RequestAuthentication
RequestAuthentication defines what request authentication methods are supported by a workload. It will reject a request if the request contains invalid authentication information, based on the configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule. Examples:
- Require JWT for all requests for workloads that have label `app:httpbin`

```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "issuer-foo"
    jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
```
- The next example shows how to set a different JWT requirement for a different host. The `RequestAuthentication` declares it can accept JWTs issued by either `issuer-foo` or `issuer-bar` (the public key set is implicitly set from the OpenID Connect spec).

```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "issuer-foo"
  - issuer: "issuer-bar"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        requestPrincipals: ["issuer-foo/*"]
    to:
    - operation:
        hosts: ["example.com"]
  - from:
    - source:
        requestPrincipals: ["issuer-bar/*"]
    to:
    - operation:
        hosts: ["another-host.com"]
```
- You can fine-tune the authorization policy to set a different requirement per path. For example, to require JWT on all paths except `/healthz`, the same `RequestAuthentication` can be used, but the authorization policy could be:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
  - to:
    - operation:
        paths: ["/healthz"]
```
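All three configurations rely on the same evaluation order: `RequestAuthentication` rejects invalid credentials and attaches a request principal of the form `issuer/subject`, while only the `AuthorizationPolicy` turns "no principal" into a denial. The following is an added Python model of that logic (not Istio code) driven by the per-host and per-path rules from this page; it assumes JWT verification has already yielded an `(issuer, subject)` pair and approximates Istio's `*` wildcard with `fnmatch`.

```python
from fnmatch import fnmatchcase
# jwtRules from the per-host example. Assumption: a JWT is modelled as an
# already-verified (issuer, subject) pair; an unknown issuer stands in for a
# token that fails verification.
JWT_RULES = [{"issuer": "issuer-foo"}, {"issuer": "issuer-bar"}]
# AuthorizationPolicy rules from the per-host example.
PER_HOST_RULES = [
    {"from": [{"source": {"requestPrincipals": ["issuer-foo/*"]}}],
     "to": [{"operation": {"hosts": ["example.com"]}}]},
    {"from": [{"source": {"requestPrincipals": ["issuer-bar/*"]}}],
     "to": [{"operation": {"hosts": ["another-host.com"]}}]},
]
# AuthorizationPolicy rules from the "JWT everywhere except /healthz" example.
PER_PATH_RULES = [
    {"from": [{"source": {"requestPrincipals": ["*"]}}]},
    {"to": [{"operation": {"paths": ["/healthz"]}}]},
]

def authenticate(jwt, jwt_rules=JWT_RULES):
    """RequestAuthentication step: returns (accepted, request_principal)."""
    if jwt is None:
        return True, None                 # no credential: accepted, no identity
    issuer, subject = jwt
    if not any(r["issuer"] == issuer for r in jwt_rules):
        return False, None                # invalid/untrusted token: rejected
    return True, f"{issuer}/{subject}"    # principal is "<iss>/<sub>"

def _match(value, patterns):
    # A missing value (unauthenticated request) never matches, not even "*".
    return value is not None and any(fnmatchcase(value, p) for p in patterns)

def _op_ok(op, host, path):
    return (("hosts" not in op or _match(host, op["hosts"])) and
            ("paths" not in op or _match(path, op["paths"])))

def authorize(rules, principal, host, path):
    """ALLOW policy: any rule may match; within a rule, from AND to must hold,
    and each of those lists is satisfied by any one entry."""
    return any(
        ("from" not in r or any(_match(principal, s["source"]["requestPrincipals"])
                                for s in r["from"])) and
        ("to" not in r or any(_op_ok(t["operation"], host, path) for t in r["to"]))
        for r in rules)

def decide(jwt, host, path, rules):
    """End-to-end outcome for one request as an HTTP status code."""
    accepted, principal = authenticate(jwt)
    if not accepted:
        return 401
    return 200 if authorize(rules, principal, host, path) else 403
```

Calling `decide(None, "example.com", "/", PER_HOST_RULES)` returns 403 rather than 401: the unauthenticated request clears `RequestAuthentication` and is stopped only by the authorization rule.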