# Authentication

Envoy supports several authentication mechanisms that ensure only authorized clients can reach a service.
## JWT Authentication

### Basic JWT Configuration

```yaml
http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      example_provider:
        # Both iss and aud are checked: a token for another audience is
        # rejected even when its signature verifies.
        issuer: "https://example.com"
        audiences:
        - "api.example.com"
        # On success the verified payload is forwarded to the upstream as
        # base64url-encoded JSON in this header.
        forward_payload_header: "x-jwt-payload"
        from_headers:
        - name: "Authorization"
          value_prefix: "Bearer "
        # Tokens in query parameters end up in access logs and browser
        # history; prefer the header where clients support it.
        from_params:
        - "access_token"
        remote_jwks:
          http_uri:
            uri: "https://example.com/.well-known/jwks.json"
            cluster: "jwks_cluster"   # must be defined under clusters, with TLS
            timeout: 5s
        # Keep the original Authorization header on the upstream request.
        forward: true
    rules:
    - match:
        prefix: "/api"
      requires:
        provider_name: "example_provider"
```
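As an added example (not from the original page or the Envoy project), here is how an upstream service behind this filter could consume the `x-jwt-payload` header that `forward_payload_header` produces: decode the base64url JSON and re-check issuer, audience and expiry as defence in depth. It assumes the header only reaches the service through this listener, so that Envoy has already verified the signature; the function names are hypothetical and the issuer and audience are the values configured above.

```python
import base64
import json
import time

# Claim values expected by the provider configured above.
EXPECTED_ISSUER = "https://example.com"
EXPECTED_AUDIENCES = {"api.example.com"}


def decode_payload_header(value):
    """Decode the base64url JSON that jwt_authn writes into x-jwt-payload.
    Envoy emits it without base64 padding, so restore it before decoding."""
    padded = value + "=" * (-len(value) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded.encode("ascii")))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def check_claims(claims, now=None):
    """Return the subject if iss, aud, exp and sub are acceptable, else raise.
    Envoy already verified signature, iss and aud; re-checking guards the
    upstream against a misrouted or misconfigured listener."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("unexpected issuer")
    aud = claims.get("aud")
    auds = {aud} if isinstance(aud, str) else set(aud or [])
    if not auds & EXPECTED_AUDIENCES:
        raise PermissionError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise PermissionError("token expired or exp missing")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise PermissionError("sub claim missing")
    return sub


def authorize(header_value, now=None):
    """Return (allowed, detail) for one x-jwt-payload header value."""
    try:
        return True, check_claims(decode_payload_header(header_value), now)
    except (ValueError, TypeError, PermissionError) as err:
        return False, str(err)


def encode_payload_header(claims):
    """Build a header value the way Envoy does (base64url, no padding).
    Used here only to construct sample input for a local check."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")
```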
### JWT Verification Rules

```yaml
rules:
# The first matching rule is applied, so list the most specific prefixes first.
- match:
    prefix: "/public"
  requires:
    # allow_missing_or_failed is an empty message, not a boolean;
    # `allow_missing_or_failed: true` is rejected when the config is loaded.
    allow_missing_or_failed: {}
- match:
    prefix: "/api"
  requires:
    provider_name: "example_provider"
- match:
    prefix: "/admin"
  requires:
    # Both providers must verify successfully; admin_provider has to be
    # declared under providers as well.
    requires_all:
      requirements:
      - provider_name: "example_provider"
      - provider_name: "admin_provider"
```
## OAuth2 Authentication

### OAuth2 Filter Configuration

```yaml
http_filters:
- name: envoy.filters.http.oauth2
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
    config:
      token_endpoint:
        cluster: oauth
        uri: https://oauth.example.com/oauth/token
        timeout: 3s
      authorization_endpoint: https://oauth.example.com/oauth/authorize
      redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback"
      redirect_path_matcher:
        path:
          exact: /callback
      signout_path:
        path:
          exact: /signout
      forward_bearer_token: true
      # Requests carrying any of these headers skip the OAuth flow entirely.
      # The field is pass_through_matcher (a list of HeaderMatcher); the
      # upstream must still validate such tokens, e.g. with jwt_authn.
      pass_through_matcher:
      - name: "Authorization"
        present_match: true
      - name: "X-Custom-Header"
        present_match: true
      credentials:
        client_id: "client_id"
        # Client secret and HMAC key are delivered through SDS; the client
        # secret field is named token_secret.
        token_secret:
          name: "oauth"
        hmac_secret:
          name: "hmac"
```
## mTLS Authentication

### Client Certificate Verification

```yaml
listeners:
- name: listener_0
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 443
  filter_chains:
  - transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
        # Without this, a client that presents no certificate is still
        # accepted; validation only runs when a certificate is offered.
        require_client_certificate: true
        common_tls_context:
          tls_certificates:
          - certificate_chain:
              filename: "/etc/ssl/certs/server.crt"
            private_key:
              filename: "/etc/ssl/private/server.key"
          validation_context:
            trusted_ca:
              filename: "/etc/ssl/certs/ca.crt"
            # Pin specific client certificates on top of CA validation.
            # Each value is the hex SHA-256 of the DER-encoded certificate
            # (64 hex characters, colons optional); there is no "sha256:" prefix.
            verify_certificate_hash:
            - "1234567890abcdef..."
    # filters: (HTTP connection manager and so on) omitted for brevity
```
## RBAC Access Control

### Role-Based Access Control

```yaml
http_filters:
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    # Note: the HTTP RBAC filter has no stat_prefix field; that option
    # belongs to the network-level RBAC filter.
    rules:
      # With ALLOW, a request that matches no policy is denied (403).
      action: ALLOW
      policies:
        "service-reader":
          permissions:
          - any: true
          principals:
          # Compared against the client certificate's URI SAN (then DNS SAN,
          # then subject), so this only works on a listener that requires mTLS
          # and the value must match the SAN exactly, scheme included.
          - authenticated:
              principal_name:
                exact: "cluster.local/ns/default/sa/reader"
        "service-writer":
          permissions:
          - any: true
          principals:
          - authenticated:
              principal_name:
                exact: "cluster.local/ns/default/sa/writer"
```
## External Authorization

### ext_authz Configuration

```yaml
http_filters:
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    transport_api_version: V3
    grpc_service:
      envoy_grpc:
        cluster_name: ext_authz
      timeout: 0.5s
    # Fail closed: if the authorization service is unreachable or times out,
    # the request is rejected instead of being let through.
    failure_mode_allow: false
    with_request_body:
      max_request_bytes: 8192
      # Bodies over the limit are sent truncated rather than rejected with
      # 413; the authorization service must handle partial bodies.
      allow_partial_message: true
```
### ext_authz Cluster Configuration

```yaml
clusters:
- name: ext_authz
  connect_timeout: 0.25s
  type: STRICT_DNS
  lb_policy: ROUND_ROBIN
  # gRPC requires HTTP/2. The cluster-level http2_protocol_options field is
  # deprecated; typed_extension_protocol_options is the current form.
  typed_extension_protocol_options:
    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
      "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
      explicit_http_config:
        http2_protocol_options: {}
  # This cluster talks plaintext to auth-service; add a TLS transport_socket
  # unless the network between Envoy and the service is trusted.
  load_assignment:
    cluster_name: ext_authz
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: auth-service
              port_value: 9001
```
## Best Practices

1. Secure configuration
   - Use strong cryptographic algorithms
   - Rotate keys and certificates regularly
   - Apply the principle of least privilege
   - Monitor authentication failures
2. Performance
   - Cache authentication results
   - Use efficient authentication algorithms
   - Optimize the performance of the authentication service
   - Set appropriate timeouts
3. Monitoring and debugging
   - Monitor the authentication success rate
   - Log authentication failures
   - Set up alerts on authentication events
   - Review access permissions regularly

Authentication is at the core of Envoy's security architecture; configured properly, it keeps the system secure.