Apply envoyfilter ext_authz per virtual host

abd*_*ama 5 filter kubernetes istio envoyproxy

I have an ext_authz filter as follows:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  # Insert ext_authz ahead of the router in the gateway's HTTP filter chain
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.ext_authz
        config:
          http_service:
            server_uri:
              uri: http://authservice.istio-system.svc.cluster.local
              cluster: outbound|8080||authservice.istio-system.svc.cluster.local
              timeout: 10s
            authorization_request:
              # Request headers forwarded to the auth service
              allowed_headers:
                patterns:
                - exact: "cookie"
                - exact: "X-Auth-Token"
            authorization_response:
              # Auth service response headers passed on to the upstream
              allowed_upstream_headers:
                patterns:
                - exact: "kubeflow-userid"
          # Filter-level field (not part of server_uri): fail closed when
          # the auth service cannot be reached
          failure_mode_allow: false
          status_on_error:
            code: GatewayTimeout


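The problem is that it applies to all virtual hosts under the same ingress. I want to apply it only to specific virtual hosts. Currently I use the following to exclude some hosts: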

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: bypass-auth-filter
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: VIRTUAL_HOST
    match:
      routeConfiguration:
        vhost:
          name: a.example.com:80
    patch:
        operation: MERGE
        value:
          per_filter_config:
            envoy.ext_authz:
              disabled: true

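However, I would like to know whether I can do this so that the filter is applied on specific virtual hosts, without having to exclude every host that does not need authentication (more of a whitelist solution than a blacklist).

Any hints would be much appreciated!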
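
One way to get allowlist semantics out of the per-vhost bypass shown in the question is to generate the bypass patches as the complement of the hosts that must be authenticated. This is an added example, not part of the original question and not Istio code. The function names and the host lists are hypothetical, and `gateway_vhosts` is assumed to hold the virtual host names exactly as they appear in the gateway's route configuration.

```python
import json

def vhost_host(vhost_name):
    """Drop the ':port' suffix used in gateway vhost names ('a.example.com:80')."""
    return vhost_name.rsplit(":", 1)[0].lower()

def build_bypass_filter(gateway_vhosts, auth_required_hosts):
    """Build one EnvoyFilter that disables envoy.ext_authz on every gateway
    vhost whose host is not listed in auth_required_hosts."""
    required = {h.lower() for h in auth_required_hosts}
    served = {vhost_host(v) for v in gateway_vhosts}
    unknown = sorted(required - served)
    if unknown:
        # A misspelled entry would leave the intended host in the bypass set,
        # i.e. unauthenticated, so refuse to generate anything.
        raise ValueError(f"not served by this gateway: {unknown}")
    patches = [
        {
            "applyTo": "VIRTUAL_HOST",
            "match": {"routeConfiguration": {"vhost": {"name": name}}},
            "patch": {
                "operation": "MERGE",
                "value": {"per_filter_config": {"envoy.ext_authz": {"disabled": True}}},
            },
        }
        for name in sorted(gateway_vhosts)
        if vhost_host(name) not in required
    ]
    return {
        "apiVersion": "networking.istio.io/v1alpha3",
        "kind": "EnvoyFilter",
        "metadata": {"name": "bypass-auth-filter", "namespace": "istio-system"},
        "spec": {
            "workloadSelector": {"labels": {"istio": "ingressgateway"}},
            "configPatches": patches,
        },
    }

def bypassed_vhosts(envoy_filter):
    """List the vhost names the generated filter exempts from ext_authz."""
    return [p["match"]["routeConfiguration"]["vhost"]["name"]
            for p in envoy_filter["spec"]["configPatches"]]

if __name__ == "__main__":
    # Constructed sample: a.example.com:80 is from the question, the rest are made up.
    vhosts = ["a.example.com:80", "b.example.com:80", "c.example.com:80"]
    manifest = build_bypass_filter(vhosts, ["b.example.com"])
    print(json.dumps(manifest, indent=2))  # kubectl apply accepts JSON manifests
```

Because the ext_authz filter itself still covers every virtual host, a host added to the gateway later stays behind authentication until the generator is rerun, so the setup fails closed.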