istio AuthorizationPolicy deny rule question


Question

I defined the first policy below to deny all requests to workload1 in namespace foo unless they come from workload2 or workload3. I get `RBAC: access denied` when trying to access workload1 from workload2. But when I rewrote it as the ALLOW policy shown below, the access from workload2 to workload1 succeeded.

I wonder why that is, as the two rules should be equivalent (taken from https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule, where fields in the source are ANDed together).

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: foo
spec:
  selector:
    matchLabels:
      app: workload1
  action: DENY
  rules:
  - from:
    - source:
        notPrincipals: ["cluster.local/ns/foo/sa/workload2"]
    - source:
        notPrincipals: ["cluster.local/ns/foo/sa/workload3"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: foo
spec:
  selector:
    matchLabels:
      app: workload1
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/workload2"]
    - source:
        principals: ["cluster.local/ns/foo/sa/workload3"]

Recommended answer

According to the Istio documentation:

Istio Authorization Policy enables access control on workloads in the mesh.

Authorization policy supports both allow and deny policies. When allow and deny policies are used for a workload at the same time, the deny policies are evaluated first. The evaluation is determined by the following rules:

  • If there are any DENY policies that match the request, deny the request.
  • If there are no ALLOW policies for the workload, allow the request.
  • If any of the ALLOW policies match the request, allow the request.
  • Deny the request.

So, since deny policies are evaluated first, your request could have been first denied and then allowed again. That's why your access from workload2 to workload1 succeeded after you added the allow policy.

My question was: it seems that the two AuthorizationPolicies are the same, and I wanted to validate that, as I get different behavior.

Yes, they are the same; if you delete one of the sources it's going to work as desired.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: foo
spec:
  selector:
    matchLabels:
      app: workload1
  action: DENY
  rules:
  - from:
    - source:
        notPrincipals: ["cluster.local/ns/foo/sa/workload2"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: foo
spec:
  selector:
    matchLabels:
      app: workload1
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/workload2"]

Test results:

DENY  -> notPrincipals[workload2]     ->      workload2 -> 200, workload3 -> 403
DENY  -> principals[workload2]        ->      workload2 -> 403, workload3 -> 200

ALLOW -> notPrincipals[workload2]     ->      workload2 -> 403, workload3 -> 200
ALLOW -> principals[workload2]        ->      workload2 -> 200, workload3 -> 403


If you want to add 2 sources, workload2 and workload3, then use 1 source with a few principals.

Use this:

  rules:
  - from:
    - source:
        notPrincipals: ["cluster.local/ns/foo/sa/workload2","cluster.local/ns/foo/sa/workload3"]

  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/workload2","cluster.local/ns/foo/sa/workload3"]

Instead of this:

  rules:
  - from:
    - source:
        notPrincipals: ["cluster.local/ns/foo/sa/workload2"]
    - source:
        notPrincipals: ["cluster.local/ns/foo/sa/workload3"]

  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/workload2"]
    - source:
        principals: ["cluster.local/ns/foo/sa/workload3"]

Test results:

DENY  -> notPrincipals[workload2,workload3]     ->      workload2 -> 200, workload3 -> 200
DENY  -> principals[workload2,workload3]        ->      workload2 -> 403, workload3 -> 403

ALLOW -> notPrincipals[workload2,workload3]     ->      workload2 -> 403, workload3 -> 403
ALLOW -> principals[workload2,workload3]        ->      workload2 -> 200, workload3 -> 200
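The following Python evaluator is an added example; it is not code from the question, the answer, or Istio itself. It models the matching semantics from the linked Istio reference (fields inside one `source` are ANDed, the `source` entries under a `from` are ORed, the `rules` entries are ORed, and `notPrincipals` is the negation of `principals`) together with the four-step DENY/ALLOW evaluation order quoted in the answer, and reproduces both test-result tables above. It also shows why the two-`source` DENY policy from the question denies workload2: because the sources are ORed, "not workload2 OR not workload3" is true for every caller, so that policy denies everyone. Policies are plain dicts shaped like the YAML `spec`; only the `principals`/`notPrincipals` fields are modeled, and the identity `cluster.local/ns/foo/sa/other` is a constructed principal that appears in neither policy.

```python
# Added example: toy evaluator for Istio AuthorizationPolicy matching
# semantics.  Not the question's, the answer's, or Istio's own code; it
# models only the `principals`/`notPrincipals` source fields plus the
# documented DENY-before-ALLOW evaluation order.

# Principals from the question (Istio's SPIFFE-style service identities).
WL2 = "cluster.local/ns/foo/sa/workload2"
WL3 = "cluster.local/ns/foo/sa/workload3"
# Constructed identity that is named in none of the policies.
OTHER = "cluster.local/ns/foo/sa/other"


def source_matches(source: dict, principal: str) -> bool:
    """Fields inside one `source` are ANDed; `notPrincipals` negates `principals`."""
    if "principals" in source and principal not in source["principals"]:
        return False
    if "notPrincipals" in source and principal in source["notPrincipals"]:
        return False
    return True


def rule_matches(rule: dict, principal: str) -> bool:
    """The entries of `from` are ORed: a rule with two `source` entries matches
    when either one matches.  A rule without `from` matches any source."""
    froms = rule.get("from")
    if not froms:
        return True
    return any(source_matches(f["source"], principal) for f in froms)


def policy_matches(policy: dict, principal: str) -> bool:
    """The entries of `rules` are ORed; a policy with no rules matches nothing."""
    return any(rule_matches(r, principal) for r in policy["spec"].get("rules", []))


def evaluate(policies: list, principal: str) -> int:
    """Combine the policies applied to one workload in the documented order.
    Returns 200 for allowed and 403 for denied, as in the answer's tables."""
    denies = [p for p in policies if p["spec"].get("action", "ALLOW") == "DENY"]
    allows = [p for p in policies if p["spec"].get("action", "ALLOW") == "ALLOW"]
    if any(policy_matches(p, principal) for p in denies):
        return 403  # 1. a matching DENY policy denies the request
    if not allows:
        return 200  # 2. no ALLOW policy applies to the workload: allow
    if any(policy_matches(p, principal) for p in allows):
        return 200  # 3. a matching ALLOW policy allows the request
    return 403      # 4. otherwise deny


def policy(action: str, sources: list) -> dict:
    """Build a policy shaped like those in the question: one rule, one `from`
    list, and one `source` entry per dict in `sources`."""
    return {"spec": {"action": action,
                     "rules": [{"from": [{"source": s} for s in sources]}]}}


def results(action: str, sources: list) -> dict:
    """One row of the answer's tables: the status workload2 and workload3 get."""
    p = policy(action, sources)
    return {"workload2": evaluate([p], WL2), "workload3": evaluate([p], WL3)}


if __name__ == "__main__":
    rows = [
        # The question's two policies: one `source` per principal.
        ("DENY", [{"notPrincipals": [WL2]}, {"notPrincipals": [WL3]}]),
        ("ALLOW", [{"principals": [WL2]}, {"principals": [WL3]}]),
        # The answer's fix: one `source` listing both principals.
        ("DENY", [{"notPrincipals": [WL2, WL3]}]),
        ("ALLOW", [{"principals": [WL2, WL3]}]),
    ]
    for action, sources in rows:
        print(f"{action:5} {sources} -> {results(action, sources)}")
```

Running it prints 403 for both workloads under the question's two-source DENY policy and 200 for both under the single-source `notPrincipals: [workload2, workload3]` form, while the constructed `other` identity still gets 403 from that DENY policy, which is the behaviour the question was after.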
