After the Service Mesh integration with OpenShift Serverless and Kourier has been configured on your cluster, you can enable JSON Web Token (JWT) authentication for your Knative services.
You can add the sidecar.istio.io/inject="true" annotation to a Knative service to enable sidecar injection for that service.
Adding sidecar injection to pods in system namespaces, such as |
You have installed the OpenShift Serverless Operator and Knative Serving.
You have installed the OpenShift CLI (oc).
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in Red Hat OpenShift Service on AWS.
Add the sidecar.istio.io/inject="true" annotation to your Service resource:
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: <service_name>
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "true" (1)
        sidecar.istio.io/rewriteAppHTTPProbers: "true" (2)
...
(1) Add the sidecar.istio.io/inject="true" annotation.
(2) You must also set sidecar.istio.io/rewriteAppHTTPProbers: "true", because OpenShift Serverless 1.14.0 and later use an HTTP probe as the readiness probe for Knative services by default. With this annotation the sidecar rewrites the pod's HTTP probes so that kubelet probes still succeed once the sidecar intercepts the pod's traffic; without it, the probes can fail and the revision does not become ready.
Apply your Service resource YAML file:
$ oc apply -f <filename>
Use the following procedure to enable JSON Web Token (JWT) authentication for Knative services with Service Mesh 2.x and OpenShift Serverless.
You have installed the OpenShift Serverless Operator and Knative Serving.
You have installed the OpenShift CLI (oc).
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in Red Hat OpenShift Service on AWS.
Create a RequestAuthentication resource in each serverless application namespace that is a member in the ServiceMeshMemberRoll object:
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-example
  namespace: <namespace>
spec:
  jwtRules:
  - issuer: testing@secure.istio.io
    jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json
The issuer and jwksUri shown are the Istio sample values; for a real deployment, point them at your identity provider's issuer and JWKS endpoint. A RequestAuthentication resource only validates tokens that are present and rejects invalid ones: a request that carries no token at all still reaches the service until the AuthorizationPolicy created later in this procedure requires a request principal.
Apply the RequestAuthentication resource:
$ oc apply -f <filename>
Allow system pods to reach the metrics and health check paths of your application without a JWT, for each serverless application namespace that is a member in the ServiceMeshMemberRoll object, by creating the following AuthorizationPolicy resource:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allowlist-by-paths
  namespace: <namespace>
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        paths:
        - /metrics (1)
        - /healthz (2)
(1) The path on your application from which system pods collect metrics.
(2) The path on your application that system pods probe.
Apply the AuthorizationPolicy resource:
$ oc apply -f <filename>
For each serverless application namespace that is a member in the ServiceMeshMemberRoll object, create the following AuthorizationPolicy resource:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: <namespace>
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["testing@secure.istio.io/testing@secure.istio.io"]
The requestPrincipals value is the token's issuer and subject joined as <iss>/<sub>; for the Istio sample token both are testing@secure.istio.io. Because both policies use action: ALLOW and carry no selector, the mesh accepts a request to any workload in the namespace that matches either policy (an allowlisted path, or a valid token with a matching principal) and denies every other request.
Apply the AuthorizationPolicy resource:
$ oc apply -f <filename>
If you send a curl request to the Knative service URL without a token, it is denied:
$ curl http://hello-example-1-default.apps.mycluster.example.com/
RBAC: access denied
Verify the request with a valid JWT.
Get the valid JWT token. The following command stores the token in TOKEN and, for inspection, decodes and prints its payload (the second dot-separated segment) so that you can confirm that the iss and sub claims match the requestPrincipals value in the require-jwt policy:
$ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
Access the service by using the valid token in the curl request header:
$ curl -H "Authorization: Bearer $TOKEN" http://hello-example-1-default.apps.mycluster.example.com
The request is now allowed:
Hello OpenShift!
Use the following procedure to enable JSON Web Token (JWT) authentication for Knative services with Service Mesh 1.x and OpenShift Serverless.
You have installed the OpenShift Serverless Operator and Knative Serving.
You have installed the OpenShift CLI (oc).
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in Red Hat OpenShift Service on AWS.
Create a policy in a serverless application namespace which is a member in the ServiceMeshMemberRoll object, that only allows requests with valid JSON Web Tokens (JWT):
The paths |
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: <namespace>
spec:
  origins:
  - jwt:
      issuer: testing@secure.istio.io
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/jwks.json"
      triggerRules:
      - excludedPaths:
        - prefix: /metrics (1)
        - prefix: /healthz (2)
  principalBinding: USE_ORIGIN
(1) The path on your application from which system pods collect metrics.
(2) The path on your application that system pods probe.
Requests to the excluded path prefixes skip the JWT check entirely, so keep this list to the probe and metrics endpoints that system pods must reach. The issuer and jwksUri are the Istio sample values; replace them with your identity provider's for a real deployment.
Apply the Policy resource:
$ oc apply -f <filename>
If you send a curl request to the Knative service URL without a token, it is denied:
$ curl http://hello-example-default.apps.mycluster.example.com/
Origin authentication failed.
Verify the request with a valid JWT.
Get the valid JWT token. The following command stores the token in TOKEN and, for inspection, decodes and prints its payload (the second dot-separated segment) so that you can confirm that the iss claim matches the issuer in the Policy resource:
$ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
Access the service by using the valid token in the curl request header:
$ curl http://hello-example-default.apps.mycluster.example.com/ -H "Authorization: Bearer $TOKEN"
The request is now allowed:
Hello OpenShift!
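The following Python script is an added example and is not part of the OpenShift Serverless documentation or of Istio. It models how the sidecar decides requests under the resources from both procedures on this page: the Service Mesh 2.x RequestAuthentication plus the allowlist-by-paths and require-jwt ALLOW policies, and the Service Mesh 1.x Policy with excludedPaths. The point is to check the expected allow/deny outcomes offline, including the cases the curl checks above do not exercise (a valid token with a different subject, an expired token, a bad token on the health check path), before applying the manifests to a cluster. It assumes HS256 tokens signed with a constructed local secret in place of the RS256 keys that the real resources fetch from jwksUri; the issuer, the requestPrincipals value and the exempt paths are taken from the manifests above, and the status codes and messages mirror the curl output shown in each procedure.

```python
"""Offline model of the JWT evaluation described on this page (added example).

Constructed for illustration: tokens are HS256-signed with a local secret instead of
the RS256 keys the real RequestAuthentication fetches from jwksUri.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

ISSUER = "testing@secure.istio.io"             # issuer from the manifests on this page
SECRET = b"constructed-demo-secret"            # stand-in for the JWKS signing key
EXEMPT_PATHS = ("/metrics", "/healthz")        # allowlist-by-paths (2.x) / excludedPaths (1.x)
REQUEST_PRINCIPALS = (f"{ISSUER}/{ISSUER}",)   # require-jwt: a principal is <iss>/<sub>


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact JWS (header.payload.signature) for the test cases."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Token validation stage: bad signature, unknown issuer or expiry is a rejection."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer not configured")
    if "exp" in claims and claims["exp"] < (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def evaluate(path: str, authorization: Optional[str] = None, mesh: str = "2.x",
             now: Optional[float] = None) -> Tuple[int, str]:
    """Return (HTTP status, reason) the sidecar would answer for one request.

    mesh="2.x": RequestAuthentication plus the allowlist-by-paths and require-jwt
                ALLOW policies; mesh="1.x": Policy with origins.jwt and excludedPaths.
    """
    if mesh not in ("1.x", "2.x"):
        raise ValueError("mesh must be '1.x' or '2.x'")
    exempt = path in EXEMPT_PATHS
    if mesh == "1.x" and exempt:
        return 200, "excludedPaths: JWT check not triggered"   # even a bad token is ignored
    principal = None
    if authorization is not None:
        token = authorization[len("Bearer "):] if authorization.startswith("Bearer ") else ""
        try:
            claims = verify_token(token, now=now)
        except ValueError as exc:
            # 2.x rejects an invalid token on any path, exempt paths included.
            reason = "Origin authentication failed." if mesh == "1.x" else f"Jwt verification fails: {exc}"
            return 401, reason
        principal = f"{claims.get('iss')}/{claims.get('sub')}"
    if mesh == "1.x":
        # The 1.x Policy checks only signature and issuer, not the subject.
        return (200, "Hello OpenShift!") if principal else (401, "Origin authentication failed.")
    # 2.x: ALLOW policies form a union; a request matching neither is denied.
    if exempt:
        return 200, "allowlist-by-paths"
    if principal in REQUEST_PRINCIPALS:
        return 200, "Hello OpenShift!"
    return 403, "RBAC: access denied"


if __name__ == "__main__":
    good = "Bearer " + make_token({"iss": ISSUER, "sub": ISSUER})
    other_sub = "Bearer " + make_token({"iss": ISSUER, "sub": "someone-else"})
    for mesh in ("2.x", "1.x"):
        for path, auth in (("/", None), ("/healthz", None), ("/", good),
                           ("/", other_sub), ("/healthz", "Bearer bogus")):
            print(mesh, path, "token" if auth else "no token", "->", evaluate(path, auth, mesh))
```

Run it directly to print the decision for each combination. The table is what you should see from curl after applying the manifests: 2.x answers 403 RBAC: access denied to a tokenless request and 401 to a malformed token even on /healthz, while 1.x answers 401 Origin authentication failed to a tokenless request and ignores the token altogether on the excluded paths. The other_sub case shows the difference that matters when you adapt the manifests: the 2.x require-jwt policy binds access to a specific <iss>/<sub> principal, whereas the 1.x Policy accepts any valid token from the configured issuer.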