k8s istio 外部权限控制(业务系统权限控制)

1. 创建namespace

kubectl create ns auth-system
kubectl label ns auth-system istio-injection=enabled

2. 部署业务系统服务

kubectl apply -f samples/httpbin/httpbin.yaml -n auth-system

httpbin.yaml文件内容:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
    nodePort: 30020
  selector:
    app: httpbin
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: 10.7.198.110:5000/library/kennethreitz/httpbin:latest
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80

3.部署权限认证服务

kubectl apply -f samples/extauthz/ext-authz.yaml
-n auth-system

ext-authz.yaml文件内容:

apiVersion: v1
kind: Service
metadata:
 name: ext-authz
 labels:
   app: ext-authz
spec:
 ports:
 - name: http
   port: 8000
   targetPort: 8000
 - name: grpc
   port: 9000
   targetPort: 9000
 selector:
   app: ext-authz
---
apiVersion: apps/v1
kind: Deployment
metadata:
 name: ext-authz
spec:
 replicas: 1
 selector:
   matchLabels:
     app: ext-authz
 template:
   metadata:
     labels:
       app: ext-authz
   spec:
     containers:
     - image: 10.7.198.110:5000/library/gcr.io/istio-testing/ext-authz:latest
       imagePullPolicy: IfNotPresent
       name: ext-authz
       ports:
       - containerPort: 8000
       - containerPort: 9000

4.权限控制

访问业务系统httpbin服务先经过ext-authz服务对权限进行验证

4.1使用以下命令对Config Maps 进行配置

kubectl edit configmap istio -n istio-system

 extensionProviders:
    - name: "sample-ext-authz-grpc"
      envoyExtAuthzGrpc:
        service: "ext-authz.auth-system.svc.cluster.local"
        port: "9000"
    - name: "sample-ext-authz-http"
      envoyExtAuthzHttp:
        service: "ext-authz.auth-system.svc.cluster.local"
        port: "8000"
        #includeRequestHeadersInCheck: ["x-ext-authz"]

在这里插入图片描述

4.2 执行以下命令重启istio以使更改配置生效

kubectl apply -n auth-system -f sample-ext-authz-grpc.yaml

4.3 执行以下yaml,ext-authz对headers开头的链接进行权限校验

sample-ext-authz-grpc.yaml内容:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz
spec:
  selector:
    matchLabels:
      app: httpbin
  action: CUSTOM
  provider:
    # The provider name must match the extension provider defined in the mesh config.
    # You can also replace this with sample-ext-authz-http to test the other external authorizer definition.
    name: sample-ext-authz-grpc
  rules:
  # The rules specify when to trigger the external authorizer.
  - to:
    - operation:
        paths: ["/headers"]

5.测试

1.未通过权限校验测试
在这里插入图片描述
2.通过权限测试
在这里插入图片描述

6. ext-authz权限系统代码参考

git@github.com:jpmoc/istio-ext-authz.git

Logo

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐