1

我正在尝试使用最简单的规则在 Istio 中设置 OPA 适配器以默认拒绝所有内容:

---
apiVersion: "config.istio.io/v1alpha2"
kind: authorization
metadata:
  name: authz-instance
  namespace: istio-demo
spec:
  subject:
    user: source.uid | ""
  action:
    namespace: destination.namespace | "default"
    service: destination.service | ""
    method: request.method | ""
    path: request.path | ""

---
apiVersion: "config.istio.io/v1alpha2"
kind: opa
metadata:
  name: opa-handler
  namespace: istio-demo
spec:
  policy:
    - |+
      package mixerauthz

      default allow = false
  checkMethod: "data.mixerauthz.allow"
  failClose: true

---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: authz-rule
  namespace: istio-demo
spec:
  match: "true"
  actions:
  - handler: opa-handler.opa.istio-demo
    instances:
    - authz-instance.authorization.istio-demo

当我应用它时,Istio 的策略抱怨找不到handler

istio-system/istio-policy-7f86484668-fc8lv[mixer]: 2019-08-12T15:58:21.798783Z  info    Built new config.Snapshot: id='9'
istio-system/istio-policy-7f86484668-fc8lv[mixer]: 2019-08-12T15:58:21.798819Z  error   2 errors occurred:
istio-system/istio-policy-7f86484668-fc8lv[mixer]:      * action='authz-rule.rule.istio-demo[0]': Handler not found: handler='opa-handler.opa.istio-demo'
istio-system/istio-policy-7f86484668-fc8lv[mixer]:      * rule=authz-rule.rule.istio-demo: No valid actions found in rule

我试图在istio-system命名空间中应用它,但同样的问题。

任何人都可以在这里帮忙吗?

提前致谢。

4

2 回答 2

2

I got this to work with Istio 1.4 installed with demo profile. It was also necessary to enable policies check by running:

istioctl manifest apply --set values.global.disablePolicyChecks=false --set values.pilot.policy.enabled=true

Find handler, authorization template and rule configuration below

apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: opa-handler
  namespace: istio-system
spec:
  compiledAdapter: opa
  params:
    policy:
      - |+
        package mixerauthz
        default allow = false
    checkMethod: "data.mixerauthz.allow"
    failClose: true

---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: authz-instance
  namespace: istio-system
spec:
  compiledTemplate: authorization
  params:
    subject:
      user: source.uid | ""
    action:
      namespace: destination.namespace | "default"
      service: destination.service.host | ""
      path: request.path | ""
      method: request.method | ""

---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
 name: auth
 namespace: istio-system
spec:
 actions:
 - handler: opa-handler.handler.istio-system
   instances:
   - authz-instance.instance.istio-system

Then I got 403 with this message in my web service (httpbin)

PERMISSION_DENIED:opa-handler.istio-system:opa: request was rejected, opa-handler.istio-system:opa: request was rejected
于 2019-11-27T13:56:11.460 回答
1

或者,您可以尝试在代理层强制执行相同类型策略的OPA/Istio/Envoy 集成

于 2019-08-16T14:45:21.573 回答