istio.io/archive/v1.20/zh/blog/2019/app-identity-and-access-ada.../index.html


<!doctype html><html lang=zh itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="APP 身份和访问适配器"><meta name=description content="使用 Istio 实现零代码改动保护多云 Kubernetes 应用。"><meta name=author content="Anton Aleksandrov (IBM)"><meta name=keywords content="microservices,services,mesh,security,oidc,jwt,policies"><meta property="og:title" content="APP 身份和访问适配器"><meta property="og:type" content="website"><meta property="og:description" content="使用 Istio 实现零代码改动保护多云 Kubernetes 应用。"><meta property="og:url" content="/v1.20/zh/blog/2019/app-identity-and-access-adapter/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.png"><meta property="og:image:alt" content="The Istio sailboat logo"><meta property="og:image:width" content="4096"><meta property="og:image:height" content="2048"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary_large_image"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.20 / APP 身份和访问适配器</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.20/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.20/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.20/feed.xml><link rel="shortcut icon" href=/v1.20/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.20/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.20/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.20/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.20/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.20/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.20/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.20/favicons/android-96x96.png sizes=96x96><link rel=icon type=image/png href=/v1.20/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.20/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.20/favicons/favicon.svg><link rel=icon type=image/png href=/v1.20/favicons/favicon.png><link rel=mask-icon href=/v1.20/favicons/safari-pinned-tab.svg color=#466BB0><link rel=manifest href=/v1.20/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.20/css/all.css><link rel=preconnect href=https://fonts.googleapis.com><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link 
rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.20/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.20",docTitle="APP 身份和访问适配器",iconFile="/v1.20//img/icons.svg",buttonCopy="复制到剪切板",buttonPrint="打印",buttonDownload="下载"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.20/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.20/zh/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 
1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 
00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span>
</a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation">
<svg class="icon menu-hamburger"><use xlink:href="/v1.20/img/icons.svg#menu-hamburger"/></svg>
</button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.20/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>关于</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.20/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.20/zh/about/service-mesh class=main-navigation-links-link>服务网格</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.20/zh/about/solutions class=main-navigation-links-link>解决方案</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.20/zh/about/case-studies class=main-navigation-links-link>案例学习</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.20/zh/about/ecosystem class=main-navigation-links-link>生态系统</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.20/zh/about/deployment class=main-navigation-links-link>部署</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.20/zh/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.20/zh/blog/ class=main-navigation-links-link><span>博客</span></a></li><li class=main-navigation-links-item><a href=/v1.20/zh/news/ class=main-navigation-links-link><span>新闻</span></a></li><li class=main-navigation-links-item><a href=/v1.20/zh/get-involved/ class=main-navigation-links-link><span>加入我们</span></a></li><li class=main-navigation-links-item><a href=/v1.20/zh/docs/ class=main-navigation-links-link><span>文档</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title='搜索 istio.io' aria-label=搜索><svg class="icon magnifier"><use xlink:href="/v1.20/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.20/zh/docs/setup/getting-started class="btn btn--primary" id=try-istio>试用 Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=zh>
<input type=hidden id=search-page-url value=/zh/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label='搜索 istio.io' placeholder=搜索>
<button id=search-close title=取消搜索 type=reset aria-label=取消搜索><svg class="icon menu-close"><use xlink:href="/v1.20/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>APP 身份和访问适配器</h1><p>使用 Istio 实现零代码改动保护多云 Kubernetes 应用。</p></div><p class=post-author>Sep 18, 2019 <span>| </span>By Anton Aleksandrov - IBM</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.20/img/icons.svg#callout-warning"/></svg></div><div class=content>该博客文章是在 Istio 1.3 的版本下编写的,因此其中某些内容现在可能已过时。尤其是本文所依赖的 Mixer 组件已在之后的 Istio 版本中被弃用并移除,文中的配置无法直接用于当前版本。</div></aside></div><div><p>如果在 Kubernetes 以容器化的方式运行应用,就可以使用 App 身份和访问适配器获得抽象级别的安全性,而无需更改代码或重新部署。</p><p>无论您的运行环境是单云提供商,还是多个云提供商的组合或者遵循混合云的方式,集中式身份管理都可以帮助您维护现有基础设施并避免被云供应商绑定。</p><p>有了 <a href=https://github.com/ibm-cloud-security/app-identity-and-access-adapter>App 身份和访问适配器</a>,就可以使用以下 OAuth2/OIDC 提供商:IBM Cloud App ID、Auth0、Okta、Ping Identity、AWS Cognito、Azure AD B2C 等。身份和授权策略可以以高效的方式应用在所有环境(包括前端和后端应用程序),而无需修改代码或重新部署。</p><h2 id=understanding-Istio-and-the-adapter>了解 Istio 和其适配器</h2><p><a href=/v1.20/zh/docs/concepts/what-is-istio/>Istio</a> 是一个开源的服务网格,它对分布式应用来说是一个透明层,它可以和 Kubernetes 无缝集成。为了降低部署复杂性,Istio 提供了对整个服务网格的行为洞察和操作控制。详见 <a href=/v1.20/zh/docs/ops/deployment/architecture/>Istio 架构</a>。</p><p>Istio 使用 Envoy sidecar 代理来调整服务网格中所有 Pod 的入站和出站流量。Istio 从 Envoy sidecar 中提取遥测数据,并将其发送到负责收集遥测数据和执行策略的 Istio 组件 Mixer。</p><p>APP 身份和访问适配器通过分析针对服务网格上各种访问控制策略的遥测数据(属性)扩展 Mixer 的功能。访问控制策略可以关联到具体的 Kubernetes 服务,并且可以微调到特定的服务端点。关于策略和遥测信息的详情请看 Istio 的文档。</p><p><a href=https://github.com/ibm-cloud-security/app-identity-and-access-adapter>App 身份和访问适配器</a>结合到 Istio 中后,为多云架构提供可扩展的、集成身份和访问解决方案,而且不需要修改任何应用程序代码。</p><h2 id=installation>安装</h2><p>可以直接使用 <code>github.com</code> 仓库中的 Helm 来安装 APP 身份和访问适配器。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ helm repo add appidentityandaccessadapter 
https://raw.githubusercontent.com/ibm-cloud-security/app-identity-and-access-adapter/master/helm/appidentityandaccessadapter
$ helm install --name appidentityandaccessadapter appidentityandaccessadapter/appidentityandaccessadapter
</code></pre><p>另外,可以从 <code>github.com</code> 仓库 clone 下来,在本地用 Helm chart 进行安装。这种方式可以在安装前检出固定的标签或提交并审查 chart 内容,而不是直接信任 master 分支上随时可能变化的内容。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ git clone git@github.com:ibm-cloud-security/app-identity-and-access-adapter.git
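# The chart path below is relative to the root of the cloned repository.
$ cd app-identity-and-access-adapter
$ helm install ./helm/appidentityandaccessadapter --name appidentityandaccessadapter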
</code></pre><h2 id=protecting-web-applications>保护 web 应用程序</h2><p>Web 应用程序通常是由 OpenID Connect (OIDC) 工作流保护,也被叫做 <code>authorization_code</code>。当检测到未经认证或未经授权的用户时,他们会被自动重定向到所选择的身份服务并看到认证页面。身份验证完成后,浏览器将重定向回适配器拦截的隐式 <code>/oidc/callback</code> 端点。此时,适配器从身份服务获取访问和身份令牌,然后将用户重定向回 Web 应用程序中最初请求的 URL。</p><p>身份状态和令牌是由适配器维护管理的。适配器处理的每个请求会包含访问和身份令牌的认证头,其格式是:<code>Authorization: Bearer &lt;access_token&gt; &lt;id_token&gt;</code>。</p><p>开发者可以读取令牌(token)中的信息来调整应用程序的用户体验,比如显示用户名、根据用户角色适配用户界面等。</p><p>为了终止经过身份验证的会话并且清除令牌(即用户注销),只需将浏览器重定向到受保护服务下的 <code>/oidc/logout</code> 端点即可。例如,从 <code>https://example.com/myapp</code> 中将应用程序重定向到 <code>https://example.com/myapp/oidc/logout</code>。</p><p>无论何时访问令牌过期了,系统都会通过刷新令牌自动获取一个新的访问和身份令牌,而无需重新进行身份验证。如果已配置的身份认证提供商返回一个刷新令牌,适配器会将其持久保存,用于老令牌过期时,重新获取新的访问和身份令牌。</p><h3 id=applying-web-application-protection>应用 web 应用程序保护</h3><p>保护 web 应用程序需要创建 2 种类型的资源 - <code>OidcConfig</code> 资源用于定义各种 OIDC 服务提供商,<code>Policy</code> 资源用于定义 web 应用保护策略。</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;security.cloud.ibm.com/v1&#34;
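kind: OidcConfig
metadata:
  # Policy resources refer to this OIDC provider definition by this name.
  name: my-oidc-provider-config
  namespace: sample-namespace
spec:
  discoveryUrl: &lt;discovery-url-from-oidc-provider&gt;
  clientId: &lt;client-id-from-oidc-provider&gt;
  # The client secret is referenced from a Kubernetes Secret (name and key)
  # instead of being written inline in this resource.
  clientSecretRef:
    name: &lt;kubernetes-secret-name&gt;
    key: &lt;kubernetes-secret-key&gt;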
</code></pre><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;security.cloud.ibm.com/v1&#34;
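kind: Policy
metadata:
  name: my-sample-web-policy
  namespace: sample-namespace
spec:
  targets:
    - serviceName: &lt;kubernetes-service-name-to-protect&gt;
      paths:
        - prefix: /webapp
          method: ALL
          policies:
            - policyType: oidc
              # Name of the OidcConfig resource that defines the OIDC provider.
              config: my-oidc-provider-config
              # Claim checks against the access token; the whole list is optional.
              rules: # optional
                - claim: iss
                  match: ALL
                  source: access_token
                  values:
                    - &lt;expected-issuer-id&gt;
                - claim: scope
                  match: ALL
                  source: access_token
                  values:
                    - openid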
</code></pre><p><a href=https://github.com/ibm-cloud-security/app-identity-and-access-adapter>阅读更多关于如何保护 web 应用程序</a></p><h2 id=protecting-backend-application-and-APIs>保护后端应用程序和 API</h2><p>后端应用程序和 API 的保护是使用 Bearer Token 工作流对特定的策略验证传入的令牌。Bearer Token 授权流程需要在请求中包含 <code>Authorization</code> 头,这个头以 JWT 格式包含了有效的访问令牌。需要的头结构是:<code>Authorization: Bearer {access_token}</code>。如果令牌验证成功请求会被发往被请求的服务。如果令牌验证失败会给客户端返回 HTTP 401 以及访问这个 API 所需要的权限列表。</p><h3 id=applying-backend-application-and-APIs-protection>应用后端程序和 API 保护</h3><p>保护后端程序和 API 需要创建 2 种类型的资源 - <code>JwtConfig</code> 用于定义各种 JWT 服务提供者,<code>Policy</code> 用于定义后端应用保护策略。</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;security.cloud.ibm.com/v1&#34;
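kind: JwtConfig
metadata:
  # Policy resources of policyType jwt refer to this definition by this name.
  name: my-jwt-config
  namespace: sample-namespace
spec:
  # JWKS endpoint of the token issuer; presumably the source of the keys used
  # to verify token signatures, so point it at the trusted provider's HTTPS URL.
  jwksUrl: &lt;the-jwks-url&gt;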
</code></pre><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;security.cloud.ibm.com/v1&#34;
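kind: Policy
metadata:
  name: my-sample-backend-policy
  namespace: sample-namespace
spec:
  targets:
    - serviceName: &lt;kubernetes-service-name-to-protect&gt;
      paths:
        - prefix: /api/files
          method: ALL
          policies:
            - policyType: jwt
              # Must name the JwtConfig resource (my-jwt-config), not the
              # OidcConfig used by the web application policy.
              config: my-jwt-config
              # Claim checks against the access token; the whole list is optional.
              rules: # optional
                - claim: iss
                  match: ALL
                  source: access_token
                  values:
                    - &lt;expected-issuer-id&gt;
                - claim: scope
                  match: ALL
                  source: access_token
                  values:
                    - files.read
                    - files.write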
</code></pre><p><a href=https://github.com/ibm-cloud-security/app-identity-and-access-adapter>阅读更多如何保护后端应用程序</a></p><h2 id=known-limitations>已知的局限性</h2><p>在写这篇博客的时候,有 2 个关于 APP 身份和访问适配器的已知局限性问题:</p><ul><li><p>如果在 Web 应用程序上启用 APP 身份和访问适配器,只能创建 1 个适配器的副本。由于 Envoy 代理处理 HTTP 头的方式,Mixer 有可能给 Envoy 返回多个 <code>Set-Cookie</code> 头。因此,不能设置 Web 应用程序想要设置的所有 cookie。这个问题最近在 Envoy 和 Mixer 的开发上被讨论,计划在后期适配器的版本中解决。<strong>注意:这个问题只影响 Web 应用程序,并不会以任何方式影响后端 APP 和 API。</strong></p></li><li><p>作为一般最佳实践,集群内通信应该永远考虑使用双向 TLS 通信。现在 Mixer 与 APP 身份和访问适配器之间的通信通道并没有使用双向 TLS 通信。未来计划根据 <a href=https://github.com/istio/istio/wiki/Mixer-Out-of-Process-Adapter-Walkthrough#step-7-encrypt-connection-between-mixer-and-grpc-adapter>Mixer 适配器开发指引</a>实现解决这个问题。</p></li></ul><h2 id=summary>总结</h2><p>当多云部署实施时,随着环境的发展和多样性,安全也会变得复杂起来。尽管云提供商提供协议和工具来确保其产品的安全性,开发团队仍然要负责应用程序级别的安全,比如基于 OAuth2 的 API 访问控制,通过流量加密防御中间人攻击以及为服务访问控制提供双向 TLS。但是在多云环境中这会变得复杂,因为可能要分别为每个服务定义它的安全策略。有了适当的安全协议,这些外部和内部的威胁就可以减轻了。</p><p>开发团队花时间让服务能够移植到不同的云提供商,在同等情况下,安全应该更灵活而不依赖基础设施。</p><p>Istio 和 APP 身份和访问适配器可以加固 Kubernetes app 的安全性,并且无关编程语言和框架,不需要修改任何一行代码并重新部署。使用这种方式保证了 app 的最大可移植性,并且可以在多个环境中方便的去执行相同的安全策略。</p><p>可以在<a href=https://www.ibm.com/cloud/blog/using-istio-to-secure-your-multicloud-kubernetes-applications-with-zero-code-change>发布博客</a>上阅读更多关于 APP 身份和访问适配器的信息。</p></div><nav class=pagenav><div class=left><a title="如何使用 Istio 去监控被阻止的和透传的外部服务流量。" href=/v1.20/zh/blog/2019/monitoring-external-service-traffic/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.20/img/icons.svg#left-arrow"/></svg>监控被阻止的和透传的外部服务流量</a></div><div class=right><a title="本文演示 Mixer 进程外适配器实现 Knative scale-from-zero 逻辑的具体过程。" href=/v1.20/zh/blog/2019/knative-activator-adapter/ class=next-link>适用于 Knative 的 Mixer 适配器<svg class="icon right-arrow"><use xlink:href="/v1.20/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title='Istio 的代码在 
GitHub 上开发' href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.20/img/icons.svg#github"/></svg>
</a><a class=channel title='如果您想深入了解 Istio 的技术细节,请查看我们日益完善的设计文档' href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.20/img/icons.svg#drive"/></svg>
</a><a class=channel title='在 Slack 上与 Istio 社区交互讨论开发问题(仅限邀请)' href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.20/img/icons.svg#slack"/></svg>
</a><a class=channel title='Stack Overflow 中列举了针对实际问题以及部署、配置和使用 Istio 的各项回答' href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.20/img/icons.svg#stackoverflow"/></svg>
</a><a class=channel title='关注我们的 Twitter 来获取最新信息' href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.20/img/icons.svg#twitter"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.20/zh/ aria-label=logotype><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 
32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 lang=en id=switch-lang-en class=footer-languages-item>English
</a><a tabindex=-1 lang=zh id=switch-lang-zh class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.20/img/icons.svg#tick"/></svg>
中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://www.linuxfoundation.org/legal/terms>条款
</a>|
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/privacy-policy>隐私政策
</a>|
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/trademark-usage>商标
</a>|
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.20/content/zh/index>在 GitHub 上编辑此页</a></li></ul><div class=footer-base><span class=footer-base-copyright>&copy; 2024 the Istio Authors.</span>
<span class=footer-base-version>部分内容可能滞后于英文版本,同步工作正在进行中<br>版本
Istio 归档
1.20.3</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/blog/2019/app-identity-and-access-adapter/"),!1'>当前版本</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/blog/2019/app-identity-and-access-adapter/"),!1'>下个版本</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>旧版本</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title=回到顶部 tabindex=-1><svg class="icon top"><use xlink:href="/v1.20/img/icons.svg#top"/></svg></button></div></body></html>