Authorization Control
Envoy's RBAC (role-based access control) HTTP filter lets the proxy decide which clients may reach which resources without any change to the upstream service. A policy pairs a list of permissions (what the request is doing: path, method, headers, destination port) with a list of principals (who is making it: client certificate identity, source IP, headers, dynamic metadata). A request matches a policy when at least one permission and at least one principal match. With action: ALLOW, a request that matches no policy is rejected with 403; with action: DENY, a request that matches any policy is rejected and everything else passes. The filter only ever sees what earlier filters and the connection have established, so the principals you choose are exactly as trustworthy as their source.
RBAC Filter
Basic configuration
http_filters:
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    stat_prefix: rbac
    rules:
      action: ALLOW
      policies:
        "service-reader":
          permissions:
          - any: true
          principals:
          # "authenticated" is taken from the client certificate (URI SAN, then
          # DNS SAN, then subject), so it only matches on a listener that
          # terminates TLS and requires a client certificate.
          - authenticated:
              principal_name:
                exact: "cluster.local/ns/default/sa/reader"
        "service-writer":
          permissions:
          - any: true
          principals:
          - authenticated:
              principal_name:
                exact: "cluster.local/ns/default/sa/writer"
# The router filter must terminate the chain; RBAC runs before it.
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
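The snippet above only works on a listener that actually authenticates the client. The following added example (written for this page, not taken from the Envoy project or the original text) shows the listener the basic configuration needs: TLS termination with require_client_certificate, a CA to validate against, and the RBAC filter matching the SPIFFE URI SAN. Because the URI SAN is compared verbatim, the principal is written with its spiffe:// scheme; the unprefixed form used elsewhere on this page is the Istio AuthorizationPolicy spelling, which Istio expands before it reaches Envoy. The certificate paths, the cluster name and the trust domain are assumptions.

```yaml
# Added example: a listener on which the "authenticated" principal can match.
# Paths, the "backend" cluster and the spiffe://cluster.local trust domain are
# placeholders for illustration.
static_resources:
  listeners:
  - name: ingress_mtls
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # Without this a client may connect with no certificate at all, and
          # every "authenticated" principal silently fails to match.
          require_client_certificate: true
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/server.crt }
              private_key: { filename: /etc/envoy/certs/server.key }
            validation_context:
              trusted_ca: { filename: /etc/envoy/certs/ca.crt }
              # Reject certificates from outside our trust domain before RBAC runs.
              match_typed_subject_alt_names:
              - san_type: URI
                matcher: { prefix: "spiffe://cluster.local/" }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend }
          http_filters:
          - name: envoy.filters.http.rbac
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
              stat_prefix: rbac
              rules:
                action: ALLOW
                policies:
                  "service-reader":
                    permissions:
                    - any: true
                    principals:
                    - authenticated:
                        principal_name:
                          # The URI SAN is matched verbatim, scheme included.
                          exact: "spiffe://cluster.local/ns/default/sa/reader"
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: backend
    connect_timeout: 1s
    type: STATIC
    load_assignment:
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8080 }
```

A quick way to confirm the policy is doing work is to connect with a certificate whose SAN is not in the policy: the request must come back as 403 and rbac.denied must increment, while a connection with no certificate at all must be refused at the TLS handshake before RBAC is reached.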
Path-based authorization
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    stat_prefix: rbac
    rules:
      action: ALLOW
      policies:
        "api-reader":
          permissions:
          # ":path" is the raw request target and still contains the query
          # string, and "prefix: /api/read" also matches "/api/readers".
          - header:
              name: ":path"
              string_match:
                prefix: "/api/read"
          principals:
          - authenticated:
              principal_name:
                exact: "cluster.local/ns/default/sa/api-reader"
        "api-writer":
          permissions:
          - header:
              name: ":path"
              string_match:
                prefix: "/api/write"
          principals:
          - authenticated:
              principal_name:
                exact: "cluster.local/ns/default/sa/api-writer"
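Matching the :path pseudo-header by prefix is the loosest form of path authorization: the value includes the query string, an unterminated prefix also covers sibling resources, and dot segments or doubled slashes are matched literally unless the connection manager canonicalizes them first. The added example below (not part of the original page or of Envoy's own documentation) shows the tighter form: url_path matches only the path component, the prefix ends in a separator, and the connection manager normalizes the path before any filter sees it. Route and cluster names are placeholders.

```yaml
# Added example: path permissions that do not leak past the intended prefix.
# The route_config target "backend" and the identities are placeholders.
- name: envoy.filters.network.http_connection_manager
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
    stat_prefix: ingress_http
    # Canonicalize "." and ".." segments and collapse "//" before RBAC runs,
    # and refuse paths that smuggle a slash as %2F so matching stays honest.
    normalize_path: true
    merge_slashes: true
    path_with_escaped_slashes_action: REJECT_REQUEST
    route_config:
      name: local_route
      virtual_hosts:
      - name: backend
        domains: ["*"]
        routes:
        - match: { prefix: "/" }
          route: { cluster: backend }
    http_filters:
    - name: envoy.filters.http.rbac
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
        stat_prefix: rbac
        rules:
          action: ALLOW
          policies:
            "api-reader":
              # Permissions are ORed: the resource itself, or anything below it.
              # url_path ignores the query string, and the trailing "/" keeps
              # "/api/readers" out of scope.
              permissions:
              - url_path:
                  path: { exact: "/api/read" }
              - url_path:
                  path: { prefix: "/api/read/" }
              principals:
              - authenticated:
                  principal_name:
                    exact: "spiffe://cluster.local/ns/default/sa/api-reader"
            "api-writer":
              # and_rules requires every listed permission; a bare list would
              # grant POST to any path OR any method under /api/write/.
              permissions:
              - and_rules:
                  rules:
                  - url_path:
                      path: { prefix: "/api/write/" }
                  - header:
                      name: ":method"
                      string_match: { exact: "POST" }
              principals:
              - authenticated:
                  principal_name:
                    exact: "spiffe://cluster.local/ns/default/sa/api-writer"
    - name: envoy.filters.http.router
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

Requests worth sending against this before it goes live: /api/read?x=1 (allowed), /api/readers (denied), /api/write/../read (normalized to /api/read and allowed only for the reader identity), and /api%2Fread (rejected outright).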
Role-based access control
Role definitions
policies:
  "admin-role":
    permissions:
    - any: true
    principals:
    - authenticated:
        principal_name:
          exact: "cluster.local/ns/default/sa/admin"
  "user-role":
    # Entries in a permissions list are ORed. Listing the method and the path
    # side by side would grant GET on every path, or any method on /api/users;
    # and_rules makes both conditions mandatory.
    permissions:
    - and_rules:
        rules:
        - header:
            name: ":method"
            string_match:
              exact: "GET"
        - header:
            name: ":path"
            string_match:
              prefix: "/api/users"
    principals:
    - authenticated:
        principal_name:
          exact: "cluster.local/ns/default/sa/user"
  "guest-role":
    permissions:
    - header:
        name: ":path"
        string_match:
          prefix: "/public"
    principals:
    # Anyone, authenticated or not, may read /public.
    - any: true
Conditional authorization
The condition field carries a CEL expression, written as a google.api.expr.v1alpha1.Expr tree, that must also evaluate to true for the policy to match; it is ANDed with the permissions and principals. The tree below encodes metadata.filter_metadata["envoy.filters.http.rbac"]["condition_key"] == "condition_value", so the conditional service account is admitted only when an earlier filter has written that dynamic metadata entry. The metadata attribute is selected with select_expr rather than called as a function, and every literal is wrapped in const_expr; a tree that omits either is rejected when the configuration loads.
policies:
  "conditional-access":
    permissions:
    - any: true
    principals:
    - authenticated:
        principal_name:
          exact: "cluster.local/ns/default/sa/conditional"
    condition:
      call_expr:
        function: _==_
        args:
        - call_expr:
            function: _[_]
            args:
            - call_expr:
                function: _[_]
                args:
                - select_expr:
                    operand:
                      ident_expr:
                        name: metadata
                    field: filter_metadata
                - const_expr:
                    string_value: "envoy.filters.http.rbac"
            - const_expr:
                string_value: "condition_key"
        - const_expr:
            string_value: "condition_value"
IP-based access control
IP whitelist
policies:
  "ip-whitelist":
    permissions:
    - any: true
    principals:
    # direct_remote_ip is the TCP peer address and cannot be forged by the
    # client; it is the right choice when clients connect to Envoy directly.
    - direct_remote_ip:
        address_prefix: "192.168.1.0"
        prefix_len: 24
    - direct_remote_ip:
        address_prefix: "10.0.0.0"
        prefix_len: 8
IP blacklist
policies:
  "ip-blacklist":
    permissions:
    - any: true
    principals:
    # With action: ALLOW, not_id admits everyone except this single host.
    - not_id:
        direct_remote_ip:
          address_prefix: "192.168.1.100"
          prefix_len: 32
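When Envoy sits behind a load balancer, direct_remote_ip is always the balancer's address and the policies above stop distinguishing clients. The added example below (written for this page, not taken from the original or from Envoy's documentation) uses remote_ip instead, which is the address Envoy trusts after discarding xff_num_trusted_hops entries from X-Forwarded-For, and it puts a DENY filter ahead of the ALLOW filter so a blocked address is rejected before any allow policy is consulted. The hop count, addresses and route target are placeholders.

```yaml
# Added example: source-address policies for an Envoy behind one trusted proxy.
# Addresses, the hop count and the "backend" route are placeholders.
- name: envoy.filters.network.http_connection_manager
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
    stat_prefix: ingress_http
    use_remote_address: true
    # Must equal the number of proxies you control in front of Envoy. Set it
    # higher than that and a client can append its own X-Forwarded-For entry
    # and choose which "source" address the policies see.
    xff_num_trusted_hops: 1
    route_config:
      name: local_route
      virtual_hosts:
      - name: backend
        domains: ["*"]
        routes:
        - match: { prefix: "/" }
          route: { cluster: backend }
    http_filters:
    # Filter names are free-form identifiers; two RBAC filters need distinct ones.
    - name: rbac-deny
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
        stat_prefix: rbac_deny
        rules:
          action: DENY
          policies:
            "blocked-clients":
              permissions:
              - any: true
              principals:
              - remote_ip:
                  address_prefix: "203.0.113.7"
                  prefix_len: 32
    - name: rbac-allow
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
        stat_prefix: rbac_allow
        rules:
          action: ALLOW
          policies:
            "corp-ranges":
              permissions:
              - any: true
              principals:
              - remote_ip:
                  address_prefix: "192.168.1.0"
                  prefix_len: 24
              - remote_ip:
                  address_prefix: "10.0.0.0"
                  prefix_len: 8
              # Local health checks still come straight from the host, so
              # they are matched on the unforgeable peer address.
              - direct_remote_ip:
                  address_prefix: "127.0.0.1"
                  prefix_len: 32
    - name: envoy.filters.http.router
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

The two filters emit separate counters (rbac_deny.rbac.denied and rbac_allow.rbac.denied), which is what makes it possible to tell a block-listed client apart from one that simply is not on the allow list.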
Header-based authorization
Custom-header authorization
Request headers are a principal like any other, but they are written by the client. A policy that keys on them is only as strong as whatever upstream of Envoy sets or strips those headers; a plain x-user-role header is a claim, not an identity. Note also that entries in a principals list are ORed, so the policy below admits a request carrying either header value, not both.
policies:
  "header-based-auth":
    permissions:
    - any: true
    principals:
    # Either of these alone is sufficient.
    - header:
        name: "x-api-key"
        string_match:
          exact: "valid-api-key"
    - header:
        name: "x-user-role"
        string_match:
          exact: "admin"
Combined-condition authorization
policies:
  "complex-auth":
    # and_rules: the request must be a POST and be under /api/admin. A plain
    # two-entry permissions list would be ORed and match far more.
    permissions:
    - and_rules:
        rules:
        - header:
            name: ":method"
            string_match:
              exact: "POST"
        - header:
            name: ":path"
            string_match:
              prefix: "/api/admin"
    # and_ids: all three principals must match. The certificate identity is
    # what actually binds the caller; the two headers are additional claims.
    principals:
    - and_ids:
        ids:
        - header:
            name: "x-api-key"
            string_match:
              exact: "admin-key"
        - header:
            name: "x-user-role"
            string_match:
              exact: "admin"
        - authenticated:
            principal_name:
              exact: "cluster.local/ns/default/sa/admin"
Dynamic authorization
Metadata-based authorization
The metadata principal matches dynamic metadata that an earlier filter in the chain attached to the request, looked up by that filter's namespace and a key path. Unlike a request header, a client cannot supply this value; only a filter running inside Envoy can.
policies:
  "metadata-based":
    permissions:
    - any: true
    principals:
    - metadata:
        # Namespace of the filter that wrote the entry, then the key path.
        filter: "envoy.filters.http.rbac"
        path:
        - key: "user_role"
        value:
          string_match:
            exact: "admin"
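The header-based and metadata-based sections above describe the same decision made two ways, and the difference is who is trusted to assert the role. The added example below (written for this page; not Envoy's own documentation and not part of the original text) has an external authorization service establish the role and hand it back as dynamic metadata, which Envoy stores under the ext_authz filter's namespace. The RBAC filter that follows matches on that metadata rather than on x-user-role, so a client that sends its own x-user-role: admin header gains nothing. The authz cluster name and the user_role key are assumptions; the key is whatever the authorization service chooses to emit.

```yaml
# Added example: role established by ext_authz, enforced by RBAC.
# The "authz" cluster, the user_role key and the role values are placeholders.
http_filters:
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    transport_api_version: V3
    # If the authorization service is unreachable, deny; never fail open.
    failure_mode_allow: false
    grpc_service:
      envoy_grpc:
        cluster_name: authz
      timeout: 0.5s
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    stat_prefix: rbac
    rules:
      action: ALLOW
      policies:
        "admin-api":
          permissions:
          - and_rules:
              rules:
              - url_path:
                  path: { prefix: "/api/admin/" }
              - header:
                  name: ":method"
                  string_match: { exact: "POST" }
          principals:
          # The namespace is fixed by Envoy: dynamic metadata returned in a
          # CheckResponse is stored under the canonical name of the filter
          # that emitted it, here envoy.filters.http.ext_authz.
          - metadata:
              filter: envoy.filters.http.ext_authz
              path:
              - key: user_role
              value:
                string_match: { exact: admin }
        "read-only":
          permissions:
          - and_rules:
              rules:
              - header:
                  name: ":method"
                  string_match: { exact: GET }
              - url_path:
                  path: { prefix: "/api/users/" }
          principals:
          - metadata:
              filter: envoy.filters.http.ext_authz
              path:
              - key: user_role
              value:
                string_match: { exact: viewer }
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

Filter order is the whole point: ext_authz must precede RBAC in http_filters, otherwise the metadata principal is evaluated before the value exists and every request is denied. The same pattern works with any filter that emits dynamic metadata; only the namespace in the metadata principal changes.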
Authorization statistics
Metrics
The RBAC filter emits its statistics under the stat_prefix given in its configuration, in the rbac.* namespace:
- rbac.allowed: requests the enforced rules allowed
- rbac.denied: requests the enforced rules denied
- rbac.shadow_allowed: requests the shadow rules would have allowed
- rbac.shadow_denied: requests the shadow rules would have denied
Custom stat prefix
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    # Counters appear as custom_rbac.rbac.allowed, custom_rbac.rbac.denied, ...
    stat_prefix: custom_rbac
    rules:
      action: ALLOW
      policies:
        "custom-policy":
          permissions:
          - any: true
          principals:
          - authenticated:
              principal_name:
                exact: "cluster.local/ns/default/sa/custom"
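The shadow counters listed above come from a second rule set that the filter evaluates on every request but never enforces, which is the safest way to test a policy change before it can reject traffic. The added example below (written for this page, not from the original text or Envoy's documentation) keeps the current permissive policy in rules and puts the tighter candidate in shadow_rules; the identities and paths are placeholders.

```yaml
# Added example: enforce today's policy, measure tomorrow's.
# Identities, the prefix and the path are placeholders.
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    stat_prefix: rbac
    # Keeps the candidate's counters separate from the enforced rules' counters.
    shadow_rules_stat_prefix: candidate_
    # Enforced: any workload in the mesh may call anything.
    rules:
      action: ALLOW
      policies:
        "any-mesh-identity":
          permissions:
          - any: true
          principals:
          - authenticated:
              principal_name:
                prefix: "spiffe://cluster.local/"
    # Candidate: only the reader identity, only GET, only under /api/read/.
    # Evaluated on every request, enforced on none.
    shadow_rules:
      action: ALLOW
      policies:
        "reader-only":
          permissions:
          - and_rules:
              rules:
              - header:
                  name: ":method"
                  string_match:
                    exact: "GET"
              - url_path:
                  path:
                    prefix: "/api/read/"
          principals:
          - authenticated:
              principal_name:
                exact: "spiffe://cluster.local/ns/default/sa/reader"
```

While the shadow rules run, a rising shadow_denied count against a flat rbac.denied count is a direct measurement of how many currently accepted requests the candidate would reject. To see which ones, the filter also records its shadow verdict as dynamic metadata in the envoy.filters.http.rbac namespace (shadow_engine_result and shadow_effective_policy_id), which an access log can print with %DYNAMIC_METADATA(envoy.filters.http.rbac:shadow_engine_result)%. Once the shadow counters show no unexpected denials, the candidate moves from shadow_rules to rules.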
Best practices
1. Secure design
- Apply least privilege: prefer ALLOW rules scoped to a specific identity, method and path over broad any: true grants
- Review access permissions regularly and remove policies for identities that no longer exist
- Layer authorization: a DENY filter in front of the ALLOW filter, and transport identity (mTLS) underneath header or metadata claims
- Monitor authorization failures; a spike in rbac.denied is either a misconfiguration or an attack, and both deserve attention
2. Performance
- Use CEL conditions sparingly; they are evaluated on every request
- Avoid needlessly complex rules, in particular regex matchers where a prefix or exact match would do
- Cache decisions where they come from an external authorization service; the RBAC filter's own static rules are evaluated in-process and need no cache
- Monitor authorization latency
3. Monitoring and debugging
- Enable access logging for denied requests
- Watch the RBAC counters
- Alert on authorization failures
- Review policies regularly
Notes
- Overly complex authorization rules can affect performance
- Keep authorization policies consistent across the filters and listeners that enforce them
- Test configuration changes carefully; shadow rules let a new policy be measured before it is enforced
- Update authorization policies regularly
Authorization control is a core part of Envoy's security architecture; configured correctly, it confines every client to the resources its identity is entitled to and nothing more.