# Chapter 4: Security Policies

Istio provides strong security features, including mutual TLS (mTLS) encryption between services, authentication, and authorization.

## Security Architecture

Istio security consists of three parts:

```text
┌─────────────────────────────────────────────────────────┐
│                  Security architecture                  │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  ┌────────────────┐ ┌─────────────────┐ ┌────────────┐  │
│  │ Authentication │ │  Authorization  │ │ Encryption │  │
│  │  (Peer/Auth)   │ │ (Authorization) │ │   (mTLS)   │  │
│  └────────────────┘ └─────────────────┘ └────────────┘  │
│                                                         │
│  ┌───────────────────────────────────────────────────┐  │
│  │                    Istiod (CA)                    │  │
│  │    certificate issuance & policy distribution     │  │
│  └───────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────┘
```
## Mutual TLS (mTLS)

### Permissive mode

The default mode, which accepts both mTLS and plaintext traffic:

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE
```

### Strict mode

Requires mTLS for all traffic:

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```

### Namespace level

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT
```

### Workload level

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: my-service
  namespace: production
spec:
  selector:
    matchLabels:
      app: my-service
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: PERMISSIVE  # this port still accepts plaintext
```
## Authentication

### JWT authentication

```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: production
spec:
  selector:
    matchLabels:
      app: my-service
  jwtRules:
  - issuer: "https://auth.example.com"
    jwksUri: "https://auth.example.com/.well-known/jwks.json"
    audiences:
    - "my-api"
    forwardOriginalToken: true
# Note: this only rejects requests carrying an invalid token; requests with no
# token still pass until an AuthorizationPolicy requires a requestPrincipal.
```

### Multiple JWT providers

```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: multi-jwt-auth
spec:
  jwtRules:
  - issuer: "https://auth.example.com"
    jwksUri: "https://auth.example.com/.well-known/jwks.json"
    fromHeaders:
    - name: Authorization
      prefix: "Bearer "
  - issuer: "https://api.auth0.com"
    jwksUri: "https://api.auth0.com/.well-known/jwks.json"
    fromHeaders:
    - name: X-Auth-Token
```
## Authorization Policies

### Basic structure

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-policy
  namespace: production
spec:
  selector:
    matchLabels:
      app: my-service
  action: ALLOW  # ALLOW, DENY, AUDIT, CUSTOM
  rules:
  - to:
    - operation:
        methods: ["GET"]
        paths: ["/api/*"]
```

### Deny policy

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: production
spec:
  action: DENY
  rules:
  - to:
    - operation:
        methods: ["DELETE"]
```

### Allow specific sources

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-from-namespace
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["frontend", "api-gateway"]
```

### Principal-based authorization

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-admin
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/admin"]
```

### Authorization based on JWT claims

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://auth.example.com/*"]
    when:
    - key: request.auth.claims[roles]
      values: ["admin", "editor"]
```

### Complete example

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-policy
  namespace: production
spec:
  selector:
    matchLabels:
      app: my-api
  action: ALLOW
  rules:
  # Allow health checks
  - to:
    - operation:
        paths: ["/health", "/ready"]
  # Allow access from internal services
  - from:
    - source:
        namespaces: ["production"]
    to:
    - operation:
        methods: ["GET", "POST", "PUT", "DELETE"]
        paths: ["/api/*"]
  # Allow administrators
  - from:
    - source:
        requestPrincipals: ["https://auth.example.com/*"]
    when:
    - key: request.auth.claims[role]
      values: ["admin"]
    to:
    - operation:
        methods: ["GET", "POST", "PUT", "DELETE"]
```
### Condition operators

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: conditional-policy
spec:
  rules:
  - when:
    # equals
    - key: request.headers[x-user]
      values: ["admin"]
    # not equal (every condition needs a key)
    - key: request.headers[x-user]
      notValues: ["guest"]
    # present: "*" matches any value as long as the attribute exists
    - key: request.auth.claims[org]
      values: ["*"]
```
## External Authorization

Integrating an external authorization service:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-auth
spec:
  action: CUSTOM
  provider:
    name: external-auth  # must match an extensionProviders entry in MeshConfig
  rules:
  - to:
    - operation:
        paths: ["/api/*"]
```

Configuring the external authorization provider:

```yaml
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: external-auth
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  url: oci://ghcr.io/istio-ecosystem/authservice/plugin:v1.0.0
  pluginConfig:
    auth_service:
      address: auth-service.default.svc.cluster.local
      port: 10003
```
## Certificate Management

### Inspecting certificates

```bash
# Check mTLS status
istioctl authn tls-check <pod-name>

# Show certificate details
istioctl proxy-config secret <pod-name> -o json
```

### Custom CA

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cacerts
  namespace: istio-system
type: Opaque
data:
  ca-cert.pem: <base64-encoded-cert>
  ca-key.pem: <base64-encoded-key>
  root-cert.pem: <base64-encoded-root-cert>
  cert-chain.pem: <base64-encoded-chain>
```
## Best Practices

### 1. Enable mTLS progressively

```bash
# Step 1: enable permissive mode
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE
EOF

# Step 2: verify that every service supports mTLS
istioctl authn tls-check-all

# Step 3: enable strict mode
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
EOF
```
### 2. Principle of least privilege

```yaml
# Default deny: an ALLOW policy with no rules matches nothing, so every request
# is rejected until another ALLOW policy matches it. Do not use action: DENY with
# an empty rule "- {}" for this purpose: a matching DENY is final and cannot be
# overridden by any ALLOW policy, so the allow-specific policy below would never
# take effect.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
spec: {}
---
# Explicitly allow the access that is needed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-specific
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["frontend"]
```
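As an added illustration (not code from this chapter or from Istio), the following Python toy evaluator models how the sidecar combines the policies shown in the complete example and in the two least-privilege manifests above: DENY policies are checked first and a match is final, then at least one ALLOW rule must match. The attribute names and the constructed policies are assumptions that mirror the manifests in this chapter, not Istio's implementation.

```python
"""Toy model of Istio AuthorizationPolicy evaluation (added example, not Istio code).
Decision order for one workload, as Istio documents it: a matching DENY policy rejects
the request; if no ALLOW policy applies, the request is allowed; otherwise some ALLOW
rule must match. Rules are ORed; from/to/when inside a rule are ANDed. Absent request
attributes are modelled as "" so that the wildcard "*" means "attribute is present"."""
def _match(patterns, value):
    """Istio-style match: exact, or '*' as a presence/prefix/suffix wildcard."""
    for p in patterns:
        if p == "*":
            if value:
                return True
        elif (p == value or (p.startswith("*") and value.endswith(p[1:]))
              or (p.endswith("*") and value.startswith(p[:-1]))):
            return True
    return False

# Policy field -> Istio request attribute (only the subset used in this chapter).
SOURCE = {"namespaces": "source.namespace", "requestPrincipals": "request.auth.principal"}
OPERATION = {"methods": "request.method", "paths": "request.url_path"}

def _fields_match(spec, req, fields):
    return all(_match(spec[f], req.get(a, "")) for f, a in fields.items() if f in spec)

def _rule_matches(rule, req):
    """An empty rule ({}) has no constraints, so it matches every request."""
    froms, tos = rule.get("from", []), rule.get("to", [])
    if froms and not any(_fields_match(f["source"], req, SOURCE) for f in froms):
        return False
    if tos and not any(_fields_match(t["operation"], req, OPERATION) for t in tos):
        return False
    for cond in rule.get("when", []):
        value = req.get(cond["key"], "")
        if "values" in cond and not _match(cond["values"], value):
            return False
        if "notValues" in cond and _match(cond["notValues"], value):
            return False
    return True

def evaluate(policies, req):
    """Return 'ALLOW' or 'DENY' for req under the policies that select this workload."""
    hit = lambda p: any(_rule_matches(r, req) for r in p.get("rules", []))
    denies = [p for p in policies if p.get("action", "ALLOW") == "DENY"]
    allows = [p for p in policies if p.get("action", "ALLOW") == "ALLOW"]
    if any(hit(p) for p in denies):
        return "DENY"
    return "ALLOW" if not allows or any(hit(p) for p in allows) else "DENY"
# Constructed policies mirroring the "least privilege" manifests above.
ALLOW_NOTHING = {"action": "ALLOW", "rules": []}    # spec: {} -> denied unless another ALLOW matches
DENY_EVERYTHING = {"action": "DENY", "rules": [{}]}  # DENY with "- {}" is final; no ALLOW can override it
ALLOW_FRONTEND = {"action": "ALLOW", "rules": [{"from": [{"source": {"namespaces": ["frontend"]}}]}]}
```

Evaluating `[DENY_EVERYTHING, ALLOW_FRONTEND]` returns DENY for every request, including those from `frontend`, which is why the default-deny policy should be an ALLOW policy with no rules rather than a DENY with an empty rule.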
## Summary

Istio's security features provide:

- mTLS: automatic encryption of service-to-service traffic
- Authentication: JWT and mutual TLS peer authentication
- Authorization policies: fine-grained access control
- Certificate management: automatic certificate rotation

In the next chapter we will look at Istio's observability features.