From fe3de42870bd7ebb2d81e7c17849eab595916117 Mon Sep 17 00:00:00 2001 From: Chris Wilson <46912004+sushicw@users.noreply.github.com> Date: Mon, 17 Jun 2019 12:44:13 -0700 Subject: [PATCH] Fix authn-policy task: add missing cleanup and a dependent lib (#4410) * add missing cleanup step for authn policy task section 1 The "*.local" rule created in "Globally enabling Istio mutual TLS" was not removed during the cleanup section, leading to unexpected 503s for users continuing on to the next section (enabling per-namespace). * Note that jwcrypto needs to be present to run gen_jwt.py * Apply suggestions from code review Co-Authored-By: Rigs Caballero --- .spelling | 1 + content/docs/tasks/security/authn-policy/index.md | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/.spelling b/.spelling index c119f2494e..52e7eecb02 100644 --- a/.spelling +++ b/.spelling @@ -263,6 +263,7 @@ jason Jog json JSON-formatted +jwcrypto JWT jwt.io JWTs diff --git a/content/docs/tasks/security/authn-policy/index.md b/content/docs/tasks/security/authn-policy/index.md index a9908103dc..b55fbb41a9 100644 --- a/content/docs/tasks/security/authn-policy/index.md +++ b/content/docs/tasks/security/authn-policy/index.md @@ -266,6 +266,7 @@ Remove global authentication policy and destination rules added in the session: $ kubectl delete meshpolicy default $ kubectl delete destinationrules httpbin-legacy -n legacy $ kubectl delete destinationrules api-server -n istio-system +$ kubectl delete destinationrules default -n istio-system {{< /text >}} ## Enable mutual TLS per namespace or service 
@@ -590,6 +591,11 @@ You also need the `key.pem` file: $ wget {{< github_file >}}/security/tools/jwt/samples/key.pem {{< /text >}} +{{< tip >}} +Download the [jwcrypto](https://pypi.org/project/jwcrypto) library, +if you haven't installed it on your system. +{{< /tip >}} + For example, the command below creates a token that expires in 5 seconds. As you see, Istio authenticates requests using that token successfully at first but rejects them after 5 seconds:
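Review bot: In the cleanup hunk of `content/docs/tasks/security/authn-policy/index.md` (@@ -266), the added `kubectl delete destinationrules default -n istio-system` line does not say which rule it removes. The name `default` is generic, and only the commit message explains that this is the "*.local" rule created in "Globally enabling Istio mutual TLS". Consider extending the sentence above the block to name that rule and section, so a reader who sees 503s in the per-namespace section can tell whether this step was missed.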
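Review bot: In the tip added at @@ -590, the text says "Download the jwcrypto library" without stating what needs it. The commit message says it is required to run `gen_jwt.py`, but the tip sits after the `key.pem` download, so the connection is left to the reader. Suggest naming the script in the tip and using "Install" instead of "Download", since the library has to be importable by the Python interpreter that runs the script, not just present on disk.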