Istio- 请求认证基于Keycloak案例-[提供身份管理和访问管理]【十一】
认证服务开源解决方案:KeyCloak
配置服务基于OIDC将最终用户的认证机制委托给第三方(KeyCloak)有两种实现方案
(1)使用oauth2代理
(2)v1.19版本之后支持的OAuth2 filter
对JWT认证功能的演示分两步进行:
(1) 由Client自行向Issuer请求Token,并自行附带Token认证到Server;
(2) 使用oauth2代理,由Server自动返回认证界面给客户端;
PDF - Istio服务网格(2022-09-17).pdf - Page 35
部署keycloak
[root@xksmaster1 04-RequestAuthn-and-AuthzPolicy]# cat 01-deploy-keycloak.yaml
---
# 01-deploy-keycloak.yaml: Namespace, Service and single-replica Deployment for
# the Keycloak instance that acts as the OIDC issuer in this lab. Indentation
# was flattened in the paste; restore it before applying.
apiVersion: v1
kind: Namespace
metadata:
name: keycloak
---
apiVersion: v1
kind: Service
metadata:
name: keycloak
namespace: keycloak
labels:
app: keycloak
spec:
ports:
- name: http
port: 8080
targetPort: 8080
selector:
app: keycloak
# LoadBalancer publishes the admin console and token endpoint directly on
# plain HTTP :8080 (later given an externalIP). Outside a lab, a ClusterIP
# behind the Istio gateway is the tighter option.
type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: keycloak
namespace: keycloak
labels:
app: keycloak
spec:
replicas: 1
selector:
matchLabels:
app: keycloak
template:
metadata:
labels:
app: keycloak
spec:
containers:
- name: keycloak
# Pinned legacy (WildFly-based) image. The /auth URL prefix and the
# KEYCLOAK_USER/KEYCLOAK_PASSWORD variables used below belong to this line
# of images; newer images use different variables and paths — confirm
# before bumping the tag.
image: quay.io/keycloak/keycloak:16.1.1
#image: quay.io/keycloak/keycloak:18.0.0-legacy
env:
# Lab-only bootstrap admin credentials. Plain-text values in a Deployment
# end up in etcd, `kubectl get -o yaml` output and git history; prefer a
# Secret referenced via valueFrom.secretKeyRef and change the password
# after the first login.
- name: KEYCLOAK_USER
value: "admin"
- name: KEYCLOAK_PASSWORD
value: "admin"
# Tells Keycloak to honor X-Forwarded-* headers from the proxy in front of
# it (here the Istio ingress gateway). Only appropriate when that proxy is
# the sole path to the pod; a directly reachable pod would accept
# client-supplied forwarded address/scheme values.
- name: PROXY_ADDRESS_FORWARDING
value: "true"
ports:
- name: http
containerPort: 8080
- name: https
containerPort: 8443
# Readiness is judged by the master realm's public discovery endpoint over
# plain HTTP; no auth is required for it.
readinessProbe:
httpGet:
path: /auth/realms/master
port: 8080
[root@xksmaster1 keycloak]# kubectl get pods -n keycloak
NAME READY STATUS RESTARTS AGE
keycloak-57bbb98956-zgrwl 1/1 Running 0 41m
暴露服务一、
#开放网关 访问 keycloak
[root@xksmaster1 keycloak]# cat keycloak-gateway.yaml
# keycloak-gateway.yaml: plain-HTTP listener on the ingress gateway for the
# Keycloak hostname. Login forms, passwords and issued tokens cross this hop
# unencrypted — acceptable for a lab only; an HTTPS server entry (protocol:
# HTTPS with tls.credentialName) is the production shape.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: keycloak-gateway
namespace: istio-system
spec:
selector:
app: istio-ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "keycloak.magedu.com"
---
[root@xksmaster1 keycloak]# cat keycloak-destinationrule.yaml
# keycloak-destinationrule.yaml: turns TLS off for mesh traffic to the keycloak
# service. Presumably needed because the keycloak namespace has no sidecar
# (not shown on this page) — TODO confirm. If mesh-wide mTLS is on, this is
# the line that exempts Keycloak from it.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: keycloak
namespace: keycloak
spec:
host: keycloak
trafficPolicy:
tls:
mode: DISABLE
---
[root@xksmaster1 keycloak]# cat keycloak-virtualservice.yaml
# keycloak-virtualservice.yaml: routes every path for keycloak.magedu.com from
# the gateway above to the keycloak service on :8080.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: keycloak-virtualservice
namespace: keycloak
spec:
hosts:
- "keycloak.magedu.com"
gateways:
- "istio-system/keycloak-gateway"
http:
# prefix "/" publishes the whole server, admin console included, on the
# external hostname. If the gateway is reachable from untrusted networks,
# add a narrower match (or a deny rule) for the admin paths.
- match:
- uri:
prefix: /
route:
- destination:
host: keycloak
port:
number: 8080
---
[root@xksmaster1 keycloak]# kubectl apply -f ./
destinationrule.networking.istio.io/keycloak created
gateway.networking.istio.io/keycloak-gateway created
virtualservice.networking.istio.io/keycloak-virtualservice created
#前提:保证 istio-ingressgateway 已分配外部 External-IP;192.168.19.190 是一个 keepalived 的 VIP
[root@xksmaster1 keycloak]# kubectl get svc -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-egressgateway ClusterIP 10.106.118.36 <none> 80/TCP,443/TCP 81d
istio-ingressgateway LoadBalancer 10.108.113.206 192.168.19.190 15021:31695/TCP,80:31246/TCP,443:30196/TCP,31400:30817/TCP,15443:31775/TCP 81d
本地解析地址
#Windows hosts 编辑
192.168.19.190 keycloak.magedu.com

暴露服务二、
#xksnode2上配置一个子接口 192.168.19.185 ens33:1
ifconfig ens33:1 192.168.19.185 netmask 255.255.255.0 up
[root@xksmaster1 keycloak]# kubectl get svc -n keycloak
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
keycloak LoadBalancer 10.109.154.247 <pending> 8080:30917/TCP 61m
[root@xksmaster1 keycloak]# kubectl edit svc keycloak -n keycloak
externalIPs:
- 192.168.19.185
service/keycloak edited
[root@xksmaster1 keycloak]# kubectl get svc -n keycloak
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
keycloak LoadBalancer 10.109.154.247 192.168.19.185 8080:30917/TCP 62m

添加域名解析
192.168.19.185 keycloak.magedu.com
#浏览器访问
keycloak.magedu.com:8080
登陆配置Keycloak
1.账户密码-admin/admin

2.修改语言

3.添加域 - Realm




4.创建客户端




5.添加用户


6.添加凭据



7.获取Token


"token_endpoint":"http://keycloak.magedu.com:8080/auth/realms/istio/protocol/openid-connect/token"
8.模拟使用tom登陆
8.1管理界面登陆


8.2客户端模拟登陆
#使用sleep客户端模拟
[root@xksmaster1 keycloak]# kubectl exec -it sleep-bc9998558-bl49z /bin/sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ $ curl -sS -d "username=tom&password=magedu.com&grant_type=password&client_id=istio" http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/token
{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYbkpnV2Z1SFpzSUl1TEdiVEFoaDFaSWhBc1JXMGhDTlRpbUtMSnVIVDFzIn0.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.VINa_TlWxAWv6RVAfacHzndpy_Y-2cx7zrTG7iz3KEHxNZTiMhfFGC7TbVo9BSmHDw9Y6VSWNnkglrNMAgUXh1MiX62casgaaqPqfiWIN_kmJlTrW9LrFJhdqeS_YEZLMhwUzldonYgwhqKzQtkR-89rFC3I4wR0wMDkjk8DT_EfA37xmYGJTT5g7NMgkGZleSzs6rwkcUcisyiK3ln_xxrzbdn6TOqyXUEiTLZtAsGOztr5ngEAW50wBbTbwIxep9NFc7RhwF5rWoyXHH--3GCHsca2VEDrkhZa6M3SPldDX4DvVy9Or2FObVSVt9uBKS2x9aqvbqiVDSDEDq-2Rg","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlMmIyMTQ3Ni1jNTViLTQ2YzItOGVkMy00NmJjY2Q2MjU5MTUifQ.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.G0zJQH8nFUZT8lWj-8R7kOiwukHEVh2aL66FS8yfj3w","token_type":"Bearer","not-before-policy":0,"session_state":"f8186b1f-c73c-4ba2-8f7d-f5ad943ce329","scope":"profile email"}/ $
使用网站 https://json2yaml.com/ 将上面的 JSON 响应转换为 YAML,便于阅读
---
access_token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYbkpnV2Z1SFpzSUl1TEdiVEFoaDFaSWhBc1JXMGhDTlRpbUtMSnVIVDFzIn0.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.o3qOlkg53G1yl8NLUCCTZwkWOfaz4QAoTEaMtdpHS3TGdqMFYJzeuX3vpsioqctJBhiYwSBAaOKEpm5SWDqvxpY3BQPJYgljD8rSqK4ZhbTdY-yrlQWQXUQHwcQzWraXzouCCpQln7vboece184zVAD-NYoH8RmdCUMSElO3hnOUCyZ3vrG2uo-FC8Rq1nI0tL3V9ecZGT2i75DIN7JDMhoeUBeHP3mX4ibL10PAY1LtlrMRpXtltZLupmuxcU6ZIlX9AxxVkOyt2Bt99P2j1GeMwuCkC_bwTQIzYtDNJK_gL1G74BnT-FOjG5586rLrHYD-7oasYc8rNAkfUjto6g
expires_in: 300
refresh_expires_in: 1800
refresh_token: eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlMmIyMTQ3Ni1jNTViLTQ2YzItOGVkMy00NmJjY2Q2MjU5MTUifQ.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.U4Q7KQUk3_bEFgjC_ladyNSevz7LFI3KkY0P5Ew1Rsw
token_type: Bearer
not-before-policy: 0
session_state: ab28c832-7e59-4a8c-8fe0-7f64486761a2
scope: profile email

#复制access_token,使用jwt.io解码其payload(仅限实验token;生产环境的token不要粘贴到第三方网站)
{
"exp": 1686538711,
"iat": 1686538411,
"jti": "504c0461-f75a-4b00-a469-238e1f4aff99",
"iss": "http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio",
"aud": "account",
"sub": "86c5636f-12a1-4861-8928-ccc398483c2b",
"typ": "Bearer",
"azp": "istio",
"session_state": "ab28c832-7e59-4a8c-8fe0-7f64486761a2",
"acr": "1",
"realm_access": {
"roles": [
"offline_access",
"uma_authorization",
"default-roles-istio"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "profile email",
"sid": "ab28c832-7e59-4a8c-8fe0-7f64486761a2",
"email_verified": false,
"name": "Tom Birkhoff",
"preferred_username": "tom",
"given_name": "Tom",
"family_name": "Birkhoff",
"email": "tom@magedu.com"
}

02-requestauthn-policy.yaml
[root@xksmaster1 04-RequestAuthn-and-AuthzPolicy]# cat 02-requestauthn-policy.yaml
# 02-requestauthn-policy.yaml: JWT validation plus an ALLOW policy for the
# demoapp workload.
#
# RequestAuthentication only validates tokens that are present: a request
# carrying an invalid or foreign token is rejected here, but a request with
# NO token passes through without a request principal. The
# AuthorizationPolicy below is what actually makes a token mandatory.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: demoapp
namespace: default
spec:
selector:
matchLabels:
app: demoapp
jwtRules:
- issuer: "http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio"
# The JWKS (the keys that decide which tokens are trusted) is fetched over
# plain HTTP on the cluster network. Use an https jwksUri once Keycloak has
# TLS. No `audiences:` list is set, so the decoded token's aud ("account")
# is not checked against this workload.
jwksUri: "http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: demoapp
namespace: default
spec:
selector:
matchLabels:
app: demoapp
rules:
- from:
- source:
# "*" = any authenticated request principal (iss/sub), i.e. any valid
# token from the issuer above, for any user.
requestPrincipals: ["*"]
to:
- operation:
# Only GET on any path is allowed; once an ALLOW policy matches the
# workload everything else (e.g. the POST /livez tried below) is denied.
methods: ["GET"]
paths: ["/*"]
[root@xksmaster1 04-RequestAuthn-and-AuthzPolicy]# kubectl apply -f 02-requestauthn-policy.yaml
requestauthentication.security.istio.io/demoapp created
authorizationpolicy.security.istio.io/demoapp created
#此时不带 token 的请求会被拒绝:RequestAuthentication 本身只校验携带了 JWT 的请求,而上面的 AuthorizationPolicy(requestPrincipals: ["*"])要求访问 demoapp 的 GET /* 必须携带有效的 JWT
/ $ curl demoapp:8080
RBAC: access denied/ $
#使用JWT进行登陆 此时携带token 进行访问
/ $ curl -sS -d "username=tom&password=magedu.com&grant_type=password&client_id=istio" http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-
connect/token
{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYbkpnV2Z1SFpzSUl1TEdiVEFoaDFaSWhBc1JXMGhDTlRpbUtMSnVIVDFzIn0.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.nj0qv8UGM-0pROWrnQt7qImxx8-hh7kI5gncpoWAb-I6rb4w5Ny3-eBJLJOtMTQjszGDMYFBzNchBmqj1-9p3U-Ng_zVYgJUzPE0rugVtNkcRgHq9YvJY74hsupj5M8gS3fZpXgOaw70kLystWFDwR9Fwy0LqfwjOI3ydMVfkN8QjSJQp9VCwcaME5uAPsn7yDz0cwLGyyimM_Sq9ssJKsa7Au1jHyLtVTeF1v7t3gq5cehQocP56ePUls_t2k2T0sBnop20fPqTdNpbUF1d5sYvkx9KR3JJT3lW-1AYiR6IVwL-5VMwzKqy1dIjzqVsOvrrq653Ge382EiB2NmB8Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlMmIyMTQ3Ni1jNTViLTQ2YzItOGVkMy00NmJjY2Q2MjU5MTUifQ.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.1ah5I0xzovlGuP--41iGmTqYxSxoS9fwf2VRkzrS0X0","token_type":"Bearer","not-before-policy":0,"session_state":"b17ed08c-60a2-4998-9c9f-6ff324a8d9d0","scope":"profile email"}/ $
#将access_token的值(原样,不是解码后的内容)赋给变量TOKEN
/ $ TOKEN="eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYbkpnV2Z1SFpzSUl1TEdiVEFoaDFaSWhBc1JXMGhDTlRpbUtMSnVIVDFzIn0.eyJleHAiOjE2ODY1NDAwMjEsImlhdCI6MTY4NjUzOTcyMS
wianRpIjoiOGY1YWY5NWQtOTBkYy00Njg4LWFmZTYtNGZiYzBhMmY1YTk1IiwiaXNzIjoiaHR0cDovL2tleWNsb2FrLmtleWNsb2FrLnN2Yy5jbHVzdGVyLmxvY2FsOjgwODAvYXV0aC9yZWFsbXMvaXN0aW8iLCJhdWQiOiJ
hY2NvdW50Iiwic3ViIjoiODZjNTYzNmYtMTJhMS00ODYxLTg5MjgtY2NjMzk4NDgzYzJiIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiaXN0aW8iLCJzZXNzaW9uX3N0YXRlIjoiNWRmMjRmYjItOTJmNi00YTM0LWIzZDYtYzIy
ZjQ5YWQ5YjliIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIiwiZGVmYXVsdC1yb2xlcy1pc3RpbyJdfSwicmVzb3VyY2VfYWNjZXNzIjp7I
mFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsInNpZCI6IjVkZjI0ZmIyLTkyZjYtNGEzNC
1iM2Q2LWMyMmY0OWFkOWI5YiIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6IlRvbSBCaXJraG9mZiIsInByZWZlcnJlZF91c2VybmFtZSI6InRvbSIsImdpdmVuX25hbWUiOiJUb20iLCJmYW1pbHlfbmFtZSI6IkJ
pcmtob2ZmIiwiZW1haWwiOiJ0b21AbWFnZWR1LmNvbSJ9.JZol588Yossocl6tY_9Xy0UvhWQ_zulvlDed04I72LYm8gzZgY22X4shmcDwqr1SsZbZKi7jk0c6sG8lF8RogwTcaCDiJDaH_sB2fEOadj9CywivXOENoziqVzG
VOlfrGMHyFxiBrUEEEKcVdrTvWwGsFnoqNGRDIk91LCQvFcm1hICC-lGpk-Q2tYqflOKN_VJNMbdmanMmcmZdZHP4AOMOJRn7XP-toZydH75LkVq1MeyM1HaxWrZoIR0YAzPyxsTcx-Q8aM5Gzr53WzqsxR_Fn2Lfdfo9l3jm
DOl3NdFUERfZSa2XDJENoC8m1iYsV2qCgHOY0wka1y0uHXgCQw"
/ $ curl -H "Authorization: Bearer $TOKEN" demoapp:8080
iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-54757f48d6-mzvrh, ServerIP: 10.244.182.13!
/ $ curl -H "Authorization: Bearer $TOKEN" demoapp:8080
iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-54757f48d6-cq4v4, ServerIP: 10.244.207.77!
/ $ curl -H "Authorization: Bearer $TOKEN" demoapp:8080
iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-54757f48d6-mzvrh, ServerIP: 10.244.182.13!
/ $ curl -H "Authorization: Bearer $TOKEN" demoapp:8080
iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-54757f48d6-cq4v4, ServerIP: 10.244.207.77!
#POST 访问 demoapp:8080/livez 同样被拒绝:策略只放行了 GET 方法
/ $ curl -H "Authorization: Bearer $TOKEN" -XPOST -d 'livez=FAILURE' demoapp:8080/livez
RBAC: access denied/ $
03-request-and-peer-authn-policy.yaml

1.访问 demoapp 的 GET 方法:只要通过了 PeerAuthentication 认证(源身份为指定的 ServiceAccount,或来自指定的命名空间)就允许
2.如果使用 POST 方法,既要通过 PeerAuthentication,也要通过最终用户认证(携带 JWT),并且 token 的签发者(iss)必须是我们指定的签发者,才允许 POST /livez 和 /readyz
3.两个source 表示或关系
[root@xksmaster1 04-RequestAuthn-and-AuthzPolicy]# cat 03-request-and-peer-authn-policy.yaml
# 03-request-and-peer-authn-policy.yaml: same JWT validation as 02, but the
# AuthorizationPolicy now combines peer identity (mTLS) with end-user identity.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: demoapp
namespace: default
spec:
selector:
matchLabels:
app: demoapp
jwtRules:
- issuer: "http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio"
# JWKS fetched over plain HTTP; see the note on 02-requestauthn-policy.yaml.
jwksUri: "http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: demoapp
namespace: default
spec:
selector:
matchLabels:
app: demoapp
rules:
# Rule 1: GET on any path, no token needed, for peers identified by mTLS.
# `principals` and `namespaces` are derived from the peer certificate, so a
# plaintext caller matches neither.
- from:
#两个source 表示或关系
# Two sources under one `from` are OR-ed.
- source:
principals: ["cluster.local/ns/default/sa/default"]
- source:
# istio-system includes the ingress gateway, so any client that reaches
# the gateway can GET through this rule as well.
namespaces: ["default", "dev", "istio-system"]
to:
- operation:
methods: ["GET"]
paths: ["/*"]
# Rule 2: POST to the two probe paths only when the peer is the default SA
# AND the request carries a valid JWT whose iss claim is our issuer.
- from:
# 这里表示 和 关系
# Fields inside a single source are AND-ed.
- source:
requestPrincipals: ["*"]
principals: ["cluster.local/ns/default/sa/default"]
to:
- operation:
methods: ["POST"]
paths: ["/livez", "/readyz"]
when:
- key: request.auth.claims[iss]
values: ["http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio"]
[root@xksmaster1 04-RequestAuthn-and-AuthzPolicy]# kubectl apply -f 03-request-and-peer-authn-policy.yaml
requestauthentication.security.istio.io/demoapp unchanged
authorizationpolicy.security.istio.io/demoapp configured
#【实验测试1】
#此时不加TOKEN也可以进行访问
[root@demoappv11-6b479f5664-fblqm /]# curl -sS -d "username=tom&password=magedu.com&grant_type=password&client_id=istio" http://keycloak.keycloak.svc.cluster.local:8080/
auth/realms/istio/protocol/openid-connect/token
{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYbkpnV2Z1SFpzSUl1TEdiVEFoaDFaSWhBc1JXMGhDTlRpbUtMSnVIVDFzIn0.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.U6qrbugi6zIyhP1D5PB6_MjRYpO7Q66bPHUCX283wqPJzGD2YOsrPC8W6tJUpb1F40BpP51J4VVCR8fWB_0t3VtN_AVWuuXKBGqKLEer-7KJXf76hHEp0e9gIw9HTdbVmeS11RCAZK22AOJUrhp7fqzqZZDNwlMcqhuE1xNbcpu7tr2Ns6g5ueywSBXTmTrKrJb0Vc9mFiffk1DK5uuTA_w9vdjOTGt7wEd6zx_QzNGaaiOw7lnGqnFL5CFmX2zl33kMfpE-0Z8kF6xlMQxQJco6mAbFZwd_LHh7TFNagvLaN2alrogVwR9wqafOCkZsRcoDRk7OWj1lFxae3wuICg","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlMmIyMTQ3Ni1jNTViLTQ2YzItOGVkMy00NmJjY2Q2MjU5MTUifQ.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.tJamlsFv1n8YMLlpJbXU-WBnfcFPrURVAW45eDt6iuA","token_type":"Bearer","not-before-policy":0,"session_state":"674408c0-e38e-4716-9a49-e92ef398af72","scope":"profile email"}[root@demoappv11-6b479f5664-fblqm /]#
获取access_token内容赋值给TOKEN
/ $ TOKEN="eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYbkpnV2Z1SFpzSUl1TEdiVEFoaDFaSWhBc1JXMGhDTlRpbUtMSnVIVDFzIn0.eyJleHAiOjE2ODY1NDcyODMsImlhdCI6MTY4NjU0Njk4My
wianRpIjoiOTkwYzdjM2EtMjJmMy00NTZhLThhZmItN2ZmMTYxODRmZmRkIiwiaXNzIjoiaHR0cDovL2tleWNsb2FrLmtleWNsb2FrLnN2Yy5jbHVzdGVyLmxvY2FsOjgwODAvYXV0aC9yZWFsbXMvaXN0aW8iLCJhdWQiOiJ
hY2NvdW50Iiwic3ViIjoiODZjNTYzNmYtMTJhMS00ODYxLTg5MjgtY2NjMzk4NDgzYzJiIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiaXN0aW8iLCJzZXNzaW9uX3N0YXRlIjoiNzdkNDAxNDctOTBmNy00NTA0LTkzYzQtOTU3
YTllM2ZlYTYyIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIiwiZGVmYXVsdC1yb2xlcy1pc3RpbyJdfSwicmVzb3VyY2VfYWNjZXNzIjp7I
mFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsInNpZCI6Ijc3ZDQwMTQ3LTkwZjctNDUwNC
05M2M0LTk1N2E5ZTNmZWE2MiIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6IlRvbSBCaXJraG9mZiIsInByZWZlcnJlZF91c2VybmFtZSI6InRvbSIsImdpdmVuX25hbWUiOiJUb20iLCJmYW1pbHlfbmFtZSI6IkJ
pcmtob2ZmIiwiZW1haWwiOiJ0b21AbWFnZWR1LmNvbSJ9.fmpiYL44arbTNZhHpPCTBpVlXxOlD94-yR996pfOGxdNWs9Os0VzcH4LyTfjNYURkeFesZwRke4glTAzrHvCssJsXFfMeGoxBMC_cOn5HHEgJgHFygzHJoGc26Y
DaAX3Xh0vs87TVDXWP7ghrY19ZPgX3JbjRFILMrYUuV9NPoaTiDqjSosCgv19WjoLBEsYE4nirKButUHE3sgr6XnHdAsbJTX2yavn53-LmVrYSTCyaiJIIHpeTeDmjRMjaBf0E-dHy9sVJPsNy-fg2D4vWLNVG9QBnBpcYV_W
KN4kBL8i0Il_Lor-qoqH5g344DAmmYmM_sHdiJ0vVoaSSAgxeA"
/ $ curl -H "Authorization: Bearer $TOKEN" demoapp:8080
iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-54757f48d6-9sq6h, ServerIP: 10.244.182.14!
/ $ curl demoapp:8080
iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-54757f48d6-mzvrh, ServerIP: 10.244.182.13!
/ $ curl demoapp:8080
iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-54757f48d6-mzvrh, ServerIP: 10.244.182.13!
#【实验测试2】
#curl -XPOST -d 'livez=FAIL' demoapp:8080/livez 因为没有携带TOKEN,无法进行 POST 请求
/ $ curl -XPOST -d 'livez=FAIL' demoapp:8080/livez
RBAC: access denied/ $
#此时加入TOKEN 进行访问 POST
#在容器内运行如下命令,先用apk安装jq:
~$ apk add jq
【使用jq保存token】
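# Fetch the token and store it in the TOKEN variable.
# `jq -r` prints the raw string. Without -r, jq emits the value with its JSON
# quotes, so TOKEN becomes `"eyJ..."` and the header sent below is
# `Authorization: Bearer "eyJ..."`, which the JWT filter rejects as malformed.
# The password grant used here is a lab shortcut; the password and the token
# also show up in shell history and `ps` output.
~$ TOKEN=$(curl -sS -d "username=tom&password=magedu.com&grant_type=password&client_id=istio" http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/token | jq -r .access_token)
# Test access:
~$ curl -XPOST -d 'livez=FAIL' -H "Authorization: Bearer $TOKEN" demoapp:8080/livez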
AuthorizationPolicy
鉴权功能配置 快速微服务体系添加权限











