Giter VIP home page Giter VIP logo

security-policy-migrate's People

Contributors

xulingqing avatar yangminzhu avatar

Stargazers

avatar

Watchers

avatar avatar avatar avatar

Forkers

zhiminxiang phspagiari

security-policy-migrate's Issues

cloud shell invalid memory address or nil pointer dereferenc

i am following the migration steps from https://cloud.google.com/istio/docs/istio-on-gke/migrate-to-anthos-service-mesh#zonal-clusters_1 this article

and get an error like this

$ ./convert
2021/07/22 11:40:12 found root namespace: istio-system
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x1342136]

goroutine 1 [running]:
strings.(*Builder).String(...)
        /opt/hostedtoolcache/go/1.14.14/x64/src/strings/builder.go:48
main.(*kubeClient).convert(0xc0004287b0, 0x0, 0x0)
        /home/runner/work/security-policy-migrate/security-policy-migrate/k8s.go:198 +0x1176
main.rootCmd.func1(0xc00022b600, 0x22b1fa8, 0x0, 0x0, 0x0, 0x0)
        /home/runner/work/security-policy-migrate/security-policy-migrate/main.go:48 +0xf7
github.com/spf13/cobra.(*Command).execute(0xc00022b600, 0xc00003c1d0, 0x0, 0x0, 0xc00022b600, 0xc00003c1d0)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:850 +0x453
github.com/spf13/cobra.(*Command).ExecuteC(0xc00022b600, 0x0, 0x0, 0xc00022b600)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:958 +0x349
github.com/spf13/cobra.(*Command).Execute(...)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:895
main.main()
        /home/runner/work/security-policy-migrate/security-policy-migrate/main.go:22 +0xab

since I have no go knowledge I am bringing this issue here

the go version in cloud shell
is

$ go version
go version go1.16.6 linux/amd64

MeshPolicy does not get converted to respective correct RequestAuthentication

We had the following MeshPolicy which we were trying to migrate to the istio v1.6.0

apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
spec:
  peers:
  - mtls: {}
  originIsOptional: true
  origins:
  - jwt:
      issuer: "https://keycloak.domain"
      jwksUri: "https://keycloak.domain/protocol/openid-connect/certs"
      jwt_headers:
        - "x-amzn-oidc-accesstoken"
  principalBinding: USE_ORIGIN

The migration was attempted using the security-policy-migrate tool, and it generated the following PeerAuthentication and RequestAuthentication yamls.

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  annotations:
    security.istio.io/alpha-policy-convert: converted from alpha authentication policy
      /default, mesh level policy
  creationTimestamp: null
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT

---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  annotations:
    security.istio.io/alpha-policy-convert: converted from alpha authentication policy
      /default, mesh level policy
  creationTimestamp: null
  name: default
  namespace: istio-system
spec:
  jwtRules:
  - fromHeaders:
    - name: x-amzn-oidc-accesstoken
    issuer: https://keycloak.domain
    jwksUri: https://keycloak.domain/protocol/openid-connect/certs
---

Unfortunately the generated v1beta1 RequestAuthentication policy didn't work. After a lot of debugging and trial and error, i finally found that the missing piece was forwardOriginalToken: true from RequestAuthentication. To my frustration, this change/requirement was nowhere documented and took a lot of time to figure it out. I am creating a bug here, so that this can be resolved, and if someone else stumbles over the same issue, they know what to do.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.