You can use JSON Web Token (JWT) authentication with Knative services by using Service Mesh 1.x and OpenShift Serverless. To do this, you must create a policy in the application namespace that is a member of the ServiceMeshMemberRoll object. You must also enable sidecar injection for the service.
Adding sidecar injection to pods in system namespaces, such as
You have installed the OpenShift Serverless Operator, Knative Serving, and Red Hat OpenShift Service Mesh on your cluster.
Install the OpenShift CLI (oc).
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in OpenShift Dedicated.
Add the sidecar.istio.io/inject="true" annotation to your service:
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: <service_name>
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "true" (1)
        sidecar.istio.io/rewriteAppHTTPProbers: "true" (2)
...
(1) Add the sidecar.istio.io/inject="true" annotation.
(2) You must set the annotation sidecar.istio.io/rewriteAppHTTPProbers: "true" in your Knative service, because OpenShift Serverless versions 1.14.0 and higher use an HTTP probe as the readiness probe for Knative services by default.
Apply the Service resource:
$ oc apply -f <filename>
Create a policy in a serverless application namespace that is a member of the ServiceMeshMemberRoll object, which only allows requests with valid JSON Web Tokens (JWT):
The paths
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: <namespace>
spec:
  origins:
  - jwt:
      issuer: testing@secure.istio.io
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/jwks.json"
      triggerRules:
      - excludedPaths:
        - prefix: /metrics (1)
        - prefix: /healthz (2)
  principalBinding: USE_ORIGIN
(1) The path on your application from which the system pod collects metrics.
(2) The path on your application that the system pod probes.
Apply the Policy resource:
$ oc apply -f <filename>
If you try to use a curl request to get the Knative service URL, it is denied:
$ curl http://hello-example-default.apps.mycluster.example.com/
Origin authentication failed.
Verify the request with a valid JWT.
Get the valid JWT token:
$ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
Access the service by using the valid token in the curl request header:
$ curl http://hello-example-default.apps.mycluster.example.com/ -H "Authorization: Bearer $TOKEN"
The request is now allowed:
Hello OpenShift!
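The following added example (not part of the OpenShift Serverless documentation or of Istio) models locally what the Policy above and the curl checks show: which request paths bypass origin authentication under the excludedPaths prefix rules, and whether a presented token's claims match the policy's issuer and are unexpired. It decodes the JWT segments with base64url padding restored, which the one-line base64 --decode command above does not do, and it does not verify signatures; the sample tokens it builds are constructed for the demonstration and carry a dummy signature.

```python
import base64
import json
import time

# Values taken from the Policy resource on this page.
POLICY_ISSUER = "testing@secure.istio.io"
EXCLUDED_PREFIXES = ("/metrics", "/healthz")


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt(token):
    """Return (header, payload) of a compact JWS. Signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def requires_jwt(path):
    """Mirror triggerRules.excludedPaths: a prefix match bypasses origin authentication."""
    return not any(path.startswith(prefix) for prefix in EXCLUDED_PREFIXES)


def check_token(token, now=None):
    """Return the reasons a token would fail the policy's claim checks (empty list if it passes)."""
    problems = []
    try:
        _, payload = decode_jwt(token)
    except ValueError as exc:  # covers binascii, UTF-8 and JSON decode errors
        return ["malformed token: %s" % exc]
    if payload.get("iss") != POLICY_ISSUER:
        problems.append("issuer %r does not match policy issuer %r" % (payload.get("iss"), POLICY_ISSUER))
    exp = payload.get("exp")
    if exp is not None and exp < (time.time() if now is None else now):
        problems.append("token expired")
    return problems


def make_sample_token(payload):
    """Constructed sample token for local testing: real header/payload, dummy signature."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.dummysig" % (enc({"alg": "RS256", "typ": "JWT"}), enc(payload))


if __name__ == "__main__":
    for path in ("/", "/healthz", "/metrics/scrape"):
        print(path, "requires JWT:" if requires_jwt(path) else "excluded from JWT check:", requires_jwt(path))
    print(check_token(make_sample_token({"iss": POLICY_ISSUER, "exp": 4102444800})))
```

Note that prefix matching means any path beginning with /healthz or /metrics, not only those exact paths, skips the JWT check, so keep the excluded prefixes as narrow as your probes and scrapers need.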