Istio provides the underlying secure communication channel and manages authentication, authorization and encryption of service-to-service communication
Introduction
Security policies include:
- Authorization (AuthorizationPolicy): enables access control on traffic in the mesh. It is made up of:
  - Action: CUSTOM, DENY and ALLOW
  - rule
    - From (source)
    - To (destination, operation)
    - When (condition)
- Peer authentication (PeerAuthentication): defines whether traffic is tunneled to the sidecar. The modes are:
  - PERMISSIVE (permissive, the default)
  - STRICT (strict)
  - DISABLE (disabled)
- Request authentication (RequestAuthentication, JWT): defines which request authentication methods a workload supports
AuthorizationPolicy
Reference
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  action: DENY
  rules:
  - from:
    - source:
        namespaces: ["dev"]
    to:
    - operation:
        methods: ["POST"]
PeerAuthentication
Reference
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: STRICT
Notes:
- In namespace foo, both mTLS and plaintext traffic are allowed
- Workloads in namespace foo carrying the label app: finance must communicate over mTLS
RequestAuthentication
Reference
- For all requests to workloads labelled app: httpbin, JWT authentication is required
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "issuer-foo"
    jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
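The AuthorizationPolicy objects in the two reference sections above (the DENY rule for POST from namespace dev, and the ALLOW rule with requestPrincipals: ["*"]) are evaluated together by Istio: DENY policies are checked first, then ALLOW policies, and a workload that no ALLOW policy selects accepts everything that is not denied. RequestAuthentication alone only rejects requests that carry an invalid JWT and lets requests with no token through, so the requestPrincipals rule is what actually requires a token. The Python model below is an added illustration of that evaluation order, not code from Istio or from the original page; the Request and Policy classes and their field names are modelling assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Request:
    workload_labels: dict             # labels of the target pod (all policies here live in namespace foo)
    src_namespace: str                # peer namespace, derived from the caller's mTLS identity
    method: str
    request_principal: Optional[str]  # "<issuer>/<subject>" from a validated JWT, None if no token

@dataclass
class Policy:
    action: str                       # "ALLOW" or "DENY" (CUSTOM is not modelled here)
    rules: list
    selector: dict = field(default_factory=dict)  # empty selector = every workload in the namespace

def _field_matches(allowed, actual):
    # Omitted field matches anything; "*" matches any non-empty value, so
    # requestPrincipals: ["*"] does NOT match a request that carries no JWT.
    if allowed is None:
        return True
    return actual is not None and ("*" in allowed or actual in allowed)

def _rule_matches(rule, req):
    froms, tos = rule.get("from"), rule.get("to")
    from_ok = froms is None or any(
        _field_matches(f["source"].get("namespaces"), req.src_namespace)
        and _field_matches(f["source"].get("requestPrincipals"), req.request_principal)
        for f in froms)
    to_ok = tos is None or any(
        _field_matches(t["operation"].get("methods"), req.method) for t in tos)
    return from_ok and to_ok

def authorize(policies, req):
    # Istio order: DENY policies first, then ALLOW; no ALLOW policy selecting the workload = allow by default.
    applicable = [p for p in policies
                  if all(req.workload_labels.get(k) == v for k, v in p.selector.items())]
    for p in applicable:
        if p.action == "DENY" and any(_rule_matches(r, req) for r in p.rules):
            return "DENY"
    allows = [p for p in applicable if p.action == "ALLOW"]
    if not allows:
        return "ALLOW"
    return "ALLOW" if any(_rule_matches(r, req) for p in allows for r in p.rules) else "DENY"

# The two AuthorizationPolicy objects from the page, transcribed into this model.
DENY_DEV_POST = Policy("DENY", [{"from": [{"source": {"namespaces": ["dev"]}}],
                                "to": [{"operation": {"methods": ["POST"]}}]}])
REQUIRE_JWT = Policy("ALLOW", [{"from": [{"source": {"requestPrincipals": ["*"]}}]}],
                     selector={"app": "httpbin"})
POLICIES = [DENY_DEV_POST, REQUIRE_JWT]
```

A request to httpbin without a JWT is denied even though RequestAuthentication let it through, while a POST from namespace dev is denied even with a valid token.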