Authentication Policy

JSON Web Token (JWT) token format for authentication as defined by RFC 7519. See and OIDC 1.0 for how this is used in the whole authentication flow.

For example:

A JWT for any requests:

A JWT for all requests except request at path and path with prefix /status/. This is useful to expose some paths for public access but keep others JWT validated.

issuer: https://example.com
jwksUri: https://example.com/.well-known/jwks.json
triggerRules:
- excludedPaths:
  - exact: /health_check
  - prefix: /status/

A JWT only for requests at path /admin. This is useful to only require JWT validation on a specific set of paths but keep others public accessible.

issuer: https://example.com
jwksUri: https://example.com/.well-known/jwks.json
triggerRules:
- includedPaths:

A JWT only for requests at path of prefix /status/ but except the path of /status/version. This means for any request path with prefix /status/ except /status/version will require a valid JWT to proceed.

Jwt.TriggerRule

Trigger rule to match against a request. The trigger rule is satisfied if and only if both rules, excludedpaths and includepaths are satisfied.

MutualTls

TLS authentication params.

Defines the acceptable connection TLS mode.

OriginAuthenticationMethod

OriginAuthenticationMethod defines authentication method/params for origin authentication. Origin could be end-user, device, delegate service etc. Currently, only JWT is supported for origin authentication.

PeerAuthenticationMethod

PeerAuthenticationMethod defines one particular type of authentication, e.g mutual TLS, JWT etc, (no authentication is one type by itself) that can be used for peer authentication. The type can be progammatically determine by checking the type of the “params” field.

Policy defines what authentication methods can be accepted on workload(s), and if authenticated, which method/certificate will set the request principal (i.e request.auth.principal attribute).

Authentication policy is composed of 2-part authentication: - peer: verify caller service credentials. This part will set source.user (peer identity). - origin: verify the origin credentials. This part will set request.auth.user (origin identity), as well as other attributes like request.auth.presenter, request.auth.audiences and raw claims. Note that the identity could be end-user, service account, device etc.

Last but not least, the principal binding rule defines which identity (peer or origin) should be used as principal. By default, it uses peer.

Examples:

Policy to enable mTLS for all services in namespace frod. The policy name must be default, and it contains no rule for targets.

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: frod
spec:
  peers:
  - mtls:

Policy to disable mTLS for “productpage” service

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: productpage-mTLS-with-JWT
  namespace: frod
spec:
  targets:
  - name: productpage
    ports:
    - number: 9000
  - mtls:
  origins:
  - jwt:
      issuer: "https://securetoken.google.com"
      audiences:
      - "productpage"
      jwksUri: "https://www.googleapis.com/oauth2/v1/certs"
      jwtHeaders:
      - "x-goog-iap-jwt-assertion"
      triggerRules:
      - excludedPaths:
  principalBinding: USE_ORIGIN

PortSelector

PortSelector specifies the name or number of a port to be used for matching targets for authentication policy. This is copied from networking API to avoid dependency.

PrincipalBinding

Associates authentication with request principal.

Describes how to match a given string. Match is case-sensitive.

TargetSelector

TargetSelector defines a matching rule to a workload. A workload is selected if it is associated with the service name and service port(s) specified in the selector rule.

kind: Service
metadata:
  …
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 9000
    app: backend