Anthos Service Mesh 1.10 has reached end of life and is no longer supported. See Upgrading from earlier versions.
Updating authorization policies
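Starting with Anthos Service Mesh version 1.4.5, the Anthos Service Mesh certificate authority (Mesh CA) manages the issuance and rotation of mTLS certificates and keys for GKE Pods. Open source Istio and earlier versions of Anthos Service Mesh use Istio CA (formerly known as Citadel) as the certificate authority.
If you are upgrading from Istio or an earlier version of Anthos Service Mesh and you have existing authorization policies that use a custom trust domain, you must update those policies to use cluster.local to refer to the local trust domain. If your existing authorization policies already use cluster.local, no action is required.
To update your authorization policies:
Grep your authorization policies to find all occurrences of the custom trust domain. In the following example, old-td is the name of the custom trust domain.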
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-httpbin.default.svc.cluster.local
  namespace: default
spec:
  rules:
  - from:
    - source:
        principals:
        - old-td/ns/sleep-allow/sa/sleep
    to:
    - operation:
        methods:
        - GET
  selector:
    matchLabels:
      app: httpbin
Change the custom trust domain to cluster.local, then apply the updated policy.
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-httpbin.default.svc.cluster.local
  namespace: default
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/sleep-allow/sa/sleep
    to:
    - operation:
        methods:
        - GET
  selector:
    matchLabels:
      app: httpbin
---
EOF
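The search and rewrite steps above can be scripted. The following is an added example, not part of the original page or of Google's tooling: the function names, the shared awk program and the three extra principals in the sample policy are assumptions made for illustration. It goes slightly beyond the page by also handling quoted principals and by leaving look-alike strings (a namespace or a longer trust domain containing the same text) untouched, which a plain global substitution would not.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Both functions read policy YAML on
# stdin and match a principal only when the trust domain is its first component,
# so a namespace or a longer trust domain that contains the same text is ignored.

# Shared awk program; "old", "new" and "mode" are set with -v by the callers.
TD_AWK='
{
  i = index($0, old "/ns/")                      # literal match, no regex escaping
  hit = (i > 0 && substr($0, 1, i - 1) ~ /^[ \t]*-[ \t]*["\047]?$/)
  if (mode == "find") { if (hit) print NR ": " $0 }
  else if (hit) print substr($0, 1, i - 1) new substr($0, i + length(old))
  else print
}'

# find_td_principals OLD_TD: list "line: text" for principals in OLD_TD.
find_td_principals() { awk -v old="$1" -v mode=find "$TD_AWK"; }

# rewrite_trust_domain OLD_TD [NEW_TD]: rewrite those principals (default cluster.local).
rewrite_trust_domain() { awk -v old="$1" -v new="${2:-cluster.local}" -v mode=rewrite "$TD_AWK"; }

# Constructed sample input: the page's policy plus three extra principals.
sample_policy() {
  cat <<'EOF'
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-httpbin.default.svc.cluster.local
  namespace: default
spec:
  rules:
  - from:
    - source:
        principals:
        - old-td/ns/sleep-allow/sa/sleep
        - "old-td/ns/default/sa/client"
        - cluster.local/ns/old-td/sa/batch
        - not-old-td/ns/legacy/sa/job
  selector:
    matchLabels:
      app: httpbin
EOF
}

# Against a cluster (assumed usage, requires kubectl access):
#   kubectl get authorizationpolicy -A -o yaml | find_td_principals old-td
#   rewrite_trust_domain old-td < policy.yaml | kubectl apply -f -
```

Review the rewritten YAML before applying it: a principal that still names the old trust domain no longer matches any workload identity issued by Mesh CA, so the ALLOW rule that depended on it stops admitting that caller.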
Last updated (UTC): 2023-12-07.