You can enable JSON Web Token (JWT) authentication for Knative services by creating a policy in your serverless application namespace that only allows requests with valid JWTs.

Prerequisites

Adding sidecar injection to pods in system namespaces such as knative-serving and knative-serving-ingress is not supported.

Procedure
  1. Copy the following Policy resource into a YAML file:

    The paths /metrics and /healthz must be included in excludedPaths because they are accessed from system pods in the knative-serving namespace.

    apiVersion: authentication.istio.io/v1alpha1
    kind: Policy
    metadata:
      name: default
    spec:
      origins:
      - jwt:
          issuer: testing@secure.istio.io
          jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/jwks.json"
          triggerRules:
          - excludedPaths:
            - prefix: /metrics
            - prefix: /healthz
      principalBinding: USE_ORIGIN
  2. Apply the Policy resource YAML file:

    $ oc apply -f <filename>
Verification
  1. If you try to use a curl request to get the Knative service URL, it is denied.

    $ curl http://hello-example-default.apps.mycluster.example.com/
    Example output
    Origin authentication failed.
  2. Verify the request with a valid JWT.

    1. Get the valid JWT token by entering the following command:

      $ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
    2. Access the service by using the valid token in the curl request header:

      $ curl http://hello-example-default.apps.mycluster.example.com/ -H "Authorization: Bearer $TOKEN"

      The request is now allowed.

      Example output
      Hello OpenShift!

Additional resources