Istio RequestAuthentication blocks the envoy sidecar's ready state

Problem description


Could you please help me in understanding RequestAuthentication? When I apply a simple RequestAuthentication and restart the Pod, the envoy sidecar's ready state is false, and the logs throw: warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 1 successful, 0 rejected; lds updates: 0 successful, 1 rejected. As soon as I delete the RequestAuthentication and recreate the pod, it works OK.
Istio 1.8.3

apiVersion: 'security.istio.io/v1beta1'
kind: RequestAuthentication
metadata:
  name: jwt-validator
spec:
  selector:
    matchLabels:
      role: api
  jwtRules:
  - issuer: "https://mykeycloak.com/auth/realms/myrealm"


When the proxy is in the LDS stale state, the following log is shown in istiod:

2021-04-10T17:30:53.326877Z    warn    ads    ADS:LDS: ACK ERROR sidecar~10.238.2.69~PODNAME.NS~NS.svc.cluster.local-60 Internal:Error adding/updating listener(s) virtualInbound: Issuer 'MY_JWT_ISSUER_URL' in jwt_authn config has invalid local jwks: Jwks RSA [n] or [e] field is missing or has a parse error


Resolved
The issuer here is not just a string to match in the JWT, but a real URL that must be accessible from istiod, with a valid SSL certificate.

Recommended answer


I'm placing this answer for better visibility.


As @Yegor Lopatin mentioned in edit, the issue was solved by fixing the issuer:


issuer must be a valid and accessible link. I thought it was just a string that you compare against when reading the JWT.

For example:

jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.5/security/tools/jwt/samples/jwks.json"


There are tutorials you might refer to when you're setting up JWT with istio:
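As an added example (not code from the question, the answer or Istio itself), a small Python pre-flight check that mirrors what istiod does when it resolves a jwtRule: without jwksUri it fetches <issuer>/.well-known/openid-configuration to find jwks_uri, downloads the JWKS over verified TLS, and requires each RSA key to carry n and e, the fields named in the ACK ERROR above. The JWKS embedded at the bottom is a constructed sample, and the function names are the example's own.

```python
"""Pre-flight check for an Istio RequestAuthentication jwtRule (added example)."""
import json
import urllib.request
from typing import List, Optional


def discovery_url(issuer: str) -> str:
    # Without jwksUri, istiod looks up <issuer>/.well-known/openid-configuration
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_jwks(jwks: dict) -> List[str]:
    """Return the problems Envoy's jwt_authn filter would raise; [] means accepted."""
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        return ["JWKS has no 'keys' array"]
    problems = []
    for i, key in enumerate(keys):
        if key.get("kty") != "RSA":
            problems.append(f"key[{i}]: kty={key.get('kty')!r} is not RSA, not checked here")
            continue
        # The ACK ERROR in the question: RSA [n] or [e] field is missing
        for field in ("n", "e"):
            if not key.get(field):
                problems.append(f"key[{i}] (kid={key.get('kid')}): RSA field '{field}' is missing")
    return problems


def fetch_json(url: str, timeout: float = 5.0) -> dict:
    # urllib verifies the TLS chain by default, the same hurdle istiod faces
    # when the issuer serves a self-signed or otherwise invalid certificate.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def preflight(issuer: str, jwks_uri: Optional[str] = None) -> List[str]:
    """Resolve the rule the way istiod does, then validate the downloaded JWKS."""
    if jwks_uri is None:
        jwks_uri = fetch_json(discovery_url(issuer))["jwks_uri"]
    return check_jwks(fetch_json(jwks_uri))


# Constructed sample JWKS: one complete RSA key and one lacking its modulus "n".
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "good", "alg": "RS256", "n": "sAu0...", "e": "AQAB"},
    {"kty": "RSA", "kid": "bad", "alg": "RS256", "e": "AQAB"},
]}

if __name__ == "__main__":
    print(check_jwks(SAMPLE_JWKS))  # one problem, for kid=bad
    # Against a live issuer: print(preflight("https://mykeycloak.com/auth/realms/myrealm"))
```

Run preflight() with the issuer from your RequestAuthentication before applying it; a TLS or DNS error here is the same failure istiod hits, and a non-empty list is what Envoy rejects in the LDS update.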
