<!doctype html><html lang=zh itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="更好的外部授权方式集成"><meta name=description content="AuthorizationPolicy 现在支持以 CUSTOM 自定义方式委托外部系统进行授权操作。"><meta name=author content="Yangmin Zhu (Google); Translated by Wilson Wu (DaoCloud)"><meta name=keywords content="microservices,services,mesh,authorization,access control,opa,oauth2"><meta property="og:title" content="更好的外部授权方式集成"><meta property="og:type" content="website"><meta property="og:description" content="AuthorizationPolicy 现在支持以 CUSTOM 自定义方式委托外部系统进行授权操作。"><meta property="og:url" content="/v1.24/zh/blog/2021/better-external-authz/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.png"><meta property="og:image:alt" content="The Istio sailboat logo"><meta property="og:image:width" content="4096"><meta property="og:image:height" content="2048"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary_large_image"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.24 / 更好的外部授权方式集成</title>
|
||
<script async src="https://www.googletagmanager.com/gtag/js?id=G-5XBWY4YJ1E"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","G-5XBWY4YJ1E")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.24/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.24/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.24/feed.xml><link rel="shortcut icon" href=/v1.24/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.24/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.24/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.24/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.24/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.24/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.24/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.24/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.24/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.24/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.24/favicons/favicon.svg><link rel=icon type=image/png href=/v1.24/favicons/favicon.png><link rel=mask-icon href=/v1.24/favicons/safari-pinned-tab.svg color=#466BB0><link rel=manifest href=/v1.24/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.24/css/style.min.38f1afbdf6f8efdb4fe991ff2a53ca1c801b5c4602dea2963da44df7ceaacfb8.css integrity="sha256-OPGvvfb479tP6ZH/KlPKHIAbXEYC3qKWPaRN986qz7g=" 
crossorigin=anonymous><link rel=preconnect href=https://fonts.googleapis.com><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.24/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.24",docTitle="更好的外部授权方式集成",iconFile="/v1.24//img/icons.svg",buttonCopy="复制到剪切板",buttonPrint="打印",buttonDownload="下载"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.24/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.24/zh/ aria-label=logotype><span class=logo><svg width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 
1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 
01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span>
<button id=search-close title=取消搜索 type=reset aria-label=取消搜索><svg class="icon menu-close"><use xlink:href="/v1.24/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>更好的外部授权方式集成</h1><p>AuthorizationPolicy 现在支持以 CUSTOM 自定义方式委托外部系统进行授权操作。</p></div><p class=post-author>Feb 9, 2021 <span>| </span>作者 Yangmin Zhu - Google; Translated by Wilson Wu - DaoCloud</p><div><h2 id=background>背景</h2><p>Istio 的授权策略为网格中的服务提供访问控制。它速度快、功能强大且使用广泛。
|
||
自 Istio 1.4 首次发布以来,我们不断改进策略以使其更加灵活,
|
||
包括 <a href=/v1.24/zh/docs/tasks/security/authorization/authz-deny/><code>DENY</code> 操作</a>、
|
||
<a href=/v1.24/zh/docs/tasks/security/authorization/authz-deny/>排除语义</a>、
|
||
<a href=/v1.24/zh/docs/tasks/security/authorization/authz-ingress/><code>X-Forwarded-For</code> 头信息支持</a>、
|
||
<a href=/v1.24/zh/docs/tasks/security/authorization/authz-jwt/>嵌套 JWT 声明支持</a>等等。
|
||
这些特性提高了授权策略的灵活性,但仍有许多场景无法通过该模型支持,例如:</p><ul><li><p>您拥有自己的内部授权系统,该系统无法轻松地迁移到授权策略或被其替换。</p></li><li><p>您想集成某个第三方解决方案
(例如 <a href=https://www.openpolicyagent.org/docs/latest/envoy-introduction/>Open Policy Agent</a>
或 <a href=https://github.com/oauth2-proxy/oauth2-proxy><code>oauth2</code> 代理</a>),
而它可能需要使用 Istio 中的<a href=/v1.24/zh/docs/reference/config/networking/envoy-filter/>底层 Envoy 配置 API</a>,甚至可能根本无法正常工作。</p></li><li><p>授权策略缺少在您场景中所需的语义内容。</p></li></ul><h2 id=solution>解决方案</h2><p>在 Istio 1.9 中,我们通过引入
|
||
<a href=/v1.24/zh/docs/reference/config/security/authorization-policy/#AuthorizationPolicy-Action><code>CUSTOM</code> 操作</a>实现了授权策略的可扩展性,
|
||
它允许您将访问控制决策委托给外部授权服务。</p><p><code>CUSTOM</code> 操作允许您将 Istio 与外部授权系统集成,
|
||
该系统实现了自己的自定义授权逻辑。下图展示了此集成方式的顶层架构:</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:48.573838213459645%><a data-skipendnotes=true href=/v1.24/zh/blog/2021/better-external-authz/external_authz.svg title=外部授权架构><img class=element-to-stretch src=/v1.24/zh/blog/2021/better-external-authz/external_authz.svg alt=外部授权架构></a></div><figcaption>外部授权架构</figcaption></figure><p>在进行配置时,网格管理员使用 <code>CUSTOM</code> 操作对授权策略进行配置,
|
||
用于在代理(网关或 Sidecar)上启用外部授权。
|
||
管理员应确认外部授权服务已启动且正在运行。</p><p>在运行时中:</p><ol><li><p>请求被代理拦截,代理将根据用户在授权策略中的配置向外部授权服务发送检查请求。</p></li><li><p>外部授权服务将决定是否允许请求通过。</p></li><li><p>如果允许,请求将继续,并且仍会受到由 <code>ALLOW</code>/<code>DENY</code> 操作定义的本地授权策略的约束。</p></li><li><p>如果被拒绝,请求将立即被拒绝。</p></li></ol><p>让我们看一下带有 <code>CUSTOM</code> 操作的示例授权策略:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: ext-authz
|
||
namespace: istio-system
|
||
spec:
|
||
# selector 适用于 istio-system 命名空间中的入口网关。
|
||
selector:
|
||
matchLabels:
|
||
app: istio-ingressgateway
|
||
# “CUSTOM” 操作将访问控制委托给外部授权者,
|
||
# 这与在代理内部强制执行访问控制权的 ALLOW/DENY 操作不同。
|
||
action: CUSTOM
|
||
# provider 指定在 meshconfig 中定义的外部授权者的名称,
|
||
# 该名称告知在哪里以及如何与外部授权服务通信。我们稍后会详细介绍这一点。
|
||
provider:
|
||
name: "my-ext-authz-service"
|
||
# 这条规则指定只有请求路径有前缀 “/admin/” 时才触发访问控制。
|
||
# 这允许您轻松地根据请求启用或禁用外部授权,避免在不需要时进行外部检查请求。
|
||
rules:
|
||
- to:
|
||
- operation:
|
||
paths: ["/admin/*"]</code></pre><p>此示例引用了一个在网格配置中定义的、名为 <code>my-ext-authz-service</code> 的提供程序:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>extensionProviders:
|
||
# name 为 “my-ext-authz-service”,授权策略通过其 provider 字段引用该名称。
|
||
- name: "my-ext-authz-service"
|
||
# “envoyExtAuthzGrpc” 字段指定外部授权服务的类型:此处为实现 Envoy ext-authz 过滤器 gRPC API 的服务。
|
||
# 另一种支持的类型是 Envoy ext-authz 过滤器 HTTP API。
|
||
# See more in https://www.envoyproxy.io/docs/envoy/v1.16.2/intro/arch_overview/security/ext_authz_filter.
|
||
# 更多信息请参见 https://www.envoyproxy.io/docs/envoy/v1.16.2/intro/arch_overview/security/ext_authz_filter。
|
||
envoyExtAuthzGrpc:
|
||
# service 和 port 指定外部 auth 服务的地址,
|
||
# “ext-authz.istio-system.svc.cluster.local” 表示该服务部署在网格中。
|
||
# 它也可以在网格之外定义,甚至可以在 Pod 内部定义为单独的容器。
|
||
service: "ext-authz.istio-system.svc.cluster.local"
|
||
port: 9000</code></pre><p>授权策略中的 <a href=/v1.24/zh/docs/reference/config/security/authorization-policy/#AuthorizationPolicy-Action><code>CUSTOM</code> 操作</a>表示在运行时中启用外部授权,
|
||
可以配置为根据请求有条件地触发外部授权,
|
||
并且使用您已经用于其他操作的相同规则进行外部授权。</p><p>外部授权服务当前在 <a href=/v1.24/zh/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ExtensionProvider><code>meshconfig</code> API</a>
|
||
中定义并通过其名称进行引用。它可以部署在网格中,无论其是否带有代理。
|
||
如果使用代理,您可以进一步使用 <code>PeerAuthentication</code>
|
||
配置在代理和外部授权服务之间开启 mTLS。</p><p><code>CUSTOM</code> 操作目前仍然处于<strong>实验阶段</strong>;API
|
||
可能会基于用户反馈针对后续版本进行不兼容的修改。当授权策略规则与 <code>CUSTOM</code>
|
||
操作一起使用时,规则中目前不支持身份验证相关字段(例如源主体或 JWT 声明)。
|
||
单个工作负载上只允许使用一个提供程序,但您仍然可以在不同的工作负载上使用不同的提供程序。</p><p>有关详细信息,请参阅 <a href=https://docs.google.com/document/d/1V4mCQCw7mlGp0zSQQXYoBdbKMDnkPOjeyUb85U07iSI/edit>Better External Authorization 设计文档</a>。</p><h2 id=example-with-opa>OPA 示例</h2><p>在本节中,我们将演示如何使用 <code>CUSTOM</code> 操作以及
|
||
Open Policy Agent 作为入口网关上的外部授权程序。我们将有条件地在除
|
||
<code>/ip</code> 之外的所有路径上启用外部授权。</p><p>您还可以参考<a href=/v1.24/zh/docs/tasks/security/authorization/authz-custom/>外部授权任务</a>来获得使用
|
||
<code>ext-authz</code> 服务器示例的更基础介绍。</p><h3 id=create-the-example-opa-policy>创建 OPA 策略示例</h3><p>运行以下命令创建一个 OPA 策略,如果路径的前缀与 JWT
|
||
令牌中“path”声明(base64 编码)解码后的值匹配,并且令牌签名有效、处于 nbf 与 exp 所限定的有效期内,则允许该请求。注意:示例策略使用固定的共享密钥 “secret” 来验证令牌签名,仅用于演示:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat > policy.rego <<EOF
|
||
package envoy.authz
|
||
|
||
import input.attributes.request.http as http_request
|
||
|
||
default allow = false
|
||
|
||
token = {"valid": valid, "payload": payload} {
|
||
[_, encoded] := split(http_request.headers.authorization, " ")
|
||
[valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": "secret"})
|
||
}
|
||
|
||
allow {
|
||
is_token_valid
|
||
action_allowed
|
||
}
|
||
|
||
is_token_valid {
|
||
token.valid
|
||
now := time.now_ns() / 1000000000
|
||
token.payload.nbf <= now
|
||
now < token.payload.exp
|
||
}
|
||
|
||
action_allowed {
|
||
startswith(http_request.path, base64url.decode(token.payload.path))
|
||
}
|
||
EOF
|
||
$ kubectl create secret generic opa-policy --from-file policy.rego</code></pre><h3 id=deploy-httpbin-and-opa>部署 httpbin 和 OPA</h3><p>启用 Sidecar 注入:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl label ns default istio-injection=enabled</code></pre><p>运行以下命令部署 httpbin 示例应用程序和 OPA。
|
||
OPA 可以作为单独的容器部署在 httpbin Pod 中,也可以完全独立部署在单独的 Pod 中(注意:示例中 OPA 的 ext-authz gRPC 端口 9191 监听所有接口,生产环境中应限制对该端口的访问,例如通过 mTLS 或网络策略):</p><div id=tabset-zhblog2021better-external-authz-1 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-zhblog2021better-external-authz-1-0-panel id=tabset-zhblog2021better-external-authz-1-0-tab role=tab><span>在同一 Pod 中部署 OPA</span>
|
||
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-zhblog2021better-external-authz-1-1-panel id=tabset-zhblog2021better-external-authz-1-1-tab role=tab><span>在单独的 Pod 中部署 OPA</span></button></div><div class=tab-content><div id=tabset-zhblog2021better-external-authz-1-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-zhblog2021better-external-authz-1-0-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - <<EOF
|
||
apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: httpbin-with-opa
|
||
labels:
|
||
app: httpbin-with-opa
|
||
service: httpbin-with-opa
|
||
spec:
|
||
ports:
|
||
- name: http
|
||
port: 8000
|
||
targetPort: 80
|
||
selector:
|
||
app: httpbin-with-opa
|
||
---
|
||
# 在 9191 端口为本地 OPA 服务定义服务条目。
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: local-opa-grpc
|
||
spec:
|
||
hosts:
|
||
- "local-opa-grpc.local"
|
||
endpoints:
|
||
- address: "127.0.0.1"
|
||
ports:
|
||
- name: grpc
|
||
number: 9191
|
||
protocol: GRPC
|
||
resolution: STATIC
|
||
---
|
||
kind: Deployment
|
||
apiVersion: apps/v1
|
||
metadata:
|
||
name: httpbin-with-opa
|
||
labels:
|
||
app: httpbin-with-opa
|
||
spec:
|
||
replicas: 1
|
||
selector:
|
||
matchLabels:
|
||
app: httpbin-with-opa
|
||
template:
|
||
metadata:
|
||
labels:
|
||
app: httpbin-with-opa
|
||
spec:
|
||
containers:
|
||
- image: docker.io/kennethreitz/httpbin
|
||
imagePullPolicy: IfNotPresent
|
||
name: httpbin
|
||
ports:
|
||
- containerPort: 80
|
||
- name: opa
|
||
image: openpolicyagent/opa:latest-envoy
|
||
securityContext:
|
||
runAsUser: 1111
|
||
volumeMounts:
|
||
- readOnly: true
|
||
mountPath: /policy
|
||
name: opa-policy
|
||
args:
|
||
- "run"
|
||
- "--server"
|
||
- "--addr=localhost:8181"
|
||
- "--diagnostic-addr=0.0.0.0:8282"
|
||
- "--set=plugins.envoy_ext_authz_grpc.addr=:9191"
|
||
- "--set=plugins.envoy_ext_authz_grpc.query=data.envoy.authz.allow"
|
||
- "--set=decision_logs.console=true"
|
||
- "--ignore=.*"
|
||
- "/policy/policy.rego"
|
||
livenessProbe:
|
||
httpGet:
|
||
path: /health?plugins
|
||
scheme: HTTP
|
||
port: 8282
|
||
initialDelaySeconds: 5
|
||
periodSeconds: 5
|
||
readinessProbe:
|
||
httpGet:
|
||
path: /health?plugins
|
||
scheme: HTTP
|
||
port: 8282
|
||
initialDelaySeconds: 5
|
||
periodSeconds: 5
|
||
volumes:
|
||
- name: proxy-config
|
||
configMap:
|
||
name: proxy-config
|
||
- name: opa-policy
|
||
secret:
|
||
secretName: opa-policy
|
||
EOF</code></pre></div><div hidden id=tabset-zhblog2021better-external-authz-1-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-zhblog2021better-external-authz-1-1-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - <<EOF
|
||
apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: opa
|
||
labels:
|
||
app: opa
|
||
spec:
|
||
ports:
|
||
- name: grpc
|
||
port: 9191
|
||
targetPort: 9191
|
||
selector:
|
||
app: opa
|
||
---
|
||
kind: Deployment
|
||
apiVersion: apps/v1
|
||
metadata:
|
||
name: opa
|
||
labels:
|
||
app: opa
|
||
spec:
|
||
replicas: 1
|
||
selector:
|
||
matchLabels:
|
||
app: opa
|
||
template:
|
||
metadata:
|
||
labels:
|
||
app: opa
|
||
spec:
|
||
containers:
|
||
- name: opa
|
||
image: openpolicyagent/opa:latest-envoy
|
||
securityContext:
|
||
runAsUser: 1111
|
||
volumeMounts:
|
||
- readOnly: true
|
||
mountPath: /policy
|
||
name: opa-policy
|
||
args:
|
||
- "run"
|
||
- "--server"
|
||
- "--addr=localhost:8181"
|
||
- "--diagnostic-addr=0.0.0.0:8282"
|
||
- "--set=plugins.envoy_ext_authz_grpc.addr=:9191"
|
||
- "--set=plugins.envoy_ext_authz_grpc.query=data.envoy.authz.allow"
|
||
- "--set=decision_logs.console=true"
|
||
- "--ignore=.*"
|
||
- "/policy/policy.rego"
|
||
ports:
|
||
- containerPort: 9191
|
||
livenessProbe:
|
||
httpGet:
|
||
path: /health?plugins
|
||
scheme: HTTP
|
||
port: 8282
|
||
initialDelaySeconds: 5
|
||
periodSeconds: 5
|
||
readinessProbe:
|
||
httpGet:
|
||
path: /health?plugins
|
||
scheme: HTTP
|
||
port: 8282
|
||
initialDelaySeconds: 5
|
||
periodSeconds: 5
|
||
volumes:
|
||
- name: proxy-config
|
||
configMap:
|
||
name: proxy-config
|
||
- name: opa-policy
|
||
secret:
|
||
secretName: opa-policy
|
||
EOF</code></pre><p>同样部署 httpbin:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.24/samples/httpbin/httpbin.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f @samples/httpbin/httpbin.yaml@</code></pre></div></div></div></div><h3 id=define-external-authorizer>定义外部授权程序</h3><p>运行以下命令来编辑 <code>meshconfig</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl edit configmap istio -n istio-system</code></pre><p>将以下 <code>extensionProviders</code> 添加到 <code>meshconfig</code> 中:</p><div id=tabset-zhblog2021better-external-authz-2 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-zhblog2021better-external-authz-2-0-panel id=tabset-zhblog2021better-external-authz-2-0-tab role=tab><span>在同一 Pod 中部署 OPA</span>
|
||
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-zhblog2021better-external-authz-2-1-panel id=tabset-zhblog2021better-external-authz-2-1-tab role=tab><span>在单独的 Pod 中部署 OPA</span></button></div><div class=tab-content><div id=tabset-zhblog2021better-external-authz-2-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-zhblog2021better-external-authz-2-0-tab><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: v1
|
||
data:
|
||
mesh: |-
|
||
# Add the following contents:
|
||
extensionProviders:
|
||
- name: "opa.local"
|
||
envoyExtAuthzGrpc:
|
||
service: "local-opa-grpc.local"
|
||
port: "9191"</code></pre></div><div hidden id=tabset-zhblog2021better-external-authz-2-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-zhblog2021better-external-authz-2-1-tab><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: v1
|
||
data:
|
||
mesh: |-
|
||
# Add the following contents:
|
||
extensionProviders:
|
||
- name: "opa.default"
|
||
envoyExtAuthzGrpc:
|
||
service: "opa.default.svc.cluster.local"
|
||
port: "9191"</code></pre></div></div></div><h3 id=create-an-authorizationpolicy-with-a-custom-action>使用 CUSTOM 操作创建 AuthorizationPolicy</h3><p>运行以下命令创建授权策略,在除 <code>/ip</code> 之外的所有路径上启用外部授权:</p><div id=tabset-zhblog2021better-external-authz-3 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-zhblog2021better-external-authz-3-0-panel id=tabset-zhblog2021better-external-authz-3-0-tab role=tab><span>在同一 Pod 中部署 OPA</span>
|
||
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-zhblog2021better-external-authz-3-1-panel id=tabset-zhblog2021better-external-authz-3-1-tab role=tab><span>在单独的 Pod 中部署 OPA</span></button></div><div class=tab-content><div id=tabset-zhblog2021better-external-authz-3-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-zhblog2021better-external-authz-3-0-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - <<EOF
|
||
apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: httpbin-opa
|
||
spec:
|
||
selector:
|
||
matchLabels:
|
||
app: httpbin-with-opa
|
||
action: CUSTOM
|
||
provider:
|
||
name: "opa.local"
|
||
rules:
|
||
- to:
|
||
- operation:
|
||
notPaths: ["/ip"]
|
||
EOF</code></pre></div><div hidden id=tabset-zhblog2021better-external-authz-3-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-zhblog2021better-external-authz-3-1-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - <<EOF
|
||
apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: httpbin-opa
|
||
spec:
|
||
selector:
|
||
matchLabels:
|
||
app: httpbin
|
||
action: CUSTOM
|
||
provider:
|
||
name: "opa.default"
|
||
rules:
|
||
- to:
|
||
- operation:
|
||
notPaths: ["/ip"]
|
||
EOF</code></pre></div></div></div><h3 id=test-the-opa-policy>测试 OPA 策略</h3><ol><li><p>创建一个客户端 Pod 来发送请求:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.24/samples/sleep/sleep.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f @samples/sleep/sleep.yaml@
|
||
$ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})</code></pre></div></li><li><p>使用由 OPA 签发的测试 JWT 令牌:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export TOKEN_PATH_HEADERS="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXRoIjoiTDJobFlXUmxjbk09IiwibmJmIjoxNTAwMDAwMDAwLCJleHAiOjE5MDAwMDAwMDB9.9yl8LcZdq-5UpNLm0Hn0nnoBHXXAnK4e8RSl9vn6l98"</code></pre><p>测试 JWT 令牌具有以下声明:</p><pre><code class=language-json data-expandlinks=true data-repo=istio>{
|
||
"path": "L2hlYWRlcnM=",
|
||
"nbf": 1500000000,
|
||
"exp": 1900000000
|
||
}</code></pre><p><code>path</code> 声明的值为 <code>L2hlYWRlcnM=</code>,它是 <code>/headers</code> 的 base64 编码格式。</p></li><li><p>在不携带令牌时向路径 <code>/headers</code> 发送请求。
|
||
由于没有 JWT 令牌,请求将被拒绝并返回 403 状态:</p><div id=tabset-zhblog2021better-external-authz-4 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-zhblog2021better-external-authz-4-0-panel id=tabset-zhblog2021better-external-authz-4-0-tab role=tab><span>在同一个 Pod 中部署 OPA</span>
|
||
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-zhblog2021better-external-authz-4-1-panel id=tabset-zhblog2021better-external-authz-4-1-tab role=tab><span>在单独的 Pod 中部署 OPA</span></button></div><div class=tab-content><div id=tabset-zhblog2021better-external-authz-4-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-zhblog2021better-external-authz-4-0-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/headers -s -o /dev/null -w "%{http_code}\n"
|
||
403</code></pre></div><div hidden id=tabset-zhblog2021better-external-authz-4-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-zhblog2021better-external-authz-4-1-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin:8000/headers -s -o /dev/null -w "%{http_code}\n"
|
||
403</code></pre></div></div></div></li><li><p>携带有效令牌向路径 <code>/get</code> 发送请求。因为路径为 <code>/get</code>
|
||
与令牌中的 <code>/headers</code> 路径不匹配,请求同样会被拒绝并返回 403 状态:</p><div id=tabset-zhblog2021better-external-authz-5 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-zhblog2021better-external-authz-5-0-panel id=tabset-zhblog2021better-external-authz-5-0-tab role=tab><span>在同一个 Pod 中部署 OPA</span>
|
||
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-zhblog2021better-external-authz-5-1-panel id=tabset-zhblog2021better-external-authz-5-1-tab role=tab><span>在单独的 Pod 中部署 OPA</span></button></div><div class=tab-content><div id=tabset-zhblog2021better-external-authz-5-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-zhblog2021better-external-authz-5-0-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/get -H "Authorization: Bearer $TOKEN_PATH_HEADERS" -s -o /dev/null -w "%{http_code}\n"
|
||
403</code></pre></div><div hidden id=tabset-zhblog2021better-external-authz-5-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-zhblog2021better-external-authz-5-1-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin:8000/get -H "Authorization: Bearer $TOKEN_PATH_HEADERS" -s -o /dev/null -w "%{http_code}\n"
|
||
403</code></pre></div></div></div></li><li><p>携带有效令牌向路径 <code>/headers</code> 发送请求。
|
||
由于路径与令牌匹配,请求会以 200 状态被允许:</p><div id=tabset-zhblog2021better-external-authz-6 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-zhblog2021better-external-authz-6-0-panel id=tabset-zhblog2021better-external-authz-6-0-tab role=tab><span>在同一个 Pod 中部署 OPA</span>
|
||
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-zhblog2021better-external-authz-6-1-panel id=tabset-zhblog2021better-external-authz-6-1-tab role=tab><span>在单独的 Pod 中部署 OPA</span></button></div><div class=tab-content><div id=tabset-zhblog2021better-external-authz-6-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-zhblog2021better-external-authz-6-0-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/headers -H "Authorization: Bearer $TOKEN_PATH_HEADERS" -s -o /dev/null -w "%{http_code}\n"
|
||
200</code></pre></div><div hidden id=tabset-zhblog2021better-external-authz-6-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-zhblog2021better-external-authz-6-1-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin:8000/headers -H "Authorization: Bearer $TOKEN_PATH_HEADERS" -s -o /dev/null -w "%{http_code}\n"
|
||
200</code></pre></div></div></div></li><li><p>不携带令牌向路径 <code>/ip</code> 发送请求。由于路径 <code>/ip</code>
|
||
被排除在授权之外,请求也会以 200 状态被允许:</p><div id=tabset-zhblog2021better-external-authz-7 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-zhblog2021better-external-authz-7-0-panel id=tabset-zhblog2021better-external-authz-7-0-tab role=tab><span>在同一个 Pod 中部署 OPA</span>
|
||
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-zhblog2021better-external-authz-7-1-panel id=tabset-zhblog2021better-external-authz-7-1-tab role=tab><span>在单独的 Pod 中部署 OPA</span></button></div><div class=tab-content><div id=tabset-zhblog2021better-external-authz-7-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-zhblog2021better-external-authz-7-0-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/ip -s -o /dev/null -w "%{http_code}\n"
200</code></pre></div><div hidden id=tabset-zhblog2021better-external-authz-7-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-zhblog2021better-external-authz-7-1-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin:8000/ip -s -o /dev/null -w "%{http_code}\n"
200</code></pre></div></div></div></li><li><p>检查代理和 OPA 日志以确认结果。</p></li></ol><h2 id=summary>总结</h2><p>在 Istio 1.9 中,授权策略中的 <code>CUSTOM</code> 操作允许您轻松地将
Istio 与任何外部授权系统集成,并具备以下优势:</p><ul><li><p>该模式是授权策略 API 中的推荐支持方式</p></li><li><p>易于使用:只需使用 URL 定义外部授权程序并启用授权策略,
不再需要使用繁琐的 <code>EnvoyFilter</code> API</p></li><li><p>根据条件触发,可以提高性能</p></li><li><p>支持外部授权方的各种部署类型:</p><ul><li><p>开启或不开启代理的 Pod 或普通服务</p></li><li><p>在工作负载 Pod 内作为一个单独的容器方式</p></li><li><p>位于网格外部</p></li></ul></li></ul><p>我们正努力在后续版本中将此功能提升到更稳定的阶段,
并欢迎您在 <a href=https://discuss.istio.io/c/security/>discuss.istio.io</a> 上提供反馈。</p><h2 id=acknowledgements>致谢</h2><p>感谢 Craig Box、Christian Posta 和 Limin Wang 对本博客的初稿进行审核。</p></div></article></body></html>