RequestAuthentication定义工作负载支持哪些请求身份验证方法。如果请求包含无效的身份验证信息,则根据配置的身份验证规则,If将拒绝该请求。不包含任何身份验证凭据的请求将被接受,但不具有任何身份验证身份。要仅限制对经过身份验证的请求的访问,应随附授权规则。例子:
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
jwtRules:
- issuer: "issuer-foo"
jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: ["*"]
以下示例说明如何为不同主机设置不同的JWT要求.RequestAuthentication声明它可以接受由issuer-foo或issuer-bar发出的JWT(公共密钥集是根据OpenID Connect规范隐式设置的)。
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
jwtRules:
- issuer: "issuer-foo"
- issuer: "issuer-bar"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: ["issuer-foo/*"]
to:
hosts: ["example.com"]
- from:
- source:
requestPrincipals: ["issuer-bar/*"]
to:
hosts: ["another-host.com"]
您可以微调授权策略以为每个路径设置不同的要求。例如,要在/ healthz以外的所有路径上都要求JWT,可以使用相同的RequestAuthentication,但是授权策略可以是:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: ["*"]
- to:
- operation:
paths: ["/healthz"]