Problem description
Does AuthorizationPolicy not support any wildcard pattern on paths?
I have the following endpoints:
/my-service/docs/active (GET)
/my-service/docs/<id>/activate/<bool> (PUT)
The first one gets all active docs, and the second activates/deactivates a specific doc. I've tried to set it in the AuthorizationPolicy, and it seems to ignore this policy due to the wildcard.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-service-private
  namespace: default
spec:
  action: DENY
  selector:
    matchLabels:
      app: my-service
  rules:
  - from:
    - source:
        # applies to callers from any namespace other than "default"
        notNamespaces: ["default"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/my-service/docs/active"]
    - operation:
        methods: ["PUT"]
        paths: ["/my-service/docs/*/activate/*"]
Is there any different solution here except updating all my endpoints?
10x
Recommended answer
As I mentioned in the comments, according to the Istio documentation:
Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
- Exact match: "abc" will match on value "abc".
- Prefix match: "abc*" will match on value "abc" and "abcd".
- Suffix match: "*abc" will match on value "abc" and "xabc".
- Presence match: "*" will match when value is not empty.
So AuthorizationPolicy does support wildcards, but I think the issue is with the */activate/* path, because paths can use wildcards only at the start, at the end, or as the whole string; a double wildcard just doesn't work.
There are related open GitHub issues about that:
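To make the matching rule above concrete, here is an added Python model of the four match kinds (exact, prefix, suffix, presence) applied to the DENY policy from the question. This is example code written for this page, not Istio's implementation. It assumes that a pattern ending in `*` is treated as a prefix match on everything before that final `*`, so a `*` embedded in the middle of the pattern is a literal character (the outcome is the same if Istio instead rejected such a pattern: the PUT is never matched). The caller namespaces, the requests and the broadened `PREFIX_RULES` policy are constructed for the example.

```python
"""Model of Istio AuthorizationPolicy string matching (exact, prefix, suffix,
presence) applied to the DENY policy from the question.

Added example for this page, not Istio's own code. Assumption: a pattern that
ends in '*' is a prefix match on everything before that final '*', so a '*'
embedded in the middle of the pattern is just a literal character.
"""
from __future__ import annotations

from dataclasses import dataclass


def match_string(pattern: str, value: str) -> bool:
    """Istio-style string match for one field of a rule."""
    if pattern == "*":                        # presence: any non-empty value
        return value != ""
    if pattern.startswith("*"):               # suffix: "*abc"
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):                 # prefix: "abc*" (embedded '*' stays literal)
        return value.startswith(pattern[:-1])
    return value == pattern                   # exact


@dataclass
class Operation:
    methods: list[str]          # to[].operation.methods
    paths: list[str]            # to[].operation.paths


@dataclass
class Rule:
    not_namespaces: list[str]   # from[].source.notNamespaces
    operations: list[Operation]


def rule_matches(rule: Rule, namespace: str, method: str, path: str) -> bool:
    """A rule matches when both its 'from' and 'to' sections match.
    Assumption for this model: the caller's namespace is known (mTLS identity)."""
    if namespace in rule.not_namespaces:
        return False
    # Any one 'to' entry is enough; within an entry, methods AND paths must match.
    return any(
        any(match_string(m, method) for m in op.methods)
        and any(match_string(p, path) for p in op.paths)
        for op in rule.operations
    )


def deny_policy_blocks(rules: list[Rule], namespace: str, method: str, path: str) -> bool:
    """action: DENY blocks the request if any rule matches; otherwise it passes."""
    return any(rule_matches(r, namespace, method, path) for r in rules)


# The policy exactly as posted in the question.
QUESTION_RULES = [
    Rule(
        not_namespaces=["default"],
        operations=[
            Operation(methods=["GET"], paths=["/my-service/docs/active"]),
            Operation(methods=["PUT"], paths=["/my-service/docs/*/activate/*"]),
        ],
    )
]

# Constructed alternative: one trailing '*' (a prefix match) instead of the
# embedded one. Broader than the original intent; acceptable for a DENY rule
# (over-denying fails closed) but it would be dangerous in an ALLOW rule.
PREFIX_RULES = [
    Rule(
        not_namespaces=["default"],
        operations=[
            Operation(methods=["GET"], paths=["/my-service/docs/active"]),
            Operation(methods=["PUT"], paths=["/my-service/docs/*"]),
        ],
    )
]

# Constructed requests: (caller namespace, method, path).
REQUESTS = [
    ("other", "GET", "/my-service/docs/active"),
    ("other", "PUT", "/my-service/docs/123/activate/true"),
    ("default", "PUT", "/my-service/docs/123/activate/true"),
]


def evaluate(rules: list[Rule]) -> dict[tuple[str, str, str], bool]:
    """Map each constructed request to whether the policy denies it."""
    return {req: deny_policy_blocks(rules, *req) for req in REQUESTS}


if __name__ == "__main__":
    for name, rules in (("as posted", QUESTION_RULES), ("trailing-* prefix", PREFIX_RULES)):
        print(f"policy {name}:")
        for (ns, method, path), denied in evaluate(rules).items():
            print(f"  {ns:8} {method:4} {path:40} -> {'DENY' if denied else 'pass'}")
```

With the policy as posted, the GET from another namespace is denied, but the PUT to `/my-service/docs/123/activate/true` passes: the pattern is read as a prefix match on the literal string `/my-service/docs/*/activate/`, which no real path starts with, so the DENY rule silently does nothing for that endpoint. That is the practical risk of a mid-string `*`: the policy applies without error while protecting less than intended, which is why a DENY written this way should be checked against a real cross-namespace request rather than trusted on sight.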