Istio origin authentication with JWT does not work

Question description (votes: 2, answers: 1)

I have been applying an authentication policy with JWT to my test service. I followed the guide at this link: https://istio.io/docs/tasks/security/authn-policy/#end-user-authentication. Yes, it does work as expected. But when I tried a different pod image it did not work, even though almost everything is the same. Has anyone faced this problem? Or does anyone know why it does not work in my case? Thank you very much!

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hostname
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hostname
      version: v1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: hostname
        version: v1
    spec:
      containers:
      - image: rstarmer/hostname:v1
        imagePullPolicy: Always
        name: hostname
        resources: {}
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hostname
  name: hostname
spec:
  ports:
  - name: http
    port: 8001
    targetPort: 80
  selector:
    app: hostname
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: hostname-gateway
  namespace: foo
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: hostname-vs
  namespace: foo
spec:
  hosts:
  - "*"
  gateways:
  - hostname-gateway
  http:
  - route:
    - destination:
        port:
          number: 8001
        host: hostname.foo.svc.cluster.local
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example"
  namespace: foo
spec:
  targets:
  - name: hostname
  origins:
  - jwt:
      issuer: "[email protected]"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.0/security/tools/jwt/samples/jwks.json"
  principalBinding: USE_ORIGIN

kubernetes jwt policy istio
1 answer

0 votes

As the OP stated on the Istio forums, you need to respect the naming convention for the port name of your service. It can be "http" or "http2".

For example, this is valid

apiVersion: v1
kind: Service
metadata:
  name: somename
  namespace: auth
spec:
  selector:
    app: someapp
  ports:
  - port: 80
    targetPort: 3000
    name: http

whereas this is not

apiVersion: v1
kind: Service
metadata:
  name: somename
  namespace: auth
spec:
  selector:
    app: someapp
  ports:
  - port: 80
    targetPort: 3000

Not specifying a port name is invalid.
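The answer's point is easy to verify mechanically across a cluster: a Service port with no name, or with a name that does not start with a protocol Istio recognises, is treated as opaque TCP, so an HTTP-level JWT origin policy never sees that traffic. The script below is an added example, not code from the question, the answer or the Istio project. It reads the ServiceList JSON that `kubectl get svc -A -o json` emits (a constructed sample is embedded so it runs offline) and lists every port Istio would not map to a protocol. The list of recognised protocol prefixes is an assumption taken from Istio's protocol-selection documentation and should be checked against the Istio release in use.

```python
"""Added check: flag Kubernetes Service ports that Istio will not treat as
HTTP because their name does not follow the <protocol>[-<suffix>] convention.

Input shape is the ServiceList JSON from `kubectl get svc -A -o json`;
a constructed sample is embedded below so the script runs offline.
"""
import json

# Protocol prefixes Istio infers from port names. This list is an assumption
# drawn from Istio's protocol-selection docs; check it against the Istio
# release you run, since the set has changed between versions.
ISTIO_PROTOCOLS = (
    "http", "http2", "https", "grpc", "grpc-web", "mongo", "redis", "tcp", "tls",
)


def classify_port_name(name):
    """Return the protocol Istio would infer from a Service port name.

    Returns None when the name is missing or has no recognised prefix; Istio
    then treats the port as opaque TCP, so HTTP-level features such as a JWT
    origin-authentication policy are never applied to that traffic.
    """
    if not name:
        return None
    # Longest prefix first so "http2-admin" maps to http2, not http.
    for proto in sorted(ISTIO_PROTOCOLS, key=len, reverse=True):
        if name == proto or name.startswith(proto + "-"):
            return proto
    return None


def find_misnamed_ports(service_list):
    """Walk a ServiceList and return (namespace, service, port, name) for every
    port whose name Istio would not map to a protocol."""
    findings = []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        for port in svc.get("spec", {}).get("ports", []):
            name = port.get("name")
            if classify_port_name(name) is None:
                findings.append(
                    (meta.get("namespace", "default"), meta.get("name"),
                     port.get("port"), name)
                )
    return findings


# Constructed sample (not real cluster output): one Service named like the
# question's "http" port, one unnamed like the answer's invalid example, and
# one whose port name carries no protocol prefix at all.
SAMPLE_SERVICE_LIST = json.loads("""
{
  "kind": "ServiceList",
  "items": [
    {"metadata": {"name": "hostname", "namespace": "foo"},
     "spec": {"ports": [{"name": "http", "port": 8001, "targetPort": 80}]}},
    {"metadata": {"name": "somename", "namespace": "auth"},
     "spec": {"ports": [{"port": 80, "targetPort": 3000}]}},
    {"metadata": {"name": "frontend", "namespace": "auth"},
     "spec": {"ports": [{"name": "web", "port": 80, "targetPort": 8080},
                        {"name": "http2-admin", "port": 9000, "targetPort": 9000}]}}
  ]
}
""")


def main():
    for ns, svc, port, name in find_misnamed_ports(SAMPLE_SERVICE_LIST):
        print(f"{ns}/{svc} port {port}: name {name!r} gives Istio no protocol; "
              f"name it http/http2 (or http-<suffix>) so the JWT policy applies")


if __name__ == "__main__":
    main()
```

To run it against a live cluster, replace `SAMPLE_SERVICE_LIST` with `json.load(sys.stdin)` and pipe in `kubectl get svc -A -o json`; any Service reported here will silently bypass a JWT origin policy that targets it, which is worth checking before concluding the policy itself is broken.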
