RequestAuthentication

RequestAuthentication defines what request authentication methods are supported by a workload. It will reject a request if the request contains invalid authentication information, based on the configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule.

Examples:

- Require JWT for all requests for workloads that have label `app:httpbin`

  ```yaml
  apiVersion: security.istio.io/v1beta1
  kind: RequestAuthentication
  metadata:
    name: httpbin
    namespace: foo
  spec:
    selector:
      matchLabels:
        app: httpbin
    jwtRules:
    - issuer: "issuer-foo"
      jwksUri: https://example.com/.well-known/jwks.json
  ---
  apiVersion: security.istio.io/v1beta1
  kind: AuthorizationPolicy
  metadata:
    name: httpbin
    namespace: foo
  spec:
    selector:
      matchLabels:
        app: httpbin
    rules:
    - from:
      - source:
          requestPrincipals: ["*"]
  ```

- The next example shows how to set a different JWT requirement for a different `host`. The `RequestAuthentication` declares it can accept JWTs issued by either `issuer-foo` or `issuer-bar` (the public key set is implicitly set from the OpenID Connect spec).

  ```yaml
  apiVersion: security.istio.io/v1beta1
  kind: RequestAuthentication
  metadata:
    name: httpbin
    namespace: foo
  spec:
    selector:
      matchLabels:
        app: httpbin
    jwtRules:
    - issuer: "issuer-foo"
    - issuer: "issuer-bar"
  ---
  apiVersion: security.istio.io/v1beta1
  kind: AuthorizationPolicy
  metadata:
    name: httpbin
    namespace: foo
  spec:
    selector:
      matchLabels:
        app: httpbin
    rules:
    - from:
      - source:
          requestPrincipals: ["issuer-foo/*"]
      to:
      - operation:
          hosts: ["example.com"]
    - from:
      - source:
          requestPrincipals: ["issuer-bar/*"]
      to:
      - operation:
          hosts: ["another-host.com"]
  ```

- You can fine tune the authorization policy to set different requirements per path. For example, to require JWT on all paths, except `/healthz`, the same `RequestAuthentication` can be used, but the authorization policy could be:

  ```yaml
  apiVersion: security.istio.io/v1beta1
  kind: AuthorizationPolicy
  metadata:
    name: httpbin
    namespace: foo
  spec:
    selector:
      matchLabels:
        app: httpbin
    rules:
    - from:
      - source:
          requestPrincipals: ["*"]
    - to:
      - operation:
          paths: ["/healthz"]
  ```
| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `selector` | `WorkloadSelector` | The selector determines the workloads to apply the RequestAuthentication on. If not set, the policy will be applied to all workloads in the same namespace as the policy. | No |
| `jwtRules` | `JWTRule[]` | Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token will be used to extract the authenticated identity. Each rule will be activated only when a token is presented at the location recognized by the rule. The token will be validated based on the JWT rule config. If validation fails, the request will be rejected. Note: if more than one token is presented (at different locations), the output principal is nondeterministic. | No |
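The following is an added example, not Istio code: a small Python model of the two-stage decision the page describes for the three examples above and for the `jwtRules` semantics in the table. Stage one is the `RequestAuthentication` step (no credential is accepted without an identity, an invalid token is rejected); stage two is an ALLOW-action `AuthorizationPolicy` whose rules match on `requestPrincipals`, `hosts` and `paths`. Signature verification against `jwksUri` is replaced by a constructed lookup table of known tokens, the principal shape `<issuer>/<subject>` follows Istio's `requestPrincipals` convention, and treating a token from an issuer that no rule lists as invalid is a modelling assumption. The three policies are the page's own examples transcribed as dictionaries.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Constructed stand-in for signature verification. The real proxy checks the
# token against the issuer's key set (jwksUri or OIDC discovery); here a token
# string simply maps to the (issuer, subject) claims it would carry.
VALID_TOKENS = {
    "tok-foo-alice": ("issuer-foo", "alice"),
    "tok-bar-bob": ("issuer-bar", "bob"),
}


@dataclass
class Request:
    host: str
    path: str
    authorization: Optional[str] = None  # Authorization header value, if any


def authenticate(req, jwt_rules):
    """RequestAuthentication step: returns (accepted, request principal).

    No credential -> accepted with no principal (the page's stated behaviour).
    Malformed or unknown token -> rejected. A token from an issuer that no
    jwtRules entry lists is treated as invalid (modelling assumption)."""
    if req.authorization is None:
        return True, None
    if not req.authorization.startswith("Bearer "):
        return False, None
    token = req.authorization[len("Bearer "):]
    claims = VALID_TOKENS.get(token)
    if claims is None:
        return False, None
    issuer, subject = claims
    if issuer not in {rule["issuer"] for rule in jwt_rules}:
        return False, None
    return True, f"{issuer}/{subject}"  # requestPrincipal shape: <iss>/<sub>


def _match_any(value, patterns):
    # An absent value (anonymous request) matches nothing, not even "*".
    return value is not None and any(fnmatchcase(value, p) for p in patterns)


def _source_matches(source, principal):
    pats = source.get("requestPrincipals")
    return pats is None or _match_any(principal, pats)


def _operation_matches(op, req):
    for key, value in (("hosts", req.host), ("paths", req.path)):
        if key in op and not _match_any(value, op[key]):
            return False
    return True


def _rule_matches(rule, req, principal):
    # Within a rule, `from` and `to` must both hold; each is satisfied by any
    # one of its entries. An absent `from` or `to` places no constraint.
    from_ok = "from" not in rule or any(
        _source_matches(f["source"], principal) for f in rule["from"])
    to_ok = "to" not in rule or any(
        _operation_matches(t["operation"], req) for t in rule["to"])
    return from_ok and to_ok


def authorize(req, principal, policy):
    """ALLOW-action AuthorizationPolicy: with no policy everything is allowed;
    once one applies, at least one rule must match or the request is denied."""
    if policy is None:
        return True
    return any(_rule_matches(r, req, principal) for r in policy["rules"])


def handle(req, jwt_rules, policy):
    """Return the HTTP status the proxy would answer with."""
    accepted, principal = authenticate(req, jwt_rules)
    if not accepted:
        return 401
    return 200 if authorize(req, principal, policy) else 403


# The page's examples, transcribed from the YAML above.
JWT_RULES = [{"issuer": "issuer-foo"}, {"issuer": "issuer-bar"}]
POLICY_ANY_JWT = {"rules": [{"from": [{"source": {"requestPrincipals": ["*"]}}]}]}
POLICY_PER_HOST = {"rules": [
    {"from": [{"source": {"requestPrincipals": ["issuer-foo/*"]}}],
     "to": [{"operation": {"hosts": ["example.com"]}}]},
    {"from": [{"source": {"requestPrincipals": ["issuer-bar/*"]}}],
     "to": [{"operation": {"hosts": ["another-host.com"]}}]},
]}
POLICY_EXCEPT_HEALTHZ = {"rules": [
    {"from": [{"source": {"requestPrincipals": ["*"]}}]},
    {"to": [{"operation": {"paths": ["/healthz"]}}]},
]}

if __name__ == "__main__":
    anon = Request("example.com", "/api")
    print("no policy, anonymous:", handle(anon, JWT_RULES, None))            # 200
    print("policy, anonymous:", handle(anon, JWT_RULES, POLICY_ANY_JWT))     # 403
    print("policy, bad token:", handle(Request("example.com", "/api",
          "Bearer forged"), JWT_RULES, POLICY_ANY_JWT))                      # 401
```

The first two printed lines are the point of the page: with only a `RequestAuthentication` in place, an anonymous request is accepted; the `requestPrincipals: ["*"]` rule is what turns "no identity" into a 403, because an empty principal does not match `*`.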