You can enable JSON Web Token (JWT) authentication for Knative services.

Prerequisites

Adding sidecar injection to Pods in system namespaces such as knative-serving and knative-serving-ingress is not supported.

Procedure
  1. Create a policy in your serverless application namespace that only allows requests carrying a valid JSON Web Token (JWT):

    1. Copy the following Policy resource into a YAML file:

      The paths /metrics and /healthz must be included in excludedPaths because they are accessed from system Pods in the knative-serving namespace, which do not present a JWT.

      apiVersion: authentication.istio.io/v1alpha1
      kind: Policy
      metadata:
        name: default
      spec:
        origins:
        - jwt:
            issuer: testing@secure.istio.io
            jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/jwks.json"
            triggerRules:
            - excludedPaths:
              - prefix: /metrics
              - prefix: /healthz
        principalBinding: USE_ORIGIN
    2. Apply the Policy resource YAML file:

      $ oc apply -f <filename>

Verification steps
  1. If you send a curl request to the Knative service URL without a token, the request is denied:

    $ curl http://hello-example-default.apps.mycluster.example.com/
    Example output
    Origin authentication failed.
  2. Verify that a request with a valid JWT is allowed.

    1. Get a valid JWT by entering the following command, which also decodes and prints the token's payload segment:

      $ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
    2. Access the service by using the valid token in the curl request header:

      $ curl http://hello-example-default.apps.mycluster.example.com/ -H "Authorization: Bearer $TOKEN"

      The request is now allowed.

    Example output
    Hello OpenShift!
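The following script is an added illustration, not part of the OpenShift Serverless documentation or of Istio. It models the decisions the Policy above makes for one request: requests to the excludedPaths prefixes bypass origin authentication, a missing or malformed bearer token is rejected with the same "Origin authentication failed." message shown in the verification steps, and a token is accepted only if its iss claim matches the policy's issuer and it has not expired. It also shows how to decode a JWT payload segment correctly: JWT segments are base64url without padding, which is why a plain base64 --decode can complain about the payload. The token builder, the placeholder signature and the authorize() function are constructed for this example; signature verification against jwksUri, which Istio performs, is deliberately not modelled here.

```python
import base64
import json
import time
from typing import Optional

# Values taken from the Policy resource on this page.
POLICY_ISSUER = "testing@secure.istio.io"
EXCLUDED_PREFIXES = ("/metrics", "/healthz")

DENIED = "Origin authentication failed."


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding that JWTs omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the way JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed test token (header.payload.signature).
    The signature segment is a placeholder: this example does not sign tokens
    and does not verify signatures (Istio does that against jwksUri)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def jwt_claims(token: str) -> dict:
    """Return the claims from the payload segment of a compact-serialized JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def authorize(path: str, authorization: Optional[str], now: Optional[float] = None) -> str:
    """Model the policy's decision for one request: 'allow' or the denial message.
    This is a hypothetical simulation of the policy, not Istio's implementation."""
    now = time.time() if now is None else now
    # triggerRules.excludedPaths: system probes bypass origin authentication.
    if any(path.startswith(prefix) for prefix in EXCLUDED_PREFIXES):
        return "allow"
    if not authorization or not authorization.startswith("Bearer "):
        return DENIED
    token = authorization[len("Bearer "):]
    try:
        claims = jwt_claims(token)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return DENIED
    if claims.get("iss") != POLICY_ISSUER:
        return DENIED
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        return DENIED
    return "allow"


if __name__ == "__main__":
    token = make_unsigned_token({"iss": POLICY_ISSUER, "sub": "demo", "exp": 4_000_000_000})
    print("no token   :", authorize("/", None))
    print("valid token:", authorize("/", "Bearer " + token))
    print("/metrics   :", authorize("/metrics", None))
```

Running the script prints the denial for the bare request, "allow" for the request carrying the constructed token, and "allow" for /metrics even without a token, which is the behaviour the verification steps above demonstrate against a real cluster.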

Additional resources