Request Authentication
- Request Authentication Policy会验证JSON Web Token(JWT)中几个关键字段的值
  - 请求中token所处的位置
  - Issuer或者请求,定义了认可的JWT签发机构
  - 公共的JWKS
- Istio检查token的方法
  - 若请求报文针对request authentication policy中的rules提供了token,Istio将会核验这些token,并会拒绝无效的token;
  - 但Istio默认会接受那些并未提供token的请求;若需要拒绝该类请求,则要通过相应的“授权”规则完成(例如在AuthorizationPolicy中以requestPrincipals作为放行条件),由这类规则负责完成针对特定操作的限制;
- Request Authentication Policy的生效机制
  - 每个JWT均使用了惟一的location时,Request Authentication Policy上甚至可以指定多个JWT;
  - 多个policy匹配到了同一个workload时,Istio会将这多个policy上的规则进行合并;
  - 目前,请求报文上尚不允许附带一个以上的JWT
root@master01:/opt/istio-in-practise/Security/04-RequestAuthn-and-AuthzPolicy# cat 01-deploy-keycloak.yaml
# Lab deployment of Keycloak: a dedicated namespace, a Service and a
# single-replica Deployment. Keycloak acts as the JWT issuer for the
# RequestAuthentication examples further down the page.
---
apiVersion: v1
kind: Namespace
metadata:
  name: keycloak
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app: keycloak
spec:
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  selector:
    app: keycloak
  # NOTE(review): LoadBalancer publishes the plain-HTTP port 8080 outside the
  # cluster. Only the http port is exposed, so logins and token requests made
  # through this Service are unencrypted. ClusterIP, or an ingress that
  # terminates TLS, is the usual choice outside a lab.
  type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:16.1.0
        env:
        # NOTE(review): the bootstrap admin account is admin/admin and is stored
        # in clear text in the manifest. Anyone who can read the Deployment or
        # reach the Service can administer the realm that signs the JWTs.
        # Outside a lab, use a strong password supplied from a Secret
        # (valueFrom.secretKeyRef).
        - name: KEYCLOAK_USER
          value: "admin"
        - name: KEYCLOAK_PASSWORD
          value: "admin"
        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
        ports:
        - name: http
          containerPort: 8080
        - name: https
          containerPort: 8443
        # The pod is reported ready once the master realm endpoint answers on 8080.
        readinessProbe:
          httpGet:
            path: /auth/realms/master
            port: 8080
root@master01:/opt/istio-in-practise/Security/04-RequestAuthn-and-AuthzPolicy# cat 02-requestauthn-policy.yaml
# RequestAuthentication tells the demoapp sidecars which JWTs to accept;
# the AuthorizationPolicy below it is what actually requires a token.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: demoapp
  namespace: default
spec:
  # Selects the target workloads by pod label; the effective scope of the
  # policy is decided by this selector together with metadata.namespace.
  selector:
    matchLabels:
      app: demoapp
  jwtRules:
  # Accepted JWT issuer (must equal the token's iss claim).
  # NOTE(review): no `audiences` list is set, so any token issued by this
  # realm is accepted whatever its aud claim is. Confirm that is intended.
  - issuer: "http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio"
    # Key set used to verify the JWT signature.
    # NOTE(review): the JWKS is fetched over plain HTTP; whoever can tamper
    # with that response controls which signing keys are trusted.
    jwksUri: "http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/certs"
---
# No `action` is given, so this is an ALLOW policy: for workloads labelled
# app=demoapp only requests matching a rule below pass, everything else is
# denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: demoapp
  namespace: default
spec:
  selector:
    matchLabels:
      app: demoapp
  rules:
  - from:
    - source:
        # Who the request comes from: "*" matches any request that carries a
        # validated JWT. This is the condition that rejects requests without
        # a token, which RequestAuthentication alone would let through.
        requestPrincipals: ["*"]
    to:
    - operation:
        # What is being requested: GET on any path.
        methods: ["GET"]
        paths: ["/*"]
设置中文
添加创建realm
添加客户端
添加用户
模拟 为用户设置密码chuan,并关闭“临时”(Temporary)选项
root@client /# curl http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/.well-known/openid-configuration {"issuer":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio","authorization_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/auth","token_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/token","introspection_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/token/introspect","userinfo_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/userinfo","end_session_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/certs","check_session_iframe":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_
values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","offline_access","phone","microprofile-jwt","web-origins","address","email","profile"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"revocation_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/revoke","revocation_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"revocation_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"backchannel_logout_supported":true,"backchannel_logout_session_supported":true,"device_authorization_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/auth/device","backchannel_token_delivery_modes_supported":["poll","ping"],"backchannel_authentication_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/ext/ciba/auth","backchannel_authentication_request_signing_alg_values_supported":["PS384","ES384","RS384","ES256","RS256","ES512","PS256","PS512","RS512"],"require_pushed_authorization_requests":false,"pushed_authorization_request_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/ext/par/request","mtls_endpoint_aliases":{"token_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/token","revocation_endpoint":"http://keycloak.keycloak.svc.clust
er.local:8080/auth/realms/istio/protocol/openid-connect/revoke","introspection_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/token/introspect","device_authorization_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/auth/device","registration_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/clients-registrations/openid-connect","userinfo_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/userinfo","pushed_authorization_request_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/ext/par/request","backchannel_authentication_endpoint":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/
root@client /# curl -s --data "username=tom&password=chuan&grant_type=password&client_id=istio-client" http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/token {"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrTmhkU0NoYUlVTnlqci10TUtVbG1wTnNPcUxkdk53TUdaZHdCcW1FdHBZIn0.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.BhQr8C4OJT_xzAkz16JZMI0QAozlGSVrjfHUnCpBlyZdLtyUhC_fpoc4ssVoTSz_sCx7iy9RtgzmgDxnDwQOb4c9jZ8Z_wd5CKKUP8lhVq8AtzUWl7Paa90UD7a3M_CcXwl_6uX_lPoZf9CSGk7SLn_e4pz6saJtAsjwVKU2JH2Xd6lTm5KbR8-ZePxfgcKIUd6bGp6Q_1jUllU0lIW-ImIL7hFz4cuHlhcg3CzIwg5Gv-VN76_spGDumGbOvh5nTLMwKMUY5qyj-jgtK66WNbSgUWakck_27tJd5XpoHlf2kImnzdO8FaAzR8TU1ZCN5vzOg9lkqdPcorRgKh6l6g","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIzZWE0ZDZhNy0zOTg0LTQ0ODUtOTY4OS1iZDc3OTgyN2RkY2IifQ.eyJleHAiOjE2NDQ2ODY2MzYsImlhdCI6MTY0NDY4NDgzNiwianRpIjoiMmU4ZDg5MDgtOTVjOS00NTYyLWIzOGEtZjM4M2E4MWI5NGUwIiwiaXNzIjoiaHR0cDovL2tleWNsb2FrLmtleWNsb2FrLnN2Yy5jbHVzdGVyLmxvY2FsOjgwODAvYXV0aC9yZWFsbXMvaXN0aW8iLCJhdWQiOiJodHRwOi8va2V5Y2xvYWsua2V5Y2xvYWsuc3ZjLmNsdXN0ZXIubG9jYWw6ODA4MC9hdXRoL3JlYWxtcy9pc3RpbyIsInN1YiI6IjI3MDA1NGViLTVmOTctNDYyYS1iYTQwLWVlODk1Y2Q4ZTU1ZCIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJpc3Rpby1jbGllbnQiLCJzZXNzaW9uX3N0YXRlIjoiMWJhYmVmMGEtZDI3Ni00YTM0LWFjM2MtYTY4ZGMxNTU4ZjNhIiwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwic2lkIjoiMWJhYmVmMGEtZDI3Ni00YTM0LWFjM2MtYTY4ZGMxNTU4ZjNhIn0.qTX83Q60JZpNF-uDEvfl9anwjOotGW3jOySwj9c_eRY","token_type":"Bearer","not-before-policy":0,"session_state":"1babef0a-d276-4a34-ac3c-a68dc1558f3a","scope":"email profile"}
root@client /# apk add jq
root@client /# curl -s --data "username=tom&password=chuan&grant_type=password&client_id=istio-client" http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/token | jq . { "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrTmhkU0NoYUlVTnlqci10TUtVbG1wTnNPcUxkdk53TUdaZHdCcW1FdHBZIn0.eyJleHAiOjE2NDQ2ODU4MTQsImlhdCI6MTY0NDY4NTUxNCwianRpIjoiMTM5ZTM3MDUtNGFjZS00NGIwLWIzNDgtMTJjZjM0MjJjNmYxIiwiaXNzIjoiaHR0cDovL2tleWNsb2FrLmtleWNsb2FrLnN2Yy5jbHVzdGVyLmxvY2FsOjgwODAvYXV0aC9yZWFsbXMvaXN0aW8iLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiMjcwMDU0ZWItNWY5Ny00NjJhLWJhNDAtZWU4OTVjZDhlNTVkIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiaXN0aW8tY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6IjcxMGNjOGZmLWFmNjQtNDdiMC1iY2NlLTFlMDRmZjEzMzc1YyIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiIsImRlZmF1bHQtcm9sZXMtaXN0aW8iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJzaWQiOiI3MTBjYzhmZi1hZjY0LTQ3YjAtYmNjZS0xZTA0ZmYxMzM3NWMiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIm5hbWUiOiJUb20gY2h1YW4iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0b20iLCJnaXZlbl9uYW1lIjoiVG9tIiwiZmFtaWx5X25hbWUiOiJjaHVhbiIsImVtYWlsIjoiODE0NzEyNDczQHFxLmNvbSJ9.RQM4uayASf2gH6vUnHNdiQrRmrBzitbfpPmUKrTdKb2ukfaWsrCZUsFN_xXW_YigLxKg5zfrws1_pWJCFgqYzYLQu6IXoosVFO9SRtVPuRup4HCUEAs8mesVuJOBfE3ZI4lucSicUNCSYV6JO0jEkj1mu92vO9xrLVtty5ao-zmmR_93-cU-0A5ajDSphno2pdHShwiUa9fmtNjN_QznyaCh8wJvm3uXa49Gjyvocqxd6dvbRv55epPuWo3d0u_7S-lGLcJNqJRxCxXKe8JtGBOHRCkqAYcqG6bapqG2J7-Sr_y947aOMkYJly2k4tGBIzeEwseqWmaRhfhJgq9y3w", "expires_in": 300, "refresh_expires_in": 1800, "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIzZWE0ZDZhNy0zOTg0LTQ0ODUtOTY4OS1iZDc3OTgyN2RkY2IifQ.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.YXy8hJrU7NQf28dy7tAFw9lT-BYsOBN5UjFfodclNcE", "token_type": "Bearer", "not-before-policy": 0, "session_state": "710cc8ff-af64-47b0-bcce-1e04ff13375c", 
"scope": "email profile" }
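# Request a token with the password grant and keep only the access_token field.
# jq -r prints the raw string; plain `jq .access_token` leaves the JSON double
# quotes inside $TOKEN, so the Authorization header would carry a quoted token.
# NOTE(review): the user's password is on the command line here (shell history,
# process list); that is tolerable only for this throw-away lab account.
root@client /# TOKEN=$(curl -s --data "username=tom&password=chuan&grant_type=password&client_id=istio-client" http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/token | jq -r .access_token)
root@client /# echo "$TOKEN" #valid for 5 minutes (expires_in is 300 in the token response)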
root@client /# curl -H "Authorization: Bearer $TOKEN" demoapp.default:8080 iKubernetes demoapp v1.1 !! ClientIP: 127.0.0.6, ServerName: demoappv11-7984f579f5-kqfq7, ServerIP: 10.200.235.24!
# Same request loop from two client pods while 02-requestauthn-policy.yaml is applied.
root@client /# while true;do curl -H "Authorization: Bearer $TOKEN" demoapp.default:8080;sleep 1;done #allowed
# NOTE(review): the page does not show why client-test is denied. Under that
# policy a request is admitted only when it carries a valid JWT, so check that
# $TOKEN is set and not yet expired in this shell.
root@client-test /# while true;do curl -H "Authorization: Bearer $TOKEN" demoapp.default:8080;sleep 1;done #denied
RBAC: access deniedRBAC: access deniedRBAC: access deniedRBAC: access deniedRBAC: access deniedRBAC: access deniedRBAC: access denied
client数据加密
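Keycloak管理控制台:keycloak.magedu.com:59127,管理员账号/密码:admin/admin(即01-deploy-keycloak.yaml中以明文写入的KEYCLOAK_USER/KEYCLOAK_PASSWORD,仅适用于实验环境)
测试用户/密码:tom / chuan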
root@master01:/opt/istio-in-practise/Security/04-RequestAuthn-and-AuthzPolicy# kubectl delete -f 02-requestauthn-policy.yaml
Authorization Policy CR
root@master01:/opt/istio-in-practise/Security/04-RequestAuthn-and-AuthzPolicy# cat 03-request-and-peer-authn-policy.yaml
# Combines peer (mTLS) identity and request (JWT) identity in one ALLOW policy
# for the demoapp workloads.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: demoapp
  namespace: default
spec:
  selector:
    matchLabels:
      app: demoapp
  jwtRules:
  # Accepted issuer and the key set used to verify token signatures.
  - issuer: "http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio"
    jwksUri: "http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: demoapp
  namespace: default
spec:
  selector:
    matchLabels:
      app: demoapp
  rules:
  # Rule 0: GET on any path. The two `source` entries are alternatives (OR):
  # either the peer identity is the default service account, or the peer
  # comes from one of the listed namespaces. Both are taken from the mTLS
  # peer certificate, so a client without a sidecar matches neither.
  # No JWT is required by this rule.
  - from:
    - source:
        # Admit only clients authenticated as this service account.
        principals: ["cluster.local/ns/default/sa/default"]
    - source:
        namespaces: ["default", "dev", "istio-system"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/*"]
  # Rule 1: POST to the health endpoints. Fields inside one `source` are
  # combined (AND): the caller needs a valid JWT and the mTLS identity.
  - from:
    - source:
        requestPrincipals: ["*"]
        # Caller must hold the mTLS certificate of this service account.
        principals: ["cluster.local/ns/default/sa/default"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/livez", "/readyz"]
    when:
    # Caller must hold a JWT whose iss claim is the Keycloak istio realm.
    - key: request.auth.claims[iss]
      values: ["http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio"]
root@master01:~# istioctl x describe po demoappv10-6ff964cbff-659v4 Pod: demoappv10-6ff964cbff-659v4 Pod Ports: 8080 (demoapp), 15090 (istio-proxy) -------------------- Service: demoapp Port: http 8080/HTTP targets pod port 8080 DestinationRule: demoapp for "demoapp" Matching subsets: v10 (Non-matching subsets v11) Traffic Policy TLS Mode: ISTIO_MUTUAL # load balancer VirtualService: demoapp Weight 60% RBAC policies: ns[default]-policy[demoapp]-rule[0] -------------------- Service: demoappv10 Port: http 8080/HTTP targets pod port 8080 RBAC policies: ns[default]-policy[demoapp]-rule[0]
root@master01:/opt/istio-in-practise/Security/01-PeerAuthentication-Policy-Basics# cat 03-destinationrule-demoapp-mtls.yaml
# DestinationRule for the demoapp host: least-connection load balancing and
# two subsets selected by the pods' version label.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: demoapp
spec:
  host: demoapp
  trafficPolicy:
    loadBalancer:
      simple: LEAST_CONN
    # Client-side TLS mode, left commented out. The author notes that DISABLE
    # here would interfere with the authentication policy.
    # NOTE(review): with no tls block the mesh's automatic mTLS presumably
    # decides the mode. The principals/namespaces rules in the
    # AuthorizationPolicy depend on mTLS being in effect, so confirm with
    # `istioctl x describe`.
#    tls:
#      mode: ISTIO_MUTUAL
  subsets:
  - name: v10
    labels:
      version: v1.0
  - name: v11
    labels:
      version: v1.1
# GET requests from a pod inside the mesh: served by both v1.0 replicas.
root@client /# while true;do curl -H "Authorization: Bearer $TOKEN" demoapp.default:8080;sleep 1;done #
iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-6ff964cbff-njq8q, ServerIP: 10.200.241.82!
iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-6ff964cbff-659v4, ServerIP: 10.200.59.252!
# NOTE(review): the denial is issued by demoapp's own sidecar. Assuming
# 03-request-and-peer-authn-policy.yaml is the policy in force, its GET rule
# needs a source principal or namespace, both taken from the mTLS peer
# identity. A client without a sidecar presents none, so the JWT alone does
# not satisfy that rule.
root@client-test /# while true;do curl -H "Authorization: Bearer $TOKEN" demoapp.default:8080;sleep 1;done #no Envoy sidecar, token is not checked
RBAC: access deniedRBAC: access deniedRBAC: access denied
root@client /# while true;do curl -H "Authorization: Bearer $TOKEN" demoapp.default:8080/livez;sleep 1;done OKOKOK root@client /# while true;do curl -H "Authorization: Bearer $TOKEN" demoapp.default:8080/readyz;sleep 1;done OKOK