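---
title: "Istio Authorization Policies and mTLS: AuthorizationPolicy and PeerAuthentication"
keywords:
  - AuthorizationPolicy
  - PeerAuthentication
  - mTLS
  - RBAC
  - Zero Trust
description: Use AuthorizationPolicy and PeerAuthentication to enforce zero-trust access control and strict mTLS, with ready-to-apply manifests.
categories:
  - Articles & News
  - Technical Tutorials
---

# Istio Authorization Policies and mTLS: AuthorizationPolicy and PeerAuthentication

## Enforcing mTLS

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default   # no selector: applies to every workload in this namespace
spec:
  mtls:
    mode: STRICT       # accept only mutual-TLS traffic; plaintext is rejected
```

## Authorization Policy

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: web-allow
  namespace: default
spec:                  # action defaults to ALLOW
  selector:
    matchLabels:
      app: web         # policy is enforced on workloads labelled app=web
  rules:
    - from:
        - source:
            # caller identity taken from the peer certificate (requires mTLS)
            principals: [ "cluster.local/ns/default/sa/api" ]
      to:
        - operation:
            paths: [ "/api/" ]   # exact match; "/api/*" would match by prefix
            methods: [ "GET", "POST" ]
```

## Summary

Combining mTLS with principal-based authorization policies gives you fine-grained control over service-to-service access.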
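The matching behaviour of the `web-allow` policy above, as an added example that is not part of the original article or of Istio itself: a simplified Python model that evaluates constructed requests against the policy's single rule. It assumes Istio's documented string matching (exact, `prefix*`, `*suffix`, `*`); the names `RULES`, `ATTR`, `str_match`, `block_matches` and `allowed` are hypothetical.

```python
# Simplified model of Istio ALLOW-policy evaluation (added example, not Istio code).
# Assumption: only the fields used by web-allow are modelled.
RULES = [{  # mirrors spec.rules of web-allow
    "from": [{"principals": ["cluster.local/ns/default/sa/api"]}],
    "to": [{"paths": ["/api/"], "methods": ["GET", "POST"]}],
}]
ATTR = {"principals": "principal", "paths": "path", "methods": "method"}

def str_match(pattern, value):
    """Istio string matching: exact, prefix ("abc*"), suffix ("*abc"), presence ("*")."""
    if not value:
        return False  # absent attribute (e.g. no mTLS identity) never matches
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value

def block_matches(block, request):
    """Fields inside one source/operation are ANDed; values inside a field are ORed."""
    return all(any(str_match(p, request.get(ATTR[f])) for p in pats)
               for f, pats in block.items())

def allowed(request, rules=RULES):
    """Allowed if some rule matches: one `from` source AND one `to` operation."""
    for rule in rules:
        src_ok = any(block_matches(s, request) for s in rule.get("from", [{}]))
        op_ok = any(block_matches(o, request) for o in rule.get("to", [{}]))
        if src_ok and op_ok:
            return True
    return False  # an ALLOW policy selects the workload and no rule matched: denied

# Constructed sample requests; principal is None when the peer has no mTLS identity.
API = "cluster.local/ns/default/sa/api"
SAMPLES = [
    {"principal": API, "path": "/api/", "method": "GET"},
    {"principal": API, "path": "/api/users", "method": "GET"},  # exact path only
    {"principal": "cluster.local/ns/default/sa/other", "path": "/api/", "method": "GET"},
    {"principal": None, "path": "/api/", "method": "GET"},      # plaintext peer
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req, "->", "ALLOW" if allowed(req) else "DENY")
```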
