
I followed the installation documentation at https://github.com/ibm-cloud-security/app-identity-and-access-adapter. Everything seems to have installed correctly (although I did have to update the oidc-config.yaml and policy.yaml template files to prevent an error about the discoveryUrl pattern).

I am using the OIDC sample policy from the samples folder, updated with my URL and client secret.

In the mixer I am getting the following errors:

2020-01-11T16:26:43.920036Z info    grpc: addrConn.createTransport failed to connect to {svc-appidentityandaccessadapter:47304 0  <nil>}. Err :connection error: desc = "transport: Error while dialing dial tcp 10.43.152.188:47304: i/o timeout". Reconnecting...
2020-01-11T16:26:43.920168Z info    base.baseBalancer: handle SubConn state change: 0xc000646bc0, TRANSIENT_FAILURE
2020-01-11T16:26:44.920497Z info    base.baseBalancer: handle SubConn state change: 0xc000646bc0, CONNECTING
2020-01-11T16:26:44.920804Z info    roundrobinPicker: newPicker called with readySCs: map[]
2020-01-11T16:26:44.924250Z info    base.baseBalancer: handle SubConn state change: 0xc000646bc0, READY
2020-01-11T16:26:44.924615Z info    roundrobinPicker: newPicker called with readySCs: map[{svc-appidentityandaccessadapter:47304 0  <nil>}:0xc000646bc0]

It looks like it is in the READY state, but when I load the application in a web browser nothing happens and I can access the application directly.

Adapter logs:

2020-01-11T16:26:24.518Z    info    initializer/policyinitializer.go:112    Successfully constructed k8s client {"source": "appidentityandaccessadapter-adapter"}
2020-01-11T16:26:24.562Z    info    web/web.go:390  Synced secret: appidentityandaccessadapter-cookie-sig-enc-keys  {"source": "appidentityandaccessadapter-adapter"}
2020-01-11T16:26:24.562Z    info    adapter/adapter.go:142  Listening on: [::]:47304    {"source": "appidentityandaccessadapter-adapter"}
2020-01-11T16:26:33.160Z    info    keyset/keyset.go:117    Synced public keys  {"source": "appidentityandaccessadapter-adapter", "url": "https:///auth/realms//protocol/openid-connect/certs"}
2020-01-11T16:26:33.160Z    info    keyset/keyset.go:50 Synced JWKs successfully.   {"source": "appidentityandaccessadapter-adapter", "url": "https:///auth/realms//protocol/openid-connect/certs"}
2020-01-11T16:26:33.160Z    info    crdeventhandler/add_event.go:55 OidcConfig created/updated  {"source": "appidentityandaccessadapter-adapter", "ID": "5b90d600-0ed4-4a42-b97f-379a502732f4", "name": "oidc-provider-config", "namespace": "default"}
2020-01-11T16:26:37.091Z    info    crdeventhandler/add_event.go:67 Policy created/updated  {"source": "appidentityandaccessadapter-adapter", "ID": "440e5c32-fb39-4e24-8f99-eab62dcf2502"}
1 Answer

Check disablePolicyCheck by running

kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks

If it returns disablePolicyCheck: true, run the following command:

istioctl manifest apply --set values.global.disablePolicyChecks=false \
 --set values.mixer.policy.enabled=true \
 --set values.pilot.policy.enabled=true

Istio currently does not honor the global.disablePolicyCheck setting without pilot.policy.enabled=true also being set.

Also, for performance reasons, the default profile in Istio sets mixer.policy.enabled to false.

After running the above command, the kubectl command returns disablePolicyChecks: false

answered 2020-01-22T17:32:44.203
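The check in this answer, as an added example (not code from the question, the answer, or the adapter project): a small POSIX shell function that reads the mesh config text the kubectl command prints and decides whether Mixer policy checks are disabled. Unlike the plain grep it also handles a quoted value, a commented-out line, trailing comments, and an absent key (reported as "unset" rather than guessed); the SAMPLE_MESH snippet is constructed for the demonstration, not taken from a real cluster.

```shell
#!/bin/sh
# policy_checks_disabled MESH_CONFIG_TEXT
# Prints "true", "false" or "unset" and returns 0 when policy checks are
# disabled (so no adapter, including app-identity-and-access-adapter, is ever
# called), 1 when they are enabled, 2 when the key is missing.
policy_checks_disabled() {
  # First uncommented disablePolicyChecks line; drop the key, any trailing
  # comment and whitespace, surrounding quotes, then lowercase the value.
  value=$(printf '%s\n' "$1" \
    | grep -E '^[[:space:]]*disablePolicyChecks[[:space:]]*:' \
    | head -n 1 \
    | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*#.*$//; s/[[:space:]]*$//' \
    | tr -d "\"'" \
    | tr '[:upper:]' '[:lower:]')
  case "$value" in
    true|yes|on)  echo true;  return 0 ;;
    false|no|off) echo false; return 1 ;;
    *)            echo unset; return 2 ;;   # absent or unrecognised: check by hand
  esac
}

# Constructed stand-in for the output of
#   kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}"
SAMPLE_MESH='
# disablePolicyChecks: false   <- commented out, must be ignored
disablePolicyChecks: "true"   # quoted, as some installers render it
disableMixerHttpReports: true
'

main() {
  if policy_checks_disabled "$SAMPLE_MESH" >/dev/null; then
    echo "policy checks are disabled; re-enable them with:"
    echo "  istioctl manifest apply --set values.global.disablePolicyChecks=false \\"
    echo "    --set values.mixer.policy.enabled=true --set values.pilot.policy.enabled=true"
  else
    echo "policy checks are not disabled; look at the adapter handler, instance and rule instead"
  fi
}
main
```

To run it against a live cluster, replace SAMPLE_MESH with `$(kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}")`.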