0

I'm working on an Istio configuration to build an automatic authorization system.

I use oauth2-proxy for external authorization and dex for OIDC.

I have to avoid the authorization check for a certain sub address, so I set the notPaths option in the authorization policy.

But every time I set the notPaths option, the site shows a blank white page instead of displaying the proper page, and the console shows a CORB warning.

I don't have any clue why this happens.

Here are my authorization policy, gateway, and virtual service configurations.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oauth-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: "oauth2-proxy"
  rules:
  - to:
    - operation:
        hosts:
        - "my.domain.com"
        notPaths:
        - "/main*"
---

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: cm-gateway
  namespace: cm-temp
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "my.domain.com"

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: cm-vs
  namespace: cm-temp
spec:
  hosts:
  - "my.domain.com"
  gateways:
  - cm-gateway
  http:
  - match:
    - uri:
        prefix: /api
    route:
    - destination:
        host: cm-be-svc
        port:
          number: 5000
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: cm-fe-svc
        port:
          number: 80

m_moo
  • In AUTH policy under match labels please provide appropriate workload instead of ingress gateway. Also in operation choose the method type like “GET” or suitable verb for your requirement – Nataraj Medayhal Sep 17 '22 at 11:21

1 Answer

-1

It was the authorization policy config problem.

I use React to display the page, and the address of the index page was blocked because I didn't add its sub address.

I added the sub address to the auth policy and it worked.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oauth-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: "oauth2-proxy"
  rules:
  - to:
    - operation:
        hosts:
        - "my.domain.com"
        notPaths:
        - "/main*"
        - "/index*"
        - "/favicon*"
m_moo
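To see why the page stayed blank with only "/main*" exempted, the following added example (not part of the original question or answer) models Istio's documented path-match forms (exact, "prefix*", "*suffix", "*") and reports which requests the CUSTOM rule would hand to oauth2-proxy. The request paths are constructed samples of a typical React build, and the host is assumed to already match "my.domain.com".

```python
# Added example: a small model of AuthorizationPolicy path matching,
# used to check which requests a notPaths rule sends to the external authorizer.

def istio_match(pattern, value):
    """Istio string match: presence ("*"), prefix ("x*"), suffix ("*x"), exact."""
    if pattern == "*":
        return value != ""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern

def needs_ext_authz(path, not_paths):
    """A rule that only lists notPaths matches (and so triggers the CUSTOM
    provider) when the request path matches none of the listed patterns."""
    return not any(istio_match(p, path) for p in not_paths)

def classify(paths, not_paths):
    """Map each path to 'ext-authz' (sent to oauth2-proxy) or 'bypass'."""
    return {p: "ext-authz" if needs_ext_authz(p, not_paths) else "bypass"
            for p in paths}

# Constructed sample requests (assumption: typical React build output).
SAMPLE_PATHS = [
    "/main",
    "/main.3f2a.js",
    "/index.html",
    "/favicon.ico",
    "/static/css/app.css",
    "/api/users",
    "/maintenance/admin",   # unrelated path that happens to start with /main
]

QUESTION_POLICY = ["/main*"]                           # notPaths from the question
ANSWER_POLICY = ["/main*", "/index*", "/favicon*"]     # notPaths from the answer

if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        print(f"--- {name}: notPaths={policy}")
        for path, verdict in classify(SAMPLE_PATHS, policy).items():
            print(f"{verdict:10} {path}")
```

Running it also shows that a trailing "*" is a plain prefix match, so "/main*" exempts every path that begins with "/main"; keep exemptions as narrow as the application allows and audit what else falls under each prefix.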