Istio 1.6 AuthorizationPolicy does not return the correct response code when the request comes from a cross-origin source

Problem description

We have implemented this security filter so that JWT tokens are pre-validated before they reach the backend service. It can check a number of conditions that become the criteria by which you accept or reject a request, which is very helpful.

The problem we have now is that when you send a request to a different URL (we have configured the CORS policy in the VirtualService), the policy rejects the request and does not return the Access-Control-Allow-Origin header, which triggers CORS blocking in the Chrome browser.

Here are some example definitions:

Policy for the custom Ingress Gateway

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: custom-ingress
  namespace: istio-system
spec:
  selector:
    matchLabels:
      gateway-name: custom-ingress
  jwtRules:
  - issuer: https://some-issuer.com/
    jwksUri: https://some-issuer.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: custom-ingress
  namespace: istio-system
spec:
  selector:
    matchLabels:
      gateway-name: custom-ingress
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
    to:
    - operation:
        methods: ["POST"]
        paths:
        - /restricted/path/A
        - /restricted/path/B
        - /restricted/path/C

VirtualService for the service

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
    - some-host.com
  gateways:
    - istio-system/custom-gateway
  http:
    - name: my-service-route
      match:
        - uri:
            exact: /restricted/path/A
      rewrite:
        uri: /A
      route:
        - destination:
            host: my-service
            subset: stable
            port:
              number: 8080
      corsPolicy:
        allowOrigins:
        - prefix: https://some-origin.com
        allowMethods:
        - OPTIONS
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
        allowCredentials: false
        allowHeaders:
        - authorization
        - content-type
        - accept
        - origin
        - grpc-timeout
        - keep-alive
        - user-agent
        - cache-control
        - content-transfer-encoding
        - x-accept-content-transfer-encoding
        - x-accept-response-streaming
        - x-user-agent
        - x-grpc-web
        maxAge: "1h"

When the Chrome browser requests:

  1. OPTIONS /restricted/path/A - returns 200 along with headers such as Access-Control-Allow-Origin
  2. POST /restricted/path/A - returns 403 with no other headers

What do you think I should do?

Tags: kubernetes, istio
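The behaviour reported above follows from the order of the HTTP filters on the ingress gateway: the RBAC filter that enforces the AuthorizationPolicy runs before the CORS filter that serves preflights and decorates responses, so a DENY verdict is answered locally with a bare 403, while the OPTIONS preflight (not listed in the DENY rule's methods) passes through to the CORS filter and gets its headers. The following is an added example, not part of the question or of Istio's code; it is a simplified model of that filter order with copies of the page's AuthorizationPolicy and VirtualService built as Python dicts (the allowHeaders list is trimmed), plus a small lint function that lists the (method, path) pairs where an unauthenticated browser call would receive a 403 without CORS headers. The function names and the filter ordering are assumptions of this model.

```python
"""Simplified model of an Istio 1.6 gateway filter chain (assumed order:
RBAC -> CORS -> router) to show why a DENY verdict carries no CORS headers.
Not Istio's implementation; the policies below are constructed copies of
the ones in the question."""

# Constructed copy of the page's AuthorizationPolicy (DENY unauthenticated POST).
AUTHZ_POLICY = {
    "action": "DENY",
    "rules": [{
        "from": [{"source": {"notRequestPrincipals": ["*"]}}],
        "to": [{"operation": {"methods": ["POST"],
                               "paths": ["/restricted/path/A",
                                         "/restricted/path/B",
                                         "/restricted/path/C"]}}],
    }],
}

# Constructed copy of the page's VirtualService route (allowHeaders trimmed).
VIRTUAL_SERVICE = {
    "http": [{
        "name": "my-service-route",
        "match": [{"uri": {"exact": "/restricted/path/A"}}],
        "corsPolicy": {
            "allowOrigins": [{"prefix": "https://some-origin.com"}],
            "allowMethods": ["OPTIONS", "POST", "GET", "PUT", "PATCH", "DELETE"],
            "allowHeaders": ["authorization", "content-type"],
            "maxAge": "1h",
        },
    }],
}


def _source_matches(source, principal):
    """notRequestPrincipals: ["*"] matches any request WITHOUT a validated JWT."""
    if "notRequestPrincipals" in source:
        return principal is None
    if "requestPrincipals" in source:
        return principal is not None
    return True


def deny_rule_matches(policy, method, path, principal):
    """True when at least one rule of the DENY policy matches the request."""
    for rule in policy["rules"]:
        from_ok = any(_source_matches(f["source"], principal)
                      for f in rule.get("from", [{"source": {}}]))
        to_ok = any(method in op["operation"].get("methods", [method])
                    and path in op["operation"].get("paths", [path])
                    for op in rule.get("to", [{"operation": {}}]))
        if from_ok and to_ok:
            return True
    return False


def route_for(vs, path):
    """Return the VirtualService route whose exact URI match equals path."""
    for route in vs["http"]:
        for m in route.get("match", []):
            if m.get("uri", {}).get("exact") == path:
                return route
    return None


def cors_headers(cors, origin):
    """Headers the CORS filter would add for an allowed origin, else nothing."""
    if cors is None or origin is None:
        return {}
    if not any(origin.startswith(o["prefix"])
               for o in cors["allowOrigins"] if "prefix" in o):
        return {}
    return {
        "access-control-allow-origin": origin,
        "access-control-allow-methods": ",".join(cors["allowMethods"]),
        "access-control-allow-headers": ",".join(cors["allowHeaders"]),
    }


def gateway_response(method, path, origin=None, principal=None,
                     authz=AUTHZ_POLICY, vs=VIRTUAL_SERVICE):
    """Walk the assumed filter order and return (status, response_headers)."""
    # 1. RBAC filter: a DENY match is answered locally; later filters never run,
    #    so the 403 carries no Access-Control-Allow-Origin header.
    if authz["action"] == "DENY" and deny_rule_matches(authz, method, path, principal):
        return 403, {}
    route = route_for(vs, path)
    if route is None:
        return 404, {}
    cors = cors_headers(route.get("corsPolicy"), origin)
    # 2. CORS filter answers the preflight itself (OPTIONS is not in the DENY rule).
    if method == "OPTIONS" and cors:
        return 200, cors
    # 3. Router forwards upstream; CORS headers are attached to the reply.
    return 200, cors


def cors_gaps(authz=AUTHZ_POLICY, vs=VIRTUAL_SERVICE):
    """(method, path) pairs where an unauthenticated browser request is denied
    on a CORS-enabled route, i.e. where the browser will see a bare 403."""
    gaps = []
    for route in vs["http"]:
        if "corsPolicy" not in route:
            continue
        for m in route.get("match", []):
            path = m.get("uri", {}).get("exact")
            for method in route["corsPolicy"]["allowMethods"]:
                if path and deny_rule_matches(authz, method, path, None):
                    gaps.append((method, path))
    return gaps


if __name__ == "__main__":
    for req in [("OPTIONS", None), ("POST", None), ("POST", "https://some-issuer.com//alice")]:
        print(req, gateway_response(req[0], "/restricted/path/A",
                                    origin="https://some-origin.com", principal=req[1]))
    print("routes where a denied browser call gets no CORS headers:", cors_gaps())
```

Running the model reproduces the two observations in the question (200 with CORS headers for the preflight, 403 with no headers for the unauthenticated POST) and shows that the same POST with a validated principal is forwarded with CORS headers; `cors_gaps()` is the check to run whenever a DENY policy and a corsPolicy are applied to the same gateway routes.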

Solution

