Hello,
I have installed on my cluster Kubernetes, hosted on DigitalOcean and with a lot of microcervices already deployed, the latest Istio release.
I have installed Istio with Helm with this options:
helm template install/kubernetes/helm/istio --namespace=istio-system --set gateways.istio-ingressgateway.sds.enabled=true --set global.k8sIngress.enabled=true --set global.k8sIngress.enableHttps=true --set global.k8sIngress.gatewayName=ingressgateway --set certmanager.enabled=true --set certmanager.email=<my-email> kubectl apply -f -
I modified the GW to use sds:
kubectl -n istio-system \ patch gateway istio-autogenerated-k8s-ingress --type=json \ -p='[{"op": "replace", "path": "/spec/servers/1/tls", "value": {"credentialName": "ingress-cert", "mode": "SIMPLE", "privateKey": "sds", "serverCertificate": "sds"}}]'
After that I have deployed a very simple APP(http-test) and I have configured the VirtualService.
So If I do a ‘curl http://IP-GW/test’
I get 200 OK
Now, because in my infrastructure I already have a Keycloak configured, I would like to activate authentication and authorization on Istio.
I have the default GW “istio-autogenerated-k8s-ingress”
I configured the following policy:
kind: "Policy"
metadata:
name: "gateway-jwt-policy"
namespace: "istio-system"
spec:
targets:
- name: istio-ingressgateway
origins:
- jwt:
issuer: "Keycloak-URI"
jwksUri: "Keycloak-URI"
audiences:
- "client-test"
incipalBinding: USE_ORIGIN
After that If make “curl http://IP-GW/test”
I got 401 Unauthorized.
So I retrieve a JWT
TOKEN=curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=password&username=test&password=test&client_id=client-test&client_secret=<secret>&scope=openid" <keycloak>| jq -r '.access_token'
So If I do "curl -H "Authorization: Bearer $TOKEN’
I get 200 OK
So the Authentication works fine.
After that I have activated the RBAC:
kind: ClusterRbacConfig
metadata:
name: default
spec:
mode: 'ON_WITH_INCLUSION'
inclusion:
services: ["http-test.istio-system.svc.cluster.local"]
So If I do 'curl -H “Authorization: Bearer $TOKEN” http://IP-GW/test’
I get 403 Forbidden(RBAC: access denied)
this of course it’s expected
So I have configured a ServiceRole and a ServiceRoleBinding:
kind: ServiceRole
metadata:
name: http-admin
namespace: istio-system
spec:
rules:
- services: ["http-test.istio-system.svc.cluster.local"]
methods: ["*"]
paths: ["*"]
kind: ServiceRoleBinding
metadata:
name: bind-http-admin
namespace: istio-system
spec:
subjects:
- properties:
request.auth.claims[x_role]: "operator"
roleRef:
kind: ServiceRole
name: "http-admin"
The JWT provided by Keycloak is like:
HEADER:
{
"alg": "RS256",
"typ": "JWT",
"kid": "9fPzbbb3-E1r411Uj1Tuxrc1jutq4N7Vs1dt7sCKOvY"
}
PAYLOAD:
{
"jti": "be075fff-ed7f-4387-abc7-a632c884a269",
"exp": 1573227250,
"nbf": 0,
"iat": 1573226950,
"iss": "keycloak",
"aud": [
"client-test",
"account"
],
"sub": "8388d162-7222-4d8d-bc5b-d68e2ab2c8ce",
"typ": "Bearer",
"azp": "client-test",
"auth_time": 0,
"session_state": "7c14902d-c0e9-4942-bd51-df45c2e222a8",
"acr": "1",
"allowed-origins": [
""
],
"realm_access": {
"roles": [
"operator"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "openid profile email",
"email_verified": true,
"x_role": "operator",
"groups": [
"operator"
],
"preferred_username": "test",
"email": "test@test.com",
"userRoleName": [
"operator"
]
}
So If I do ‘curl -H “Authorization: Bearer $TOKEN” http://IP-GW/test’
I get always “403 Forbidden(RBAC: access denied)”
I don’t understand where is the issue!
I tried to activate mTLS, but the result is always the same.
Could you help me?