Why am I getting a 403 "RBAC: access denied" with Istio AuthorizationPolicy and JWT

Posted: 2022-01-14 12:54:29

[Question]:

I am trying to secure a third-party application in our EKS cluster using Istio and Azure AD.

My configuration works on a local docker-desktop K8S cluster, but when it is deployed to our EKS the token never seems to be passed to the istio-proxy on the application pod, so the request is never authorized.

Given my configuration:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: marquez-sso
  namespace: marquez
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: marquez
  jwtRules:
    - issuer: "https://sts.windows.net/{{ .Values.sso.tenant }}/"
      audiences: ["{{ .Values.sso.scope }}"]
      jwksUri: "https://login.microsoftonline.com/{{ .Values.sso.tenant }}/discovery/keys?appid={{ .Values.sso.appId.read }}"
#      forwardOriginalToken: true #forward jwt to proxy container - commented out because it didn't forward either.
      outputPayloadToHeader: "x-jwt-payload" #pass header


---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authorize-marquez-poc
  namespace: marquez
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: marquez
  action: ALLOW
  rules:
    - to:
        - operation:
            methods: ["GET"]
            paths: ["*"]
      when:
        - key: request.auth.claims[roles]
          values: ["poc.read"]

When I make a request to my app with a valid JWT token containing the "poc.read" role, I would expect the request to be authenticated and authorized and to reach the application.

That is what happens on my local cluster, but when I try it on EKS I get a 403 "RBAC: access denied" response.

Looking at the gateway's logs, I can see that the JWT was successfully authenticated (JWT values redacted):

2021-12-09T16:10:28.399763Z debug   envoy filter    tls inspector: new connection accepted
2021-12-09T16:10:28.399806Z debug   envoy filter    tls inspector: new connection accepted
2021-12-09T16:10:28.399836Z debug   envoy filter    tls inspector: new connection accepted
2021-12-09T16:10:28.400332Z debug   envoy filter    tls inspector: new connection accepted
2021-12-09T16:10:28.557660Z debug   envoy filter    tls inspector: new connection accepted
2021-12-09T16:10:28.557857Z debug   envoy filter    tls inspector: new connection accepted
2021-12-09T16:10:28.558903Z debug   envoy filter    tls inspector: new connection accepted
2021-12-09T16:10:28.558975Z debug   envoy filter    tls inspector: new connection accepted
2021-12-09T16:10:28.592729Z debug   envoy filter    tls inspector: new connection accepted
2021-12-09T16:10:28.592773Z debug   envoy filter    tls:onServerName(), requestedServerName: redacted.com
2021-12-09T16:10:28.647901Z debug   envoy http  [C4469] new stream
2021-12-09T16:10:28.647975Z debug   envoy http  [C4469][S10542422563474009578] request headers complete (end_stream=false):
':authority', 'redacted.com'
':path', '/api/v1/namespaces/troubleshootistio'
':method', 'GET'
'authorization', 'Bearer redacted-token'
'content-type', 'application/json'
'user-agent', 'PostmanRuntime/7.28.4'
'accept', '*/*'
'cache-control', 'no-cache'
'postman-token', '3318e2c3-7a16-4f35-a4a6-03ca1c30680c'
'accept-encoding', 'gzip, deflate, br'
'connection', 'keep-alive'
'content-length', '93'
2021-12-09T16:10:28.648018Z debug   envoy jwt   Called Filter : setDecoderFilterCallbacks
2021-12-09T16:10:28.648063Z debug   envoy jwt   Called Filter : decodeHeaders
2021-12-09T16:10:28.648075Z debug   envoy jwt   Prefix requirement '/' matched.
2021-12-09T16:10:28.648081Z debug   envoy jwt   extract authorizationBearer
2021-12-09T16:10:28.648101Z debug   envoy jwt   origins-0: JWT authentication starts (allow_failed=false), tokens size=1
2021-12-09T16:10:28.648107Z debug   envoy jwt   origins-0: startVerify: tokens size 1
2021-12-09T16:10:28.648111Z debug   envoy jwt   origins-0: Parse Jwt redacted-token
2021-12-09T16:10:28.648222Z debug   envoy jwt   origins-0: Verifying JWT token of issuer https://sts.windows.net/redacted-tenant/
2021-12-09T16:10:28.648271Z debug   envoy jwt   origins-0: JWT token verification completed with: OK
2021-12-09T16:10:28.648282Z debug   envoy jwt   Jwt authentication completed with: OK
2021-12-09T16:10:28.648302Z debug   envoy filter    AuthenticationFilter::decodeHeaders with config
policy 
  origins 
    jwt 
      issuer: "https://sts.windows.net/redacted-tenant/"
    
  
  origin_is_optional: true
  principal_binding: USE_ORIGIN

skip_validate_trust_domain: true
2021-12-09T16:10:28.648309Z debug   envoy filter    No method defined. Skip source authentication.
2021-12-09T16:10:28.648313Z debug   envoy filter    Validating request path /api/v1/namespaces/troubleshootistio for jwt issuer: "https://sts.windows.net/redacted-tenant/"
2021-12-09T16:10:28.648385Z debug   envoy filter    ProcessJwtPayload: json object is "aio":"redacted-aio","appid":"redacted-appid1","appidacr":"1","aud":"redacted-aud","exp":1639068956,"iat":1639065056,"idp":"https://sts.windows.net/redacted-tenant/","iss":"https://sts.windows.net/redacted-tenant/","nbf":1639065056,"oid":"redacted-oid","rh":"redacted-rh","roles":["poc.read"],"sub":"redacted-oid","tid":"redacted-tenant","uti":"redacted-uti","ver":"1.0"
2021-12-09T16:10:28.648406Z debug   envoy filter    JWT validation succeeded
2021-12-09T16:10:28.648415Z debug   envoy filter    Set principal from origin: https://sts.windows.net/redacted-tenant//redacted-oid
2021-12-09T16:10:28.648419Z debug   envoy filter    Origin authenticator succeeded
2021-12-09T16:10:28.648524Z debug   envoy filter    Saved Dynamic Metadata:
fields 
  key: "request.auth.audiences"
  value 
    string_value: "redacted-aud"
  

fields 
  key: "request.auth.claims"
  value 
    struct_value 
      fields 
        key: "aio"
        value 
          list_value 
            values 
              string_value: "redacted-aio"
            
          
        
      
      fields 
        key: "appid"
        value 
          list_value 
            values 
              string_value: "redacted-appid1"
            
          
        
      
      fields 
        key: "appidacr"
        value 
          list_value 
            values 
              string_value: "1"
            
          
        
      
      fields 
        key: "aud"
        value 
          list_value 
            values 
              string_value: "redacted-aud"
            
          
        
      
      fields 
        key: "idp"
        value 
          list_value 
            values 
              string_value: "https://sts.windows.net/redacted-tenant/"
            
          
        
      
      fields 
        key: "iss"
        value 
          list_value 
            values 
              string_value: "https://sts.windows.net/redacted-tenant/"
            
          
        
      
      fields 
        key: "oid"
        value 
          list_value 
            values 
              string_value: "redacted-oid"
            
          
        
      
      fields 
        key: "rh"
        value 
          list_value 
            values 
              string_value: "redacted-rh"
            
          
        
      
      fields 
        key: "roles"
        value 
          list_value 
            values 
              string_value: "poc.read"
            
          
        
      
      fields 
        key: "sub"
        value 
          list_value 
            values 
              string_value: "redacted-oid"
            
          
        
      
      fields 
        key: "tid"
        value 
          list_value 
            values 
              string_value: "redacted-tenant"
            
          
        
      
      fields 
        key: "uti"
        value 
          list_value 
            values 
              string_value: "redacted-uti"
            
          
        
      
      fields 
        key: "ver"
        value 
          list_value 
            values 
              string_value: "1.0"
            
          
        
      
    
  

fields 
  key: "request.auth.principal"
  value 
    string_value: "https://sts.windows.net/redacted-tenant//redacted-oid"
  

fields 
  key: "request.auth.raw_claims"
  value 
    string_value: "\"appid\":\"redacted-appid1\",\"aud\":\"redacted-aud\",\"ver\":\"1.0\",\"sub\":\"redacted-oid\",\"nbf\":1639065056,\"rh\":\"redacted-rh\",\"uti\":\"redacted-uti\",\"exp\":1639068956,\"tid\":\"redacted-tenant\",\"iat\":1639065056,\"oid\":\"redacted-oid\",\"aio\":\"redacted-aio\",\"appidacr\":\"1\",\"iss\":\"https://sts.windows.net/redacted-tenant/\",\"idp\":\"https://sts.windows.net/redacted-tenant/\",\"roles\":[\"poc.read\"]"
  

2021-12-09T16:10:28.648551Z debug   envoy router    [C4469][S10542422563474009578] cluster 'outbound|443||marquez.marquez.svc.cluster.local' match for URL '/api/v1/namespaces/troubleshootistio'
2021-12-09T16:10:28.648603Z debug   envoy router    [C4469][S10542422563474009578] router decoding headers:
':authority', 'redacted.com'
':path', '/api/v1/namespaces/troubleshootistio'
':method', 'GET'
':scheme', 'https'
'content-type', 'application/json'
'user-agent', 'PostmanRuntime/7.28.4'
'accept', '*/*'
'cache-control', 'no-cache'
'postman-token', '3318e2c3-7a16-4f35-a4a6-03ca1c30680c'
'accept-encoding', 'gzip, deflate, br'
'content-length', '93'
'x-forwarded-for', '10.11.226.29'
'x-forwarded-proto', 'https'
'x-envoy-internal', 'true'
'x-request-id', '263e9f61-f6a0-4d22-bf67-c5abafcd4d6d'
'x-envoy-decorator-operation', 'marquez.marquez.svc.cluster.local:443/api/*'
'x-envoy-peer-metadata', 'ChQKDkFQUF9DT05UQUlORVJTEgIaAAoaCgpDTFVTVEVSX0lEEgwaCkt1YmVybmV0ZXMKGQoNSVNUSU9fVkVSU0lPThIIGgYxLjEwLjAK0gUKBkxBQkVMUxLHBSrEBQoXCgNhcHASEBoOaXN0aW8tb3BlcmF0b3IKKAobYXBwLmt1YmVybmV0ZXMuaW8vY29tcG9uZW50EgkaB2luZ3Jlc3MKJQobYXBwLmt1YmVybmV0ZXMuaW8vbWFuYWdlZEJ5EgYaBEhlbG0KMgoWYXBwLmt1YmVybmV0ZXMuaW8vbmFtZRIYGhZpc3Rpby1vcGVyYXRvci1pbmdyZXNzCi0KGWFwcC5rdWJlcm5ldGVzLmlvL3BhcnQtb2YSEBoOaXN0aW8tb3BlcmF0b3IKJQoZYXBwLmt1YmVybmV0ZXMuaW8vdmVyc2lvbhIIGgZ2MC4wLjIKEwoFY2hhcnQSChoIZ2F0ZXdheXMKHQoNaGVsbS5zaC9jaGFydBIMGgp1ZHAtYWRkb25zChQKCGhlcml0YWdlEggaBlRpbGxlcgo2CilpbnN0YWxsLm9wZXJhdG9yLmlzdGlvLmlvL293bmluZy1yZXNvdXJjZRIJGgd1bmtub3duCiIKBWlzdGlvEhkaF21ldGFkYXRhLWluZ3Jlc3NnYXRld2F5ChkKDGlzdGlvLmlvL3JldhIJGgdkZWZhdWx0CjAKG29wZXJhdG9yLmlzdGlvLmlvL2NvbXBvbmVudBIRGg9JbmdyZXNzR2F0ZXdheXMKIQoRcG9kLXRlbXBsYXRlLWhhc2gSDBoKNjU2ZmY3NmQ2YgoSCgdyZWxlYXNlEgcaBWlzdGlvCjwKH3NlcnZpY2UuaXN0aW8uaW8vY2Fub25pY2FsLW5hbWUSGRoXbWV0YWRhdGEtaW5ncmVzc2dhdGV3YXkKLwojc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtcmV2aXNpb24SCBoGbGF0ZXN0ChEKA3NoYRIKGgg2MTRlYTkyYwoiChdzaWRlY2FyLmlzdGlvLmlvL2luamVjdBIHGgVmYWxzZQoaCgdNRVNIX0lEEg8aDWNsdXN0ZXIubG9jYWwKMgoETkFNRRIqGihtZXRhZGF0YS1pbmdyZXNzZ2F0ZXdheS02NTZmZjc2ZDZiLXFkbDJqChsKCU5BTUVTUEFDRRIOGgxpc3Rpby1zeXN0ZW0KYAoFT1dORVISVxpVa3ViZXJuZXRlczovL2FwaXMvYXBwcy92MS9uYW1lc3BhY2VzL2lzdGlvLXN5c3RlbS9kZXBsb3ltZW50cy9tZXRhZGF0YS1pbmdyZXNzZ2F0ZXdheQoXChFQTEFURk9STV9NRVRBREFUQRICKgAKKgoNV09SS0xPQURfTkFNRRIZGhdtZXRhZGF0YS1pbmdyZXNzZ2F0ZXdheQ=='
'x-envoy-peer-metadata-id', 'router~100.112.90.145~metadata-ingressgateway-656ff76d6b-qdl2j.istio-system~istio-system.svc.cluster.local'
'x-envoy-attempt-count', '1'
'x-b3-traceid', 'dae9d28da5c49193785bcb1128971c0b'
'x-b3-spanid', '785bcb1128971c0b'
'x-b3-sampled', '0'
'x-envoy-original-path', '/api/v1/namespaces/troubleshootistio'
2021-12-09T16:10:28.648642Z debug   envoy pool  queueing stream due to no available connections
2021-12-09T16:10:28.648645Z debug   envoy pool  trying to create new connection
2021-12-09T16:10:28.648649Z debug   envoy pool  creating a new connection
2021-12-09T16:10:28.648708Z debug   envoy client    [C4470] connecting
2021-12-09T16:10:28.648715Z debug   envoy connection    [C4470] connecting to 100.112.69.104:5000
2021-12-09T16:10:28.648876Z debug   envoy connection    [C4470] connection in progress
2021-12-09T16:10:28.648904Z debug   envoy jwt   Called Filter : decodeData
2021-12-09T16:10:28.648921Z debug   envoy http  [C4469][S10542422563474009578] request end stream
2021-12-09T16:10:28.648924Z debug   envoy jwt   Called Filter : decodeData
2021-12-09T16:10:28.648938Z debug   envoy connection    [C4470] connected
2021-12-09T16:10:28.649435Z debug   envoy client    [C4470] connected
2021-12-09T16:10:28.649452Z debug   envoy pool  [C4470] attaching to next stream
2021-12-09T16:10:28.649456Z debug   envoy pool  [C4470] creating stream
2021-12-09T16:10:28.649465Z debug   envoy router    [C4469][S10542422563474009578] pool ready
2021-12-09T16:10:28.650350Z debug   envoy router    [C4469][S10542422563474009578] upstream headers complete: end_stream=false
2021-12-09T16:10:28.650404Z debug   envoy http  [C4469][S10542422563474009578] encoding headers via codec (end_stream=false):
':status', '403'
'content-length', '19'
'content-type', 'text/plain'
'date', 'Thu, 09 Dec 2021 16:10:28 GMT'
'server', 'istio-envoy'
'x-envoy-upstream-service-time', '1'
2021-12-09T16:10:28.650422Z debug   envoy client    [C4470] response complete
2021-12-09T16:10:28.650545Z debug   envoy wasm  wasm log stats_outbound stats_outbound: [extensions/stats/plugin.cc:621]::report() metricKey cache hit , stat=12
2021-12-09T16:10:28.650555Z debug   envoy wasm  wasm log stats_outbound stats_outbound: [extensions/stats/plugin.cc:621]::report() metricKey cache hit , stat=6
2021-12-09T16:10:28.650558Z debug   envoy wasm  wasm log stats_outbound stats_outbound: [extensions/stats/plugin.cc:621]::report() metricKey cache hit , stat=10
2021-12-09T16:10:28.650561Z debug   envoy wasm  wasm log stats_outbound stats_outbound: [extensions/stats/plugin.cc:621]::report() metricKey cache hit , stat=14
2021-12-09T16:10:28.650565Z debug   envoy jwt   Called Filter : onDestroy
2021-12-09T16:10:28.650568Z debug   envoy filter    Called AuthenticationFilter : onDestroy
2021-12-09T16:10:28.650574Z debug   envoy pool  [C4470] response complete
2021-12-09T16:10:28.650577Z debug   envoy pool  [C4470] saw upstream close connection
2021-12-09T16:10:28.650580Z debug   envoy connection    [C4470] closing data_to_write=0 type=1
2021-12-09T16:10:28.650583Z debug   envoy connection    [C4470] closing socket: 1
2021-12-09T16:10:28.650642Z debug   envoy connection    [C4470] SSL shutdown: rc=0
2021-12-09T16:10:28.650690Z debug   envoy client    [C4470] disconnect. resetting 0 pending requests
2021-12-09T16:10:28.650699Z debug   envoy pool  [C4470] client disconnected, failure reason:
2021-12-09T16:10:28.650747Z debug   envoy pool  [C4470] destroying stream: 0 remaining

But the application pod's logs show that the JWT value was never sent on from the gateway, so authorization fails:

2021-12-09T16:10:28.648927Z debug   envoy filter    original_dst: New connection accepted
2021-12-09T16:10:28.648959Z debug   envoy filter    tls inspector: new connection accepted
2021-12-09T16:10:28.649014Z debug   envoy filter    tls:onServerName(), requestedServerName: outbound_.443_._.marquez.marquez.svc.cluster.local
2021-12-09T16:10:28.649556Z debug   envoy http  [C4227] new stream
2021-12-09T16:10:28.649677Z debug   envoy http  [C4227][S15673186747439282324] request headers complete (end_stream=false):
':authority', 'redacted.com'
':path', '/api/v1/namespaces/troubleshootistio'
':method', 'GET'
'content-type', 'application/json'
'user-agent', 'PostmanRuntime/7.28.4'
'accept', '*/*'
'cache-control', 'no-cache'
'postman-token', '3318e2c3-7a16-4f35-a4a6-03ca1c30680c'
'accept-encoding', 'gzip, deflate, br'
'content-length', '93'
'x-forwarded-for', '10.11.226.29'
'x-forwarded-proto', 'https'
'x-envoy-internal', 'true'
'x-request-id', '263e9f61-f6a0-4d22-bf67-c5abafcd4d6d'
'x-envoy-decorator-operation', 'marquez.marquez.svc.cluster.local:443/api/*'
'x-envoy-peer-metadata', '[base64 peer metadata elided]'
'x-envoy-peer-metadata-id', 'router~100.112.90.145~metadata-ingressgateway-656ff76d6b-qdl2j.istio-system~istio-system.svc.cluster.local'
'x-envoy-attempt-count', '1'
'x-b3-traceid', 'dae9d28da5c49193785bcb1128971c0b'
'x-b3-spanid', '785bcb1128971c0b'
'x-b3-sampled', '0'
'x-envoy-original-path', '/api/v1/namespaces/troubleshootistio'
2021-12-09T16:10:28.649788Z debug   envoy jwt   Called Filter : setDecoderFilterCallbacks
2021-12-09T16:10:28.649840Z debug   envoy jwt   Called Filter : decodeHeaders
2021-12-09T16:10:28.649853Z debug   envoy jwt   Prefix requirement '/' matched.
2021-12-09T16:10:28.649860Z debug   envoy jwt   extract authorizationBearer
2021-12-09T16:10:28.649865Z debug   envoy jwt   origins-0: JWT authentication starts (allow_failed=false), tokens size=0
2021-12-09T16:10:28.649868Z debug   envoy jwt   origins-0: JWT token verification completed with: Jwt is missing
2021-12-09T16:10:28.649871Z debug   envoy jwt   Jwt authentication completed with: OK
2021-12-09T16:10:28.649895Z debug   envoy filter    AuthenticationFilter::decodeHeaders with config
policy 
  peers 
    mtls 
      mode: PERMISSIVE
    
  
  origins 
    jwt 
      issuer: "https://sts.windows.net/redacted-tenant/"
    
  
  origin_is_optional: true
  principal_binding: USE_ORIGIN

skip_validate_trust_domain: true
2021-12-09T16:10:28.649905Z debug   envoy filter    [C4227] validateX509 mode PERMISSIVE: ssl=true, has_user=true
2021-12-09T16:10:28.649908Z debug   envoy filter    [C4227] trust domain validation skipped
2021-12-09T16:10:28.649910Z debug   envoy filter    Set peer from X509: cluster.local/ns/istio-system/sa/metadata-ingressgateway-service-account
2021-12-09T16:10:28.649915Z debug   envoy filter    Validating request path /api/v1/namespaces/troubleshootistio for jwt issuer: "https://sts.windows.net/redacted-tenant/"
2021-12-09T16:10:28.649917Z debug   envoy filter    No dynamic_metadata found for filter envoy.filters.http.jwt_authn
2021-12-09T16:10:28.649920Z debug   envoy filter    No dynamic_metadata found for filter jwt-auth
2021-12-09T16:10:28.649922Z debug   envoy filter    Origin authenticator failed
2021-12-09T16:10:28.649952Z debug   envoy filter    Saved Dynamic Metadata:
fields 
  key: "source.namespace"
  value 
    string_value: "istio-system"
  

fields 
  key: "source.principal"
  value 
    string_value: "cluster.local/ns/istio-system/sa/metadata-ingressgateway-service-account"
  

fields 
  key: "source.user"
  value 
    string_value: "cluster.local/ns/istio-system/sa/metadata-ingressgateway-service-account"
  

2021-12-09T16:10:28.650000Z debug   envoy rbac  checking request: requestedServerName: outbound_.443_._.marquez.marquez.svc.cluster.local, sourceIP: 100.112.90.145:40310, directRemoteIP: 100.112.90.145:40310, remoteIP: 10.11.226.29:0,localAddress: 100.112.69.104:5000, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/istio-system/sa/metadata-ingressgateway-service-account, dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', 'redacted.com'
':path', '/api/v1/namespaces/troubleshootistio'
':method', 'GET'
':scheme', 'https'
'content-type', 'application/json'
'user-agent', 'PostmanRuntime/7.28.4'
'accept', '*/*'
'cache-control', 'no-cache'
'postman-token', '3318e2c3-7a16-4f35-a4a6-03ca1c30680c'
'accept-encoding', 'gzip, deflate, br'
'content-length', '93'
'x-forwarded-for', '10.11.226.29'
'x-forwarded-proto', 'https'
'x-request-id', '263e9f61-f6a0-4d22-bf67-c5abafcd4d6d'
'x-envoy-attempt-count', '1'
'x-b3-traceid', 'dae9d28da5c49193785bcb1128971c0b'
'x-b3-spanid', '785bcb1128971c0b'
'x-b3-sampled', '0'
'x-envoy-original-path', '/api/v1/namespaces/troubleshootistio'
'x-envoy-internal', 'true'
'x-forwarded-client-cert', 'By=spiffe://cluster.local/ns/marquez/sa/default;Hash=0adef9d0a150cbba7db8c026be24a496bc09ff4dd3f30ddc020b5e90d3afb619;Subject="";URI=spiffe://cluster.local/ns/istio-system/sa/metadata-ingressgateway-service-account'
, dynamicMetadata: filter_metadata 
  key: "istio_authn"
  value 
    fields 
      key: "source.namespace"
      value 
        string_value: "istio-system"
      
    
    fields 
      key: "source.principal"
      value 
        string_value: "cluster.local/ns/istio-system/sa/metadata-ingressgateway-service-account"
      
    
    fields 
      key: "source.user"
      value 
        string_value: "cluster.local/ns/istio-system/sa/metadata-ingressgateway-service-account"
      
    
  

2021-12-09T16:10:28.650019Z debug   envoy rbac  enforced denied, matched policy none
2021-12-09T16:10:28.650030Z debug   envoy http  [C4227][S15673186747439282324] Sending local reply with details rbac_access_denied_matched_policy[none]
2021-12-09T16:10:28.650068Z debug   envoy http  [C4227][S15673186747439282324] encoding headers via codec (end_stream=false):
':status', '403'
'content-length', '19'
'content-type', 'text/plain'
'x-envoy-peer-metadata', '[base64 peer metadata elided]'
'x-envoy-peer-metadata-id', 'sidecar~100.112.69.104~marquez-76f987c94-p5wcz.marquez~marquez.svc.cluster.local'
'date', 'Thu, 09 Dec 2021 16:10:28 GMT'
'server', 'istio-envoy'
'connection', 'close'
2021-12-09T16:10:28.650089Z debug   envoy http  [C4227][S15673186747439282324] doEndStream() resetting stream
2021-12-09T16:10:28.650095Z debug   envoy http  [C4227][S15673186747439282324] stream reset
2021-12-09T16:10:28.650177Z debug   envoy wasm  wasm log stats_inbound stats_inbound: [extensions/stats/plugin.cc:621]::report() metricKey cache hit , stat=12
2021-12-09T16:10:28.650188Z debug   envoy wasm  wasm log stats_inbound stats_inbound: [extensions/stats/plugin.cc:621]::report() metricKey cache hit , stat=6
2021-12-09T16:10:28.650191Z debug   envoy wasm  wasm log stats_inbound stats_inbound: [extensions/stats/plugin.cc:621]::report() metricKey cache hit , stat=10
2021-12-09T16:10:28.650194Z debug   envoy wasm  wasm log stats_inbound stats_inbound: [extensions/stats/plugin.cc:621]::report() metricKey cache hit , stat=14
2021-12-09T16:10:28.650198Z debug   envoy jwt   Called Filter : onDestroy
2021-12-09T16:10:28.650200Z debug   envoy filter    Called AuthenticationFilter : onDestroy
2021-12-09T16:10:28.650208Z debug   envoy connection    [C4227] closing data_to_write=1245 type=2
2021-12-09T16:10:28.650216Z debug   envoy connection    [C4227] setting delayed close timer with timeout 1000 ms
2021-12-09T16:10:28.650230Z debug   envoy connection    [C4227] closing data_to_write=1245 type=2
2021-12-09T16:10:28.650306Z debug   envoy connection    [C4227] write flush complete
2021-12-09T16:10:28.650690Z debug   envoy connection    [C4227] remote early close
2021-12-09T16:10:28.650700Z debug   envoy connection    [C4227] closing socket: 0
2021-12-09T16:10:28.650750Z debug   envoy connection    [C4227] SSL shutdown: rc=0

I am new to Istio and have not been able to find a solution to this in the documentation or other resources.

The only difference I know of between my local cluster and our EKS is that EKS running in AWS uses TLS and has third-party JWT tokens enabled, whereas my local version has first-party JWT tokens.

Why is the token, or the values in the token, not being passed to the istio-proxy sidecar on my application pod, and how should I configure this to secure my application?
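A triage script, added here as an example rather than taken from the question or from Istio, that reads the two Envoy debug excerpts above (condensed into constructed sample strings) and reports per hop whether the Authorization header survived, how many tokens the jwt filter saw, the verification result and the RBAC decision. The verdict wording, including the forwardOriginalToken suggestion, is the script's own summary of the pattern the logs show, not an Istio message.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: condensed copies of the gateway and sidecar excerpts from the question.
GATEWAY_LOG = """\
2021-12-09T16:10:28.647975Z debug   envoy http  [C4469][S10542422563474009578] request headers complete (end_stream=false):
':path', '/api/v1/namespaces/troubleshootistio'
'authorization', 'Bearer redacted-token'
2021-12-09T16:10:28.648101Z debug   envoy jwt   origins-0: JWT authentication starts (allow_failed=false), tokens size=1
2021-12-09T16:10:28.648271Z debug   envoy jwt   origins-0: JWT token verification completed with: OK
2021-12-09T16:10:28.648603Z debug   envoy router    [C4469][S10542422563474009578] router decoding headers:
':path', '/api/v1/namespaces/troubleshootistio'
'x-request-id', '263e9f61-f6a0-4d22-bf67-c5abafcd4d6d'
"""
SIDECAR_LOG = """\
2021-12-09T16:10:28.649677Z debug   envoy http  [C4227][S15673186747439282324] request headers complete (end_stream=false):
'x-request-id', '263e9f61-f6a0-4d22-bf67-c5abafcd4d6d'
2021-12-09T16:10:28.649865Z debug   envoy jwt   origins-0: JWT authentication starts (allow_failed=false), tokens size=0
2021-12-09T16:10:28.649868Z debug   envoy jwt   origins-0: JWT token verification completed with: Jwt is missing
2021-12-09T16:10:28.650019Z debug   envoy rbac  enforced denied, matched policy none
"""

HEADER_RE = re.compile(r"^'([^']+)', '(.*)'$")  # one line of an Envoy header dump
TOKENS_RE = re.compile(r"tokens size=(\d+)")
VERIFY_RE = re.compile(r"JWT token verification completed with: (.+)$")
RBAC_RE = re.compile(r"enforced (allowed|denied), matched policy (\S+)")


@dataclass
class HopSummary:
    inbound_headers: dict = field(default_factory=dict)   # from "request headers complete"
    outbound_headers: dict = field(default_factory=dict)  # from "router decoding headers"
    tokens_seen: int = -1        # -1: the jwt filter never reported a token count
    verify_result: str = ""      # "OK", "Jwt is missing", ...
    rbac_decision: str = ""      # "allowed" / "denied"
    rbac_policy: str = ""        # matched policy name, or "none"


def parse_hop(log: str) -> HopSummary:
    s = HopSummary()
    section = None  # header dump we are currently inside: "in", "out" or None
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if m and section is not None:
            bucket = s.inbound_headers if section == "in" else s.outbound_headers
            bucket[m.group(1).lower()] = m.group(2)
            continue
        section = None  # any non-header line ends the current dump
        if "request headers complete" in line:
            section = "in"
        elif "router decoding headers" in line:
            section = "out"
        elif (m := TOKENS_RE.search(line)):
            s.tokens_seen = int(m.group(1))
        elif (m := VERIFY_RE.search(line)):
            s.verify_result = m.group(1).strip()
        elif (m := RBAC_RE.search(line)):
            s.rbac_decision, s.rbac_policy = m.group(1), m.group(2)
    return s


def diagnose(gateway: HopSummary, sidecar: HopSummary) -> str:
    """Explain why the sidecar's AuthorizationPolicy returned 403 for this request."""
    gw_verified = gateway.verify_result == "OK" and gateway.tokens_seen > 0
    gw_forwarded = "authorization" in gateway.outbound_headers
    sc_no_token = sidecar.tokens_seen == 0 or sidecar.verify_result == "Jwt is missing"
    if gw_verified and not gw_forwarded and sc_no_token and sidecar.rbac_decision == "denied":
        return ("token-consumed-at-gateway: the gateway verified the JWT but dropped the Authorization "
                "header before routing, so the sidecar saw no token, request.auth.* stayed empty and "
                "no ALLOW rule matched; set forwardOriginalToken: true on the gateway's RequestAuthentication")
    if sidecar.verify_result not in ("", "OK") and not sc_no_token:
        return f"token-rejected-at-sidecar: {sidecar.verify_result}"
    if sidecar.rbac_decision == "denied":
        return "claims-present-but-no-rule-matched: compare the policy's when/from against request.auth.claims"
    return "no-denial-detected"
```

Run `diagnose(parse_hop(GATEWAY_LOG), parse_hop(SIDECAR_LOG))` against your own two excerpts; the same parser works on the full debug logs since it only keys on the jwt, router and rbac lines.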

[Question comments]:

Which Istio and Kubernetes versions are you using? Which installation configuration profile are you using? This information is important for reproducing your issue. How do you generate the JWT token for your cluster on EKS?

Istio client: 1.12.0, Istio control and data plane 1.10.0. Kube client version: v1.21.5, Kube server version: v1.20.7-eks-d88609

Well, I tested your setup using the example JWT token from this tutorial; I changed the when block in the AuthorizationPolicy to use the keys and values from the example JWT token, and it worked fine. It was passed to the application using the `forwardOriginalToken` and outputPayloadToHeader options. Could you try the httpbin from this tutorial and configure it with the JWT token options from the main question? Then you can try running kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -H "Authorization: Bearer $TOKEN" and check whether the JWT token is being passed. Could you send any steps/tutorial you used to generate the JWT token?

[Answer 1]:

I was able to resolve this by adding the following to my AuthorizationPolicy:

  rules:
    - from:
      - source:
          requestPrincipals: ["$ISS/$SUB"]

[Discussion]:

[Answer 2]:

JWT authentication did not complete successfully. If it had, you would get the claims in the filter metadata. Currently the only data stored in the connection's filter metadata is what was retrieved through mutual authentication:

fields 
  key: "source.namespace"
  value 
    string_value: "istio-system"
  

fields 
  key: "source.principal"
  value 
    string_value: "cluster.local/ns/istio-system/sa/metadata-ingressgateway-service-account"
  

fields 
  key: "source.user"
  value 
    string_value: "cluster.local/ns/istio-system/sa/metadata-ingressgateway-service-account"
  

When the JWT is authenticated, you get the following values in the connection's filter metadata:

  key: "envoy.filters.http.jwt_authn"
  value 
    fields 
      key: "auth@istio.io"
      value 
        struct_value 
          fields 
            key: "exp"
            value 
              number_value: 4745145071
            
          
          fields 
            key: "group"
            value 
              string_value: "admin"
            
          
     #...

[Discussion]:

Thanks for the info! Is there a way to get more detail on why authentication failed? The values used seem to work outside Istio: using java-jwt and jwks-rsa from com.auth0

I'm not sure I agree with you. My gateway log shows 2021-12-09T16:10:28.648282Z debug envoy jwt Jwt authentication completed with: OK. If authentication had failed, I would expect the corresponding logging statement to name the failure and give more information when debug is enabled. If it really is an authentication failure, how can I log more information to help find the root cause?

Once authentication succeeds, the claims are stored as filter metadata. In your output they are not. I would have to go through the code, but for a request with a missing JWT this log line Jwt authentication completed with: OK can still be shown.

Interesting. I changed the issuer and audience to some garbage and saw the same behaviour. So maybe you are right.
