apiVersion: serving.knative.dev/v1
kind: Service
metadata:
name: <service_name>
spec:
template:
metadata:
annotations:
sidecar.istio.io/inject: "true" (1)
sidecar.istio.io/rewriteAppHTTPProbers: "true" (2)
...- Documentation
- OpenShift Dedicated
- Serverless
- Knative Serving
- Configuring access to Knative services
- Using JSON Web Token authentication with Service Mesh 1.x history bug_report picture_as_pdf
- About
- Introduction to OpenShift Dedicated
- Red Hat OpenShift Cluster Manager
- Planning your environment
- Getting started
- Installing, accessing, and deleting OpenShift Dedicated clusters
- Cluster administration
- Security and compliance
- Authentication and authorization
- Upgrading
- CI/CD
- Add-on services
- Storage
- Registry
- Networking
- Applications
-
Logging
- Release notes
- About Logging
- Installing Logging
- Accessing the service logs
-
Configuring your Logging deployment
- About the Cluster Logging custom resource
- Configuring the logging collector
- Configuring the log store
- Configuring the log visualizer
- Configuring Logging storage
- Configuring CPU and memory limits for Logging components
- Using tolerations to control Logging pod placement
- Moving the Logging resources with node selectors
- Maintenance and support
- Logging with the LokiStack
- Viewing logs for a specific resource
- Viewing cluster logs in Kibana
- Forwarding logs to third party systems
- Enabling JSON logging
- Collecting and storing Kubernetes events
- Updating Logging
- Viewing cluster dashboards
- Troubleshooting Logging
- Uninstalling Logging
- Exported fields
- Monitoring user-defined projects
-
Serverless
- Release notes
- About Serverless
- Installing Serverless
- Knative Serving
-
Eventing
- Knative Eventing
- Event sources
- Event sinks
- Brokers
-
Triggers
- Triggers overview
- Creating triggers from the web console
- Creating triggers from the command line
- Creating a trigger from the Administrator perspective
- List triggers from the command line
- Describe triggers from the command line
- Connecting a trigger to a sink
- Filtering triggers from the command line
- Updating triggers from the command line
- Deleting triggers from the command line
- Channels
- Subscriptions
- Event discovery
- Tuning eventing configuration
- kn-event plugin
-
Functions
- Setting up OpenShift Serverless Functions
- Getting started with functions
- Developing Quarkus functions
- Developing Node.js functions
- Developing TypeScript functions
- Using functions with Knative Eventing
- Function project configuration in func.yaml
- Accessing secrets and config maps from functions
- Adding annotations to functions
- Functions development reference guide
- Knative CLI
- Administer
- Security
- Observability
- Removing Serverless
- Serverless support
- Troubleshooting
×
Using JSON Web Token authentication with Service Mesh 1.x
You can use JSON Web Token (JWT) authentication with Knative services by using Service Mesh 1.x and OpenShift Serverless. To do this, you must create a policy in the application namespace that is a member of the ServiceMeshMemberRoll object. You must also enable sidecar injection for the service.
Configuring JSON Web Token authentication for Service Mesh 1.x and OpenShift Serverless
|
Adding sidecar injection to pods in system namespaces, such as |
Prerequisites
-
You have installed the OpenShift Serverless Operator, Knative Serving, and Red Hat OpenShift Service Mesh on your cluster.
-
Install the OpenShift CLI (
oc). -
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in OpenShift Dedicated.
Procedure
-
Add the
sidecar.istio.io/inject="true"annotation to your service:Example service1 Add the sidecar.istio.io/inject="true"annotation.2 You must set the annotation sidecar.istio.io/rewriteAppHTTPProbers: "true"in your Knative service, because OpenShift Serverless versions 1.14.0 and higher use an HTTP probe as the readiness probe for Knative services by default. -
Apply the
Serviceresource:$ oc apply -f <filename> -
Create a policy in a serverless application namespace which is a member in the
ServiceMeshMemberRollobject, that only allows requests with valid JSON Web Tokens (JWT):The paths
/metricsand/healthzmust be included inexcludedPathsbecause they are accessed from system pods in theknative-servingnamespace.apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default namespace: <namespace> spec: origins: - jwt: issuer: testing@secure.istio.io jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/jwks.json" triggerRules: - excludedPaths: - prefix: /metrics (1) - prefix: /healthz (2) principalBinding: USE_ORIGIN1 The path on your application to collect metrics by system pod. 2 The path on your application to probe by system pod. -
Apply the
Policyresource:$ oc apply -f <filename>
Verification
-
If you try to use a
curlrequest to get the Knative service URL, it is denied:$ curl http://hello-example-default.apps.mycluster.example.com/Example outputOrigin authentication failed. -
Verify the request with a valid JWT.
-
Get the valid JWT token:
$ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - -
Access the service by using the valid token in the
curlrequest header:$ curl http://hello-example-default.apps.mycluster.example.com/ -H "Authorization: Bearer $TOKEN"The request is now allowed:
Example outputHello OpenShift!
-