k8s istio 外部权限控制(业务系统权限控制)

1. 创建namespace

kubectl create ns auth-system
kubectl label ns auth-system istio-injection=enabled

2. 部署业务系统服务

kubectl apply -f samples/httpbin/httpbin.yaml -n auth-system

httpbin.yaml文件内容:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
    nodePort: 30020
  selector:
    app: httpbin
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: 10.7.198.110:5000/library/kennethreitz/httpbin:latest
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80

3.部署权限认证服务

kubectl apply -f samples/extauthz/ext-authz.yaml
-n auth-system

ext-authz.yaml文件内容:

apiVersion: v1
kind: Service
metadata:
 name: ext-authz
 labels:
   app: ext-authz
spec:
 ports:
 - name: http
   port: 8000
   targetPort: 8000
 - name: grpc
   port: 9000
   targetPort: 9000
 selector:
   app: ext-authz
---
apiVersion: apps/v1
kind: Deployment
metadata:
 name: ext-authz
spec:
 replicas: 1
 selector:
   matchLabels:
     app: ext-authz
 template:
   metadata:
     labels:
       app: ext-authz
   spec:
     containers:
     - image: 10.7.198.110:5000/library/gcr.io/istio-testing/ext-authz:latest
       imagePullPolicy: IfNotPresent
       name: ext-authz
       ports:
       - containerPort: 8000
       - containerPort: 9000

4.权限控制

访问业务系统httpbin服务先经过ext-authz服务对权限进行验证

4.1使用以下命令对Config Maps 进行配置

kubectl edit configmap istio -n istio-system

 extensionProviders:
    - name: "sample-ext-authz-grpc"
      envoyExtAuthzGrpc:
        service: "ext-authz.auth-system.svc.cluster.local"
        port: "9000"
    - name: "sample-ext-authz-http"
      envoyExtAuthzHttp:
        service: "ext-authz.auth-system.svc.cluster.local"
        port: "8000"
        #includeRequestHeadersInCheck: ["x-ext-authz"]

在这里插入图片描述

4.2 执行以下命令重启istio以使更改配置生效

kubectl apply -n auth-system -f sample-ext-authz-grpc.yaml

4.3 执行以下yaml,ext-authz对headers开头的链接进行权限校验

sample-ext-authz-grpc.yaml内容:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz
spec:
  selector:
    matchLabels:
      app: httpbin
  action: CUSTOM
  provider:
    # The provider name must match the extension provider defined in the mesh config.
    # You can also replace this with sample-ext-authz-http to test the other external authorizer definition.
    name: sample-ext-authz-grpc
  rules:
  # The rules specify when to trigger the external authorizer.
  - to:
    - operation:
        paths: ["/headers"]

5.测试

1.未通过权限校验测试
在这里插入图片描述
2.通过权限测试
在这里插入图片描述

6. ext-authz权限系统代码参考

git@github.com:jpmoc/istio-ext-authz.git

# kubernetes # istio # 运维
Logo
K8S/Kubernetes

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐

【深度】阿里巴巴万级规模 K8s 集群全局高可用体系之美

作者 |  韩堂、柘远、沉醉来源 | 阿里巴巴云原生公众号​前言台湾作家林清玄在接受记者采访的时候,如此评价自己 30 多年写作生涯:“第一个十年我才华横溢,‘贼光闪现’,令周边黯然失色;第二个十年,我终于‘宝光现形’,不再去抢风头,反而与身边的美丽相得益彰;进入第三个十年,繁华落尽见真醇,我进入了‘醇光初现’的阶段,真正体味到了境界之美”。​长夜有穷,真水无香。领略过了 K8s“身在江

avatar K8S/Kubernetes

如何基于 K8s 构建下一代 DevOps 平台?

作者 | 孙健波(天元)导读:当前云原生 DevOps 体系现状如何?面临哪些挑战?如何通过 OAM 解决云原生 DevOps 场景下的诸多问题?云原生开发应用模型 OAM(Open Application Model) 社区核心成员孙健波将为大家一一解答,并分享如何基于 OAM 和 Kubernetes 打造无限能力的下一代 DevOps 平台。什么是 DevOps?为什么基于 Kub

avatar K8S/Kubernetes

k8s 火了!

2020,上云之年,产品云端化成为一种趋势。在一线城市,很多公司都已经构建了自己的私有云环境,比如阿里云、网易云、华为云等。而Kubernetes 作为基于容器编排领域的王者,具备扩展...

avatar K8S/Kubernetes