Hi everyone, I have set up istio on minikube with an envoy ext-auth filter on the gateway. I have two microservices running in different pods, exposed to the outside world as the virtual services /auther and /appone. The ext-auth filter I set up sends every request to /auther/auth for authentication and, if the response is 200, lets the request through to whichever other service it was headed for.
The problem is that istio is authenticating every request to every endpoint (even /auther). I want to exclude requests sent to /auther from authentication (since the auther service handles authentication itself), but it is not working.
Here is my ext-auth filter:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.ext_authz
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz"
          http_service:
            server_uri:
              uri: http://auther.default.svc.cluster.local
              cluster: outbound|3000||auther.default.svc.cluster.local
              timeout: 1.5s
            path_prefix: /auther/auth?user=
            authorizationRequest:
              allowedHeaders:
                patterns:
                - exact: "cookie"
                - exact: "authorization"
            authorizationResponse:
              allowedClientHeaders:
                patterns:
                - exact: "set-cookie"
                - exact: "authorization"
```
Here is the bypass filter I am trying to get working:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: bypass-filter
  namespace: default
spec:
  configPatches:
  # This patch merges a per-route ext_authz config that disables the filter on the auther route
  - applyTo: HTTP_ROUTE
    match:
      context: GATEWAY
      routeConfiguration:
        vhost:
          name: auther
          route:
            name: auther
    patch:
      operation: MERGE
      value:
        typed_per_filter_config:
          envoy.ext_authz:
            "@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute
            disabled: true
```
The first filter works fine. But the second one, which is supposed to exclude the authentication service from the external auth filter, does not work.
You have set @type to envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute, but the correct path is envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute.
Also, the route name must match the name in the virtual service, and it must be deployed to the istio-system namespace like your authn-filter. This config works for me:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: bypass-authn
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_ROUTE
    match:
      routeConfiguration:
        vhost:
          route:
            name: my-route # from virtual service http route name
    patch:
      operation: MERGE
      value:
        name: envoy.ext_authz_disabled
        typed_per_filter_config:
          envoy.ext_authz:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
            disabled: true
```
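The three corrections in the answer (v3 `@type`, a route name that exists in the VirtualService, and deployment next to the gateway in istio-system with a workloadSelector) can be checked before applying the manifest. This is an added linter, not code from the question or answer; it works on manifests already parsed into dicts (as `yaml.safe_load` would give), and the VirtualService it uses is constructed for the example, assuming an http route named `my-route` that sends /auther to the auther service on port 3000.

```python
V3_PER_ROUTE = "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute"
V2_PER_ROUTE = "type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute"


def http_route_names(virtual_service: dict) -> set:
    """Names of the VirtualService's http routes: the only values a HTTP_ROUTE match may refer to."""
    return {r["name"] for r in virtual_service["spec"].get("http", []) if "name" in r}


def lint_bypass_filter(envoy_filter: dict, virtual_service: dict, gateway_ns: str = "istio-system") -> list:
    """Return the problems that would keep the per-route ext_authz bypass from reaching the gateway."""
    problems = []
    if envoy_filter["metadata"].get("namespace") != gateway_ns:
        problems.append(f"namespace must be {gateway_ns}, where the ingress gateway and authn-filter live")
    if "workloadSelector" not in envoy_filter["spec"]:
        problems.append("no workloadSelector: patch is not pinned to the istio=ingressgateway workload")
    known = http_route_names(virtual_service)
    for cp in envoy_filter["spec"].get("configPatches", []):
        if cp.get("applyTo") != "HTTP_ROUTE":
            continue
        route = cp.get("match", {}).get("routeConfiguration", {}).get("vhost", {}).get("route", {})
        if route.get("name") not in known:
            problems.append(f"route name {route.get('name')!r} matches no VirtualService http route")
        per_route = cp["patch"]["value"].get("typed_per_filter_config", {}).get("envoy.ext_authz", {})
        if per_route.get("@type") != V3_PER_ROUTE:
            problems.append(f"@type must be {V3_PER_ROUTE}")
        if per_route.get("disabled") is not True:
            problems.append("ExtAuthzPerRoute needs disabled: true")
    return problems


# Constructed VirtualService for /auther whose single http route is named "my-route".
VIRTUAL_SERVICE = {"kind": "VirtualService", "metadata": {"name": "auther", "namespace": "default"},
                   "spec": {"hosts": ["*"], "gateways": ["auther-gateway"],
                            "http": [{"name": "my-route", "match": [{"uri": {"prefix": "/auther"}}],
                                      "route": [{"destination": {"host": "auther", "port": {"number": 3000}}}]}]}}


def bypass_filter(namespace: str, route_name: str, per_route_type: str, selector: bool = True) -> dict:
    """Build the thread's bypass EnvoyFilter, parameterised on the three things the answer corrects."""
    spec = {"configPatches": [{"applyTo": "HTTP_ROUTE",
                               "match": {"context": "GATEWAY",
                                         "routeConfiguration": {"vhost": {"route": {"name": route_name}}}},
                               "patch": {"operation": "MERGE", "value": {"typed_per_filter_config": {
                                   "envoy.ext_authz": {"@type": per_route_type, "disabled": True}}}}}]}
    if selector:
        spec["workloadSelector"] = {"labels": {"istio": "ingressgateway"}}
    return {"apiVersion": "networking.istio.io/v1alpha3", "kind": "EnvoyFilter",
            "metadata": {"name": "bypass-filter", "namespace": namespace}, "spec": spec}


# The question's filter (default ns, no selector, route "auther", v2 type) beside the answer's working one.
BROKEN = bypass_filter("default", "auther", V2_PER_ROUTE, selector=False)
FIXED = bypass_filter("istio-system", "my-route", V3_PER_ROUTE)
```

Running `lint_bypass_filter(BROKEN, VIRTUAL_SERVICE)` reports all four findings, while the answer's shape yields none.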