PeerAuthentication
The following policy allows mTLS traffic for all workloads in namespace foo:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: STRICT
For mesh level, put the policy in the root namespace according to your Istio installation. The following policies allow both mTLS and plaintext traffic for all workloads under namespace foo, but require mTLS for the workload finance:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  # the workload-level policy needs a name distinct from the
  # namespace-level "default" above, otherwise applying it
  # overwrites that policy instead of coexisting with it
  name: finance
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: STRICT
Policy that enforces strict mTLS on the selected workloads (app: finance) but keeps port 8080 in plaintext:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: DISABLE
Policy that inherits the mTLS mode from the namespace (or mesh) settings and overrides the setting for port 8080:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: UNSET
  portLevelMtls:
    8080:
      mode: DISABLE
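The examples above rely on a precedence chain: a port-level entry beats the workload-level mode, a workload-level policy (one with a selector) beats the namespace-wide one, which beats the mesh-wide policy in the root namespace, and UNSET at any level means "inherit from the next level up"; when nothing is set, Istio treats the mode as PERMISSIVE. The following Python is an added example, not Istio's own code, that models this resolution over manifests shaped like the ones on this page so you can predict the effective mode before applying a change. It assumes istio-system as the root namespace (this depends on your installation) and, as a simplification, that at most one selector policy matches a given workload.

```python
from dataclasses import dataclass, field

# Assumed root namespace; Istio's real value depends on your installation.
ROOT_NAMESPACE = "istio-system"
DEFAULT_MODE = "PERMISSIVE"  # what Istio uses when every level is UNSET


@dataclass
class PeerAuth:
    name: str
    namespace: str
    mode: str = "UNSET"                         # spec.mtls.mode
    selector: dict = field(default_factory=dict)   # spec.selector.matchLabels
    port_level: dict = field(default_factory=dict) # spec.portLevelMtls {port: mode}


def from_manifest(doc: dict) -> PeerAuth:
    """Build a PeerAuth from a dict shaped like a parsed PeerAuthentication YAML."""
    spec = doc.get("spec", {})
    return PeerAuth(
        name=doc["metadata"]["name"],
        namespace=doc["metadata"]["namespace"],
        mode=spec.get("mtls", {}).get("mode", "UNSET"),
        selector=spec.get("selector", {}).get("matchLabels", {}),
        # YAML parsers yield int keys for "8080:"; normalise so lookups are stable
        port_level={int(p): v.get("mode", "UNSET")
                    for p, v in spec.get("portLevelMtls", {}).items()},
    )


def _matches(selector: dict, labels: dict) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())


def effective_mode(policies, namespace, labels, port=None) -> str:
    """Resolve the mTLS mode that applies to a workload (optionally one port).

    Order of precedence: port-level -> workload-level -> namespace-wide ->
    mesh-wide (root namespace) -> PERMISSIVE. UNSET steps to the next level.
    """
    mesh = [p for p in policies if p.namespace == ROOT_NAMESPACE and not p.selector]
    ns = [p for p in policies if p.namespace == namespace and not p.selector]
    wl = [p for p in policies
          if p.namespace == namespace and p.selector and _matches(p.selector, labels)]

    chain = []
    if wl:
        w = wl[0]  # simplification: assume a single matching selector policy
        if port is not None and port in w.port_level:
            chain.append(w.port_level[port])
        chain.append(w.mode)
    if ns:
        chain.append(ns[0].mode)
    if mesh:
        chain.append(mesh[0].mode)

    for mode in chain:
        if mode != "UNSET":
            return mode
    return DEFAULT_MODE


# Constructed manifests mirroring the page's PERMISSIVE namespace + STRICT finance example.
NS_PERMISSIVE = from_manifest({
    "metadata": {"name": "default", "namespace": "foo"},
    "spec": {"mtls": {"mode": "PERMISSIVE"}},
})
FINANCE_STRICT = from_manifest({
    "metadata": {"name": "finance", "namespace": "foo"},
    "spec": {"selector": {"matchLabels": {"app": "finance"}},
             "mtls": {"mode": "STRICT"}},
})
# The page's inherit-then-override-8080 example.
FINANCE_INHERIT = from_manifest({
    "metadata": {"name": "default", "namespace": "foo"},
    "spec": {"selector": {"matchLabels": {"app": "finance"}},
             "mtls": {"mode": "UNSET"},
             "portLevelMtls": {8080: {"mode": "DISABLE"}}},
})
MESH_STRICT = from_manifest({
    "metadata": {"name": "default", "namespace": ROOT_NAMESPACE},
    "spec": {"mtls": {"mode": "STRICT"}},
})

if __name__ == "__main__":
    pols = [NS_PERMISSIVE, FINANCE_STRICT]
    print("finance:", effective_mode(pols, "foo", {"app": "finance"}))   # STRICT
    print("other:  ", effective_mode(pols, "foo", {"app": "other"}))     # PERMISSIVE
    pols = [MESH_STRICT, FINANCE_INHERIT]
    print("finance:8080", effective_mode(pols, "foo", {"app": "finance"}, 8080))  # DISABLE
    print("finance:443 ", effective_mode(pols, "foo", {"app": "finance"}, 443))   # STRICT
```

Running the script with the page's manifests shows why the last example matters: with a STRICT mesh-wide policy in place, the UNSET workload policy keeps every port of finance on STRICT except 8080, whereas removing the mesh-wide policy silently drops those ports to PERMISSIVE.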