istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.1/docs/tasks/security/authn-policy/index.html

430 lines
89 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Authentication Policy"><meta name=description content="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication."><meta name=keywords content=microservices,services,mesh,security,authentication><meta property=og:title content="Authentication Policy"><meta property=og:type content=website><meta property=og:description content="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication."><meta property=og:url content=/v1.1/docs/tasks/security/authn-policy/><meta property=og:image content=/v1.1/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.1 / Authentication Policy</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.1/feed.xml><link rel="shortcut icon" href=/v1.1/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.1/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.1/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.1/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.1/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.1/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.1/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.1/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.1/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.1/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.1/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.1/css/all.css></head><body class="language-unknown archive-site"><script src=/v1.1/js/themes_init.min.js></script><script>const branchName="release-1.1";const docTitle="Authentication Policy";const iconFile="\/v1.1/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.1/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.1/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.1</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#hamburger"/></svg></div><div id=header-links><span title="Learn how to deploy, use, and operate Istio.">Docs</span>
<a title="Posts about using Istio." href=/v1.1/blog/2019/announcing-1.1.9/>Blog</a>
<a title="A bunch of resources to help you deploy, configure and use Istio." href=/v1.1/help/>Help</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.1/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/docs\/tasks\/security\/authn-policy\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/docs\/tasks\/security\/authn-policy\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.1/search.html>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card19 title="Learn about the different parts of the Istio system and the abstractions it uses." aria-controls=card19-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#concepts"/></svg>Concepts</button><div class=body aria-labelledby=card19 role=region id=card19-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card19><li role=none><a role=treeitem title="Introduces Istio, the problems it solves, its high-level architecture and design goals." href=/v1.1/docs/concepts/what-is-istio/>What is Istio?</a></li><li role=none><a role=treeitem title="Describes the various Istio features focused on traffic routing and control." href=/v1.1/docs/concepts/traffic-management/>Traffic Management</a></li><li role=none><a role=treeitem title="Describes Istio's authorization and authentication functionality." href=/v1.1/docs/concepts/security/>Security</a></li><li role=none><a role=treeitem title="Describes the policy enforcement and telemetry mechanisms." href=/v1.1/docs/concepts/policies-and-telemetry/>Policies and Telemetry</a></li><li role=none><a role=treeitem title="Introduces performance and scalability for Istio." href=/v1.1/docs/concepts/performance-and-scalability/>Performance and Scalability</a></li><li role=none><a role=treeitem title="Describes how a service mesh can be configured to include services from more than one cluster." href=/v1.1/docs/concepts/multicluster-deployments/>Multicluster Deployments</a></li></ul></div></div><div class=card><button class="header dynamic" id=card39 title="How to deploy and upgrade Istio in various environments such as Kubernetes and Consul." aria-controls=card39-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#setup"/></svg>Setup</button><div class=body aria-labelledby=card39 role=region id=card39-body><ul role=tree aria-expanded=true aria-labelledby=card39><li role=treeitem aria-label=Kubernetes><button aria-hidden=true></button><a title="Instructions for installing the Istio control plane on Kubernetes and adding virtual machines into the mesh." href=/v1.1/docs/setup/kubernetes/>Kubernetes</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Prepare><button aria-hidden=true></button><a title="Getting ready for Istio." href=/v1.1/docs/setup/kubernetes/prepare/>Prepare</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Prepare your Kubernetes pods and services to run in an Istio-enabled cluster." href=/v1.1/docs/setup/kubernetes/prepare/requirements/>Pods and Services</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an Azure cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to setup Docker For Desktop for use with Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/docker/>Docker For Desktop</a></li><li role=none><a role=treeitem title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to setup an IBM Cloud cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup Minikube for use with Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to setup an OpenShift cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to setup an OKE cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/oci/>Oracle Cloud Infrastructure</a></li></ul></li></ul></li><li role=none><a role=treeitem title="Download the Istio release and prepare for installation." href=/v1.1/docs/setup/kubernetes/download/>Download</a></li><li role=treeitem aria-label=Install><button aria-hidden=true></button><a title="Choose the flows that best suit your needs and platform." href=/v1.1/docs/setup/kubernetes/install/>Install</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Instructions to install and configure an Istio mesh in a Kubernetes cluster for evaluation." href=/v1.1/docs/setup/kubernetes/install/kubernetes/>Quick Start Evaluation Install</a></li><li role=none><a role=treeitem title="Instructions to install Istio using a Helm chart." href=/v1.1/docs/setup/kubernetes/install/helm/>Customizable Install with Helm</a></li><li role=treeitem aria-label="Multicluster Installation"><button aria-hidden=true></button><a title="Configure an Istio mesh spanning multiple Kubernetes clusters." href=/v1.1/docs/setup/kubernetes/install/multicluster/>Multicluster Installation</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters using Istio Gateway to reach remote pods." href=/v1.1/docs/setup/kubernetes/install/multicluster/gateways/>Gateway Connectivity</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with direct network access to remote pods." href=/v1.1/docs/setup/kubernetes/install/multicluster/vpn/>VPN Connectivity</a></li></ul></li><li role=treeitem aria-label="Platform-specific Instructions"><button aria-hidden=true></button><a title="Additional installation flows for the supported Kubernetes platforms." href=/v1.1/docs/setup/kubernetes/install/platform/>Platform-specific Instructions</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to install Istio using the Alibaba Cloud Kubernetes Container Service." href=/v1.1/docs/setup/kubernetes/install/platform/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to install Istio using the Google Kubernetes Engine (GKE)." href=/v1.1/docs/setup/kubernetes/install/platform/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to install Istio using IBM Cloud Public or IBM Cloud Private." href=/v1.1/docs/setup/kubernetes/install/platform/ibm/>IBM Cloud</a></li></ul></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true></button><a title="Information on upgrading Istio." href=/v1.1/docs/setup/kubernetes/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Important changes operators must understand before upgrading to Istio 1.1." href=/v1.1/docs/setup/kubernetes/upgrade/notice/>1.1 Upgrade Notice</a></li><li role=none><a role=treeitem title="Upgrade the Istio control plane and data plane independently." href=/v1.1/docs/setup/kubernetes/upgrade/steps/>Upgrade Steps</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true></button><a title="More information on additional setup tasks." href=/v1.1/docs/setup/kubernetes/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." href=/v1.1/docs/setup/kubernetes/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.1/docs/setup/kubernetes/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege." href=/v1.1/docs/setup/kubernetes/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></li><li role=none><a role=treeitem title="Integrate VMs and bare metal hosts into an Istio mesh deployed on Kubernetes." href=/v1.1/docs/setup/kubernetes/additional-setup/mesh-expansion/>Mesh Expansion</a></li></ul></li></ul></li><li role=treeitem aria-label="Nomad &amp; Consul"><button aria-hidden=true></button><a title="Instructions for installing the Istio control plane in a Consul based environment, with or without Nomad." href=/v1.1/docs/setup/consul/>Nomad &amp; Consul</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Quick Start instructions to setup the Istio service mesh with Docker Compose." href=/v1.1/docs/setup/consul/quick-start/>Quick Start on Docker</a></li><li role=none><a role=treeitem title="Instructions for installing the Istio control plane in a Consul-based environment, with or without Nomad." href=/v1.1/docs/setup/consul/install/>Installation</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card57 title="How to do single specific targeted activities with the Istio system." aria-controls=card57-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#tasks"/></svg>Tasks</button><div class="body default" aria-labelledby=card57 role=region id=card57-body><ul role=tree aria-expanded=true aria-labelledby=card57><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.1/docs/tasks/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." href=/v1.1/docs/tasks/traffic-management/request-routing/>Configuring Request Routing</a></li><li role=none><a role=treeitem title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.1/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li role=none><a role=treeitem title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.1/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li role=none><a role=treeitem title="Shows you how to migrate TCP traffic from an old to new version of a TCP service." href=/v1.1/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP Traffic Shifting</a></li><li role=none><a role=treeitem title="This task shows you how to setup request timeouts in Envoy using Istio." href=/v1.1/docs/tasks/traffic-management/request-timeouts/>Setting Request Timeouts</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to expose a service outside of the service mesh." href=/v1.1/docs/tasks/traffic-management/ingress/>Control Ingress Traffic</a></li><li role=treeitem aria-label="Securing Ingress Gateway"><button aria-hidden=true></button><a title="Secure ingress gateway controllers using various approaches." href=/v1.1/docs/tasks/traffic-management/secure-ingress/>Securing Ingress Gateway</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS." href=/v1.1/docs/tasks/traffic-management/secure-ingress/mount/>Securing Gateways with HTTPS With a File Mount-Based Approach</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to expose a service outside of the service mesh, over TLS or Mutual TLS, using secret discovery service." href=/v1.1/docs/tasks/traffic-management/secure-ingress/sds/>Securing Gateways with HTTPS Using Secret Discovery Service</a></li></ul></li><li role=none><a role=treeitem title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.1/docs/tasks/traffic-management/egress/>Control Egress Traffic</a></li><li role=none><a role=treeitem title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." href=/v1.1/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li role=none><a role=treeitem title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.1/docs/tasks/traffic-management/mirroring/>Mirroring</a></li></ul></li><li role=treeitem aria-label=Security><button class=show aria-hidden=true></button><a title="Demonstrates how to secure the mesh." href=/v1.1/docs/tasks/security/>Security</a><ul role=group aria-expanded=true class=leaf-section><li role=none><span role=treeitem class=current title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication.">Authentication Policy</span></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for HTTP services." href=/v1.1/docs/tasks/security/authz-http/>Authorization for HTTP Services</a></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for TCP services." href=/v1.1/docs/tasks/security/authz-tcp/>Authorization for TCP Services</a></li><li role=none><a role=treeitem title="Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio." href=/v1.1/docs/tasks/security/rbac-groups/>Authorization for groups and list claims</a></li><li role=none><a role=treeitem title="Shows how to use Authorization permissive mode." href=/v1.1/docs/tasks/security/authz-permissive/>Authorization permissive mode</a></li><li role=none><a role=treeitem title="This task shows you how to integrate a Vault Certificate Authority with Istio for mutual TLS." href=/v1.1/docs/tasks/security/vault-ca/>Istio Vault CA Integration</a></li><li role=none><a role=treeitem title="Shows you how to verify and test Istio's automatic mutual TLS authentication." href=/v1.1/docs/tasks/security/mutual-tls/>Mutual TLS Deep-Dive</a></li><li role=none><a role=treeitem title="Shows how operators can configure Citadel with existing root certificate, signing certificate and key." href=/v1.1/docs/tasks/security/plugin-ca-cert/>Plugging in External CA Key and Certificate</a></li><li role=none><a role=treeitem title="Shows how to enable Citadel health checking with Kubernetes." href=/v1.1/docs/tasks/security/health-check/>Citadel Health Checking</a></li><li role=none><a role=treeitem title="Shows how to enable SDS (secret discovery service) for Istio identity provisioning." href=/v1.1/docs/tasks/security/auth-sds/>Provisioning Identity through SDS</a></li><li role=none><a role=treeitem title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.1/docs/tasks/security/mtls-migration/>Mutual TLS Migration</a></li><li role=none><a role=treeitem title="Shows how to enable mutual TLS on HTTPS services." href=/v1.1/docs/tasks/security/https-overlay/>Mutual TLS over HTTPS</a></li></ul></li><li role=treeitem aria-label=Policies><button aria-hidden=true></button><a title="Demonstrates policy enforcement features." href=/v1.1/docs/tasks/policy-enforcement/>Policies</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to enable Istio policy enforcement." href=/v1.1/docs/tasks/policy-enforcement/enabling-policy/>Enabling Policy Enforcement</a></li><li role=none><a role=treeitem title="This task shows you how to use Istio to dynamically limit the traffic to a service." href=/v1.1/docs/tasks/policy-enforcement/rate-limiting/>Enabling Rate Limits</a></li><li role=none><a role=treeitem title="Shows how to modify request headers and routing using policy adapters." href=/v1.1/docs/tasks/policy-enforcement/control-headers/>Control Headers and Routing</a></li><li role=none><a role=treeitem title="Shows how to control access to a service using simple denials or white/black listing." href=/v1.1/docs/tasks/policy-enforcement/denial-and-list/>Denials and White/Black Listing</a></li></ul></li><li role=treeitem aria-label=Telemetry><button aria-hidden=true></button><a title="Demonstrates how to collect telemetry information from the mesh." href=/v1.1/docs/tasks/telemetry/>Telemetry</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Metrics><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh metrics." href=/v1.1/docs/tasks/telemetry/metrics/>Metrics</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize metrics." href=/v1.1/docs/tasks/telemetry/metrics/collecting-metrics/>Collecting Metrics</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect metrics for TCP services." href=/v1.1/docs/tasks/telemetry/metrics/tcp-metrics/>Collecting Metrics for TCP services</a></li><li role=none><a role=treeitem title="This task shows you how to query for Istio Metrics using Prometheus." href=/v1.1/docs/tasks/telemetry/metrics/querying-metrics/>Querying Metrics from Prometheus</a></li><li role=none><a role=treeitem title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href=/v1.1/docs/tasks/telemetry/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a></li></ul></li><li role=treeitem aria-label=Logs><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh logs." href=/v1.1/docs/tasks/telemetry/logs/>Logs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize logs." href=/v1.1/docs/tasks/telemetry/logs/collecting-logs/>Collecting Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Envoy proxies to print access log to their standard output." href=/v1.1/docs/tasks/telemetry/logs/access-log/>Getting Envoy&#39;s Access Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to log to a Fluentd daemon." href=/v1.1/docs/tasks/telemetry/logs/fluentd/>Logging with Fluentd</a></li></ul></li><li role=treeitem aria-label="Distributed Tracing"><button aria-hidden=true></button><a title="This task shows you how to configure Istio-enabled applications to collect trace spans." href=/v1.1/docs/tasks/telemetry/distributed-tracing/>Distributed Tracing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Overview of distributed tracing in Istio." href=/v1.1/docs/tasks/telemetry/distributed-tracing/overview/>Overview</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Jaeger." href=/v1.1/docs/tasks/telemetry/distributed-tracing/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Zipkin." href=/v1.1/docs/tasks/telemetry/distributed-tracing/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="How to configure the proxies to send tracing requests to LightStep." href=/v1.1/docs/tasks/telemetry/distributed-tracing/lightstep/>LightStep</a></li></ul></li><li role=none><a role=treeitem title="This task shows you how to visualize your services within an Istio mesh." href=/v1.1/docs/tasks/telemetry/kiali/>Visualizing Your Mesh</a></li><li role=none><a role=treeitem title="This task shows you how to configure external access to the set of Istio telemetry addons." href=/v1.1/docs/tasks/telemetry/gateways/>Remotely Accessing Telemetry Addons</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card72 title="A variety of fully working example uses for Istio that you can experiment with." aria-controls=card72-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#examples"/></svg>Examples</button><div class=body aria-labelledby=card72 role=region id=card72-body><ul role=tree aria-expanded=true aria-labelledby=card72><li role=none><a role=treeitem title="Deploys a sample application composed of four separate microservices used to demonstrate various Istio features." href=/v1.1/docs/examples/bookinfo/>Bookinfo Application</a></li><li role=none><a role=treeitem title="Explains how to manually integrate Google Cloud Endpoints services with Istio." href=/v1.1/docs/examples/endpoints/>Install Istio for Google Cloud Endpoints Services</a></li><li role=none><a role=treeitem title="Illustrates how to use Istio to control a Kubernetes cluster and raw VMs as a single mesh." href=/v1.1/docs/examples/integrating-vms/>Integrating Virtual Machines</a></li><li role=treeitem aria-label="Edge Traffic Management"><button aria-hidden=true></button><a title="A variety of advanced examples for managing traffic at the edge (i.e., ingress and egress traffic) of an Istio service mesh." href=/v1.1/docs/examples/advanced-gateways/>Edge Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure SNI passthrough for an ingress gateway." href=/v1.1/docs/examples/advanced-gateways/ingress-sni-passthrough/>Ingress Gateway without TLS Termination</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.1/docs/examples/advanced-gateways/egress-tls-origination/>TLS Origination for Egress Traffic</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." href=/v1.1/docs/examples/advanced-gateways/egress-gateway/>Configure an Egress Gateway</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services." href=/v1.1/docs/examples/advanced-gateways/egress-gateway-tls-origination/>Egress Gateway with TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately." href=/v1.1/docs/examples/advanced-gateways/wildcard-egress-hosts/>Configure Egress Traffic using Wildcard Hosts</a></li><li role=none><a role=treeitem title="Describes how to configure SNI monitoring and apply policies on TLS egress traffic." href=/v1.1/docs/examples/advanced-gateways/egress_sni_monitoring_and_policies/>SNI Monitoring and Policies for TLS Egress Traffic</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to let applications use an external HTTPS proxy." href=/v1.1/docs/examples/advanced-gateways/http-proxy/>Connect to an External HTTPS Proxy</a></li><li role=none><a role=treeitem title="Demonstrates how to obtain Let's Encrypt TLS certificates for Kubernetes Ingress automatically using Cert-Manager." href=/v1.1/docs/examples/advanced-gateways/ingress-certmgr/>Securing Kubernetes Ingress with Cert-Manager</a></li></ul></li><li role=treeitem aria-label="Multicluster Service Mesh"><button aria-hidden=true></button><a title="A variety of fully working multicluster examples for Istio that you can experiment with." href=/v1.1/docs/examples/multicluster/>Multicluster Service Mesh</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuring remote services in a gateway-connected multicluster mesh." href=/v1.1/docs/examples/multicluster/gateways/>Gateway-Connected Clusters</a></li><li role=none><a role=treeitem title="Set up a multicluster mesh over two GKE clusters." href=/v1.1/docs/examples/multicluster/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Example multicluster mesh over two IBM Cloud Private clusters." href=/v1.1/docs/examples/multicluster/icp/>IBM Cloud Private</a></li><li role=none><a role=treeitem title="Multicluster mesh between IBM Cloud Kubernetes Service and IBM Cloud Private." href=/v1.1/docs/examples/multicluster/iks-icp/>IBM Cloud Kubernetes Service &amp; IBM Cloud Private</a></li><li role=none><a role=treeitem title="Leveraging Istio's Split-horizon EDS to create a multicluster mesh." href=/v1.1/docs/examples/multicluster/split-horizon-eds/>Cluster-Aware Service Routing</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card106 title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." aria-controls=card106-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#reference"/></svg>Reference</button><div class=body aria-labelledby=card106 role=region id=card106-body><ul role=tree aria-expanded=true aria-labelledby=card106><li role=treeitem aria-label=Configuration><button aria-hidden=true></button><a title="Detailed information on configuration options." href=/v1.1/docs/reference/config/>Configuration</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Describes how to configure HTTP/TCP routing features." href=/v1.1/docs/reference/config/networking/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration affecting load balancing, outlier detection, etc." href=/v1.1/docs/reference/config/networking/v1alpha3/destination-rule/>Destination Rule</a></li><li role=none><a role=treeitem title="Configuration affecting insertion of custom Envoy filters." href=/v1.1/docs/reference/config/networking/v1alpha3/envoy-filter/>Envoy Filter</a></li><li role=none><a role=treeitem title="Configuration affecting edge load balancer." href=/v1.1/docs/reference/config/networking/v1alpha3/gateway/>Gateway</a></li><li role=none><a role=treeitem title="Configuration affecting service registry." href=/v1.1/docs/reference/config/networking/v1alpha3/service-entry/>Service Entry</a></li><li role=none><a role=treeitem title="Configuration affecting network reachability of a sidecar." href=/v1.1/docs/reference/config/networking/v1alpha3/sidecar/>Sidecar</a></li><li role=none><a role=treeitem title="Configuration affecting label/content routing, sni routing, etc." href=/v1.1/docs/reference/config/networking/v1alpha3/virtual-service/>Virtual Service</a></li></ul></li><li role=treeitem aria-label=Authorization><button aria-hidden=true></button><a title="Describes how to configure Istio's authorization features." href=/v1.1/docs/reference/config/authorization/>Authorization</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the supported constraints and properties." href=/v1.1/docs/reference/config/authorization/constraints-and-properties/>Constraints and Properties</a></li><li role=none><a role=treeitem title="Configuration for Role Based Access Control." href=/v1.1/docs/reference/config/authorization/istio.rbac.v1alpha1/>RBAC</a></li></ul></li><li role=none><a role=treeitem title="Describes the options available when installing Istio using the included Helm chart." href=/v1.1/docs/reference/config/installation-options/>Installation Options</a></li><li role=none><a role=treeitem title="Details the Helm chart installation options differences between release-1.0 and release-1.1." href=/v1.1/docs/reference/config/installation-options-changes/>Installation Options Changes</a></li><li role=treeitem aria-label="Policies and Telemetry"><button aria-hidden=true></button><a title="Describes how to configure Istio's policy and telemetry features." href=/v1.1/docs/reference/config/policy-and-telemetry/>Policies and Telemetry</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Describes the base attribute vocabulary used for policy and control." href=/v1.1/docs/reference/config/policy-and-telemetry/attribute-vocabulary/>Attribute Vocabulary</a></li><li role=none><a role=treeitem title="Mixer configuration expression language reference." href=/v1.1/docs/reference/config/policy-and-telemetry/expression-language/>Expression Language</a></li><li role=treeitem aria-label=Adapters><button aria-hidden=true></button><a title="Mixer adapters allow Istio to interface to a variety of infrastructure backends for such things as metrics and logs." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/>Adapters</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Adapter to deliver metrics to Apache SkyWalking." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/apache-skywalking/>Apache SkyWalking</a></li><li role=none><a role=treeitem title="Adapter for Apigee's distributed policy checks and analytics." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/apigee/>Apigee</a></li><li role=none><a role=treeitem title="Adapter for circonus.com's monitoring solution." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/circonus/>Circonus</a></li><li role=none><a role=treeitem title="Adapter for cloudmonitor metrics." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/cloudmonitor/>CloudMonitor</a></li><li role=none><a role=treeitem title="Adapter for cloudwatch metrics." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/>CloudWatch</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a dogstatsd agent for delivery to DataDog." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/datadog/>Datadog</a></li><li role=none><a role=treeitem title="Adapter that always returns a precondition denial." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/denier/>Denier</a></li><li role=none><a role=treeitem title="Adapter that delivers logs to a Fluentd daemon." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/fluentd/>Fluentd</a></li><li role=none><a role=treeitem title="Adapter that extracts information from a Kubernetes environment." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/kubernetesenv/>Kubernetes Env</a></li><li role=none><a role=treeitem title="Adapter that performs whitelist or blacklist checks." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/list/>List</a></li><li role=none><a role=treeitem title="Adapter for a simple in-memory quota management system." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/memquota/>Memory quota</a></li><li role=none><a role=treeitem title="Adapter that implements an Open Policy Agent engine." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/opa/>OPA</a></li><li role=none><a role=treeitem title="Adapter that exposes Istio metrics for ingestion by a Prometheus harvester." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/prometheus/>Prometheus</a></li><li role=none><a role=treeitem title="Adapter for a Redis-based quota management system." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/redisquota/>Redis Quota</a></li><li role=none><a role=treeitem title="Adapter that sends metrics to SignalFx." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/signalfx/>SignalFx</a></li><li role=none><a role=treeitem title="Adapter to deliver logs and metrics to Papertrail and AppOptics backends." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/solarwinds/>SolarWinds</a></li><li role=none><a role=treeitem title="Adapter to deliver logs, metrics, and traces to Stackdriver." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/stackdriver/>Stackdriver</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a StatsD backend." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/statsd/>StatsD</a></li><li role=none><a role=treeitem title="Adapter to locally output logs and metrics." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/stdio/>Stdio</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to Wavefront by VMware." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/wavefront/>Wavefront by VMware</a></li><li role=none><a role=treeitem title="Adapter to deliver tracing data to Zipkin." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/zipkin/>Zipkin</a></li></ul></li><li role=none><a role=treeitem title="Default Metrics exported from Istio through Mixer." href=/v1.1/docs/reference/config/policy-and-telemetry/metrics/>Default Metrics</a></li><li role=treeitem aria-label=Templates><button aria-hidden=true></button><a title="Mixer templates are used to send data to individual adapters." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/>Templates</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="A template that represents a single API key." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/apikey/>API Key</a></li><li role=none><a role=treeitem title="The Analytics template is used to dispatch runtime telemetry to Apigee." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/analytics/>Analytics</a></li><li role=none><a role=treeitem title="A template used to represent an access control query." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/authorization/>Authorization</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/checknothing/>Check Nothing</a></li><li role=none><a role=treeitem title="A template designed to report observed communication edges between workloads." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/edge/>Edge</a></li><li role=none><a role=treeitem title="A template that is used to control the production of Kubernetes-specific attributes." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/kubernetes/>Kubernetes</a></li><li role=none><a role=treeitem title="A template designed to let you perform list checking operations." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/listentry/>List Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime log entry." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/logentry/>Log Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime metric." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/metric/>Metric</a></li><li role=none><a role=treeitem title="A template that represents a quota allocation request." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/quota/>Quota</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/reportnothing/>Report Nothing</a></li><li role=none><a role=treeitem title="A template that represents an individual span within a distributed trace." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/tracespan/>Trace Span</a></li></ul></li><li role=none><a role=treeitem title="Configuration state for the Mixer client library." href=/v1.1/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/>Mixer Client</a></li><li role=none><a role=treeitem title="Describes the rules used to configure Mixer's policy and telemetry features." href=/v1.1/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/>Rules</a></li></ul></li><li role=none><a role=treeitem title="Authentication policy for Istio services." href=/v1.1/docs/reference/config/istio.authentication.v1alpha1/>Authentication Policy</a></li><li role=none><a role=treeitem title="Configuration affecting the service mesh as a whole." href=/v1.1/docs/reference/config/istio.mesh.v1alpha1/>Service Mesh</a></li></ul></li><li role=treeitem aria-label=Commands><button aria-hidden=true></button><a title="Describes usage and options of the Istio commands and utilities." href=/v1.1/docs/reference/commands/>Commands</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Galley provides configuration management services for Istio." href=/v1.1/docs/reference/commands/galley/>galley</a></li><li role=none><a role=treeitem title="Istio Certificate Authority (CA)." href=/v1.1/docs/reference/commands/istio_ca/>istio_ca</a></li><li role=none><a role=treeitem title="Istio control interface." href=/v1.1/docs/reference/commands/istioctl/>istioctl</a></li><li role=none><a role=treeitem title="Utility to trigger direct calls to Mixer's API." href=/v1.1/docs/reference/commands/mixc/>mixc</a></li><li role=none><a role=treeitem title="Mixer is Istio's abstraction on top of infrastructure backends." href=/v1.1/docs/reference/commands/mixs/>mixs</a></li><li role=none><a role=treeitem title="Istio security per-node agent." href=/v1.1/docs/reference/commands/node_agent/>node_agent</a></li><li role=none><a role=treeitem title="Istio Pilot agent." href=/v1.1/docs/reference/commands/pilot-agent/>pilot-agent</a></li><li role=none><a role=treeitem title="Istio Pilot." href=/v1.1/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li><li role=none><a role=treeitem title="Kubernetes webhook for automatic Istio sidecar injection." href=/v1.1/docs/reference/commands/sidecar-injector/>sidecar-injector</a></li></ul></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.1/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.1/docs/ title="Learn how to deploy, use, and operate Istio.">Docs</a></li><li><a href=/v1.1/docs/tasks/ title="How to do single specific targeted activities with the Istio system.">Tasks</a></li><li><a href=/v1.1/docs/tasks/security/ title="Demonstrates how to secure the mesh.">Security</a></li><li>Authentication Policy</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>Authentication Policy</h1><p class=byline><span title="3443 words"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#clock"/></svg><span>&nbsp;</span>17 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Before you begin"><a href=#before-you-begin>Before you begin</a><ol><li role=none aria-label=Setup><a href=#setup>Setup</a></ol></li><li role=none aria-label="Globally enabling Istio mutual TLS"><a href=#globally-enabling-istio-mutual-tls>Globally enabling Istio mutual TLS</a><ol><li role=none aria-label="Request from non-Istio services to Istio services"><a href=#request-from-non-istio-services-to-istio-services>Request from non-Istio services to Istio services</a><li role=none aria-label="Request from Istio services to non-Istio services"><a href=#request-from-istio-services-to-non-istio-services>Request from Istio services to non-Istio services</a><li role=none aria-label="Request from Istio services to Kubernetes API server"><a href=#request-from-istio-services-to-kubernetes-api-server>Request from Istio services to Kubernetes API server</a><li role=none aria-label="Cleanup part 1"><a href=#cleanup-part-1>Cleanup part 1</a></ol></li><li role=none aria-label="Enable mutual TLS per namespace or service"><a href=#enable-mutual-tls-per-namespace-or-service>Enable mutual TLS per namespace or service</a><ol><li role=none aria-label="Namespace-wide policy"><a href=#namespace-wide-policy>Namespace-wide policy</a><li role=none aria-label="Service-specific policy"><a href=#service-specific-policy>Service-specific policy</a><li role=none aria-label="Policy precedence"><a href=#policy-precedence>Policy precedence</a><li role=none aria-label="Cleanup part 2"><a href=#cleanup-part-2>Cleanup part 2</a></ol></li><li role=none aria-label="End-user authentication"><a href=#end-user-authentication>End-user authentication</a><ol><li role=none aria-label="End-user authentication with per-path requirements"><a href=#end-user-authentication-with-per-path-requirements>End-user authentication with per-path requirements</a><ol><li role=none aria-label="Disable End-user authentication for specific paths"><a href=#disable-end-user-authentication-for-specific-paths>Disable End-user authentication for specific paths</a><li role=none aria-label="Enable End-user authentication for specific paths"><a href=#enable-end-user-authentication-for-specific-paths>Enable End-user authentication for specific paths</a></ol></li><li role=none aria-label="End-user authentication with mutual TLS"><a href=#end-user-authentication-with-mutual-tls>End-user authentication with mutual TLS</a><li role=none aria-label="Cleanup part 3"><a href=#cleanup-part-3>Cleanup part 3</a></ol></li><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>This task covers the primary activities you might need to perform when enabling, configuring, and using Istio authentication policies. Find out more about
the underlying concepts in the <a href=/v1.1/docs/concepts/security/#authentication>authentication overview</a>.</p><h2 id=before-you-begin>Before you begin</h2><ul><li><p>Understand Istio <a href=/v1.1/docs/concepts/security/#authentication-policies>authentication policy</a> and related
<a href=/v1.1/docs/concepts/security/#mutual-tls-authentication>mutual TLS authentication</a> concepts.</p></li><li><p>Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (e.g use <code>install/kubernetes/istio-demo.yaml</code> as described in
<a href=/v1.1/docs/setup/kubernetes/install/kubernetes/#installation-steps>installation steps</a>, or set <code>global.mtls.enabled</code> to false using
<a href=/v1.1/docs/setup/kubernetes/install/helm/>Helm</a>).</p></li></ul><h3 id=setup>Setup</h3><p>Our examples use two namespaces <code>foo</code> and <code>bar</code>, with two services, <code>httpbin</code> and <code>sleep</code>, both running with an Envoy sidecar proxy. We also use second
instances of <code>httpbin</code> and <code>sleep</code> running without the sidecar in the <code>legacy</code> namespace. If youd like to use the same examples when trying the tasks,
run the following:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/sleep/sleep.yaml>Zip</a><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/httpbin/httpbin.yaml>Zip</a><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/sleep/sleep.yaml>Zip</a><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/httpbin/httpbin.yaml>Zip</a><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/sleep/sleep.yaml>Zip</a><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/httpbin/httpbin.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true>$ kubectl create ns foo
$ kubectl apply -f &lt;(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n foo
$ kubectl apply -f &lt;(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n foo
$ kubectl create ns bar
$ kubectl apply -f &lt;(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n bar
$ kubectl apply -f &lt;(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n bar
$ kubectl create ns legacy
$ kubectl apply -f @samples/httpbin/httpbin.yaml@ -n legacy
$ kubectl apply -f @samples/sleep/sleep.yaml@ -n legacy
</code></pre></div><p>You can verify setup by sending an HTTP request with <code>curl</code> from any <code>sleep</code> pod in the namespace <code>foo</code>, <code>bar</code> or <code>legacy</code> to either <code>httpbin.foo</code>,
<code>httpbin.bar</code> or <code>httpbin.legacy</code>. All requests should succeed with HTTP code 200.</p><p>For example, here is a command to check <code>sleep.bar</code> to <code>httpbin.foo</code> reachability:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl exec $(kubectl get pod -l app=sleep -n bar -o jsonpath={.items..metadata.name}) -c sleep -n bar -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w &#34;%{http_code}\n&#34;
200
</code></pre><p>This one-liner command conveniently iterates through all reachability combinations:</p><pre><code class=language-bash data-expandlinks=true>$ for from in &#34;foo&#34; &#34;bar&#34; &#34;legacy&#34;; do for to in &#34;foo&#34; &#34;bar&#34; &#34;legacy&#34;; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl &#34;http://httpbin.${to}:8000/ip&#34; -s -o /dev/null -w &#34;sleep.${from} to httpbin.${to}: %{http_code}\n&#34;; done; done
sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 200
sleep.foo to httpbin.legacy: 200
sleep.bar to httpbin.foo: 200
sleep.bar to httpbin.bar: 200
sleep.bar to httpbin.legacy: 200
sleep.legacy to httpbin.foo: 200
sleep.legacy to httpbin.bar: 200
sleep.legacy to httpbin.legacy: 200
</code></pre><p>You should also verify that there is a default mesh authentication policy in the system, which you can do as follows:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl get policies.authentication.istio.io --all-namespaces
No resources found.
</code></pre><pre><code class=language-bash data-expandlinks=true>$ kubectl get meshpolicies.authentication.istio.io
NAME AGE
default 3m
</code></pre><p>Last but not least, verify that there are no destination rules that apply on the example services. You can do this by checking the <code>host:</code> value of
existing destination rules and make sure they do not match. For example:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl get destinationrules.networking.istio.io --all-namespaces -o yaml | grep &#34;host:&#34;
host: istio-policy.istio-system.svc.cluster.local
host: istio-telemetry.istio-system.svc.cluster.local
</code></pre><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-tip"/></svg></div><div class=content>Depending on the version of Istio, you may see destination rules for hosts other then those shown. However, there should be none with hosts in the <code>foo</code>,
<code>bar</code> and <code>legacy</code> namespace, nor is the match-all wildcard <code>*</code></div></aside></div><h2 id=globally-enabling-istio-mutual-tls>Globally enabling Istio mutual TLS</h2><p>To set a mesh-wide authentication policy that enables mutual TLS, submit <em>mesh authentication policy</em> like below:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;MeshPolicy&#34;
metadata:
name: &#34;default&#34;
spec:
peers:
- mtls: {}
EOF
</code></pre><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-tip"/></svg></div><div class=content>The mesh authentication policy uses the <a href=/v1.1/docs/reference/config/istio.authentication.v1alpha1/>regular authentication policy API</a>
it is defined in the cluster-scoped <code>MeshPolicy</code> CRD.</div></aside></div><p>This policy specifies that all workloads in the mesh will only accept encrypted requests using TLS. As you can see, this authentication policy has the kind:
<code>MeshPolicy</code>. The name of the policy must be <code>default</code>, and it contains no <code>targets</code> specification (as it is intended to apply to all services in the mesh).</p><p>At this point, only the receiving side is configured to use mutual TLS. If you run the <code>curl</code> command between <em>Istio services</em> (i.e those with sidecars), all
requests will fail with a 503 error code as the client side is still using plain-text.</p><pre><code class=language-bash data-expandlinks=true>$ for from in &#34;foo&#34; &#34;bar&#34;; do for to in &#34;foo&#34; &#34;bar&#34;; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl &#34;http://httpbin.${to}:8000/ip&#34; -s -o /dev/null -w &#34;sleep.${from} to httpbin.${to}: %{http_code}\n&#34;; done; done
sleep.foo to httpbin.foo: 503
sleep.foo to httpbin.bar: 503
sleep.bar to httpbin.foo: 503
sleep.bar to httpbin.bar: 503
</code></pre><p>To configure the client side, you need to set <a href=/v1.1/docs/concepts/traffic-management/#rule-destinations>destination rules</a> to use mutual TLS. It&rsquo;s possible to use
multiple destination rules, one for each applicable service (or namespace). However, it&rsquo;s more convenient to use a rule with the <code>*</code> wildcard to match all
services so that it is on par with the mesh-wide authentication policy.</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: &#34;networking.istio.io/v1alpha3&#34;
kind: &#34;DestinationRule&#34;
metadata:
name: &#34;default&#34;
namespace: &#34;istio-system&#34;
spec:
host: &#34;*.local&#34;
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
EOF
</code></pre><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-tip"/></svg></div><div class=content><ul><li>Starting with Istio 1.1, only destination rules in the client namespace, server namespace and <code>global</code> namespace (default is <code>istio-system</code>) will be considered for a service, in that order.</li><li>Host value <code>*.local</code> to limit matches only to services in cluster, as opposed to external services. Also note, there is no restriction on the name or
namespace for destination rule.</li><li>With <code>ISTIO_MUTUAL</code> TLS mode, Istio will set the path for key and certificates (e.g client certificate, private key and CA certificates) according to
its internal implementation.</li></ul></div></aside></div><p>Dont forget that destination rules are also used for non-auth reasons such as setting up canarying, but the same order of precedence applies. So if a service
requires a specific destination rule for any reason - for example, for a configuration load balancer - the rule must contain a similar TLS block with
<code>ISTIO_MUTUAL</code> mode, as otherwise it will override the mesh- or namespace-wide TLS settings and disable TLS.</p><p>Re-running the testing command as above, you will see all requests between Istio-services are now completed successfully:</p><pre><code class=language-bash data-expandlinks=true>$ for from in &#34;foo&#34; &#34;bar&#34;; do for to in &#34;foo&#34; &#34;bar&#34;; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl &#34;http://httpbin.${to}:8000/ip&#34; -s -o /dev/null -w &#34;sleep.${from} to httpbin.${to}: %{http_code}\n&#34;; done; done
sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 200
sleep.bar to httpbin.foo: 200
sleep.bar to httpbin.bar: 200
</code></pre><h3 id=request-from-non-istio-services-to-istio-services>Request from non-Istio services to Istio services</h3><p>The non-Istio service, e.g <code>sleep.legacy</code> doesn&rsquo;t have a sidecar, so it cannot initiate the required TLS connection to Istio services. As a result,
requests from <code>sleep.legacy</code> to <code>httpbin.foo</code> or <code>httpbin.bar</code> will fail:</p><pre><code class=language-bash data-expandlinks=true>$ for from in &#34;legacy&#34;; do for to in &#34;foo&#34; &#34;bar&#34;; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl &#34;http://httpbin.${to}:8000/ip&#34; -s -o /dev/null -w &#34;sleep.${from} to httpbin.${to}: %{http_code}\n&#34;; done; done
sleep.legacy to httpbin.foo: 000
command terminated with exit code 56
sleep.legacy to httpbin.bar: 000
command terminated with exit code 56
</code></pre><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-tip"/></svg></div><div class=content>Due to the way Envoy rejects plain-text requests, you will see <code>curl</code> exit code 56 (failure with receiving network data) in this case.</div></aside></div><p>This works as intended, and unfortunately, there is no solution for this without reducing authentication requirements for these services.</p><h3 id=request-from-istio-services-to-non-istio-services>Request from Istio services to non-Istio services</h3><p>Try to send requests to <code>httpbin.legacy</code> from <code>sleep.foo</code> (or <code>sleep.bar</code>). You will see requests fail as Istio configures clients as instructed in our
destination rule to use mutual TLS, but <code>httpbin.legacy</code> does not have a sidecar so it&rsquo;s unable to handle it.</p><pre><code class=language-bash data-expandlinks=true>$ for from in &#34;foo&#34; &#34;bar&#34;; do for to in &#34;legacy&#34;; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl &#34;http://httpbin.${to}:8000/ip&#34; -s -o /dev/null -w &#34;sleep.${from} to httpbin.${to}: %{http_code}\n&#34;; done; done
sleep.foo to httpbin.legacy: 503
sleep.bar to httpbin.legacy: 503
</code></pre><p>To fix this issue, we can add a destination rule to overwrite the TLS setting for <code>httpbin.legacy</code>. For example:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: &#34;httpbin-legacy&#34;
namespace: &#34;legacy&#34;
spec:
host: &#34;httpbin.legacy.svc.cluster.local&#34;
trafficPolicy:
tls:
mode: DISABLE
EOF
</code></pre><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-tip"/></svg></div><div class=content>This destination rule is in the namespace of the server (<code>httpbin.legacy</code>), so it will be preferred over the global destination rule defined in <code>istio-system</code></div></aside></div><h3 id=request-from-istio-services-to-kubernetes-api-server>Request from Istio services to Kubernetes API server</h3><p>The Kubernetes API server doesn&rsquo;t have a sidecar, thus request from Istio services such as <code>sleep.foo</code> will fail due to the same problem as when sending
requests to any non-Istio service.</p><pre><code class=language-bash data-expandlinks=true>$ TOKEN=$(kubectl describe secret $(kubectl get secrets | grep default-token | cut -f1 -d &#39; &#39; | head -1) | grep -E &#39;^token&#39; | cut -f2 -d&#39;:&#39; | tr -d &#39;\t&#39;)
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- curl https://kubernetes.default/api --header &#34;Authorization: Bearer $TOKEN&#34; --insecure -s -o /dev/null -w &#34;%{http_code}\n&#34;
000
command terminated with exit code 35
</code></pre><p>Again, we can correct this by overriding the destination rule for the API server (<code>kubernetes.default</code>)</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: &#34;api-server&#34;
namespace: istio-system
spec:
host: &#34;kubernetes.default.svc.cluster.local&#34;
trafficPolicy:
tls:
mode: DISABLE
EOF
</code></pre><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-tip"/></svg></div><div class=content>This rule, along with the global authentication policy and destination rule, above,
is automatically injected into the system when you install Istio with mutual TLS enabled.</div></aside></div><p>Re-run the testing command above to confirm that it returns 200 after the rule is added:</p><pre><code class=language-bash data-expandlinks=true>$ TOKEN=$(kubectl describe secret $(kubectl get secrets | grep default-token | cut -f1 -d &#39; &#39; | head -1) | grep -E &#39;^token&#39; | cut -f2 -d&#39;:&#39; | tr -d &#39;\t&#39;)
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- curl https://kubernetes.default/api --header &#34;Authorization: Bearer $TOKEN&#34; --insecure -s -o /dev/null -w &#34;%{http_code}\n&#34;
200
</code></pre><h3 id=cleanup-part-1>Cleanup part 1</h3><p>Remove global authentication policy and destination rules added in the session:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl delete meshpolicy default
$ kubectl delete destinationrules httpbin-legacy -n legacy
$ kubectl delete destinationrules api-server -n istio-system
</code></pre><h2 id=enable-mutual-tls-per-namespace-or-service>Enable mutual TLS per namespace or service</h2><p>In addition to specifying an authentication policy for your entire mesh, Istio also lets you specify policies for particular namespaces or services. A
namespace-wide policy takes precedence over the mesh-wide policy, while a service-specific policy has higher precedence still.</p><h3 id=namespace-wide-policy>Namespace-wide policy</h3><p>The example below shows the policy to enable mutual TLS for all services in namespace <code>foo</code>. As you can see, it uses kind: &ldquo;Policy” rather than &ldquo;MeshPolicy”,
and specifies a namespace, in this case, <code>foo</code>. If you dont specify a namespace value the policy will apply to the default namespace.</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;Policy&#34;
metadata:
name: &#34;default&#34;
namespace: &#34;foo&#34;
spec:
peers:
- mtls: {}
EOF
</code></pre><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-tip"/></svg></div><div class=content>Similar to <em>mesh-wide policy</em>, namespace-wide policy must be named <code>default</code>, and doesn&rsquo;t restrict any specific service (no <code>targets</code> section)</div></aside></div><p>Add corresponding destination rule:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: &#34;networking.istio.io/v1alpha3&#34;
kind: &#34;DestinationRule&#34;
metadata:
name: &#34;default&#34;
namespace: &#34;foo&#34;
spec:
host: &#34;*.foo.svc.cluster.local&#34;
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
EOF
</code></pre><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-tip"/></svg></div><div class=content>Host <code>*.foo.svc.cluster.local</code> limits the matches to services in <code>foo</code> namespace only.</div></aside></div><p>As these policy and destination rule are applied on services in namespace <code>foo</code> only, you should see only request from client-without-sidecar (<code>sleep.legacy</code>) to <code>httpbin.foo</code> start to fail.</p><pre><code class=language-bash data-expandlinks=true>$ for from in &#34;foo&#34; &#34;bar&#34; &#34;legacy&#34;; do for to in &#34;foo&#34; &#34;bar&#34; &#34;legacy&#34;; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl &#34;http://httpbin.${to}:8000/ip&#34; -s -o /dev/null -w &#34;sleep.${from} to httpbin.${to}: %{http_code}\n&#34;; done; done
sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 200
sleep.foo to httpbin.legacy: 200
sleep.bar to httpbin.foo: 200
sleep.bar to httpbin.bar: 200
sleep.bar to httpbin.legacy: 200
sleep.legacy to httpbin.foo: 000
command terminated with exit code 56
sleep.legacy to httpbin.bar: 200
sleep.legacy to httpbin.legacy: 200
</code></pre><h3 id=service-specific-policy>Service-specific policy</h3><p>You can also set authentication policy and destination rule for a specific service. Run this command to set another policy only for <code>httpbin.bar</code> service.</p><pre><code class=language-bash data-expandlinks=true>$ cat &lt;&lt;EOF | kubectl apply -n bar -f -
apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;Policy&#34;
metadata:
name: &#34;httpbin&#34;
spec:
targets:
- name: httpbin
peers:
- mtls: {}
EOF
</code></pre><p>And a destination rule:</p><pre><code class=language-bash data-expandlinks=true>$ cat &lt;&lt;EOF | kubectl apply -n bar -f -
apiVersion: &#34;networking.istio.io/v1alpha3&#34;
kind: &#34;DestinationRule&#34;
metadata:
name: &#34;httpbin&#34;
spec:
host: &#34;httpbin.bar.svc.cluster.local&#34;
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
EOF
</code></pre><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-tip"/></svg></div><div class=content><ul><li>In this example, we do <strong>not</strong> specify namespace in metadata but put it in the command line (<code>-n bar</code>), which has an identical effect.</li><li>There is no restriction on the authentication policy and destination rule name. This example uses the name of the service itself for simplicity.</li></ul></div></aside></div><p>Again, run the probing command. As expected, request from <code>sleep.legacy</code> to <code>httpbin.bar</code> starts failing with the same reasons.</p><pre><code class=language-plain data-expandlinks=true>...
sleep.legacy to httpbin.bar: 000
command terminated with exit code 56
</code></pre><p>If we have more services in namespace <code>bar</code>, we should see traffic to them won&rsquo;t be affected. Instead of adding more services to demonstrate this behavior,
we edit the policy slightly to apply on a specific port:</p><pre><code class=language-bash data-expandlinks=true>$ cat &lt;&lt;EOF | kubectl apply -n bar -f -
apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;Policy&#34;
metadata:
name: &#34;httpbin&#34;
spec:
targets:
- name: httpbin
ports:
- number: 1234
peers:
- mtls: {}
EOF
</code></pre><p>And a corresponding change to the destination rule:</p><pre><code class=language-bash data-expandlinks=true>$ cat &lt;&lt;EOF | kubectl apply -n bar -f -
apiVersion: &#34;networking.istio.io/v1alpha3&#34;
kind: &#34;DestinationRule&#34;
metadata:
name: &#34;httpbin&#34;
spec:
host: httpbin.bar.svc.cluster.local
trafficPolicy:
tls:
mode: DISABLE
portLevelSettings:
- port:
number: 1234
tls:
mode: ISTIO_MUTUAL
EOF
</code></pre><p>This new policy will apply only to the <code>httpbin</code> service on port <code>1234</code>. As a result, mutual TLS is disabled (again) on port <code>8000</code> and requests from
<code>sleep.legacy</code> will resume working.</p><pre><code class=language-bash data-expandlinks=true>$ kubectl exec $(kubectl get pod -l app=sleep -n legacy -o jsonpath={.items..metadata.name}) -c sleep -n legacy -- curl http://httpbin.bar:8000/ip -s -o /dev/null -w &#34;%{http_code}\n&#34;
200
</code></pre><h3 id=policy-precedence>Policy precedence</h3><p>To illustrate how a service-specific policy takes precedence over namespace-wide policy, you can add a policy to disable mutual TLS for <code>httpbin.foo</code> as below.
Note that you&rsquo;ve already created a namespace-wide policy that enables mutual TLS for all services in namespace <code>foo</code> and observe that requests from
<code>sleep.legacy</code> to <code>httpbin.foo</code> are failing (see above).</p><pre><code class=language-bash data-expandlinks=true>$ cat &lt;&lt;EOF | kubectl apply -n foo -f -
apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;Policy&#34;
metadata:
name: &#34;overwrite-example&#34;
spec:
targets:
- name: httpbin
EOF
</code></pre><p>and destination rule:</p><pre><code class=language-bash data-expandlinks=true>$ cat &lt;&lt;EOF | kubectl apply -n foo -f -
apiVersion: &#34;networking.istio.io/v1alpha3&#34;
kind: &#34;DestinationRule&#34;
metadata:
name: &#34;overwrite-example&#34;
spec:
host: httpbin.foo.svc.cluster.local
trafficPolicy:
tls:
mode: DISABLE
EOF
</code></pre><p>Re-running the request from <code>sleep.legacy</code>, you should see a success return code again (200), confirming service-specific policy overrides the namespace-wide policy.</p><pre><code class=language-bash data-expandlinks=true>$ kubectl exec $(kubectl get pod -l app=sleep -n legacy -o jsonpath={.items..metadata.name}) -c sleep -n legacy -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w &#34;%{http_code}\n&#34;
200
</code></pre><h3 id=cleanup-part-2>Cleanup part 2</h3><p>Remove policies and destination rules created in the above steps:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl delete policy default overwrite-example -n foo
$ kubectl delete policy httpbin -n bar
$ kubectl delete destinationrules default overwrite-example -n foo
$ kubectl delete destinationrules httpbin -n bar
</code></pre><h2 id=end-user-authentication>End-user authentication</h2><p>To experiment with this feature, you need a valid JWT. The JWT must correspond to the JWKS endpoint you want to use for the demo. In
this tutorial, we use this <a href=https://raw.githubusercontent.com/istio/istio/release-1.1/security/tools/jwt/samples/demo.jwt>JWT test</a> and this
<a href=https://raw.githubusercontent.com/istio/istio/release-1.1/security/tools/jwt/samples/jwks.json>JWKS endpoint</a> from the Istio code base.</p><p>Also, for convenience, expose <code>httpbin.foo</code> via <code>ingressgateway</code> (for more details, see the <a href=/v1.1/docs/tasks/traffic-management/ingress/>ingress task</a>).</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: httpbin-gateway
namespace: foo
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- &#34;*&#34;
EOF
</code></pre><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: httpbin
namespace: foo
spec:
hosts:
- &#34;*&#34;
gateways:
- httpbin-gateway
http:
- route:
- destination:
port:
number: 8000
host: httpbin.foo.svc.cluster.local
EOF
</code></pre><p>Get ingress IP</p><pre><code class=language-bash data-expandlinks=true>$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath=&#39;{.status.loadBalancer.ingress[0].ip}&#39;)
</code></pre><p>And run a test query</p><pre><code class=language-bash data-expandlinks=true>$ curl $INGRESS_HOST/headers -s -o /dev/null -w &#34;%{http_code}\n&#34;
200
</code></pre><p>Now, add a policy that requires end-user JWT for <code>httpbin.foo</code>. The next command assumes there is no service-specific policy for <code>httpbin.foo</code> (which should
be the case if you run <a href=#cleanup-part-2>cleanup</a> as described). You can run <code>kubectl get policies.authentication.istio.io -n foo</code> to confirm.</p><pre><code class=language-bash data-expandlinks=true>$ cat &lt;&lt;EOF | kubectl apply -n foo -f -
apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;Policy&#34;
metadata:
name: &#34;jwt-example&#34;
spec:
targets:
- name: httpbin
origins:
- jwt:
issuer: &#34;testing@secure.istio.io&#34;
jwksUri: &#34;https://raw.githubusercontent.com/istio/istio/release-1.1/security/tools/jwt/samples/jwks.json&#34;
principalBinding: USE_ORIGIN
EOF
</code></pre><p>The same <code>curl</code> command from before will return with 401 error code, as a result of server is expecting JWT but none was provided:</p><pre><code class=language-bash data-expandlinks=true>$ curl $INGRESS_HOST/headers -s -o /dev/null -w &#34;%{http_code}\n&#34;
401
</code></pre><p>Attaching the valid token generated above returns success:</p><pre><code class=language-bash data-expandlinks=true>$ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.1/security/tools/jwt/samples/demo.jwt -s)
$ curl --header &#34;Authorization: Bearer $TOKEN&#34; $INGRESS_HOST/headers -s -o /dev/null -w &#34;%{http_code}\n&#34;
200
</code></pre><p>To observe other aspects of JWT validation, use the script <a href=https://github.com/istio/istio/tree/release-1.1/security/tools/jwt/samples/gen-jwt.py><code>gen-jwt.py</code></a> to
generate new tokens to test with different issuer, audiences, expiry date, etc. The script can be downloaded from the Istio repository:</p><pre><code class=language-bash data-expandlinks=true>$ wget https://raw.githubusercontent.com/istio/istio/release-1.1/security/tools/jwt/samples/gen-jwt.py
$ chmod +x gen-jwt.py
</code></pre><p>You also need the <code>key.pem</code> file:</p><pre><code class=language-bash data-expandlinks=true>$ wget https://raw.githubusercontent.com/istio/istio/release-1.1/security/tools/jwt/samples/key.pem
</code></pre><p>For example, the command below creates a token that
expires in 5 seconds. As you see, Istio authenticates requests using that token successfully at first but rejects them after 5 seconds:</p><pre><code class=language-bash data-expandlinks=true>$ TOKEN=$(./gen-jwt.py ./key.pem --expire 5)
$ for i in `seq 1 10`; do curl --header &#34;Authorization: Bearer $TOKEN&#34; $INGRESS_HOST/headers -s -o /dev/null -w &#34;%{http_code}\n&#34;; sleep 1; done
200
200
200
200
200
401
401
401
401
401
</code></pre><p>You can also add a JWT policy to an ingress gateway (e.g., service <code>istio-ingressgateway.istio-system.svc.cluster.local</code>).
This is often used to define a JWT policy for all services bound to the gateway, instead of for individual services.</p><h3 id=end-user-authentication-with-per-path-requirements>End-user authentication with per-path requirements</h3><p>End-user authentication can be enabled or disabled based on request path. This is useful if you want to
disable authentication for some paths, for example, the path used for health check or status report.
You can also specify different JWT requirements on different paths.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-warning"/></svg></div><div class=content>The end-user authentication with per-path requirements is an experimental feature in Istio 1.1 and
is <strong>NOT</strong> recommended for production use.</div></aside></div><h4 id=disable-end-user-authentication-for-specific-paths>Disable End-user authentication for specific paths</h4><p>Modify the <code>jwt-example</code> policy to disable End-user authentication for path <code>/user-agent</code>:</p><pre><code class=language-bash data-expandlinks=true>$ cat &lt;&lt;EOF | kubectl apply -n foo -f -
apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;Policy&#34;
metadata:
name: &#34;jwt-example&#34;
spec:
targets:
- name: httpbin
origins:
- jwt:
issuer: &#34;testing@secure.istio.io&#34;
jwksUri: &#34;https://raw.githubusercontent.com/istio/istio/release-1.1/security/tools/jwt/samples/jwks.json&#34;
trigger_rules:
- excluded_paths:
- exact: /user-agent
principalBinding: USE_ORIGIN
EOF
</code></pre><p>Confirm it&rsquo;s allowed to access the path <code>/user-agent</code> without JWT tokens:</p><pre><code class=language-bash data-expandlinks=true>$ curl $INGRESS_HOST/user-agent -s -o /dev/null -w &#34;%{http_code}\n&#34;
200
</code></pre><p>Confirm it&rsquo;s denied to access paths other than <code>/user-agent</code> without JWT tokens:</p><pre><code class=language-bash data-expandlinks=true>$ curl $INGRESS_HOST/headers -s -o /dev/null -w &#34;%{http_code}\n&#34;
401
</code></pre><h4 id=enable-end-user-authentication-for-specific-paths>Enable End-user authentication for specific paths</h4><p>Modify the <code>jwt-example</code> policy to enable End-user authentication only for path <code>/ip</code>:</p><pre><code class=language-bash data-expandlinks=true>$ cat &lt;&lt;EOF | kubectl apply -n foo -f -
apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;Policy&#34;
metadata:
name: &#34;jwt-example&#34;
spec:
targets:
- name: httpbin
origins:
- jwt:
issuer: &#34;testing@secure.istio.io&#34;
jwksUri: &#34;https://raw.githubusercontent.com/istio/istio/release-1.1/security/tools/jwt/samples/jwks.json&#34;
trigger_rules:
- included_paths:
- exact: /ip
principalBinding: USE_ORIGIN
EOF
</code></pre><p>Confirm it&rsquo;s allowed to access paths other than <code>/ip</code> without JWT tokens:</p><pre><code class=language-bash data-expandlinks=true>$ curl $INGRESS_HOST/user-agent -s -o /dev/null -w &#34;%{http_code}\n&#34;
200
</code></pre><p>Confirm it&rsquo;s denied to access the path <code>/ip</code> without JWT tokens:</p><pre><code class=language-bash data-expandlinks=true>$ curl $INGRESS_HOST/ip -s -o /dev/null -w &#34;%{http_code}\n&#34;
401
</code></pre><p>Confirm it&rsquo;s allowed to access the path <code>/ip</code> with a valid JWT token:</p><pre><code class=language-bash data-expandlinks=true>$ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.1/security/tools/jwt/samples/demo.jwt -s)
$ curl --header &#34;Authorization: Bearer $TOKEN&#34; $INGRESS_HOST/ip -s -o /dev/null -w &#34;%{http_code}\n&#34;
200
</code></pre><h3 id=end-user-authentication-with-mutual-tls>End-user authentication with mutual TLS</h3><p>End-user authentication and mutual TLS can be used together. Modify the policy above to define both mutual TLS and end-user JWT authentication:</p><pre><code class=language-bash data-expandlinks=true>$ cat &lt;&lt;EOF | kubectl apply -n foo -f -
apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;Policy&#34;
metadata:
name: &#34;jwt-example&#34;
spec:
targets:
- name: httpbin
peers:
- mtls: {}
origins:
- jwt:
issuer: &#34;testing@secure.istio.io&#34;
jwksUri: &#34;https://raw.githubusercontent.com/istio/istio/release-1.1/security/tools/jwt/samples/jwks.json&#34;
principalBinding: USE_ORIGIN
EOF
</code></pre><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-tip"/></svg></div><div class=content>Use <code>istio create</code> if the <code>jwt-example</code> policy hasn&rsquo;t been submitted.</div></aside></div><p>And add a destination rule:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: &#34;networking.istio.io/v1alpha3&#34;
kind: &#34;DestinationRule&#34;
metadata:
name: &#34;httpbin&#34;
namespace: &#34;foo&#34;
spec:
host: &#34;httpbin.foo.svc.cluster.local&#34;
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
EOF
</code></pre><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-tip"/></svg></div><div class=content>If you already enable mutual TLS mesh-wide or namespace-wide, the host <code>httpbin.foo</code> is already covered by the other destination rule.
Therefore, you do not need adding this destination rule. On the other hand, you still need to add the <code>mtls</code> stanza to the authentication policy as the service-specific policy will override the mesh-wide (or namespace-wide) policy completely.</div></aside></div><p>After these changes, traffic from Istio services, including ingress gateway, to <code>httpbin.foo</code> will use mutual TLS. The test command above will still work. Requests from Istio services directly to <code>httpbin.foo</code> also work, given the correct token:</p><pre><code class=language-bash data-expandlinks=true>$ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.1/security/tools/jwt/samples/demo.jwt -s)
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w &#34;%{http_code}\n&#34; --header &#34;Authorization: Bearer $TOKEN&#34;
200
</code></pre><p>However, requests from non-Istio services, which use plain-text will fail:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl exec $(kubectl get pod -l app=sleep -n legacy -o jsonpath={.items..metadata.name}) -c sleep -n legacy -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w &#34;%{http_code}\n&#34; --header &#34;Authorization: Bearer $TOKEN&#34;
000
command terminated with exit code 56
</code></pre><h3 id=cleanup-part-3>Cleanup part 3</h3><ol><li><p>Remove authentication policy:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl -n foo delete policy jwt-example
</code></pre></li><li><p>Remove destination rule:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl -n foo delete destinationrule httpbin
</code></pre></li><li><p>If you are not planning to explore any follow-on tasks, you can remove all resources simply by deleting test namespaces.</p><pre><code class=language-bash data-expandlinks=true>$ kubectl delete ns foo bar legacy
</code></pre></li></ol><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/tasks/security/mtls-migration/>Mutual TLS Migration</a></p><p class=desc>Shows you how to incrementally migrate your Istio services to mutual TLS.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/concepts/security/>Security</a></p><p class=desc>Describes Istio&#39;s authorization and authentication functionality.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></p><p class=desc>Learn how to extend the lifetime of Istio self-signed root certificate.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></p><p class=desc>Describe Istio&#39;s authorization feature and how to use it in various use cases.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/tasks/security/authz-http/>Authorization for HTTP Services</a></p><p class=desc>Shows how to set up role-based access control for HTTP services.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/tasks/security/authz-tcp/>Authorization for TCP Services</a></p><p class=desc>Shows how to set up role-based access control for TCP services.</p></div></div></nav></article><nav class=pagenav><div class=left></div><div class=right><a title="Shows how to set up role-based access control for HTTP services." href=/v1.1/docs/tasks/security/authz-http/>Authorization for HTTP Services<svg class="icon"><use xlink:href="/v1.1/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="Before you begin"><a href=#before-you-begin>Before you begin</a><ol><li role=none aria-label=Setup><a href=#setup>Setup</a></ol></li><li role=none aria-label="Globally enabling Istio mutual TLS"><a href=#globally-enabling-istio-mutual-tls>Globally enabling Istio mutual TLS</a><ol><li role=none aria-label="Request from non-Istio services to Istio services"><a href=#request-from-non-istio-services-to-istio-services>Request from non-Istio services to Istio services</a><li role=none aria-label="Request from Istio services to non-Istio services"><a href=#request-from-istio-services-to-non-istio-services>Request from Istio services to non-Istio services</a><li role=none aria-label="Request from Istio services to Kubernetes API server"><a href=#request-from-istio-services-to-kubernetes-api-server>Request from Istio services to Kubernetes API server</a><li role=none aria-label="Cleanup part 1"><a href=#cleanup-part-1>Cleanup part 1</a></ol></li><li role=none aria-label="Enable mutual TLS per namespace or service"><a href=#enable-mutual-tls-per-namespace-or-service>Enable mutual TLS per namespace or service</a><ol><li role=none aria-label="Namespace-wide policy"><a href=#namespace-wide-policy>Namespace-wide policy</a><li role=none aria-label="Service-specific policy"><a href=#service-specific-policy>Service-specific policy</a><li role=none aria-label="Policy precedence"><a href=#policy-precedence>Policy precedence</a><li role=none aria-label="Cleanup part 2"><a href=#cleanup-part-2>Cleanup part 2</a></ol></li><li role=none aria-label="End-user authentication"><a href=#end-user-authentication>End-user authentication</a><ol><li role=none aria-label="End-user authentication with per-path requirements"><a href=#end-user-authentication-with-per-path-requirements>End-user authentication with per-path requirements</a><ol><li role=none aria-label="Disable End-user authentication for specific paths"><a href=#disable-end-user-authentication-for-specific-paths>Disable End-user authentication for specific paths</a><li role=none aria-label="Enable End-user authentication for specific paths"><a href=#enable-end-user-authentication-for-specific-paths>Enable End-user authentication for specific paths</a></ol></li><li role=none aria-label="End-user authentication with mutual TLS"><a href=#end-user-authentication-with-mutual-tls>End-user authentication with mutual TLS</a><li role=none aria-label="Cleanup part 3"><a href=#cleanup-part-3>Cleanup part 3</a></ol></li><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.1.9 now" href=https://github.com/istio/istio/releases/tag/1.1.9 aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.1.9<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on June 18, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#github"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#slack"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink