Prerequisites

Adding sidecar injection to pods in system namespaces such as knative-serving and knative-serving-ingress is not supported.

Using JSON Web Token authentication with Service Mesh 2.x and OpenShift Serverless

Procedure
  1. Create the RequestAuthentication resource in each serverless application namespace that is a member in the ServiceMeshMemberRoll object, by copying the following code into a YAML file:

    apiVersion: security.istio.io/v1beta1
    kind: RequestAuthentication
    metadata:
      name: jwt-example
      namespace: <namespace>
    spec:
      jwtRules:
      - issuer: testing@secure.istio.io
        jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json
  2. Apply the RequestAuthentication resource:

    $ oc apply -f <filename>
  3. Allow system pods to reach the /metrics and /healthz paths of each serverless application namespace that is a member in the ServiceMeshMemberRoll object, by copying the following AuthorizationPolicy resource into a YAML file:

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allowlist-by-paths
      namespace: <namespace>
    spec:
      action: ALLOW
      rules:
      - to:
        - operation:
            paths:
            - /metrics # (1)
            - /healthz # (2)
    1 The path on your application to collect metrics by system pod.
    2 The path on your application to probe by system pod.
  4. Apply the AuthorizationPolicy resource YAML file:

    $ oc apply -f <filename>
  5. For each serverless application namespace that is a member in the ServiceMeshMemberRoll object, copy the following AuthorizationPolicy resource into a YAML file:

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: require-jwt
      namespace: <namespace>
    spec:
      action: ALLOW
      rules:
      - from:
        - source:
            requestPrincipals: ["testing@secure.istio.io/testing@secure.istio.io"]
  6. Apply the AuthorizationPolicy resource YAML file:

    $ oc apply -f <filename>
Verification
  1. A curl request to the Knative service URL without a token is denied:

    $ curl http://hello-example-1-default.apps.mycluster.example.com/
    Example output
    RBAC: access denied
  2. Verify the request with a valid JWT.

    1. Get the valid JWT token by entering the following command:

      $ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
    2. Access the service by using the valid token in the curl request header:

      $ curl -H "Authorization: Bearer $TOKEN"  http://hello-example-1-default.apps.example.com

      The request is now allowed.

      Example output
      Hello OpenShift!
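
The following added example (not part of this documentation or of Istio) models offline how the two ALLOW policies above combine: Istio derives the request principal as `<iss>/<sub>` from the validated JWT, the allowlist-by-paths policy lets system probes through without a token, and anything else is denied unless the principal matches require-jwt. The token helper builds an unsigned, constructed JWT, so signature verification (which RequestAuthentication performs in the mesh) is deliberately out of scope here.

```python
import base64
import json
from typing import Optional

# Values from the Service Mesh 2.x resources in the procedure above.
ISSUER = "testing@secure.istio.io"                 # RequestAuthentication jwtRules.issuer
ALLOWLISTED_PATHS = {"/metrics", "/healthz"}        # allowlist-by-paths AuthorizationPolicy
REQUIRED_PRINCIPALS = {f"{ISSUER}/{ISSUER}"}        # require-jwt requestPrincipals


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token (header.payload.) with an empty signature.
    It is NOT signed and only exercises the authorization logic below."""
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def request_principal(claims: dict) -> str:
    """Istio sets the request principal to '<iss>/<sub>' of the validated JWT."""
    return f"{claims['iss']}/{claims['sub']}"


def authorize(path: str, token: Optional[str]) -> str:
    """Return 'allow' or 'deny' the way the two ALLOW policies combine."""
    if path in ALLOWLISTED_PATHS:      # allowlist-by-paths: probes and scrapes need no JWT
        return "allow"
    if token is None:                  # no principal, so no ALLOW rule matches: RBAC: access denied
        return "deny"
    if request_principal(jwt_claims(token)) in REQUIRED_PRINCIPALS:
        return "allow"                 # require-jwt matched
    return "deny"                      # valid-looking token, wrong issuer or subject
```

The padding restored in b64url_decode is also why the shell `base64 --decode` one-liner in the verification step can report invalid input: a JWT payload segment is unpadded base64url, and its length is not always a multiple of four.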

Using JSON Web Token authentication with Service Mesh 1.x and OpenShift Serverless

Procedure
  1. Create a policy in a serverless application namespace that is a member in the ServiceMeshMemberRoll object and that only allows requests with valid JSON Web Tokens (JWT):

    1. Copy the following Policy resource into a YAML file:

      The paths /metrics and /healthz must be included in excludedPaths because they are accessed from system pods in the knative-serving namespace.

      apiVersion: authentication.istio.io/v1alpha1
      kind: Policy
      metadata:
        name: default
        namespace: <namespace>
      spec:
        origins:
        - jwt:
            issuer: testing@secure.istio.io
            jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/jwks.json"
            triggerRules:
            - excludedPaths:
              - prefix: /metrics # (1)
              - prefix: /healthz # (2)
        principalBinding: USE_ORIGIN
      1 The path on your application to collect metrics by system pod.
      2 The path on your application to probe by system pod.
    2. Apply the Policy resource:

      $ oc apply -f <filename>
Verification
  1. A curl request to the Knative service URL without a token is denied:

    $ curl http://hello-example-default.apps.mycluster.example.com/
    Example output
    Origin authentication failed.
  2. Verify the request with a valid JWT.

    1. Get the valid JWT token by entering the following command:

      $ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
    2. Access the service by using the valid token in the curl request header:

      $ curl http://hello-example-default.apps.mycluster.example.com/ -H "Authorization: Bearer $TOKEN"

      The request is now allowed.

      Example output
      Hello OpenShift!