I am trying to set up an authn/authz flow with istio and oauth2-proxy. The flow consists of:
Below are the EnvoyFilter and the AuthorizationPolicy:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: "ext-authz-myapp"
spec:
  workloadSelector:
    labels:
      app: "myapp"
  configPatches:
  - applyTo: CLUSTER
    match:
      cluster:
        service: "oauth2-proxy.{{.Env.ARGOCD_ENV_NAMESPACE}}.svc.cluster.local"
    patch:
      operation: MERGE
      value:
        name: "myapp.oauth2-proxy.{{.Env.ARGOCD_ENV_NAMESPACE}}.svc.cluster.local" # see https://github.com/istio/istio/issues/30271
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 5678 # service or pod port?!
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.ext_authz
        typedConfig:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          httpService:
            authorizationRequest:
              allowedHeaders:
                patterns:
                - exact: cookie
                - exact: x-forwarded-access-token
              headersToAdd:
              - key: X-Auth-Request-Redirect
                value: "https://%REQ(Host)%%REQ(:PATH)%"
            authorizationResponse:
              allowedUpstreamHeaders:
                patterns:
                - exact: authorization
                - exact: x-auth-request-user
                - exact: x-auth-request-email
              allowedClientHeaders:
                patterns:
                - exact: content-type
                - exact: set-cookie
            serverUri:
              cluster: "myapp.oauth2-proxy.{{.Env.ARGOCD_ENV_NAMESPACE}}.svc.cluster.local"
              timeout: 15s
              uri: http://oauth2-proxy.{{.Env.ARGOCD_ENV_NAMESPACE}}.svc.cluster.local:80
          statusOnError:
            code: Forbidden
```
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: myapp
spec:
  action: DENY
  selector:
    matchLabels:
      app: myapp
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/istio-gateway/sa/istio-gateway"]
    when:
    - key: request.headers[x-auth-request-user]
      notValues:
      - "[email protected]"
```
I have not yet managed to get this flow working. In particular, the AuthorizationPolicy seems to run before the EnvoyFilter. Is there a way to ensure the correct order? Or is there a better way to achieve what I am trying to do here?
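For reference, an added configuration example that is not part of the post: Istio's supported way to run an external authorizer ahead of the AuthorizationPolicy (RBAC) filter is a mesh-level `extensionProviders` entry plus an AuthorizationPolicy with `action: CUSTOM`, which Istio evaluates before DENY and ALLOW policies, so the `request.headers[x-auth-request-user]` condition in the DENY policy above sees the header the authorizer returned. The `<ns>` placeholder, port 80 and the header lists are assumptions carried over from the EnvoyFilter in the post.

```yaml
# Added example, not from the post. Assumes oauth2-proxy is reachable on
# port 80 in namespace <ns> (placeholder) and app pods carry app: myapp.
#
# 1) Mesh-level provider (meshConfig in the istio ConfigMap / IstioOperator).
#    Istio generates the envoy.ext_authz filter from this and inserts it
#    before envoy.filters.http.rbac, so no manual filter ordering is needed.
meshConfig:
  extensionProviders:
  - name: oauth2-proxy
    envoyExtAuthzHttp:
      service: oauth2-proxy.<ns>.svc.cluster.local   # replace <ns>
      port: 80
      timeout: 15s
      statusOnError: "403"
      # request headers forwarded to oauth2-proxy for the check
      includeRequestHeadersInCheck: ["cookie", "x-forwarded-access-token"]
      # extra header added to the check request (Envoy command operators allowed)
      includeAdditionalHeadersInCheck:
        X-Auth-Request-Redirect: "https://%REQ(Host)%%REQ(:PATH)%"
      # on ALLOW these response headers are merged into the request, so the
      # RBAC filter (DENY policy) evaluated afterwards can match on them
      headersToUpstreamOnAllow: ["authorization", "x-auth-request-user", "x-auth-request-email"]
      # on DENY these response headers go back to the client (redirect + cookie)
      headersToDownstreamOnDeny: ["content-type", "set-cookie"]
---
# 2) CUSTOM policy: delegates the decision for myapp to the provider.
#    Istio evaluation order: CUSTOM -> DENY -> ALLOW.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: myapp-ext-authz
spec:
  selector:
    matchLabels:
      app: myapp
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules:
  - to:
    - operation:
        paths: ["/*"]
```

With this in place the EnvoyFilter (and its service-versus-pod port question) is no longer needed; the existing DENY policy can stay as it is.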