You can enable JSON Web Token (JWT) authentication for Knative services.


Adding sidecar injection to Pods in system namespaces such as knative-serving and knative-serving-ingress is not supported.

  1. Create a policy in your serverless application namespace that only allows requests with valid JSON Web Tokens (JWT):

    1. Copy the following Policy resource into a YAML file:

      The paths /metrics and /healthz must be included in excludedPaths because they are accessed from system Pods in the knative-serving namespace.

      apiVersion: authentication.istio.io/v1alpha1
      kind: Policy
      metadata:
        name: default
        namespace: <namespace>
      spec:
        origins:
        - jwt:
            issuer: <issuer>
            jwksUri: ""
            triggerRules:
            - excludedPaths:
              - prefix: /metrics
              - prefix: /healthz
        principalBinding: USE_ORIGIN
    2. Apply the Policy resource YAML file:

      $ oc apply -f <filename>
Verification steps
  1. If you send a curl request to the Knative service URL without a token, the request is denied:

    $ curl
    Example output
    Origin authentication failed.
  2. Verify the request with a valid JWT.

    1. Get a valid JWT by entering the following command:

      $ TOKEN=$(curl -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
    2. Access the service by using the valid token in the curl request header:

      $ curl -H "Authorization: Bearer $TOKEN"

      The request is now allowed.

    Example output
    Hello OpenShift!
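The `cut ... | base64 --decode` pipeline above can fail on some tokens, because JWT segments are base64url-encoded without `=` padding. The following helpers, an added example and not part of the OpenShift documentation, decode the payload correctly and check that the token's `iss` claim matches the issuer the Policy expects and that `exp` has not passed; the demo token, issuer `testing@example.com`, and the `<jwt-url>` and `<issuer>` placeholders are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the OpenShift documentation: inspect the JWT that
# the verification step sends in the Authorization header. JWT segments are
# base64url-encoded without '=' padding, so a plain `base64 --decode` can fail;
# these helpers convert base64url to base64 and restore the padding first.
# Only the claims are read here. Nothing below checks the signature; that is
# what the Policy's jwksUri is for, so never trust claims from this decoder
# alone.

b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }

# Print the decoded payload (second segment) of the token given as $1.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d '.' -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the value of claim $2 (string or number) from token $1.
jwt_claim() {
  jwt_payload "$1" |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Return 0 when the token's iss claim matches $2 (the issuer the Policy
# expects) and exp lies in the future; otherwise explain on stderr, return 1.
jwt_check() {
  iss=$(jwt_claim "$1" iss); exp=$(jwt_claim "$1" exp); now=$(date +%s)
  [ "$iss" = "$2" ] || { echo "issuer mismatch: '$iss' != '$2'" >&2; return 1; }
  [ -n "$exp" ] && [ "$exp" -gt "$now" ] || { echo "token expired or no exp" >&2; return 1; }
  return 0
}

# Build a constructed, unsigned demo token (issuer $1, exp $2) for offline use;
# its signature segment is a dummy and would be rejected by the mesh.
make_demo_jwt() {
  hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  pay=$(printf '{"iss":"%s","sub":"demo","exp":%s}' "$1" "$2" | b64url)
  printf '%s.%s.%s\n' "$hdr" "$pay" "c2lnbmF0dXJl"
}

# With a real token: TOKEN=$(curl -s <jwt-url>); jwt_check "$TOKEN" <issuer>
SAMPLE_TOKEN=$(make_demo_jwt "testing@example.com" 4102444800)
jwt_check "$SAMPLE_TOKEN" "testing@example.com" && jwt_payload "$SAMPLE_TOKEN"
```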

Additional resources