Cross-Origin Read Blocking (CORB) occurs when setting notpaths config in istio authorization policy

Question


I'm working on Istio configuration to build an automatic authorization system.

I use oauth2-proxy for external authorization and dex for OIDC.

I have to avoid the authorization check for a certain sub address, so I set the notPaths option in the authorization policy.

But every time I set the notPaths option, the web page goes to a blank white page instead of displaying the proper page, and the console shows a CORB warning sign.

I don't have any clue why this happens.

Here is my authorization policy, gateway, and virtual service configuration.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oauth-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: "oauth2-proxy"
  rules:
  - to:
    - operation:
        hosts:
        - "my.domain.com"
        notPaths:
        - "/main*"
---

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: cm-gateway
  namespace: cm-temp
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "my.domain.com"

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: cm-vs
  namespace: cm-temp
spec:
  hosts:
  - "my.domain.com"
  gateways:
  - cm-gateway
  http:
  - match:
    - uri:
        prefix: /api
    route:
    - destination:
        host: cm-be-svc
        port:
          number: 5000
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: cm-fe-svc
        port:
          number: 80

Answer 1

Score: -1


It was an authorization policy config problem.

I use React to display the page, and the address of the index page was blocked because I didn't add its sub address.

I added the sub address to the auth policy and it worked.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oauth-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: "oauth2-proxy"
  rules:
  - to:
    - operation:
        hosts:
        - "my.domain.com"
        notPaths:
        - "/main*"
        - "/index*"
        - "/favicon*"
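
As an added example (not code from the post or from the Istio project), this Python sketch models Istio's documented matching for path fields (exact, `prefix*`, `*suffix`, `*`) to show which requests each `notPaths` list above still hands to oauth2-proxy. The sample request paths are constructed, and the host is assumed to have already matched `my.domain.com`.

```python
"""Added example: models Istio's documented matching for AuthorizationPolicy
path fields (exact, "prefix*", "*suffix", "*") to audit a notPaths list."""

def istio_match(pattern: str, value: str) -> bool:
    if pattern == "*":                      # presence match: any non-empty value
        return value != ""
    if pattern.endswith("*"):               # prefix match, e.g. "/main*"
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):             # suffix match, e.g. "*.ico"
        return value.endswith(pattern[1:])
    return value == pattern                 # exact match

def sent_to_ext_authz(path: str, not_paths: list[str]) -> bool:
    """True when the CUSTOM rule matches, so the request is handed to oauth2-proxy.
    Assumes the host already matched "my.domain.com"."""
    return not any(istio_match(p, path) for p in not_paths)

ORIGINAL = ["/main*"]                          # notPaths from the question
FIXED = ["/main*", "/index*", "/favicon*"]     # notPaths from the answer

# Constructed request paths (not taken from the post).
SAMPLE_PATHS = ["/", "/main", "/maintenance", "/index.html",
                "/favicon.ico", "/static/js/app.js", "/api/users"]

def audit(not_paths, paths=SAMPLE_PATHS):
    """Map each sample path to whether it is sent to the external authorizer."""
    return {p: sent_to_ext_authz(p, not_paths) for p in paths}

def newly_exempt(before, after, paths=SAMPLE_PATHS):
    """Paths that were checked under `before` but skip the check under `after`."""
    return [p for p in paths
            if sent_to_ext_authz(p, before) and not sent_to_ext_authz(p, after)]

if __name__ == "__main__":
    for name, policy in (("question", ORIGINAL), ("answer", FIXED)):
        print(name)
        for path, checked in audit(policy).items():
            print(f"  {path:<20} {'ext-authz' if checked else 'no auth check'}")
    print("newly exempt:", newly_exempt(ORIGINAL, FIXED))
```

A trailing `*` is a plain prefix match, so `/main*` also exempts `/maintenance`; listing the narrowest patterns that cover the public assets keeps the unauthenticated surface small.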

huangapple
  • Published on September 16, 2022 at 10:57:54
  • When reposting, please keep the link to this article: https://go.coder-hub.com/73739390.html