Istio 安全策略
mTLS 双向认证
yaml
# Mesh-wide PeerAuthentication: every sidecar accepts only mTLS.
# Istio treats the policy named "default" in the mesh root namespace as the
# mesh default (istio-system unless meshConfig.rootNamespace says otherwise —
# confirm for your install). It applies wherever no namespace- or
# workload-level PeerAuthentication overrides it.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system  # root namespace -> applies mesh-wide
spec:
  mtls:
    mode: STRICT  # plaintext connections are rejected at the sidecar
---
# Namespace-level PeerAuthentication for production.
# Redundant while the mesh-wide default is STRICT, but a namespace policy is
# more specific than the mesh one, so production stays STRICT even if the
# mesh-wide policy is later relaxed.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT
---
# Workload-level exception for legacy-service during the migration.
# A selector-scoped policy is more specific than the namespace default, so only
# pods labelled app=legacy-service fall back to PERMISSIVE. Plaintext callers of
# this workload are not authenticated by the sidecar (no peer identity), so keep
# the exception tracked and drop it once every caller sends mTLS.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: legacy-service
  namespace: production
spec:
  selector:
    matchLabels:
      app: legacy-service
  mtls:
    mode: PERMISSIVE  # 同时接受 mTLS 和明文

JWT 认证
yaml
# RequestAuthentication: validate JWTs presented to api-server.
# This resource only validates tokens that are present — a request with no
# token at all is still admitted (it simply has no request principal).
# Rejecting unauthenticated requests needs an AuthorizationPolicy such as the
# deny-unauthenticated policy further down this page.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: production
spec:
  selector:
    matchLabels:
      app: api-server
  jwtRules:
    - issuer: https://auth.example.com
      # Signing keys are fetched from the issuer's JWKS endpoint over HTTPS.
      jwksUri: https://auth.example.com/.well-known/jwks.json
      # Tokens minted for a different audience are rejected.
      audiences:
        - my-api
      forwardOriginalToken: true

授权策略
yaml
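# ALLOW policy for api-server: only two service accounts, only GET/POST on
# /api/v1/*, and only with a validated JWT whose role claim is user or admin.
# Because an ALLOW policy exists for this workload, any request that matches
# no rule is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-server-policy
  namespace: production
spec:
  selector:
    matchLabels:
      app: api-server
  action: ALLOW
  rules:
    - from:
        - source:
            # Workload identity of the caller, taken from the mTLS peer
            # certificate; only populated when the connection is mTLS.
            principals:
              - cluster.local/ns/production/sa/frontend-sa
              - cluster.local/ns/production/sa/mobile-sa
            # End-user identity: require a JWT accepted by the RequestAuthentication.
            # The claims condition below already implies this; stating it here
            # makes the JWT requirement explicit instead of a side effect of `when`.
            requestPrincipals: ["*"]
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/v1/*"]
      when:
        # Claim values come from the validated JWT only.
        - key: request.auth.claims[role]
          values: ["user", "admin"]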
---
# DENY policy: reject any request that carries no validated request principal,
# i.e. no JWT accepted by a RequestAuthentication.
# There is no selector, so it applies to every workload in production. A
# workload without a RequestAuthentication never gets a request principal and
# would have all of its traffic denied — add a selector if that is not intended.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-unauthenticated
  namespace: production
spec:
  action: DENY
  rules:
    - from:
        - source:
            notRequestPrincipals: ["*"]

证书管理
bash
# Show the workload certificate chain currently loaded by the sidecar
istioctl proxy-config secret my-pod.production

# Check the effective mTLS mode between a pod and a service
# NOTE(review): `istioctl authn tls-check` is not available in recent istioctl
# releases — confirm it exists in the installed version before relying on it.
istioctl authn tls-check my-pod.production my-service.production.svc.cluster.local

# Custom CA via cert-manager: a self-signed ClusterIssuer signs a CA certificate.
# NOTE(review): Istio's plug-in-CA path reads a secret named `cacerts` with
# ca-cert.pem/ca-key.pem/root-cert.pem/cert-chain.pem keys, while a cert-manager
# Certificate writes tls.crt/tls.key/ca.crt into istio-ca-secret — confirm how
# istiod is meant to consume this (e.g. the cert-manager istio-csr integration).
# The heredoc delimiter is quoted so nothing inside it is shell-expanded.
cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: istio-ca
  namespace: istio-system
spec:
  isCA: true
  commonName: istio-ca
  secretName: istio-ca-secret
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
EOF