Back to microservices with Istio. Part 3


Translator's note: the first part of this series introduced Istio's capabilities and demonstrated them in action; the second covered fine-grained routing and network traffic management. Now we turn to security. To demonstrate the basic security features, the author uses the Auth0 identity service, but other providers can be set up in the same way.

We have set up a Kubernetes cluster, deployed Istio to it together with a sample microservice application, Sentiment Analysis, and used it to demonstrate Istio's capabilities.

With Istio we were able to keep our services small, because they do not need to implement layers such as Retries, Timeouts, Circuit Breakers, Tracing and Monitoring. We also used advanced testing and deployment techniques: A/B testing, mirroring and canary rollouts.


In this part we deal with the last layers on the way to business value: authentication and authorization. In Istio they are a real pleasure to work with!

Authentication and authorization in Istio

I never thought I could be inspired by authentication and authorization. What does Istio offer, technically, to make these topics enjoyable and, more importantly, inspiring for you?

The answer is simple: Istio moves the responsibility for these capabilities out of your services and into the Envoy proxies. By the time a request reaches a service it has already been authenticated and authorized, so all that is left to write is business code.

Sounds good? Let's look inside!

Authentication with Auth0

As the identity and access management server we will use Auth0: it has a free trial tier, it is convenient, and I simply like it. The same principles, however, apply to any other OpenID Connect implementation: KeyCloak, IdentityServer and many others.

First, sign in to the Auth0 Portal with your account, create a tenant (a tenant is a logical unit of isolation; see the documentation for details - translator's note), then go to Applications > Default App and copy the Domain, as shown in the screenshot below:


Put that domain into the file resource-manifests/istio/security/auth-policy.yaml (source):

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: auth-policy
spec:
  targets:                       # services whose sidecars enforce this policy
  - name: sa-web-app
  - name: sa-feedback
  origins:                       # accepted end-user credential: a JWT issued by your Auth0 tenant
  - jwt:
      issuer: "https://{YOUR_DOMAIN}/"
      jwksUri: "https://{YOUR_DOMAIN}/.well-known/jwks.json"   # public keys used to verify the signature
  principalBinding: USE_ORIGIN   # the JWT subject becomes the request principal

With this configuration Pilot (one of the three core components of the Istio Control Plane - translator's note) configures the Envoys to authenticate requests before they are forwarded to the sa-web-app and sa-feedback services. The configuration is not applied to the Envoys of sa-frontend, which lets us leave the frontend unauthenticated. Apply the Policy with:

$ kubectl apply -f resource-manifests/istio/security/auth-policy.yaml
policy.authentication.istio.io "auth-policy" created

Go back to the page and submit a request: it will now fail with status 401 Unauthorized. Next, let's have frontend users authenticate with Auth0.

Authenticating requests with Auth0

To authenticate end-user requests, create an API in Auth0 that represents the protected services (reviews, details and ratings). Go to Auth0 Portal > APIs > Create API and fill in the form:


The important piece of information here is the Identifier, which we will use later in the script. Let's note it down as:

  • Audience: {YOUR_AUDIENCE}

The remaining details we need are in the Auth0 Portal under Applications: select the Test Application (created automatically together with the API).

Here we note down:

  • Domain: {YOUR_DOMAIN}
  • Client ID: {YOUR_CLIENT_ID}

Scroll down in the Test Application to the text field Allowed Callback URLs, where we specify the URL the user is sent back to after authentication completes. In our case it is:

http://{EXTERNAL_IP}/callback

And under Allowed Logout URLs add:

http://{EXTERNAL_IP}/logout

Let's move on to the frontend.

Updating the frontend

Switch to the auth0 branch of the [istio-mastery] repository. In this branch the frontend code is changed to redirect users to Auth0 for authentication and to send the JWT access token with requests to the other services. The latter is implemented as follows (App.js):

analyzeSentence() {
    fetch('/sentiment', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
            // The access token obtained from Auth0 is sent as a Bearer token;
            // the sa-web-app sidecar validates it before the request reaches the service.
            'Authorization': `Bearer ${auth.getAccessToken()}`
        },
        body: JSON.stringify({ sentence: this.textField.getValue() })
    })
        .then(response => response.json())
        .then(data => this.setState(data));
}

To make the frontend use your Auth0 tenant's data, open sa-frontend/src/services/Auth.js and replace the values with those noted above (Auth.js):

const Config = {
    clientID: '{YOUR_CLIENT_ID}',
    domain:'{YOUR_DOMAIN}',
    audience: '{YOUR_AUDIENCE}',
    ingressIP: '{EXTERNAL_IP}' // used for the redirect after authentication
}

The application is ready. Substitute your Docker ID in the commands below to build and deploy the changes:

$ docker build -f sa-frontend/Dockerfile \
 -t $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0 \
 sa-frontend

$ docker push $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0

$ kubectl set image deployment/sa-frontend \
 sa-frontend=$DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0

Try the app! You will be redirected to Auth0, where you log in (or sign up), and then sent back to the page, from which the requests are now made with a token. If you try the curl commands from the first parts of the article, you will get a 401 status code, showing that a request without a valid token is rejected.

Let's take the next step and authorize the requests.

Authorization with Auth0

Authentication tells us who the user is; authorization is needed to decide what they may access. Istio provides tools for this as well.

As an example, let's create two groups of users (see the diagram below):

  • Users: access only to the SA-WebApp and SA-Frontend services;
  • Moderators: access to all three services.

Figure: authorization logic

To create these groups we will use the Auth0 Authorization extension, and Istio to grant them different levels of access.

Installing and configuring the Auth0 Authorization extension

In the Auth0 Portal go to Extensions and install Auth0 Authorization. After installation open the Authorization Extension and, from the menu in the upper right corner, go to the tenant configuration (Configuration). Enable Groups and click Publish Rule.


Creating groups

In the Authorization Extension go to Groups and create the Moderators group. Since we will treat all authenticated users as regular users, there is no need to create a separate group for them.

Select the Moderators group, click Add Members and add your own account. Leave the other users outside any group to check that they are denied access. (New users can be created manually via Auth0 Portal > Users > Create User.)

Adding the group claim to the access token

Users have been added to groups, but this information must also appear in the access tokens. To stay compliant with OpenID Connect and still return the groups we need, the token gets a custom claim. This is done with Auth0 rules.

To create a rule, go to Auth0 Portal > Rules, click Create Rule and choose the empty rule template.


Copy the code below and save it as a new rule named Add Group Claim (namespacedGroup.js):

function (user, context, callback) {
    // user.groups is populated by the Authorization Extension's own rule, which must run first.
    // Copy the user's first group into the access token as a custom claim; Auth0 requires
    // custom claims to be namespaced with a URL, hence https://sa.io/group.
    context.accessToken['https://sa.io/group'] = user.groups[0];
    return callback(null, user, context);
}

Note: this code takes the user's first group as defined in the Authorization Extension and adds it to the access token as a custom claim (under its own namespace, as Auth0 requires).

Go back to the Rules page and check that the two rules are listed in this order:

  • auth0-authorization-extension
  • Add Group Claim

The order matters: the groups field is populated by the auto-generated auth0-authorization-extension rule and only then copied into a claim by the second rule. The resulting access token looks like this:

{
 "https://sa.io/group": "Moderators",
 "iss": "https://sentiment-analysis.eu.auth0.com/",
 "sub": "google-oauth2|196405271625531691872"
 // [abbreviated for clarity]
}
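A way to test the rule chain locally before publishing it, as an added example that is not the article's or Auth0's code: the two rules are run in sequence with mocked user, context and callback objects, first in the order the Rules page shows and then reversed, to see what ends up in the access token. The first function only imitates what the extension's generated rule does (populate user.groups); the membership table and the auth0|regular-user id are constructed for this example.

```javascript
// Added example (not the article's or Auth0's code): a local harness that
// runs Auth0-style rules in the order the Rules page lists them, with mocked
// user/context/callback objects, so the group claim can be checked before the
// rule is published. authorizationExtensionRule only imitates what the
// Authorization Extension's generated rule does; the membership table is
// constructed for this example.
const GROUP_CLAIM = 'https://sa.io/group';

// Stand-in for the auth0-authorization-extension rule.
function authorizationExtensionRule(user, context, callback) {
  const memberships = {                         // constructed sample directory
    'google-oauth2|196405271625531691872': ['Moderators'],
    'auth0|regular-user': [],
  };
  user.groups = memberships[user.user_id] || [];
  return callback(null, user, context);
}

// The article's "Add Group Claim" rule, logic unchanged.
function addGroupClaimRule(user, context, callback) {
  context.accessToken[GROUP_CLAIM] = user.groups[0];
  return callback(null, user, context);
}

// Runs rules sequentially, passing the (possibly modified) user and context
// on. An exception or a callback error aborts the pipeline, which is what
// makes the login fail in Auth0 instead of issuing a token.
function runRules(rules, user) {
  let u = { ...user };
  let ctx = { accessToken: {}, idToken: {} };
  for (const rule of rules) {
    let err = null;
    rule(u, ctx, (e, nextUser, nextCtx) => {
      err = e;
      if (nextUser) u = nextUser;
      if (nextCtx) ctx = nextCtx;
    });
    if (err) throw err;
  }
  return ctx.accessToken;
}

// Returns what the access token would carry for a given user and rule order.
function groupClaimFor(userId, order = 'dashboard') {
  const rules = order === 'dashboard'
    ? [authorizationExtensionRule, addGroupClaimRule]   // order shown in the article
    : [addGroupClaimRule, authorizationExtensionRule];  // reversed
  try {
    const token = runRules(rules, { user_id: userId });
    return { issued: true, group: token[GROUP_CLAIM] };
  } catch (e) {
    return { issued: false, error: e.constructor.name };
  }
}

console.log(groupClaimFor('google-oauth2|196405271625531691872'));
console.log(groupClaimFor('auth0|regular-user'));
console.log(groupClaimFor('google-oauth2|196405271625531691872', 'reversed'));
```

Two things the harness makes visible: with the rules reversed, user.groups is still undefined when the claim rule runs, so the rule throws and no token is issued at all; and because the rule copies only groups[0], a user who is later placed in more than one group gets whichever group the extension lists first. If that ever happens in your tenant, a check such as user.groups.includes('Moderators') is the safer way to derive the claim.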

Now we need to configure the Envoy proxies to check the user's access, taking the group from the claim (https://sa.io/group) in the presented access token. That is the subject of the next section.

Configuring authorization in Istio

For authorization to work, Istio RBAC must be enabled. We do that with the following configuration:

apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
spec:
  mode: 'ON_WITH_INCLUSION'                     # 1
  inclusion:
    services:                                   # 2
    - "sa-frontend.default.svc.cluster.local"
    - "sa-web-app.default.svc.cluster.local"
    - "sa-feedback.default.svc.cluster.local" 

Explanation:

  • 1: enable RBAC only for the services and namespaces listed in the inclusion field;
  • 2: the list of our services.

Apply the configuration with:

$ kubectl apply -f resource-manifests/istio/security/enable-rbac.yaml
rbacconfig.rbac.istio.io/default created

All three services now require Role-Based Access Control. In other words, access to them is denied and every request gets the response RBAC: access denied. Now let's grant access to authorized users.

Configuring access for regular users

All users must be able to reach the SA-Frontend and SA-WebApp services. This is implemented with the following Istio resources:

  • ServiceRole: defines the permissions a user has;
  • ServiceRoleBinding: defines who the ServiceRole applies to.

For regular users we allow access to specific services (regular-user-service-role.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: regular-user
  namespace: default
spec:
  rules:
  - services: 
    - "sa-frontend.default.svc.cluster.local" 
    - "sa-web-app.default.svc.cluster.local"
    paths: ["*"]
    methods: ["*"]

And regular-user-binding applies that ServiceRole to all visitors of the page (regular-user-service-role-binding.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: regular-user-binding
  namespace: default
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "regular-user"

Does "all users" mean that unauthenticated users will get access to SA-WebApp? No: the authentication Policy applied earlier still requires a valid JWT for that service, so a request without one is rejected before RBAC is evaluated.

Apply the configuration:

$ kubectl apply -f resource-manifests/istio/security/user-role.yaml
servicerole.rbac.istio.io/regular-user created
servicerolebinding.rbac.istio.io/regular-user-binding created

Configuring access for moderators

For moderators we want to allow access to all services (mod-service-role.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: mod-user
  namespace: default
spec:
  rules:
  - services: ["*"]
    paths: ["*"]
    methods: ["*"]

But we want these rights only for users whose access token carries the claim https://sa.io/group with the value Moderators (mod-service-role-binding.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: mod-user-binding
  namespace: default
spec:
  subjects:
  - properties:
      request.auth.claims[https://sa.io/group]: "Moderators"
  roleRef:
    kind: ServiceRole
    name: "mod-user"

Apply the configuration:

$ kubectl apply -f resource-manifests/istio/security/mod-role.yaml
servicerole.rbac.istio.io/mod-user created
servicerolebinding.rbac.istio.io/mod-user-binding created

Because of caching in the Envoys, it may take a few minutes for the authorization rules to take effect. After that you can verify that users and moderators have different levels of access.
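How the sidecar combines the authentication Policy with the RbacConfig, the two ServiceRoles and the two ServiceRoleBindings above, as an added example that is not Istio's code: a simplified model of the v1alpha1 evaluation, covering only the features the article uses (service, path and method rules with "*", "prefix*" and "*suffix" patterns, the "user: *" subject and one request.auth.claims[...] property). The claims are assumed to be already verified, which is the JWT filter's job rather than RBAC's; the sample requests, the auth0|regular-user subject and the other.default.svc.cluster.local service are constructed for this example.

```javascript
// Added example (not Istio's code): a simplified model of how the sidecar
// evaluates the RbacConfig, ServiceRole and ServiceRoleBinding objects from
// the article, preceded by the JWT authentication Policy. Claims are assumed
// to be already verified by the JWT filter.
const GROUP_CLAIM = 'https://sa.io/group';

// Services the authentication Policy targets (sa-frontend is deliberately absent).
const jwtProtected = new Set([
  'sa-web-app.default.svc.cluster.local',
  'sa-feedback.default.svc.cluster.local',
]);

const rbacConfig = {
  mode: 'ON_WITH_INCLUSION',
  inclusion: {
    services: [
      'sa-frontend.default.svc.cluster.local',
      'sa-web-app.default.svc.cluster.local',
      'sa-feedback.default.svc.cluster.local',
    ],
  },
};

const serviceRoles = {
  'regular-user': [{
    services: ['sa-frontend.default.svc.cluster.local', 'sa-web-app.default.svc.cluster.local'],
    paths: ['*'], methods: ['*'],
  }],
  'mod-user': [{ services: ['*'], paths: ['*'], methods: ['*'] }],
};

const bindings = [
  { subjects: [{ user: '*' }], roleRef: 'regular-user' },
  { subjects: [{ properties: { [`request.auth.claims[${GROUP_CLAIM}]`]: 'Moderators' } }], roleRef: 'mod-user' },
];

// Matcher: exact value, "*", "prefix*" or "*suffix".
function patternMatches(pattern, value) {
  if (pattern === '*') return true;
  if (pattern.endsWith('*')) return value.startsWith(pattern.slice(0, -1));
  if (pattern.startsWith('*')) return value.endsWith(pattern.slice(1));
  return pattern === value;
}

function ruleMatches(rule, req) {
  return rule.services.some((p) => patternMatches(p, req.service))
    && rule.paths.some((p) => patternMatches(p, req.path))
    && rule.methods.some((p) => patternMatches(p, req.method));
}

function subjectMatches(subject, req) {
  // "user: *" matches every caller, authenticated or not; a concrete user
  // would have to equal the verified principal (the JWT "sub" here).
  if (subject.user !== undefined && subject.user !== '*' && subject.user !== req.claims?.sub) return false;
  for (const [key, expected] of Object.entries(subject.properties || {})) {
    const m = /^request\.auth\.claims\[(.+)\]$/.exec(key);
    if (!m) return false;                                 // property kinds this model does not implement
    if (req.claims?.[m[1]] !== expected) return false;    // exact, case-sensitive comparison
  }
  return true;
}

// Returns the response the caller would see from the sidecar.
function handleRequest(req) {
  if (jwtProtected.has(req.service) && !req.claims) {
    return { status: 401, body: 'Unauthorized' };         // authentication Policy, before RBAC
  }
  if (rbacConfig.mode === 'ON_WITH_INCLUSION' && !rbacConfig.inclusion.services.includes(req.service)) {
    return { status: 200, body: 'OK (RBAC not enforced for this service)' };
  }
  const allowed = bindings.some((b) =>
    b.subjects.some((s) => subjectMatches(s, req))
    && serviceRoles[b.roleRef].some((r) => ruleMatches(r, req)));
  return allowed ? { status: 200, body: 'OK' } : { status: 403, body: 'RBAC: access denied' };
}

// Constructed sample callers mirroring the article's two groups.
const regular = { sub: 'auth0|regular-user' };                                  // no group claim
const moderator = { sub: 'google-oauth2|196405271625531691872', [GROUP_CLAIM]: 'Moderators' };
const FRONTEND = 'sa-frontend.default.svc.cluster.local';
const WEB_APP = 'sa-web-app.default.svc.cluster.local';
const FEEDBACK = 'sa-feedback.default.svc.cluster.local';

console.log(handleRequest({ service: FRONTEND, path: '/', method: 'GET' }));
console.log(handleRequest({ service: FEEDBACK, path: '/feedback', method: 'POST', claims: regular }));
console.log(handleRequest({ service: FEEDBACK, path: '/feedback', method: 'POST', claims: moderator }));
```

The model shows why the frontend keeps working for anonymous visitors (its sidecar has no JWT Policy and "user: *" matches everyone), why a regular user is refused on sa-feedback with RBAC: access denied, and that the claim comparison is exact: a token carrying "moderators" in lower case grants nothing.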

Summary of this part

Seriously though, have you ever seen such a simple, low-effort, scalable and secure approach to authentication and authorization?

Only three Istio resources (RbacConfig, ServiceRole and ServiceRoleBinding) were needed to implement fine-grained control over authentication and authorization of end-user access to the services.

Moreover, by moving these concerns out of our services into the Envoys, we have achieved:

  • less generic code that could contain security issues and bugs;
  • fewer cases where an endpoint turns out to be reachable from outside because we forgot to protect it;
  • no need to update every service each time a new role or permission is added;
  • new services that remain simple, secure and fast.

Conclusion

Istio lets teams focus their resources on business-critical tasks without adding overhead to the services, returning them to a truly "micro" state.

The article (in three parts) has provided the basic knowledge and ready-to-use practical instructions needed to start using Istio in real projects.

Source: www.habr.com
