1.8 KiB
| title | layout |
|---|---|
| JwtFailureDueToInvalidServicePortPrefix | analysis-message |
This message occurs when a authentication Policy specifies the use of JWT authentication, but the targeted Kubernetes services is not configured properly. A properly targeted Kubernetes service requires the port to be named with a prefix of http|http2|https (see Protocol Selection) and also requires the protocol to be TCP; an empty protocol is acceptable as TCP is the default value.
Example
You will receive this message:
{{< text plain >}} Warn [IST0119] (Policy secure-httpbin.default) Authentication policy with JWT targets Service with invalid port specification (port: 8080, name: svc-8080, protocol: TCP, targetPort: 80). {{< /text >}}
when your cluster has following policy:
{{< text yaml >}} apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: secure-httpbin namespace: default spec: targets: - name: httpbin origins: - jwt: issuer: "testing@secure.istio.io" jwksUri: "https://raw.githubusercontent.com/istio/istio-1.4/security/tools/jwt/samples/jwks.json" {{< /text >}}
that targets the following service:
{{< text yaml >}} apiVersion: v1 kind: Service metadata: name: httpbin namespace: default labels: app: httpbin spec: ports:
- name: svc-8080 port: 8080 targetPort: 80 protocol: TCP selector: app: httpbin {{< /text >}}
In this example, the port svc-8080 does follow the syntax: name: <http|https|http2>[-<suffix>].
How to resolve
- JWT authentication is only supported over http, https or http2. Rename the Service port name to conform with
<http|https|http2>[-<suffix>]