How to exclude a service from Istio ext-auth
Hi everyone, I have set up Istio on minikube with an Envoy ext-auth filter on the gateway. I have two microservices running in different pods, exposed to the outside as the virtual services /auther and /appone. The ext-auth filter I set up sends every single request to /auther/auth for authentication and, if the response is 200, lets the request through to the service it was addressed to. The problem is that Istio is authenticating every single request to every endpoint (even /auther). I want to exclude requests sent to /auther from authentication (since the auther service handles authentication itself), but it is not working. So here is my ext-auth filter:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.ext_authz
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz"
          http_service:
            server_uri:
              uri: http://auther.default.svc.cluster.local
              cluster: outbound|3000||auther.default.svc.cluster.local
              timeout: 1.5s
            path_prefix: /auther/auth?user=
            authorizationRequest:
              allowedHeaders:
                patterns:
                - exact: "cookie"
                - exact: "authorization"
            authorizationResponse:
              allowedClientHeaders:
                patterns:
                - exact: "set-cookie"
                - exact: "authorization"
And here is the exception filter I am trying to implement:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: bypass-filter
  namespace: default
spec:
  configPatches:
  # Merge a per-route ext_authz override into the auther route of the gateway's route config
  - applyTo: HTTP_ROUTE
    match:
      context: GATEWAY
      routeConfiguration:
        vhost:
          name: auther
          route:
            name: auther
    patch:
      operation: MERGE
      value:
        typed_per_filter_config:
          envoy.ext_authz:
            "@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute
            disabled: true
The first filter works fine. But the second one, which should exclude the authentication service from the ext-auth filter, has no effect.
Solution
You set @type to envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute, but the correct path is envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute.
Also, the route name must match the name in the virtual service, and the filter must be deployed to the istio-system namespace, as authn-filter is. This configuration works for me:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: bypass-authn
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_ROUTE
    match:
      routeConfiguration:
        vhost:
          route:
            name: my-route #from virtual service http route name
    patch:
      operation: MERGE
      value:
        name: envoy.ext_authz_disabled
        typed_per_filter_config:
          envoy.ext_authz:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
            disabled: true
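Because a per-route override like the one above silently turns the ext-auth check off for that route, it is worth auditing the gateway's live route table for which routes actually bypass it. The following is an added example, not code from the question or the answer: it reads a route dump in the shape `istioctl proxy-config route <gateway-pod> -o json` prints (the camelCase field names and the embedded sample routes are assumptions constructed for this example) and reports every route that is bypassed, or carries an override with an unexpected type such as the v2 path from the question, unless it is on an allowlist.

```python
import json

# Constructed sample of `istioctl proxy-config route <gateway-pod> -o json` output,
# trimmed to the fields this check reads (assumed camelCase names as in an Envoy config dump).
SAMPLE_ROUTE_DUMP = json.dumps([{"name": "http.8080", "virtualHosts": [{"name": "*:80", "routes": [
    {"name": "my-route", "match": {"prefix": "/auther"},
     "route": {"cluster": "outbound|3000||auther.default.svc.cluster.local"},
     "typedPerFilterConfig": {"envoy.ext_authz": {
         "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
         "disabled": True}}},
    {"name": "appone-route", "match": {"prefix": "/appone"},
     "route": {"cluster": "outbound|80||appone.default.svc.cluster.local"}},
    {"name": "legacy-route", "match": {"prefix": "/legacy"},
     "route": {"cluster": "outbound|80||legacy.default.svc.cluster.local"},
     "typedPerFilterConfig": {"envoy.ext_authz": {
         "@type": "type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute",
         "disabled": True}}},
]}]}])

EXT_AUTHZ = "envoy.ext_authz"
PER_ROUTE_V3 = "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute"

def ext_authz_status(route_dump_json):
    """Map each route name to 'enforced', 'bypassed' (v3 ExtAuthzPerRoute with
    disabled: true, so the gateway skips the ext-auth call) or 'unexpected-type'
    (an override is present but is not the v3 type, e.g. the v2 path from the question)."""
    status = {}
    for route_config in json.loads(route_dump_json):
        for vhost in route_config.get("virtualHosts", []):
            for route in vhost.get("routes", []):
                name = route.get("name", "<unnamed>")
                override = route.get("typedPerFilterConfig", {}).get(EXT_AUTHZ)
                if override is None:
                    status[name] = "enforced"
                elif override.get("@type") != PER_ROUTE_V3:
                    status[name] = "unexpected-type"
                elif override.get("disabled") is True:
                    status[name] = "bypassed"
                else:
                    status[name] = "enforced"
    return status

def unexpected_bypasses(route_dump_json, allowed):
    """Routes that skip ext-auth, or carry a suspect override, without being allowlisted."""
    return sorted(name for name, state in ext_authz_status(route_dump_json).items()
                  if state != "enforced" and name not in allowed)

if __name__ == "__main__":
    print(ext_authz_status(SAMPLE_ROUTE_DUMP))
    print(unexpected_bypasses(SAMPLE_ROUTE_DUMP, allowed={"my-route"}))
```

Against the sample, only my-route is an approved bypass; legacy-route is flagged because its override uses a type the gateway is not expected to carry.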