Add missing deploy OPA in a separate pod tab (#13284)

Chaitanya Tyagi 2023-11-09 06:44:39 +05:30 committed by GitHub
parent fa46df27c1
commit 0034b7d111
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 67 additions and 0 deletions

@ -490,34 +490,101 @@ EOF
The `path` claim has value `L2hlYWRlcnM=` which is the base64 encode of `/headers`. The `path` claim has value `L2hlYWRlcnM=` which is the base64 encode of `/headers`.
1. Send a request to path `/headers` without a token. This should be rejected with 403 because there is no JWT token: 1. Send a request to path `/headers` without a token. This should be rejected with 403 because there is no JWT token:
{{< tabset category-name="opa-deploy" >}}
{{< tab name="Deploy OPA in the same pod" category-value="opa-same" >}}
{{< text bash >}} {{< text bash >}}
$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/headers -s -o /dev/null -w "%{http_code}\n" $ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/headers -s -o /dev/null -w "%{http_code}\n"
403 403
{{< /text >}} {{< /text >}}
{{< /tab >}}
{{< tab name="Deploy OPA in a separate pod" category-value="opa-standalone" >}}
{{< text bash >}}
$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin:8000/headers -s -o /dev/null -w "%{http_code}\n"
403
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
1. Send a request to path `/get` with a valid token. This should be rejected with 403 because the path `/get` is not matched with the token `/headers`: 1. Send a request to path `/get` with a valid token. This should be rejected with 403 because the path `/get` is not matched with the token `/headers`:
{{< tabset category-name="opa-deploy" >}}
{{< tab name="Deploy OPA in the same pod" category-value="opa-same" >}}
{{< text bash >}} {{< text bash >}}
$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/get -H "Authorization: Bearer $TOKEN_PATH_HEADERS" -s -o /dev/null -w "%{http_code}\n" $ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/get -H "Authorization: Bearer $TOKEN_PATH_HEADERS" -s -o /dev/null -w "%{http_code}\n"
403 403
{{< /text >}} {{< /text >}}
{{< /tab >}}
{{< tab name="Deploy OPA in a separate pod" category-value="opa-standalone" >}}
{{< text bash >}}
$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin:8000/get -H "Authorization: Bearer $TOKEN_PATH_HEADERS" -s -o /dev/null -w "%{http_code}\n"
403
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
1. Send a request to path `/headers` with valid token. This should be allowed with 200 because the path is matched with the token: 1. Send a request to path `/headers` with valid token. This should be allowed with 200 because the path is matched with the token:
{{< tabset category-name="opa-deploy" >}}
{{< tab name="Deploy OPA in the same pod" category-value="opa-same" >}}
{{< text bash >}} {{< text bash >}}
$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/headers -H "Authorization: Bearer $TOKEN_PATH_HEADERS" -s -o /dev/null -w "%{http_code}\n" $ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/headers -H "Authorization: Bearer $TOKEN_PATH_HEADERS" -s -o /dev/null -w "%{http_code}\n"
200 200
{{< /text >}} {{< /text >}}
{{< /tab >}}
{{< tab name="Deploy OPA in a separate pod" category-value="opa-standalone" >}}
{{< text bash >}}
$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin:8000/headers -H "Authorization: Bearer $TOKEN_PATH_HEADERS" -s -o /dev/null -w "%{http_code}\n"
200
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
1. Send request to path `/ip` without token. This should be allowed with 200 because the path `/ip` is excluded from 1. Send request to path `/ip` without token. This should be allowed with 200 because the path `/ip` is excluded from
authorization: authorization:
{{< tabset category-name="opa-deploy" >}}
{{< tab name="Deploy OPA in the same pod" category-value="opa-same" >}}
{{< text bash >}} {{< text bash >}}
$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/ip -s -o /dev/null -w "%{http_code}\n" $ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/ip -s -o /dev/null -w "%{http_code}\n"
200 200
{{< /text >}} {{< /text >}}
{{< /tab >}}
{{< tab name="Deploy OPA in a separate pod" category-value="opa-standalone" >}}
{{< text bash >}}
$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin:8000/ip -s -o /dev/null -w "%{http_code}\n"
200
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
1. Check the proxy and OPA logs to confirm the result. 1. Check the proxy and OPA logs to confirm the result.
## Summary ## Summary
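Review bot: the last step, "Check the proxy and OPA logs to confirm the result", is the only step in this hunk left without an `opa-deploy` tabset, although it is where the two deployment modes differ most for the reader. With OPA in the same pod the proxy and OPA logs come from one pod, while with OPA in a separate pod they come from two different pods, so the step should either get the same two tabs naming the pod and container to inspect in each mode, or a sentence saying where to look in each case. Separately, the four added tabs all switch the target host from `httpbin-with-opa:8000` to `httpbin:8000`; please confirm that the separate-pod setup earlier on the page actually deploys the workload under the service name `httpbin`, because nothing in this hunk shows it, and a wrong host would leave readers with a curl failure code instead of the documented 403 or 200.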