AuthorizationPolicy not Enforced

lamchan · September 2, 2020, 9:37pm

I’m using Istio 1.7 with the Ingress Gateway and Envoy Proxy sidecars on my workload.

On my Ingress Gateway, I’ve enabled JWT validation with this.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: tenna-oidc-userpool
  namespace: alb-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  jwtRules:
  - forwardOriginalToken: true
    issuer: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_jkfldsjkl

I’ve verified the Ingress Gateway is able to confirm JWT signatures/expirations and so forth. I’m also able to open selected routes to not be filtered by authentication like so.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: global-healthcheck-policy
  namespace: alb-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
  - to:
    - operation:
        paths: ["/healthz", "/stats/prometheus"]

But when I go and try to do more complex things to control resources dependent on JWT claims, the rules aren’t enforced for me. I’m not sure what I’m doing wrong.

I’ve tried this where I want to allow request to a certain path only if the email claim in my JWT matches. The request that should have been caught by this policy is allowed to go through even if my email is me@abc.com

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingestion-bobber-admin-policy
  namespace: alb-system
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: istio-ingressgateway
  rules:
  - to:
    - operation:
        paths: ["ingestion/bobber/admin"]
    when:
      - key: request.auth.claims[email]
        values: ["*@xyz.com"]

I’ve also tried using a DENY action like this and still no dice.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingestion-bobber-admin-policy
  namespace: alb-system
spec:
  action: DENY
  selector:
    matchLabels:
      app: istio-ingressgateway
  rules:
  - to:
    - operation:
        paths: ["ingestion/bobber/admin"]
    when:
      - key: request.auth.claims[email]
        notValues: ["*@xyz.com"]

Can anyone point me in the right direction on what I’m doing wrong? Also what would be a good way to analyze the rules and enforcement. I don’t see anything coming out of the envoy logs. But would like to see which part of the rule is failing or if the rule is even being activated for a request.

YangminZhu · October 8, 2020, 8:17pm

In your RequestAuthentication policy, it seems you didn’t specify the jwksUri field to provide the jwks for validating your JWT token?

lamchan · October 8, 2020, 8:32pm

The jwksUri is optional. It uses the OpenID API contract standards when not supplied to calculate the public key API path.

Topic		Replies	Views
Istio 1.5 AuthorizationPolicy using JWT Security	4	975	July 28, 2020
Istio JWT authentication does not seem to be working Security	7	5045	January 27, 2021
Struggling with JWT auth Security	1	526	January 4, 2022
Exclude RequestAuthentication JWT rules for specific paths Security	3	969	June 24, 2022
Ingress gateway IP whitelist with AuthorizationPolicy	7	3446	March 11, 2020

AuthorizationPolicy not Enforced

Related Topics