searchusermenu
  • 发布文章
  • 消息中心
点赞
收藏
评论
分享
原创

istio支持jwt配置介绍

2023-11-22 01:29:44
23
0

一、JWT规则

JWKS

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: '{ 
      "keys":[   
        {
          "alg": "RS256",
          "e": "AQAB",
          "kid": "DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
          "kty": "RSA",
          "n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ",
          "use": "sig"
        }
      ]
    }'

指定域名

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
    when:
    - key: request.auth.claims[iss]
      values: ["example1"]

二、JWT Token位置

(1)http头部

默认位置,yaml不需特别指定,示例 Authorization: Bearer xxxx
如果改成其他位置,需在yaml指定,示例 Aaaa: Bbb xxxx

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: 参考上面配置,此处省略...
    fromHeaders:
    - name: Aaaa
      prefix: "Bbb "

(2)query参数

示例:http:斜杠aaa.example1.com?abc=xxx

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: 参考上面配置,此处省略...
    fromParams:
    - "abc"

三、JWT Claim转换

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: 参考上面配置,此处省略...
    outputClaimToHeaders:
    - header: "x-jwt-claim-foo"
      claim: "foo"

四、请求匹配模式

(1)白名单模式

http:斜杠aaa.example1.com/abc,不校验JWT
http:斜杠aaa.example1.com/xxx,校验JWT

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        notPaths: ["/abc"]
    when:
    - key: request.auth.claims[iss]
      values: ["example1"]
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        paths: ["/abc"]

(2)黑名单模式

http:斜杠aaa.example1.com/abc,校验JWT
http:斜杠aaa.example1.com/xxx,不校验JWT

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        paths: ["/abc"]
    when:
    - key: request.auth.claims[iss]
      values: ["example1"]
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        notPaths: ["/abc"]
0条评论
作者已关闭评论
a****k
16文章数
0粉丝数
a****k
16 文章 | 0 粉丝
原创

istio支持jwt配置介绍

2023-11-22 01:29:44
23
0

一、JWT规则

JWKS

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: '{ 
      "keys":[   
        {
          "alg": "RS256",
          "e": "AQAB",
          "kid": "DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
          "kty": "RSA",
          "n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ",
          "use": "sig"
        }
      ]
    }'

指定域名

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
    when:
    - key: request.auth.claims[iss]
      values: ["example1"]

二、JWT Token位置

(1)http头部

默认位置,yaml不需特别指定,示例 Authorization: Bearer xxxx
如果改成其他位置,需在yaml指定,示例 Aaaa: Bbb xxxx

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: 参考上面配置,此处省略...
    fromHeaders:
    - name: Aaaa
      prefix: "Bbb "

(2)query参数

示例:http:斜杠aaa.example1.com?abc=xxx

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: 参考上面配置,此处省略...
    fromParams:
    - "abc"

三、JWT Claim转换

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: 参考上面配置,此处省略...
    outputClaimToHeaders:
    - header: "x-jwt-claim-foo"
      claim: "foo"

四、请求匹配模式

(1)白名单模式

http:斜杠aaa.example1.com/abc,不校验JWT
http:斜杠aaa.example1.com/xxx,校验JWT

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        notPaths: ["/abc"]
    when:
    - key: request.auth.claims[iss]
      values: ["example1"]
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        paths: ["/abc"]

(2)黑名单模式

http:斜杠aaa.example1.com/abc,校验JWT
http:斜杠aaa.example1.com/xxx,不校验JWT

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        paths: ["/abc"]
    when:
    - key: request.auth.claims[iss]
      values: ["example1"]
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        notPaths: ["/abc"]
文章来自个人专栏
云组件
16 文章 | 1 订阅
0条评论
作者已关闭评论
作者已关闭评论
0
0