authorizationPolicy详解

最新推荐文章于 2025-11-17 01:44:19 发布

原创

最新推荐文章于 2025-11-17 01:44:19 发布 · 3.7k 阅读

3 ·

CC 4.0 BY-SA版权

文章标签：

#云原生

本文深入探讨了Istio在多集群环境下的配置和管理，包括部署策略和链路追踪。同时，详细介绍了Istio的授权策略，如ACTION类型、请求来源和目标的匹配条件，以及请求头、源IP、远程IP等条件的使用，展示了如何实现细粒度的访问控制。此外，还涉及了JWT令牌的验证和自定义插件的使用，为实现安全的微服务网格提供了全面指导。

欢迎关注我的公众号：

目前刚开始写一个月，一共写了18篇原创文章，文章目录如下：

istio多集群探秘，部署了50次多集群后我得出的结论

istio多集群链路追踪，附实操视频

istio防故障利器，你知道几个,istio新手不要读，太难！

istio业务权限控制，原来可以这么玩

istio实现非侵入压缩，微服务之间如何实现压缩

不懂envoyfilter也敢说精通istio系列-http-rbac-不要只会用AuthorizationPolicy配置权限

不懂envoyfilter也敢说精通istio系列-02-http-corsFilter-不要只会vs

不懂envoyfilter也敢说精通istio系列-03-http-csrf filter-再也不用再代码里写csrf逻辑了

不懂envoyfilter也敢说精通istio系列http-jwt_authn-不要只会RequestAuthorization

不懂envoyfilter也敢说精通istio系列-05-fault-filter-故障注入不止是vs

不懂envoyfilter也敢说精通istio系列-06-http-match-配置路由不只是vs

不懂envoyfilter也敢说精通istio系列-07-负载均衡配置不止是dr

不懂envoyfilter也敢说精通istio系列-08-连接池和断路器

不懂envoyfilter也敢说精通istio系列-09-http-route filter

不懂envoyfilter也敢说精通istio系列-network filter-redis proxy

不懂envoyfilter也敢说精通istio系列-network filter-HttpConnectionManager

不懂envoyfilter也敢说精通istio系列-ratelimit-istio ratelimit完全手册

学习目标

什么是AuthorizationPolicy

授权功能是 Istio 中安全体系的一个重要组成部分，它用来实现访问控制的功能，即判断一个请求是否允许通过，这个请求可以是从外部进入 Istio 内部的请求，也可以是在 Istio 内部从服务 A 到服务 B 的请求。可以把授权功能近似地认为是一种四层到七层的“防火墙”，它会像传统防火墙一样，对数据流进行分析和匹配，然后执行相应的动作。

流程

Authorization policies support ALLOW, DENY and CUSTOM actions. The policy precedence is CUSTOM, DENY and ALLOW. The following graph shows the policy precedence in detail:

资源详解

Field	Type	Description	Required
`selector`	`WorkloadSelector`	Optional. Workload selector decides where to apply the authorization policy. If not set, the authorization policy will be applied to all workloads in the same namespace as the authorization policy.	No
`rules`	`Rule[]`	Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads.	No
`action`	`Action`	Optional. The action to take if the request is matched with the rules.	No
`provider`	`ExtensionProvider (oneof)`	Specifies detailed configuration of the CUSTOM action. Must be used only with CUSTOM action.	No

允许nothing

allow-nothing.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
spec:
  # This matches nothing, the action defaults to ALLOW if not specified.
  {}

The following example shows an ALLOW policy that matches nothing. If there are no other ALLOW policies, requests will always be denied because of the “deny by default” behavior.

默认拒绝，有通过则通过

全局拒绝所有

kubectl apply -f global-deny-all.yaml -n istio-system

global-deny-all.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istio-system
spec:
  action: DENY
  # This matches everything.
  rules:
  - {}

名称空间拒绝所有

deny-all.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
spec:
  action: DENY
  # This matches everything.
  rules:
  - {}

名称空间级别

名称空间允许所有

allow-all.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: allow-all
spec:
 action: ALLOW
 rules:
 - {}

名称空间级别

selector

productpage-allow-all.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage-allow-all
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - to:
   - operation:
       methods: ["GET", "POST"]

action

Name	Description
`ALLOW`	Allow a request only if it matches the rules. This is the default type.
`DENY`	Deny a request if it matches any of the rules.
`AUDIT`	Audit a request if it matches any of the rules.
`CUSTOM`	The CUSTOM action allows an extension to handle the user request if the matching rules evaluate to true. The extension is evaluated independently and before the native ALLOW and DENY actions. When used together, A request is allowed if and only if all the actions return allow, in other words, the extension cannot bypass the authorization decision made by ALLOW and DENY action. Extension behavior is defined by the named providers declared in MeshConfig. The authorization policy refers to the extension by specifying the name of the provider. One example use case of the extension is to integrate with a custom external authorization system to delegate the authorization decision to it.Note: The CUSTOM action is currently an experimental feature and is subject to breaking changes in later versions.

ALLOW

productpage-allow-all.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage-allow-all
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
 - to:
   - operation:
       methods: ["GET", "POST"]

DENY

1删除deny all

kubectl delete -f deny-all.yaml -n istio

2禁止访问produtpage

productpage-deny-allyaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage-allow-all
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: DENY
 rules:
 - {}

AUDIT

productpage-audit-all.yaml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage-allow-all
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: AUDIT
 rules:
 - {}

the only supported plugin is the Stackdriver plugin

需要安装audit插件

CUSTOM

The CUSTOM action is currently an experimental feature and is subject to breaking changes in later versions.

1创建opa策略

opa介绍

OPA-重新定义规则引擎-入门篇 | 菜鸟Miao

验证opa

The Rego Playground

policy.rego

package envoy.authz

import input.attributes.request.http as http_request

default allow = false

token = {"payload": payload} {
    [_, encoded] := split(http_request.headers.authorization, " ")
    [_, payload, _] := io.jwt.decode(encoded)
}

allow {
    action_allowed
}


bar := "bar"

action_allowed {
  bar ==token.payload.foo
}

2创建secret

kubectl create secret generic opa-policy --from-file policy.rego -n istio

3创建opa

opa-deployment.yaml

apiVersion: v1
kind: Service
metadata:
  name: opa
  labels:
    app: opa
spec:
  ports:
  - name: grpc
    port: 9191
    targetPort: 9191
  selector:
    app: opa
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: opa
  labels:
    app: opa
spec:
  replicas: 1
  selector:
    matchLabels:
      app: opa
  template:
    metadata:
      labels:
        app: opa
    spec:
      containers:
        - name: opa
          image: openpolicyagent/opa:latest-envoy
          securityContext:
            runAsUser: 1111
       &nbs