istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix command in the ext-authz blog (#8972)

This commit is contained in:
Yangmin Zhu 2021-02-15 07:02:14 -08:00 committed by GitHub
parent bb65083266
commit f336766828
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
content/en/blog/2021/better-external-authz/index.md
View File

@ -71,7 +71,7 @@ spec:
# talk to the external auth service. We will cover this more later.
provider:
name: "my-ext-authz-service"
# The rule specifies that the access control is triggered only if the request path has the prefix "/admin".
# The rule specifies that the access control is triggered only if the request path has the prefix "/admin/".
# This allows you to easily enable or disable the external authorization based on the requests, avoiding the external
# check request if it is not needed.
rules:
@ -125,7 +125,7 @@ Run the following command create an OPA policy that allows the request if the pr
claim "path" (base64 encoded) in the JWT token:
{{< text bash >}}
$ kubectl create secret generic opa-policy -f - <<EOF
$ cat > policy.rego <<EOF
package envoy.authz
import input.attributes.request.http as http_request
@ -153,6 +153,7 @@ action_allowed {
startswith(http_request.path, base64url.decode(token.payload.path))
}
EOF
$ kubectl create secret generic opa-policy --from-file policy.rego
{{< /text >}}
### Deploy httpbin and OPA