ran.lu问题
想明白平台中的 external auth
related files
InstallationYTung/manifests/infra-charts/istio-controller/templates/configmap.yaml
{{- if .Values.global.enableExtAuthz }}
extensionProviders:
- name: "aaa-authz-grpc"
envoyExtAuthzGrpc:
service: "pch-bff-pipeline.apulis.svc.cluster.local"
port: "9000"
includeHeadersInCheck: ["Authorization"]
{{- end }}InstallationYTung/manifests/infra-charts/istio-controller/templates/authz-grpc.yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: aaa-grpc
namespace: istio-system
spec:
action: CUSTOM
provider:
# The provider name must match the extension provider defined in the mesh config.
name: aaa-authz-grpc
rules:
- when:
- key: request.headers[From]
values: ["fronted"]
to:
- operation:
paths: ["/api/v1*"]background
https://istio.io/latest/blog/2021/better-external-authz/
remark: well-written
Cluster Discovery Service.
The External authorization filter calls an authorization service to check if the incoming request is authorized or not. The filter can be either configured as a network filter, or as a HTTP filter or both. If the request is deemed unauthorized by the network filter then the connection will be closed. If the request is deemed unauthorized at the HTTP filter the request will be denied with 403 (Forbidden) response. The external authorization service cluster may be either statically configured or configured via the Cluster Discovery Service. If the external service is not available when a request comes in then whether the request is authorized or not is defined by the configuration setting of failure_mode_allow configuration in the applicable network filter or HTTP filter. If it is set to true then the request will be permitted (fail open) otherwise it will be denied. The default setting is false.
Cluster Discovery Service?