Authentication Policy

    JSON Web Token (JWT) token format for authentication as defined byRFC 7519. See andOIDC 1.0 for how this is used in the wholeauthentication flow.

    For example:

    A JWT for any requests:

    A JWT for all requests except request at path and path withprefix /status/. This is useful to expose some paths for public access butkeep others JWT validated.

    1. issuer: https://example.com
    2. jwksUri: https://example.com/.well-known/jwks.json
    3. triggerRules:
    4. - excludedPaths:
    5.   - exact: /health_check
    6.   - prefix: /status/

    A JWT only for requests at path /admin. This is useful to only require JWTvalidation on a specific set of paths but keep others public accessible.

    1. issuer: https://example.com
    2. triggerRules:
    3. - includedPaths:
    4.   - prefix: /admin

    A JWT only for requests at path of prefix /status/ but except the path of/status/version. This means for any request path with prefix /status/ except/status/version will require a valid JWT to proceed.

    Jwt.TriggerRule

    FieldTypeDescriptionRequired
    excludedPathsList of paths to be excluded from the request. The rule is satisfied ifrequest path does not match to any of the path in this list.No
    includedPathsStringMatch[]List of paths that the request must include. If the list is not empty, therule is satisfied if request path matches at least one of the path in the list.If the list is empty, the rule is ignored, in other words the rule is always satisfied.No

    MutualTls

    TLS authentication params.

    FieldTypeDescriptionRequired
    allowTlsboolWILL BE DEPRECATED, if set, will translates to TLS_PERMISSIVE mode.Set this flag to true to allow regular TLS (i.e without client x509certificate). If request carries client certificate, identity will beextracted and used (set to peer identity). Otherwise, peer identity willbe left unset.When the flag is false (default), request must have client certificate.No
    modeModeDefines the mode of mTLS authentication.No

    Defines the acceptable connection TLS mode.

    OriginAuthenticationMethod

    OriginAuthenticationMethod defines authentication method/params for originauthentication. Origin could be end-user, device, delegate service etc.Currently, only JWT is supported for origin authentication.

    FieldTypeDescriptionRequired
    jwtJwtJwt params for the method.No

    PeerAuthenticationMethod

    PeerAuthenticationMethod defines one particular type of authentication, e.gmutual TLS, JWT etc, (no authentication is one type by itself) that canbe used for peer authentication.The type can be progammatically determine by checking the type of the“params” field.

    FieldTypeDescriptionRequired
    mtlsMutualTls (oneof)Set if mTLS is used.Yes

    Policy defines what authentication methods can be accepted on workload(s),and if authenticated, which method/certificate will set the request principal(i.e request.auth.principal attribute).

    Authentication policy is composed of 2-part authentication:- peer: verify caller service credentials. This part will set source.user(peer identity).- origin: verify the origin credentials. This part will set request.auth.user(origin identity), as well as other attributes like request.auth.presenter,request.auth.audiences and raw claims. Note that the identity could beend-user, service account, device etc.

    Examples:

    Policy to enable mTLS for all services in namespace frod. The policy name must bedefault, and it contains no rule for targets.

    1. apiVersion: authentication.istio.io/v1alpha1
    2. kind: Policy
    3. metadata:
    4.   name: default
    5.   namespace: frod
    6. spec:
    7.   peers:
    8.   - mtls:

    Policy to disable mTLS for “productpage” service

    Policy to require mTLS for peer authentication, and JWT for origin authenticationfor productpage:9000 except the path ‘/health_check’ . Principal is set from origin identity.

    1. apiVersion: authentication.istio.io/v1alpha1
    2. kind: Policy
    3. metadata:
    4.   name: productpage-mTLS-with-JWT
    5.   namespace: frod
    6. spec:
    7.   - name: productpage
    8.     ports:
    9.     - number: 9000
    10.   peers:
    11.   - mtls:
    12.   origins:
    13.   - jwt:
    14.       issuer: "https://securetoken.google.com"
    15.       audiences:
    17.       jwksUri: "https://www.googleapis.com/oauth2/v1/certs"
    18.       jwtHeaders:
    19.       - "x-goog-iap-jwt-assertion"
    20.       triggerRules:
    21.       - excludedPaths:
    22.         - exact: /health_check
    23.   principalBinding: USE_ORIGIN

    PortSelector

    PortSelector specifies the name or number of a port to be used formatching targets for authentication policy. This is copied fromnetworking API to avoid dependency.

    FieldTypeDescriptionRequired
    numberuint32 (oneof)Valid port numberYes
    namestring (oneof)Port nameYes

    PrincipalBinding

    Associates authentication with request principal.

    NameDescription
    USE_PEERPrincipal will be set to the identity from peer authentication.
    USE_ORIGINPrincipal will be set to the identity from origin authentication.

    TargetSelector

    TargetSelector defines a matching rule to a workload. A workload is selectedif it is associated with the service name and service port(s) specified in the selector rule.

    FieldTypeDescriptionRequired
    namestringThe name must be a short name from the service registry. Thefully qualified domain name will be resolved in a platform specific manner.Yes
    portsPortSelector[]Specifies the ports. Note that this is the port(s) exposed by the service, not workload instance ports.For example, if a service is defined as below, then 8000 should be used, not 9000.
    Leave empty to match all ports that are exposed.    		No