Istio Service Mesh Security with AuthorizationPolicy & RequestAuthentication
Question
The authentication using Keycloak isn't working as expected. It is being used with Istio and Keycloak. Istio components configured: Gateway, VirtualService, AuthorizationPolicy, RequestAuthentication.
With a valid token: 401 Jwt issuer is not configured
ISTIO CONFIGURATION FOR SECURITY:
---
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "http://localhost:30080/auth/realms/master"
    jwksUri: "http://localhost:30080/auth/realms/master/protocol/openid-connect/certs"
    forwardOriginalToken: true
    outputPayloadToHeader: x-jwt-payload
EOF
---
kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "frontend-ingress"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
        # principalBinding is not a field of the v1beta1 AuthorizationPolicy source;
        # it belonged to the old authentication.istio.io/v1alpha1 Policy.
        principalBinding: USE_ORIGIN
EOF
---
Once there is no Authorization bearer token.
To double-check, I used Istio's example and it worked:
kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json"
EOF
kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "frontend-ingress"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
EOF
ISTIO GTW and VS:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: keycloak-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: enterprise-vs
spec:
  hosts:
  - '*'
  gateways:
  - default/keycloak-gateway
  http:
  - match:
    - uri:
        prefix: '/enterprise/'
    rewrite:
      uri: /
    fault:
      delay:
        fixedDelay: 1s
    route:
    - destination:
        host: enterprise
        port:
          number: 8080
        subset: enterprise-s1
      weight: 90
    - destination:
        host: enterprise
        port:
          number: 8080
        subset: enterprise-s2
      weight: 10
Answer
I ran into a similar problem.
The JWT token had the following value for issuer: "iss": "http://localhost:8080/auth/realms/dev"
I matched the same value in my jwtRules, i.e. localhost. However, I changed jwksUri to the cluster IP address of Keycloak. This seems to have worked.
jwtRules:
- issuer: 'http://localhost:8080/auth/realms/dev'
  jwksUri: 'http://10.105.250.41:8080/auth/realms/dev/protocol/openid-connect/certs'
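The answer turns on two separate requirements of a RequestAuthentication jwtRules entry: the `issuer` string must equal the token's `iss` claim exactly (Envoy's jwt_authn filter otherwise answers "Jwt issuer is not configured"), while `jwksUri` is fetched by istiod from inside the cluster, so a `localhost` address there points at istiod's own pod rather than at Keycloak. The following diagnostic script is an added example, not code from the question or the answer; it decodes a token's header and payload without verifying the signature (purely to inspect claims) and applies those checks to a jwtRules entry. The token, the JWKS document and the two rule dicts are constructed for the example and only modelled on the values quoted in the thread.

```python
import base64
import json
import time
from urllib.parse import urlparse

# All sample data below is constructed for this example; none of it comes from the thread.


def _b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Demo token with a placeholder signature: enough to inspect claims, never valid for auth.
SAMPLE_TOKEN = ".".join([
    _b64url_json({"alg": "RS256", "typ": "JWT", "kid": "demo-key-1"}),
    _b64url_json({"iss": "http://localhost:8080/auth/realms/dev", "sub": "alice", "exp": 4102444800}),
    "cGxhY2Vob2xkZXI",  # base64url("placeholder"), not a real signature
])

# Constructed JWKS in the shape Keycloak's /protocol/openid-connect/certs returns (modulus shortened).
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "demo-key-1", "use": "sig", "alg": "RS256", "n": "placeholder-modulus", "e": "AQAB"},
]}

# Two jwtRules entries as Python dicts: a localhost jwksUri (the failing pattern from the
# question) and a cluster-reachable jwksUri (the pattern the answer switched to).
RULE_LOCALHOST_JWKS = {
    "issuer": "http://localhost:8080/auth/realms/dev",
    "jwksUri": "http://localhost:8080/auth/realms/dev/protocol/openid-connect/certs",
}
RULE_CLUSTER_JWKS = {
    "issuer": "http://localhost:8080/auth/realms/dev",
    "jwksUri": "http://10.105.250.41:8080/auth/realms/dev/protocol/openid-connect/certs",
}


def decode_jwt_unverified(token):
    """Decode header and payload of a compact JWT without verifying the signature.
    Use only to inspect claims while debugging; it proves nothing about authenticity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")

    def seg(s):
        return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))

    return seg(parts[0]), seg(parts[1])


def diagnose(token, rule, jwks, now=None):
    """Return a list of findings explaining why Istio would reject `token` under `rule`.
    An empty list means the exact issuer match, the jwksUri reachability heuristic,
    the key-id lookup and the expiry check all pass."""
    findings = []
    header, payload = decode_jwt_unverified(token)
    now = time.time() if now is None else now

    # 1. Istio compares the iss claim with jwtRules[].issuer as an exact string
    #    (scheme, host, port and trailing slash all matter). A mismatch yields
    #    "Jwt issuer is not configured".
    if payload.get("iss") != rule.get("issuer"):
        findings.append(f"ISSUER_MISMATCH: token iss={payload.get('iss')!r} but rule issuer={rule.get('issuer')!r}")

    # 2. istiod fetches jwksUri from inside the cluster, so a loopback host names istiod's
    #    own pod, not Keycloak. Use the Keycloak Service DNS name or cluster IP instead.
    host = urlparse(rule.get("jwksUri", "")).hostname or ""
    if host in ("localhost", "127.0.0.1", "::1"):
        findings.append(f"JWKS_UNREACHABLE: jwksUri host {host!r} is loopback from istiod's point of view")

    # 3. The token's kid must be present in the JWKS, or signature verification can never succeed.
    kids = {k.get("kid") for k in jwks.get("keys", []) if k.get("kid")}
    if header.get("kid") not in kids:
        findings.append(f"KID_NOT_IN_JWKS: kid={header.get('kid')!r}, jwks kids={sorted(kids)}")

    # 4. An expired token is also a 401, which looks like a rejected "valid" token that merely aged out.
    if "exp" in payload and payload["exp"] < now:
        findings.append("TOKEN_EXPIRED")

    return findings


if __name__ == "__main__":
    for name, rule in (("localhost jwksUri", RULE_LOCALHOST_JWKS), ("cluster-IP jwksUri", RULE_CLUSTER_JWKS)):
        print(name, "->", diagnose(SAMPLE_TOKEN, rule, SAMPLE_JWKS) or ["OK"])
```

In practice, obtain the real token from Keycloak, paste the `jwtRules` entry from `kubectl get requestauthentication -n istio-system -o yaml`, and fetch the JWKS with `kubectl exec` from a pod in the mesh, since that is the network position istiod resolves `jwksUri` from. A cluster IP works, as the answer shows, but it changes when the Service is recreated; the Service DNS name (for example `keycloak.<namespace>.svc.cluster.local`, a placeholder here) is the stabler choice. Leave the `issuer` exactly as Keycloak issues it, because the `iss` claim is derived from the URL clients used to reach Keycloak, not from where istiod reaches it.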