Authz
The following shows how to set up an Istio authorization policy that enforces access based on a JSON Web Token (JWT).
Prerequisites
Service Mesh must be deployed.
Mesh Injection
Label the impacted namespaces for mesh injection (pods that are already running must be restarted to receive the sidecar):
kubectl label --overwrite namespace mynamespace istio-injection=enabled
Authz
Create a request authentication policy for the httpbin workload in the mynamespace namespace. The policy accepts a JWT issued by testing@secure.istio.io.
Use the .well-known/openid-configuration endpoint of Keycloak to obtain the issuer and jwksUri values.
Replace the app label with one matching your application.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: "myra"
  namespace: mynamespace
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  # get the issuer and jwksUri values from:
  # http://keycloakservice:keycloakport/realms/kosmos/.well-known/openid-configuration
  - issuer: "testing@secure.istio.io"
    # an inline JWKS can be given instead of jwksUri:
    #jwks: xxx
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.25/security/tools/jwt/samples/jwks.json"
Create an authorization policy. The following creates an authorization policy for the httpbin workload in the mynamespace namespace. The policy requires every request to the httpbin workload to carry a valid JWT whose requestPrincipal is testing@secure.istio.io/testing@secure.istio.io, and authorizes only GET HTTP requests on the /headers path. Note that a request with no token at all is not rejected by the RequestAuthentication policy; it simply arrives with no request principal, so it is this authorization policy that denies it.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: myap
  namespace: mynamespace
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  # from, to and when inside one rule are ANDed; separate rules are ORed.
  # Keeping the principal and the operation in a single rule is what makes
  # the token mandatory for GET /headers.
  - from:
    - source:
        requestPrincipals: ["testing@secure.istio.io/testing@secure.istio.io"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/headers"]
    # optionally restrict on extracted auth claims:
    # when:
    # - key: request.auth.claims[iss]
    #   values: ["https://foo.com"]
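The following is an added example, not code from this page or from Istio: a small Python model of how an ALLOW policy is evaluated (rules are ORed, from and to inside one rule are ANDed, and the principal is formed as iss/sub), run over the policy above and over the same two clauses written as separate rules. The token is a constructed, unsigned sample; signature verification and the when/notPaths operators are left out.

```python
import base64
import json

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample token (hypothetical): only its payload is read here.
# In the mesh the sidecar first verifies the signature against jwksUri; a request
# with no token at all is passed on with no request principal.
SAMPLE_JWT = ".".join([_b64url({"alg": "RS256"}),
                       _b64url({"iss": "testing@secure.istio.io",
                                "sub": "testing@secure.istio.io"}),
                       "signature-placeholder"])

def request_principal(token):
    """Istio forms request.auth.principal as '<iss>/<sub>' of the validated JWT."""
    if not token:
        return None
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return f"{claims['iss']}/{claims['sub']}"

def _match(value, allowed):
    """An absent field matches anything; a listed field must contain the value."""
    return allowed is None or (value is not None and value in allowed)

def _rule_matches(rule, req):
    """Within one rule, from and to are ANDed; entries inside each list are ORed."""
    sources = [f["source"] for f in rule.get("from", [])]
    ops = [t["operation"] for t in rule.get("to", [])]
    from_ok = not sources or any(_match(req["principal"], s.get("requestPrincipals")) for s in sources)
    to_ok = not ops or any(_match(req["method"], o.get("methods"))
                           and _match(req["path"], o.get("paths")) for o in ops)
    return from_ok and to_ok

def is_allowed(policy, method, path, token=None):
    """ALLOW action: the request passes only if at least one rule matches."""
    req = {"method": method, "path": path, "principal": request_principal(token)}
    return any(_rule_matches(r, req) for r in policy["rules"])

PRINCIPAL = "testing@secure.istio.io/testing@secure.istio.io"
# Principal and operation in one rule: both must hold.
SINGLE_RULE = {"action": "ALLOW", "rules": [
    {"from": [{"source": {"requestPrincipals": [PRINCIPAL]}}],
     "to": [{"operation": {"methods": ["GET"], "paths": ["/headers"]}}]}]}
# The same clauses as two rules: either one alone is enough to allow.
SPLIT_RULES = {"action": "ALLOW", "rules": [
    {"to": [{"operation": {"methods": ["GET"], "paths": ["/headers"]}}]},
    {"from": [{"source": {"requestPrincipals": [PRINCIPAL]}}]}]}
```

With the split form, an unauthenticated GET /headers is allowed and a token holder may call any method on any path, which is the over-permission to watch for when reviewing policies.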