The kubectl commands below assume that you are executing in a context that uses your desired namespace.

1. Create the Pod and its Service:

    kubectl create -f digits.yaml

2. Examine the created objects:

    kubectl get deployment gpu-pod -o yaml
    kubectl get service gpu-service -o yaml
This is an example of using Istio policies to block DELETE operations on the /api/v1/user endpoints of home.jkb-ezaf-lr1.com based on JWT claims.

This policy is defined in the "ui" namespace so that it is applied by the Envoy proxy in the app-ui pod there. By that point the header injections applied at the Istio gateway by the existing app-ui-auth-policy have already happened and can be referenced here.

The RequestAuthentication resource applied here is required for this policy to use the request.auth.claims condition.

This example specifically allows user "joel" to do the DELETE operation, by checking the preferred_username claim.
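
One way the two resources described above could be written, as an added example and not the original manifest. The resource names, the `app: app-ui` selector label, the issuer and jwksUri values, and the assumption that the request reaches the sidecar with the JWT in the Authorization header are placeholders or assumptions, not values from this page.

```yaml
# Added example. Names, labels, issuer and jwksUri are placeholders/assumptions.
# RequestAuthentication validates the JWT at the app-ui sidecar and makes its
# claims available to request.auth.claims[...] conditions in the same workload.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: app-ui-jwt                  # hypothetical name
  namespace: ui
spec:
  selector:
    matchLabels:
      app: app-ui                   # assumed pod label
  jwtRules:
    - issuer: "https://ISSUER.PLACEHOLDER.example"              # placeholder
      jwksUri: "https://ISSUER.PLACEHOLDER.example/jwks.json"   # placeholder
---
# DENY rule: DELETE on the user endpoints is rejected unless the validated
# token's preferred_username claim is "joel".
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-user-delete            # hypothetical name
  namespace: ui
spec:
  selector:
    matchLabels:
      app: app-ui                   # assumed pod label
  action: DENY
  rules:
    - to:
        - operation:
            hosts: ["home.jkb-ezaf-lr1.com"]
            methods: ["DELETE"]
            # Trailing * is a prefix match, so this also covers paths such as
            # /api/v1/users; tighten it if only /api/v1/user/... is intended.
            paths: ["/api/v1/user*"]
      when:
        - key: request.auth.claims[preferred_username]
          notValues: ["joel"]
```

After applying, confirm the behaviour with a DELETE request carrying a token for "joel" and one carrying a token for another user; the second should be rejected with HTTP 403 by the sidecar.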
It seems like we should also be able to check the list-valued "groups" claim like this, to check for admin-ness: |