I’m using Istio 1.7 with the Ingress Gateway and Envoy Proxy sidecars on my workload.
On my Ingress Gateway, I’ve enabled JWT validation with this.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: tenna-oidc-userpool
  namespace: alb-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  jwtRules:
  - forwardOriginalToken: true
    issuer: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_jkfldsjkl
I’ve verified the Ingress Gateway is able to confirm JWT signatures/expirations and so forth. I’m also able to open selected routes to not be filtered by authentication like so.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: global-healthcheck-policy
  namespace: alb-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
  - to:
    - operation:
        paths: ["/healthz", "/stats/prometheus"]
But when I go and try to do more complex things to control resources dependent on JWT claims, the rules aren’t enforced for me. I’m not sure what I’m doing wrong.
I’ve tried this, where I want to allow requests to a certain path only if the email claim in my JWT matches. The request that should have been caught by this policy is allowed to go through even if my email is me@abc.com.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingestion-bobber-admin-policy
  namespace: alb-system
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: istio-ingressgateway
  rules:
  - to:
    - operation:
        paths: ["ingestion/bobber/admin"]
    when:
    - key: request.auth.claims[email]
      values: ["*@xyz.com"]
I’ve also tried using a DENY action like this, and still no dice.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingestion-bobber-admin-policy
  namespace: alb-system
spec:
  action: DENY
  selector:
    matchLabels:
      app: istio-ingressgateway
  rules:
  - to:
    - operation:
        paths: ["ingestion/bobber/admin"]
    when:
    - key: request.auth.claims[email]
      notValues: ["*@xyz.com"]
Can anyone point me in the right direction on what I’m doing wrong? Also, what would be a good way to analyze the rules and enforcement? I don’t see anything coming out of the Envoy logs, but I would like to see which part of the rule is failing, or whether the rule is even being activated for a request.
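Worked example added after the post (not part of the original question and not Istio's own code): a small Python model of the documented AuthorizationPolicy evaluation order and of Istio's string matching, run against the policies posted above plus an assumed corrected DENY policy and an assumed corrected ALLOW policy whose path carries a leading slash. The issuer is the one from the post; the subjects, e-mail addresses and requests are constructed.

```python
"""Toy model of how Istio evaluates AuthorizationPolicy objects on one workload.

Added example, not Istio's source. It follows the documented order (any matching
DENY policy denies; with no ALLOW policy the request is allowed; any matching
ALLOW policy allows; otherwise deny) and Istio's string matching (exact,
'prefix*', '*suffix', '*' = attribute present).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def match_value(pattern: str, value: Optional[str]) -> bool:
    """Istio-style matching: '*' any value present, 'a*' prefix, '*b' suffix, else exact."""
    if value is None:
        return False
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern


@dataclass
class Request:
    path: str                                             # as Envoy sees it: always starts with '/'
    claims: Dict[str, str] = field(default_factory=dict)  # empty when no valid JWT was presented

    def attribute(self, key: str) -> Optional[str]:
        """Resolve the attribute names used by 'when' conditions and 'from' blocks."""
        if key.startswith("request.auth.claims[") and key.endswith("]"):
            return self.claims.get(key[len("request.auth.claims["):-1])
        if key == "request.auth.principal" and "iss" in self.claims and "sub" in self.claims:
            return self.claims["iss"] + "/" + self.claims["sub"]
        return None


@dataclass
class Rule:
    paths: List[str] = field(default_factory=list)               # to.operation.paths
    request_principals: List[str] = field(default_factory=list)  # from.source.requestPrincipals
    when: List[dict] = field(default_factory=list)               # {"key":..., "values"|"notValues": [...]}


@dataclass
class Policy:
    name: str
    action: str  # "ALLOW" or "DENY"
    rules: List[Rule]


def rule_matches(rule: Rule, req: Request) -> bool:
    """Populated fields are ANDed; entries inside one list are ORed."""
    if rule.paths and not any(match_value(p, req.path) for p in rule.paths):
        return False
    principal = req.attribute("request.auth.principal")
    if rule.request_principals and not any(match_value(p, principal) for p in rule.request_principals):
        return False
    for cond in rule.when:
        value = req.attribute(cond["key"])
        if "values" in cond and not any(match_value(v, value) for v in cond["values"]):
            return False
        if "notValues" in cond and any(match_value(v, value) for v in cond["notValues"]):
            return False
    return True


def evaluate(policies: List[Policy], req: Request) -> str:
    """Return the decision and the policy (if any) that produced it."""
    for pol in policies:
        if pol.action == "DENY" and any(rule_matches(r, req) for r in pol.rules):
            return f"DENY ({pol.name})"
    allow_policies = [p for p in policies if p.action == "ALLOW"]
    if not allow_policies:
        return "ALLOW (no ALLOW policy on workload)"
    for pol in allow_policies:
        if any(rule_matches(r, req) for r in pol.rules):
            return f"ALLOW ({pol.name})"
    return "DENY (no ALLOW rule matched)"


EMAIL_IS_XYZ = {"key": "request.auth.claims[email]", "values": ["*@xyz.com"]}
EMAIL_NOT_XYZ = {"key": "request.auth.claims[email]", "notValues": ["*@xyz.com"]}

# Health-check policy as posted: rule 1 = any authenticated principal, rule 2 = two open paths.
GLOBAL = Policy("global-healthcheck-policy", "ALLOW",
                [Rule(request_principals=["*"]), Rule(paths=["/healthz", "/stats/prometheus"])])
# DENY policy as posted (no leading slash) and the assumed fix (leading slash) for both actions.
DENY_AS_POSTED = Policy("ingestion-bobber-admin-policy", "DENY", [Rule(paths=["ingestion/bobber/admin"], when=[EMAIL_NOT_XYZ])])
DENY_FIXED = Policy("ingestion-bobber-admin-policy", "DENY", [Rule(paths=["/ingestion/bobber/admin"], when=[EMAIL_NOT_XYZ])])
ALLOW_FIXED = Policy("ingestion-bobber-admin-policy", "ALLOW", [Rule(paths=["/ingestion/bobber/admin"], when=[EMAIL_IS_XYZ])])

# Constructed requests: the issuer is the one from the post, subjects and e-mails are made up.
ISS = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_jkfldsjkl"
OUTSIDER = Request("/ingestion/bobber/admin", {"iss": ISS, "sub": "u1", "email": "me@abc.com"})
INSIDER = Request("/ingestion/bobber/admin", {"iss": ISS, "sub": "u2", "email": "ops@xyz.com"})
NO_TOKEN = Request("/ingestion/bobber/admin")

if __name__ == "__main__":
    for label, pols in (("posted DENY", [GLOBAL, DENY_AS_POSTED]), ("fixed DENY", [GLOBAL, DENY_FIXED]),
                        ("fixed ALLOW", [GLOBAL, ALLOW_FIXED])):
        for who, req in (("outsider", OUTSIDER), ("insider", INSIDER), ("no token", NO_TOKEN)):
            print(f"{label:12} {who:9} -> {evaluate(pols, req)}")
```

Two things fall out of running it. First, the path in the posted policies, ingestion/bobber/admin, is compared exactly against the path Envoy sees, /ingestion/bobber/admin, so neither the ALLOW nor the DENY rule ever matches and the global requestPrincipals: ["*"] rule lets any valid token through, which is the symptom described. Second, even with the slash added, an ALLOW policy on its own cannot restrict that path while the global rule exists, because ALLOW policies are a union and the global rule still matches; the DENY form is the one that restricts it. To watch the real filter instead of a model, turn on debug logging for Envoy's RBAC filter on the gateway pod with istioctl proxy-config log <gateway-pod> -n alb-system --level rbac:debug and read that pod's logs; at that level the filter logs each decision and the policy that matched.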