Authentication Policy

This package defines user-facing authentication policy.

Jwt

JSON Web Token (JWT) token format for authentication as defined byRFC 7519. See OAuth 2.0 andOIDC 1.0 for how this is used in the wholeauthentication flow.

For example:

A JWT for any requests:

  1. issuer: https://example.com
  2. audiences:
  3. - bookstore_android.apps.googleusercontent.com
  4.   bookstore_web.apps.googleusercontent.com
  5. jwksUri: https://example.com/.well-known/jwks.json

A JWT for all requests except request at path /health_check and path withprefix /status/. This is useful to expose some paths for public access butkeep others JWT validated.

  1. issuer: https://example.com
  2. jwksUri: https://example.com/.well-known/jwks.json
  3. triggerRules:
  4. - excludedPaths:
  5.   - exact: /health_check
  6.   - prefix: /status/

A JWT only for requests at path /admin. This is useful to only require JWTvalidation on a specific set of paths but keep others public accessible.

  1. issuer: https://example.com
  2. jwksUri: https://example.com/.well-known/jwks.json
  3. triggerRules:
  4. - includedPaths:
  5.   - prefix: /admin

A JWT only for requests at path of prefix /status/ but except the path of/status/version. This means for any request path with prefix /status/ except/status/version will require a valid JWT to proceed.

  1. issuer: https://example.com
  2. jwksUri: https://example.com/.well-known/jwks.json
  3. triggerRules:
  4. - excludedPaths:
  5.   - exact: /status/version
  6.   includedPaths:
  7.   - prefix: /status/
FieldTypeDescriptionRequired
issuerstringIdentifies the issuer that issued the JWT. SeeissuerUsually a URL or an email address.Example: https://securetoken.google.comExample: 1234567-compute@developer.gserviceaccount.comNo
audiencesstring[]The list of JWTaudiences.that are allowed to access. A JWT containing any of theseaudiences will be accepted.The service name will be accepted if audiences is empty.Example:
  1. audiences:- bookstore_android.apps.googleusercontent.com  bookstore_web.apps.googleusercontent.com
No
jwksUristringURL of the provider’s public key set to validate signature of theJWT. See OpenID Discovery.Optional if the key set document can either (a) be retrieved fromOpenIDDiscovery ofthe issuer or (b) inferred from the email domain of the issuer (e.g. aGoogle service account).Example: https://www.googleapis.com/oauth2/v1/certsNote: Only one of jwks_uri and jwks should be used.No
jwksstringJSON Web Key Set of public keys to validate signature of the JWT.See https://auth0.com/docs/jwks.Note: Only one of jwks_uri and jwks should be used.No
jwtHeadersstring[]JWT is sent in a request header. header represents theheader name.For example, if header=x-goog-iap-jwt-assertion, the headerformat will be x-goog-iap-jwt-assertion: <JWT>.No
jwtParamsstring[]JWT is sent in a query parameter. query represents thequery parameter name.For example, query=jwt_token.No
triggerRulesTriggerRule[]List of trigger rules to decide if this JWT should be used to validate therequest. The JWT validation happens if any one of the rules matched.If the list is not empty and none of the rules matched, authentication willskip the JWT validation.Leave this empty to always trigger the JWT validation.No

Jwt.TriggerRule

Trigger rule to match against a request. The trigger rule is satisfied ifand only if both rules, excluded_paths and include_paths are satisfied.

FieldTypeDescriptionRequired
excludedPathsStringMatch[]List of paths to be excluded from the request. The rule is satisfied ifrequest path does not match to any of the path in this list.No
includedPathsStringMatch[]List of paths that the request must include. If the list is not empty, therule is satisfied if request path matches at least one of the path in the list.If the list is empty, the rule is ignored, in other words the rule is always satisfied.No

MutualTls

TLS authentication params.

FieldTypeDescriptionRequired
allowTlsboolWILL BE DEPRECATED, if set, will translates to TLS_PERMISSIVE mode.Set this flag to true to allow regular TLS (i.e without client x509certificate). If request carries client certificate, identity will beextracted and used (set to peer identity). Otherwise, peer identity willbe left unset.When the flag is false (default), request must have client certificate.No
modeModeDefines the mode of mTLS authentication.No

MutualTls.Mode

Defines the acceptable connection TLS mode.

NameDescription
STRICTClient cert must be presented, connection is in TLS.
PERMISSIVEConnection can be either plaintext or TLS, and client cert can be omitted.

OriginAuthenticationMethod

OriginAuthenticationMethod defines authentication method/params for originauthentication. Origin could be end-user, device, delegate service etc.Currently, only JWT is supported for origin authentication.

FieldTypeDescriptionRequired
jwtJwtJwt params for the method.No

PeerAuthenticationMethod

PeerAuthenticationMethod defines one particular type of authentication, e.gmutual TLS, JWT etc, (no authentication is one type by itself) that canbe used for peer authentication.The type can be progammatically determine by checking the type of the“params” field.

FieldTypeDescriptionRequired
mtlsMutualTls (oneof)Set if mTLS is used.Yes

Policy

Policy defines what authentication methods can be accepted on workload(s),and if authenticated, which method/certificate will set the request principal(i.e request.auth.principal attribute).

Authentication policy is composed of 2-part authentication:- peer: verify caller service credentials. This part will set source.user(peer identity).- origin: verify the origin credentials. This part will set request.auth.user(origin identity), as well as other attributes like request.auth.presenter,request.auth.audiences and raw claims. Note that the identity could beend-user, service account, device etc.

Last but not least, the principal binding rule defines which identity (peeror origin) should be used as principal. By default, it uses peer.

Examples:

Policy to enable mTLS for all services in namespace frod. The policy name must bedefault, and it contains no rule for targets.

  1. apiVersion: authentication.istio.io/v1alpha1
  2. kind: Policy
  3. metadata:
  4.   name: default
  5.   namespace: frod
  6. spec:
  7.   peers:
  8.   - mtls:

Policy to disable mTLS for “productpage” service

  1. apiVersion: authentication.istio.io/v1alpha1
  2. kind: Policy
  3. metadata:
  4.   name: productpage-mTLS-disable
  5.   namespace: frod
  6. spec:
  7.   targets:
  8.   - name: productpage

Policy to require mTLS for peer authentication, and JWT for origin authenticationfor productpage:9000 except the path ‘/health_check’ . Principal is set from origin identity.

  1. apiVersion: authentication.istio.io/v1alpha1
  2. kind: Policy
  3. metadata:
  4.   name: productpage-mTLS-with-JWT
  5.   namespace: frod
  6. spec:
  7.   targets:
  8.   - name: productpage
  9.     ports:
  10.     - number: 9000
  11.   peers:
  12.   - mtls:
  13.   origins:
  14.   - jwt:
  15.       issuer: "https://securetoken.google.com"
  16.       audiences:
  17.       - "productpage"
  18.       jwksUri: "https://www.googleapis.com/oauth2/v1/certs"
  19.       jwtHeaders:
  20.       - "x-goog-iap-jwt-assertion"
  21.       triggerRules:
  22.       - excludedPaths:
  23.         - exact: /health_check
  24.   principalBinding: USE_ORIGIN
FieldTypeDescriptionRequired
targetsTargetSelector[]List rules to select workloads that the policy should be applied on.If empty, policy will be used on all workloads in the same namespace.No
peersPeerAuthenticationMethod[]List of authentication methods that can be used for peer authentication.They will be evaluated in order; the first validate one will be used toset peer identity (source.user) and other peer attributes. If none ofthese methods pass, request will be rejected with authentication failed error (401).Leave the list empty if peer authentication is not requiredNo
peerIsOptionalboolSet this flag to true to accept request (for peer authentication perspective),even when none of the peer authentication methods defined above satisfied.Typically, this is used to delay the rejection decision to next layer (e.gauthorization).This flag is ignored if no authentication defined for peer (peers field is empty).No
originsOriginAuthenticationMethod[]List of authentication methods that can be used for origin authentication.Similar to peers, these will be evaluated in order; the first validate onewill be used to set origin identity and attributes (i.e request.auth.user,request.auth.issuer etc). If none of these methods pass, request will berejected with authentication failed error (401).A method may be skipped, depends on its trigger rule. If all of these methodsare skipped, origin authentication will be ignored, as if it is not defined.Leave the list empty if origin authentication is not required.No
originIsOptionalboolSet this flag to true to accept request (for origin authentication perspective),even when none of the origin authentication methods defined above satisfied.Typically, this is used to delay the rejection decision to next layer (e.gauthorization).This flag is ignored if no authentication defined for origin (origins field is empty).No
principalBindingPrincipalBindingDefine whether peer or origin identity should be use for principal. Defaultvalue is USE_PEER.If peer (or origin) identity is not available, either because of peer/originauthentication is not defined, or failed, principal will be left unset.In other words, binding rule does not affect the decision to accept orreject request.No

PortSelector

PortSelector specifies the name or number of a port to be used formatching targets for authentication policy. This is copied fromnetworking API to avoid dependency.

FieldTypeDescriptionRequired
numberuint32 (oneof)Valid port numberYes
namestring (oneof)Port nameYes

PrincipalBinding

Associates authentication with request principal.

NameDescription
USE_PEERPrincipal will be set to the identity from peer authentication.
USE_ORIGINPrincipal will be set to the identity from origin authentication.

StringMatch

Describes how to match a given string. Match is case-sensitive.

FieldTypeDescriptionRequired
exactstring (oneof)exact string match.Yes
prefixstring (oneof)prefix-based match.Yes
suffixstring (oneof)suffix-based match.Yes
regexstring (oneof)ECMAscript style regex-based match as defined by EDCA-262.Example: “^/pets/(.*?)?”Yes

TargetSelector

TargetSelector defines a matching rule to a workload. A workload is selectedif it is associated with the service name and service port(s) specified in the selector rule.

FieldTypeDescriptionRequired
namestringThe name must be a short name from the service registry. Thefully qualified domain name will be resolved in a platform specific manner.Yes
portsPortSelector[]Specifies the ports. Note that this is the port(s) exposed by the service, not workload instance ports.For example, if a service is defined as below, then 8000 should be used, not 9000.
  1. kind: Servicemetadata:  spec:  ports:  - name: http    port: 8000    targetPort: 9000  selector:    app: backend
Leave empty to match all ports that are exposed.		No