Hi Istio Experts
We are using Istio (in GKE) for service authZ and JWT checks. Currently we are on Istio 1.2 and will migrate to 1.4 whenever the GKE version is ready for that.
In our world, we have multiple namespaces (almost one for each team or developer). All those namespaces will have the same service (say it is foo).
How can we add a JWT policy which applies to all foo services? Note that I cannot enable JWT globally because there are some services (bar) that don't require JWT.
As far as I know, I can write a policy like this for the n1 namespace. Is there any generic way to do that?
```yaml
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example"
  namespace: n1
spec:
  targets:
  - name: foo
  peers:
  - mtls:
      mode: PERMISSIVE
  origins:
  - jwt:
      issuer: "https://kernel.integ.envs.broadinstitute.org/"
      jwksUri: "https://kernel.integ.envs.broadinstitute.org/.well-known/jwks.json"
  principalBinding: USE_ORIGIN
```
Also, the same question for authZ policy, e.g., we want to block foo to bar in all namespaces.
Thanks