istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/content/en/docs/reference/config/security/request_authentication/index.html

454 lines
13 KiB
HTML
Raw Blame History

---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
source_repo: https://github.com/istio/api
title: RequestAuthentication
description: Request authentication configuration for workloads.
location: https://istio.io/docs/reference/config/security/request_authentication.html
layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.security.v1beta1.RequestAuthentication
aliases: [/docs/reference/config/security/v1beta1/request_authentication]
number_of_entries: 1
---
<h2 id="RequestAuthentication">RequestAuthentication</h2>
<section>
<p>RequestAuthentication defines what request authentication methods are supported by a workload.
It will reject a request if the request contains invalid authentication information, based on the
configured authentication rules. A request that does not contain any authentication credentials
will be accepted but will not have any authenticated identity. To restrict access to authenticated
requests only, this should be accompanied by an authorization rule.
Examples:</p>
<ul>
<li>Require JWT for all request for workloads that have label <code>app:httpbin</code></li>
</ul>
<p>{{<tabset category-name="example">}}
{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
jwtRules:
- issuer: &quot;issuer-foo&quot;
jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1" category-value="v1">}}</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
jwtRules:
- issuer: &quot;issuer-foo&quot;
jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<ul>
<li>A policy in the root namespace (&ldquo;istio-system&rdquo; by default) applies to workloads in all namespaces
in a mesh. The following policy makes all workloads only accept requests that contain a
valid JWT token.</li>
</ul>
<p>{{<tabset category-name="example">}}
{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: req-authn-for-all
namespace: istio-system
spec:
jwtRules:
- issuer: &quot;issuer-foo&quot;
jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: require-jwt-for-all
namespace: istio-system
spec:
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1" category-value="v1">}}</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
name: req-authn-for-all
namespace: istio-system
spec:
jwtRules:
- issuer: &quot;issuer-foo&quot;
jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: require-jwt-for-all
namespace: istio-system
spec:
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<ul>
<li>The next example shows how to set a different JWT requirement for a different <code>host</code>. The <code>RequestAuthentication</code>
declares it can accept JWTs issued by either <code>issuer-foo</code> or <code>issuer-bar</code> (the public key set is implicitly
set from the OpenID Connect spec).</li>
</ul>
<p>{{<tabset category-name="example">}}
{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
jwtRules:
- issuer: &quot;issuer-foo&quot;
- issuer: &quot;issuer-bar&quot;
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: [&quot;issuer-foo/*&quot;]
to:
- operation:
hosts: [&quot;example.com&quot;]
- from:
- source:
requestPrincipals: [&quot;issuer-bar/*&quot;]
to:
- operation:
hosts: [&quot;another-host.com&quot;]
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1" category-value="v1">}}</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
jwtRules:
- issuer: &quot;issuer-foo&quot;
- issuer: &quot;issuer-bar&quot;
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: [&quot;issuer-foo/*&quot;]
to:
- operation:
hosts: [&quot;example.com&quot;]
- from:
- source:
requestPrincipals: [&quot;issuer-bar/*&quot;]
to:
- operation:
hosts: [&quot;another-host.com&quot;]
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<ul>
<li>You can fine tune the authorization policy to set different requirement per path. For example,
to require JWT on all paths, except /healthz, the same <code>RequestAuthentication</code> can be used, but the
authorization policy could be:</li>
</ul>
<p>{{<tabset category-name="example">}}
{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
- to:
- operation:
paths: [&quot;/healthz&quot;]
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1" category-value="v1">}}</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
- to:
- operation:
paths: [&quot;/healthz&quot;]
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>[Experimental] Routing based on derived <a href="/docs/reference/config/security/conditions/">metadata</a>
is now supported. A prefix &lsquo;@&rsquo; is used to denote a match against internal metadata instead of the headers in the request.
Currently this feature is only supported for the following metadata:</p>
<ul>
<li><code>request.auth.claims.{claim-name}[.{nested-claim}]*</code> which are extracted from validated JWT tokens.
Use the <code>.</code> or <code>[]</code> as a separator for nested claim names.
Examples: <code>request.auth.claims.sub</code>, <code>request.auth.claims.name.givenName</code> and <code>request.auth.claims[foo.com/name]</code>.
For more information, see <a href="/docs/tasks/security/authentication/jwt-route/">JWT claim based routing</a>.</li>
</ul>
<p>The use of matches against JWT claim metadata is only supported in Gateways. The following example shows:</p>
<ul>
<li>RequestAuthentication to decode and validate a JWT. This also makes the <code>@request.auth.claims</code> available for use in the VirtualService.</li>
<li>AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.</li>
<li>VirtualService to route the request based on the &ldquo;sub&rdquo; claim.</li>
</ul>
<p>{{<tabset category-name="example">}}
{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: jwt-on-ingress
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
jwtRules:
- issuer: &quot;example.com&quot;
jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: require-jwt
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: route-jwt
spec:
hosts:
- foo.prod.svc.cluster.local
gateways:
- istio-ingressgateway
http:
- name: &quot;v2&quot;
match:
- headers:
&quot;@request.auth.claims.sub&quot;:
exact: &quot;dev&quot;
route:
- destination:
host: foo.prod.svc.cluster.local
subset: v2
- name: &quot;default&quot;
route:
- destination:
host: foo.prod.svc.cluster.local
subset: v1
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1" category-value="v1">}}</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
name: jwt-on-ingress
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
jwtRules:
- issuer: &quot;example.com&quot;
jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: require-jwt
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: route-jwt
spec:
hosts:
- foo.prod.svc.cluster.local
gateways:
- istio-ingressgateway
http:
- name: &quot;v2&quot;
match:
- headers:
&quot;@request.auth.claims.sub&quot;:
exact: &quot;dev&quot;
route:
- destination:
host: foo.prod.svc.cluster.local
subset: v2
- name: &quot;default&quot;
route:
- destination:
host: foo.prod.svc.cluster.local
subset: v1
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="RequestAuthentication-selector">
<td><code>selector</code></td>
<td><code><a href="/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></code></td>
<td>
<p>Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads
in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace,
the selector will additionally match with workloads in all namespaces.</p>
<p>If not set, the selector will match all workloads. At most one of the selector and targetRef can be set.</p>
</td>
<td>
No
</td>
</tr>
<tr id="RequestAuthentication-targetRef">
<td><code>targetRef</code></td>
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference</a></code></td>
<td>
<p>Optional. The targetRef specifies the gateway the policy should be
applied to. The targeted resource specified will determine which
workloads the request authentication policy to. The targeted resource
must be a <code>Gateway</code> in the group <code>gateway.networking.k8s.io</code>. The
gateway must be in the same namespace as the request authentication
policy.</p>
<p>If not set, the policy is applied as defined by the selector.
At most one of the selector and targetRef can be set.
Waypoint proxies will not respect selectors even if they match.</p>
</td>
<td>
No
</td>
</tr>
<tr id="RequestAuthentication-jwt_rules">
<td><code>jwtRules</code></td>
<td><code><a href="/docs/reference/config/security/jwt/#JWTRule">JWTRule[]</a></code></td>
<td>
<p>Define the list of JWTs that can be validated at the selected workloads&rsquo; proxy. A valid token
will be used to extract the authenticated identity.
Each rule will be activated only when a token is presented at the location recognized by the
rule. The token will be validated based on the JWT rule config. If validation fails, the request will
be rejected.
Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
Reference in New Issue View Git Blame Copy Permalink