peerauthentication

以下策略允许在命名空间foo的所有工作负载MTLS流量:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: STRICT

对于网格级别,请根据您的Istio安装方式将策略放在root-namespace中.允许名称空间foo下的所有工作负载同时使用mTLS和纯文本流量的策略,但需要mTLS进行工作负载融资。

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: STRICT

允许对所有工作负载严格执行mTLS的策略,但将端口8080保留为纯文本格式:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: DISABLE

从名称空间(或网格)设置继承mTLS模式的策略,并覆盖端口8080的设置

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: UNSET
  portLevelMtls:
    8080:
      mode: DISABLE

Previousauthorizationpolicies Nextgateway

Last updated 4 years ago

Was this helpful?