Istio AuthorizationPolicy with Wildcard


Problem description

Does AuthorizationPolicy not support any wildcard pattern on paths?

I have the following endpoints:

/my-service/docs/active (GET)
/my-service/docs/<id>/activate/<bool> (PUT)

The first one will get all active docs, and the second will activate/deactivate the specific doc. I've tried to set it on the AuthorizationPolicy and it seems to ignore this policy due to the wildcard.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-service-private
  namespace: default
spec:
  action: DENY
  selector:
    matchLabels:
      app: my-service
  rules:
    - from:
        - source:
            notNamespaces: [ "default" ]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/my-service/docs/active"]
        - operation:
            methods: ["PUT"]
            paths: ["/my-service/docs/*/activate/*"]

Is there any different solution here except updating all my endpoints?

10x

Recommended answer

As I mentioned in the comments, according to the Istio documentation:

Rule

Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, operation and condition matches the request. An empty rule is always matched.

Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

  • Exact match: "abc" will match on value "abc".
  • Prefix match: "abc*" will match on value "abc" and "abcd".
  • Suffix match: "*abc" will match on value "abc" and "xabc".
  • Presence match: "*" will match when the value is not empty.

So AuthorizationPolicy does support wildcards, but I think the issue is with the */activate/* path, because paths can use wildcards only at the start, at the end, or as the whole string; a double wildcard just doesn't work.

There are related open GitHub issues about that:
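To see why the PUT rule in the question's policy never fires, it helps to run the four match modes the Istio reference lists (exact, prefix, suffix, presence) against the actual request paths. The script below is an added example, not code from the question, the answer or the Istio project: it is a small Python model of that string matching, plus a DENY-rule evaluator that mirrors the `notNamespaces`/`methods`/`paths` fields used in the question. The modelled behaviour (only a leading or trailing `*` is special, anything else is a literal character) is taken from the documentation quoted above; the request samples are constructed for the demonstration.

```python
"""Model of AuthorizationPolicy string matching for `paths`, `methods` and namespaces.

Added example. Assumption: a '*' is only special at the very start or very end of a
pattern (or as the whole pattern); a '*' in the middle is matched literally, which is
why "/my-service/docs/*/activate/*" never matches a real request path.
"""
from dataclasses import dataclass, field
from typing import List


def istio_string_match(pattern: str, value: str) -> bool:
    """Exact / prefix / suffix / presence matching as listed in the Istio reference."""
    if pattern == "*":
        return value != ""                       # presence: any non-empty value
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])       # suffix match, e.g. "*abc"
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])    # prefix match, e.g. "abc*"
    return value == pattern                      # exact match


@dataclass
class Operation:
    methods: List[str] = field(default_factory=list)
    paths: List[str] = field(default_factory=list)

    def matches(self, method: str, path: str) -> bool:
        """An operation matches when some listed method AND some listed path match."""
        return (any(istio_string_match(m, method) for m in self.methods)
                and any(istio_string_match(p, path) for p in self.paths))


@dataclass
class DenyRule:
    not_namespaces: List[str]
    operations: List[Operation]

    def denies(self, source_ns: str, method: str, path: str) -> bool:
        """DENY applies when the source is outside notNamespaces AND an operation matches."""
        source_matches = source_ns not in self.not_namespaces
        return source_matches and any(op.matches(method, path) for op in self.operations)


# The rule from the question's policy, transcribed field by field.
QUESTION_RULE = DenyRule(
    not_namespaces=["default"],
    operations=[
        Operation(methods=["GET"], paths=["/my-service/docs/active"]),
        Operation(methods=["PUT"], paths=["/my-service/docs/*/activate/*"]),
    ],
)

# Same rule, but with the PUT path rewritten as a plain prefix match. For a DENY
# policy this is the fail-closed direction: it also denies any other PUT under
# /my-service/docs/ from foreign namespaces, which is usually what you want.
PREFIX_RULE = DenyRule(
    not_namespaces=["default"],
    operations=[
        Operation(methods=["GET"], paths=["/my-service/docs/active"]),
        Operation(methods=["PUT"], paths=["/my-service/docs/*"]),
    ],
)

# Constructed sample requests: (source namespace, method, path).
SAMPLE_REQUESTS = [
    ("other", "GET", "/my-service/docs/active"),
    ("other", "PUT", "/my-service/docs/42/activate/true"),
    ("default", "PUT", "/my-service/docs/42/activate/true"),
]


def evaluate(rule: DenyRule, requests=SAMPLE_REQUESTS) -> dict:
    """Return {(ns, method, path): denied?} for each sample request."""
    return {req: rule.denies(*req) for req in requests}


if __name__ == "__main__":
    for name, rule in (("question", QUESTION_RULE), ("prefix", PREFIX_RULE)):
        for req, denied in evaluate(rule).items():
            print(f"{name:8} {req[1]:4} {req[2]:40} from {req[0]:8} -> {'DENY' if denied else 'allow'}")
```

Running it shows the GET rule denying as intended while the PUT rule with the mid-path `*` lets the cross-namespace request through, exactly the symptom reported in the question; the prefix variant closes that gap at the cost of matching more broadly. Istio releases from 1.18 onward also accept path templates such as `/my-service/docs/{*}/activate/{*}` in `paths`; check the AuthorizationPolicy reference for the release you run before relying on them.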
