Using JSON Web Token authentication with Service Mesh and OpenShift Serverless - Networking | Serverless

Prerequisites
Using JSON Web Token authentication with Service Mesh 2.x and OpenShift Serverless
Using JSON Web Token authentication with Service Mesh 1.x and OpenShift Serverless

You can enable JSON Web Token (JWT) authentication for Knative services.

Prerequisites

Install OpenShift Serverless.
Install Red Hat OpenShift Service Mesh. OpenShift Serverless is supported for use with both Red Hat OpenShift Service Mesh version 1.x and version 2.x.
Configure Service Mesh with OpenShift Serverless, including enabling sidecar injection for your Knative services.

Adding sidecar injection to pods in system namespaces such as knative-serving and knative-serving-ingress is not supported.

Using JSON Web Token authentication with Service Mesh 2.x and OpenShift Serverless

Procedure

Create the RequestAuthentication resource in each serverless application namespace that is a member in the ServiceMeshMemberRoll object, by copying the following code into a YAML file:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-example
  namespace: <namespace>
spec:
  jwtRules:
  - issuer: testing@secure.istio.io
    jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json

Apply the RequestAuthentication resource:
```
$ oc apply -f <filename>
```
Allow access to the RequestAuthenticaton resource from system pods for each serverless application namespace that is a member in the ServiceMeshMemberRoll object, by copying the following AuthorizationPolicy resources into a YAML file:
```
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allowlist-by-paths
  namespace: <namespace>
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        paths:
        - /metrics (1)
        - /healthz (2)
```
1 The path on your application to collect metrics by system pod.

2 The path on your application to probe by system pod.
Apply the AuthorizationPolicy resource YAML file:
```
$ oc apply -f <filename>
```

For each serverless application namespace that is a member in the ServiceMeshMemberRoll object, copy the following AuthorizationPolicy resource, into a YAML file:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: <namespace>
spec:
  action: ALLOW
  rules:
  - from:
    - source:
       requestPrincipals: ["testing@secure.istio.io/testing@secure.istio.io"]

Apply the AuthorizationPolicy resource YAML file:
```
$ oc apply -f <filename>
```

Verification

If you try to use a curl request to get the Knative service URL, it is denied.
```
$ curl http://hello-example-1-default.apps.mycluster.example.com/
```
Example output
```
RBAC: access denied
```

Verify the request with a valid JWT.

Get the valid JWT token by entering the following command:

$ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -

Access the service by using the valid token in the curl request header:

$ curl -H "Authorization: Bearer $TOKEN"  http://hello-example-1-default.apps.example.com

The request is now allowed.

Example output

Hello OpenShift!

Using JSON Web Token authentication with Service Mesh 1.x and OpenShift Serverless

Procedure

Create a policy in a serverless application namespace which is a member in the ServiceMeshMemberRoll object, that only allows requests with valid JSON Web Tokens (JWT):

Copy the following Policy resource into a YAML file:

The paths /metrics and /healthz must be included in excludedPaths because they are accessed from system Pods in the knative-serving namespace.

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: <namespace>
spec:
  origins:
  - jwt:
      issuer: testing@secure.istio.io
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/jwks.json"
      triggerRules:
      - excludedPaths:
        - prefix: /metrics (1)
        - prefix: /healthz (2)
  principalBinding: USE_ORIGIN

1	The path on your application to collect metrics by system pod.
2	The path on your application to probe by system pod.

Apply the Policy resource:
```
$ oc apply -f <filename>
```

Verification

If you try to use a curl request to get the Knative service URL, it is denied.

$ curl http://hello-example-default.apps.mycluster.example.com/

Example output

Origin authentication failed.

Verify the request with a valid JWT.

Get the valid JWT token by entering the following command:

$ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -

Access the service by using the valid token in the curl request header:

$ curl http://hello-example-default.apps.mycluster.example.com/ -H "Authorization: Bearer $TOKEN"

The request is now allowed.

Example output

Hello OpenShift!