This package defines user-facing authentication policy.
Policy defines what authentication methods can be accepted on workload(s), and if authenticated, which method/certificate will set the request principal (i.e request.auth.principal attribute).
Authentication policy is composed of 2-part authentication: - peer: verify caller service credentials. This part will set source.user (peer identity). - origin: verify the origin credentials. This part will set request.auth.user (origin identity), as well as other attributes like request.auth.presenter, request.auth.audiences and raw claims. Note that the identity could be end-user, service account, device etc.
Last but not least, the principal binding rule defines which identity (peer or origin) should be used as principal. By default, it uses peer.
Policy to enable mTLS for all services in namespace frod. The policy name must be
default, and it contains no rule for
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default namespace: frod spec: peers: - mtls:
Policy to disable mTLS for “productpage” service
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: productpage-mTLS-disable namespace: frod spec: targets: - name: productpage
Policy to require mTLS for peer authentication, and JWT for origin authentication for productpage:9000 except the path ‘/health_check’ . Principal is set from origin identity.
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: productpage-mTLS-with-JWT namespace: frod spec: targets: - name: productpage ports: - number: 9000 peers: - mtls: origins: - jwt: issuer: "https://securetoken.google.com" audiences: - "productpage" jwksUri: "https://www.googleapis.com/oauth2/v1/certs" jwtHeaders: - "x-goog-iap-jwt-assertion" triggerRules: - excludedPaths: - exact: /health_check principalBinding: USE_ORIGIN
Defines the acceptable connection TLS mode.
Client cert must be presented, connection is in TLS.
Connection can be either plaintext or TLS with Client cert.