Add the standard CRD for zero trust direction in Opensergo | Opensergo中加入关于零信任方向的标准CRD #85

Open
xinlunanxinlunan opened this issue Aug 3, 2023 · 0 comments
Labels
kind/spec-RFC Issues or PRs for OpenSergo spec RFC


xinlunanxinlunan commented Aug 3, 2023

We want to add a standard CRD on the zero-trust direction to Opensergo.
The CRD will be expanded to be compatible with istio.
The CRD involves three aspects in total, namely

  1. TlsMode: Authentication policy, whether to authenticate both parties.
  2. JWT: JWT policy, how to verify tokens in a request that comply with the JWT specification.
  3. Auth: Authentication policy that determines which requests are approved and which requests are rejected.

We want to add a standard CRD for the zero-trust direction to Opensergo.
The CRD will be moderately extended on top of compatibility with istio.
The CRD involves three aspects in total, namely

  1. TlsMode: authentication policy, whether a request needs to verify the identities of both parties.
  2. JWT: JWT policy, how to verify a token in the request that complies with the JWT specification.
  3. Auth: authorization policy, determining which requests pass and which requests do not.

TLSMode: Authentication policy

The example CRD for the authentication policy is as follows:

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: finance
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: DISABLE
```

The selectable attributes are described below:

| Field | Type | Description |
|---|---|---|
| mtls | MutualTLS: DISABLE, PERMISSIVE, STRICT | TLS mode: plaintext mode, compatible (permissive) mode and strict mode respectively |
| portLevelMtls | map<uint32, MutualTLS> | Specifies the TLS mode for particular ports. |

JWT: JWT policy

The example CRD for JWT is as follows:

```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt
spec:
  jwtRules:
  - issuer: "issuer-foo"
    jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.18/security/tools/jwt/samples/jwks.json
    fromHeaders:
      - name: header1
        prefix: "pre1"
      - name: header2
        prefix: "pre2"
    audiences:
      - bookstore_android.apps.example.com
      - bookstore_web.apps.example.com
    fromParams:
      - "params1"
      - "params2"
  - issuer: "issuer-foo1"
    jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.18/security/tools/jwt/samples/jwks.json
```

The selectable jwtRules attributes are described below:

| Field | Type | Description |
|---|---|---|
| issuer | string | The iss that the JWT must match |
| jwksUri | string | URL from which the public keys used to verify the JWT are fetched |
| fromHeaders | map<string,string> | Which header field the token is taken from, and with what prefix |
| audiences | string[] | The aud that the JWT must match |
| fromParams | string[] | Which query parameter the token is taken from |

Auth: Authorization policy

The example CRD for the authorization policy is as follows:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin1
  namespace: default
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["principal1","principal2"]
        notPrincipals: ["notPrincipal1","notPrincipal2"]
        requestPrincipals: ["jwtp1","jwtp2"]
        notRequestPrincipals: ["notjwtp1","notjwtp2"]
        namespaces: ["namespace1","namespace2"]
        notNamespaces: ["notNamespace1","notNamespace2"]
        ipBlocks: ["10.1.1.1","10.1.1.0/24"]
        notIpBlocks: ["11.1.1.1","11.1.1.0/24"]
        remoteIpBlocks: ["12.1.1.1","12.1.1.0/24"]
        notRemoteIpBlocks: ["13.1.1.1","13.1.1.0/24"]
    - source:
        principals: ["principal3"]
    to:
    - operation:
        hosts: ["www.host1.com","www.host2.com"]
        notHosts: ["www.nothost1.com","www.nothost2.com"]
        ports: ["8080","443"]
        notPorts: ["18080","1443"]
        methods: ["GET","POST"]
        notMethods: ["PUT","DELETE"]
        paths: ["/info1*","/info2"]
        notPaths: ["/notinfo1*","/notinfo2"]
    - operation:
        hosts: ["www.host3.com"]
```

The selectable action attribute is described below:

| Field | Type | Description |
|---|---|---|
| action | ALLOW, DENY | Allow rule, deny rule |

The selectable rules attributes are described below:

| Field | Type | Description |
|---|---|---|
| from | source[] | Source (from) rules |
| to | operation[] | Destination (to) rules |

The selectable from attributes are described below:

| Field | Type | Description |
|---|---|---|
| principals | string[] | Identities that must match |
| notPrincipals | string[] | Identities that must not match |
| requestPrincipals | string[] | iss + "/" + sub from the JWT that must match |
| notRequestPrincipals | string[] | iss + "/" + sub from the JWT that must not match |
| namespaces | string[] | Namespaces that must match |
| notNamespaces | string[] | Namespaces that must not match |
| ipBlocks | string[] | Direct source IPs that must match |
| notIpBlocks | string[] | Direct source IPs that must not match |
| remoteIpBlocks | string[] | Original client IPs of the request that must match; the original source IP is taken from the value of the X-Forwarded-For header |
| notRemoteIpBlocks | string[] | Original client IPs of the request that must not match; the original source IP is taken from the value of the X-Forwarded-For header |

The selectable to attributes are described below:

| Field | Type | Description |
|---|---|---|
| hosts | string[] | Destination hosts that must match |
| notHosts | string[] | Destination hosts that must not match |
| ports | string[] | Destination ports that must match |
| notPorts | string[] | Destination ports that must not match |
| methods | string[] | Request methods that must match |
| notMethods | string[] | Request methods that must not match |
| paths | string[] | Request paths that must match |
| notPaths | string[] | Request paths that must not match |

istio's authentication policy
https://istio.io/latest/docs/reference/config/security/peer_authentication/
istio's authorization policy
https://istio.io/latest/docs/reference/config/security/authorization-policy/
istio's JWT authorization policy
https://istio.io/latest/docs/reference/config/security/jwt/
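
Added example (not OpenSergo's or Istio's code) showing how the jwtRules fields of the JWT section are applied to one request, in Go: `ExtractToken` walks `fromHeaders` (header name plus value prefix) and then `fromParams`; `DecodeClaims` reads `iss`, `sub` and `aud` from the payload without checking the signature, so verification against the `jwksUri` key set is assumed to happen before these claims are used; `ClaimsMatchRule` applies `issuer` and `audiences`; `RequestPrincipal` derives the `iss + "/" + sub` value that `requestPrincipals` in the authorization policy compares against. Case-insensitive header names, the "empty audiences accepts any audience" rule and the constructed sample token in `main` are assumptions of this example, not statements from the issue.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JWTRule carries the jwtRules fields of the RequestAuthentication example.
type JWTRule struct {
	Issuer      string
	JwksURI     string
	FromHeaders []HeaderLocation // header name plus expected value prefix
	Audiences   []string
	FromParams  []string
}

type HeaderLocation struct{ Name, Prefix string }

// Claims holds the registered claims the rule and the request principal use.
type Claims struct {
	Iss, Sub string
	Aud      []string
}

// ExtractToken looks in fromHeaders (name and prefix) first and in the
// fromParams query parameters second. Header names compare case-insensitively.
func ExtractToken(rule JWTRule, headers, query map[string]string) (string, bool) {
	for _, loc := range rule.FromHeaders {
		for name, value := range headers {
			if strings.EqualFold(name, loc.Name) && strings.HasPrefix(value, loc.Prefix) {
				return strings.TrimSpace(strings.TrimPrefix(value, loc.Prefix)), true
			}
		}
	}
	for _, p := range rule.FromParams {
		if v := query[p]; v != "" {
			return v, true
		}
	}
	return "", false
}

// DecodeClaims reads iss, sub and aud from the payload of a compact JWS. It does
// not check the signature: the keys at jwksUri must verify the token first.
func DecodeClaims(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("token is not a three-part compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var body struct {
		Iss string          `json:"iss"`
		Sub string          `json:"sub"`
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(raw, &body); err != nil {
		return Claims{}, err
	}
	c := Claims{Iss: body.Iss, Sub: body.Sub}
	// RFC 7519 allows aud to be one string or an array of strings.
	var one string
	if len(body.Aud) > 0 && json.Unmarshal(body.Aud, &one) == nil {
		c.Aud = []string{one}
	} else if len(body.Aud) > 0 {
		err = json.Unmarshal(body.Aud, &c.Aud)
	}
	return c, err
}

// ClaimsMatchRule applies the issuer and audiences constraints; an empty
// audiences list in the rule accepts any audience (assumption of this example).
func ClaimsMatchRule(rule JWTRule, c Claims) bool {
	if c.Iss != rule.Issuer {
		return false
	}
	hit := len(rule.Audiences) == 0
	for _, want := range rule.Audiences {
		for _, got := range c.Aud {
			hit = hit || want == got
		}
	}
	return hit
}

// RequestPrincipal is the identity requestPrincipals matches: iss + "/" + sub.
func RequestPrincipal(c Claims) string { return c.Iss + "/" + c.Sub }

func main() {
	rule := JWTRule{Issuer: "issuer-foo", FromHeaders: []HeaderLocation{{"header1", "pre1"}},
		Audiences: []string{"bookstore_web.apps.example.com"}}
	// Constructed, unsigned sample token: header.payload.placeholder (would never verify).
	payload := base64.RawURLEncoding.EncodeToString([]byte(`{"iss":"issuer-foo","sub":"alice","aud":"bookstore_web.apps.example.com"}`))
	tok, _ := ExtractToken(rule, map[string]string{"Header1": "pre1" + "eyJhbGciOiJSUzI1NiJ9." + payload + ".sig"}, nil)
	c, err := DecodeClaims(tok)
	fmt.Println(err, ClaimsMatchRule(rule, c), RequestPrincipal(c)) // <nil> true issuer-foo/alice
}
```

The order of locations (headers before parameters) and the prefix handling are the places where two implementations of the same CRD most easily diverge; pinning them down in the spec avoids a token being accepted by one data plane and rejected by another.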

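Added example (not OpenSergo's or Istio's code) showing the from/to matching semantics of the authorization tables above in Go: each X/notX pair, CIDR-or-single-address matching for the ip fields, the trailing-`*` prefix form of `paths`, and ALLOW/DENY evaluation over a set of policies. The `Policy`/`Block`/`Request` types, the fail-closed handling of unknown fields, and the DENY-before-ALLOW ordering (taken from Istio's documentation, which the issue links but does not quote) are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Block is one source or operation entry: YAML field name -> list of values.
type Block map[string][]string

// Rule and Policy mirror the from/to/action layout of the example.
type Rule struct{ From, To []Block }
type Policy struct {
	Action string // "ALLOW" or "DENY"
	Rules  []Rule
}

// Request holds one call's attributes keyed by the positive field that constrains
// them; "ipBlocks" is the direct peer, "remoteIpBlocks" the X-Forwarded-For client.
type Request map[string]string

// compare applies the field's comparison: CIDR block or bare address for the IP
// fields, trailing-"*" prefix for paths, exact equality for the rest. known is
// false for a field the policy schema does not define.
func compare(field, p, v string) (matched, known bool) {
	switch field {
	case "ipBlocks", "remoteIpBlocks":
		addr, _ := netip.ParseAddr(v) // an invalid v is the zero Addr and matches nothing below
		if prefix, err := netip.ParsePrefix(p); err == nil {
			return prefix.Contains(addr), true
		}
		single, err := netip.ParseAddr(p)
		return err == nil && single == addr, true
	case "paths":
		if strings.HasSuffix(p, "*") {
			return strings.HasPrefix(v, strings.TrimSuffix(p, "*")), true
		}
		return p == v, true
	case "principals", "requestPrincipals", "namespaces", "hosts", "ports", "methods":
		return p == v, true
	}
	return false, false
}

// blockMatches: every field in the block must hold. A positive field needs one
// value to match, a "notX" field needs none, an absent field is unconstrained,
// and an unknown field fails closed.
func blockMatches(b Block, r Request) bool {
	for field, values := range b {
		name, negate := field, strings.HasPrefix(field, "not") && len(field) > 3
		if negate {
			name = strings.ToLower(field[3:4]) + field[4:]
		}
		if _, known := compare(name, "", ""); !known {
			return false
		}
		matched := false
		for _, p := range values {
			hit, _ := compare(name, p, r[name])
			matched = matched || hit
		}
		if matched == negate {
			return false
		}
	}
	return true
}

// anyBlock: an absent from/to section matches every request.
func anyBlock(blocks []Block, r Request) bool {
	for _, b := range blocks {
		if blockMatches(b, r) {
			return true
		}
	}
	return len(blocks) == 0
}

// Evaluate follows the ordering Istio documents (the issue does not spell it out):
// a matching DENY wins; otherwise the request must match an ALLOW policy, and only
// a workload with no ALLOW policy at all accepts unmatched requests.
func Evaluate(policies []Policy, r Request) bool {
	allowed, hasAllow := false, false
	for _, p := range policies {
		hit := false
		for _, rule := range p.Rules {
			hit = hit || (anyBlock(rule.From, r) && anyBlock(rule.To, r))
		}
		if p.Action == "DENY" && hit {
			return false
		}
		hasAllow = hasAllow || p.Action == "ALLOW"
		allowed = allowed || (p.Action == "ALLOW" && hit)
	}
	return allowed || !hasAllow
}

func main() {
	policy := Policy{Action: "ALLOW", Rules: []Rule{{
		From: []Block{{"principals": {"principal1"}, "ipBlocks": {"10.1.1.0/24"}}},
		To:   []Block{{"paths": {"/info1*"}, "notMethods": {"DELETE"}}},
	}}}
	req := Request{"principals": "principal1", "ipBlocks": "10.1.1.7", "methods": "GET", "paths": "/info1/x"}
	fmt.Println(Evaluate([]Policy{policy}, req)) // true
}
```

Two details worth fixing in the spec text rather than leaving to implementations: whether `remoteIpBlocks` trusts X-Forwarded-For unconditionally (a client-controlled header unless a trusted proxy sets it), and what a data plane does with a field name it does not recognise; the example fails closed on the latter.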
@xinlunanxinlunan xinlunanxinlunan changed the title Opensergo中加入关于零信任方向的标准CRD Add the standard CRD for zero trust direction in Opensergo | Opensergo中加入关于零信任方向的标准CRD Aug 3, 2023
@sczyh30 sczyh30 added the kind/spec-RFC Issues or PRs for OpenSergo spec RFC label Aug 3, 2023