This package defines user-facing authentication policy.
A JWT for any requests:
issuer: https://example.com audiences: - bookstore_android.apps.googleusercontent.com bookstore_web.apps.googleusercontent.com jwksUri: https://example.com/.well-known/jwks.json
A JWT for all requests except request at path
/health_check and path with
/status/. This is useful to expose some paths for public access but
keep others JWT validated.
issuer: https://example.com jwks_uri: https://example.com/.well-known/jwks.json trigger_rules: - excluded_paths: - exact: /health_check - prefix: /status/
A JWT only for requests at path
/admin. This is useful to only require JWT
validation on a specific set of paths but keep others public accessible.
issuer: https://example.com jwks_uri: https://example.com/.well-known/jwks.json trigger_rules: - included_paths: - prefix: /admin
A JWT only for requests at path of prefix
/status/ but except the path of
/status/version. This means for any request path with prefix
/status/version will require a valid JWT to proceed.
issuer: https://example.com jwks_uri: https://example.com/.well-known/jwks.json trigger_rules: - excluded_paths: - exact: /status/version included_paths: - prefix: /status/
Trigger rule to match against a request. The trigger rule is satisfied if and only if both rules, excludedpaths and includepaths are satisfied.
TLS authentication params.
Defines the acceptable connection TLS mode.
Client cert must be presented, connection is in TLS.
Connection can be either plaintext or TLS, and client cert can be omitted.
OriginAuthenticationMethod defines authentication method/params for origin authentication. Origin could be end-user, device, delegate service etc. Currently, only JWT is supported for origin authentication.
PeerAuthenticationMethod defines one particular type of authentication, e.g mutual TLS, JWT etc, (no authentication is one type by itself) that can be used for peer authentication. The type can be progammatically determine by checking the type of the “params” field.
Policy defines what authentication methods can be accepted on workload(s), and if authenticated, which method/certificate will set the request principal (i.e request.auth.principal attribute).
Authentication policy is composed of 2-part authentication: - peer: verify caller service credentials. This part will set source.user (peer identity). - origin: verify the origin credentials. This part will set request.auth.user (origin identity), as well as other attributes like request.auth.presenter, request.auth.audiences and raw claims. Note that the identity could be end-user, service account, device etc.
Last but not least, the principal binding rule defines which identity (peer or origin) should be used as principal. By default, it uses peer.
Policy to enable mTLS for all services in namespace frod. The policy name must be
default, and it contains no rule for
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default namespace: frod spec: peers: - mtls:
Policy to disable mTLS for “productpage” service
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: productpage-mTLS-disable namespace: frod spec: targets: - name: productpage
Policy to require mTLS for peer authentication, and JWT for origin authentication for productpage:9000 except the path ‘/health_check’ . Principal is set from origin identity.
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: productpage-mTLS-with-JWT namespace: frod spec: targets: - name: productpage ports: - number: 9000 peers: - mtls: origins: - jwt: issuer: "https://securetoken.google.com" audiences: - "productpage" jwksUri: "https://www.googleapis.com/oauth2/v1/certs" jwt_headers: - "x-goog-iap-jwt-assertion" trigger_rules: - excluded_paths: - exact: /health_check principalBinding: USE_ORIGIN
PortSelector specifies the name or number of a port to be used for matching targets for authentication policy. This is copied from networking API to avoid dependency.
Associates authentication with request principal.
Principal will be set to the identity from peer authentication.
Principal will be set to the identity from origin authentication.
Describes how to match a given string. Match is case-sensitive.
TargetSelector defines a matching rule to a workload. A workload is selected if it is associated with the service name and service port(s) specified in the selector rule.