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hostname
      version: v1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: hostname
        version: v1
    spec:
      containers:
      - image: rstarmer/hostname:v1
        imagePullPolicy: Always
        name: hostname
        resources: {}
      restartPolicy: Always

服务

---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hostname
  name: hostname
spec:
  ports:
  - name: http
    port: 8001
    targetPort: 80
  selector:
    app: hostname

网关

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: hostname-gateway
  namespace: foo
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

VirtualService

---
piVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: hostname-vs
  namespace: foo
spec:
  hosts:
  - "*"
  gateways:
  - hostname-gateway
  http:
  - route:
    - destination:
        port:
          number: 8001
        host: hostname.foo.svc.cluster.local

政策

---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example"
  namespace: foo
spec:
  targets:
  - name: hostname
  origins:
  - jwt:
      issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.0/security/tools/jwt/samples/jwks.json"
  principalBinding: USE_ORIGIN

推荐答案

如OP在命名约定用于服务的端口名称.
它可以是"http" 或"http2" .

As stated by OP on the Istio forums you need to respect the naming convention for the port name of your service.
It can either be "http" or "http2".

例如，这是有效的

For instance this is valid

apiVersion: v1
kind: Service
metadata:
  name: somename
  namespace: auth
spec:
  selector:
    app: someapp
  ports:
  - port: 80
    targetPort: 3000
    name: http

---

这不是

apiVersion: v1
kind: Service
metadata:
  name: somename
  namespace: auth
spec:
  selector:
    app: someapp
  ports:
  - port: 80
    targetPort: 3000

未指定端口名称无效.

这篇关于使用JWT的Istio原始身份验证不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！