Hi all, I’m trying to step through the AuthService example with BookInfo and have a few questions. The current example relies on a Policy resource which I believe was deprecated in favor of the new AuthN API resources: AuthorizationPolicy and RequestAuthentication. Are the following manifests appropriate replacements?
```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: bookinfo-productpage
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: productpage
  jwtRules:
  - issuer: https://kubernetes.docker.internal/auth/realms/example
    jwksUri: https://kubernetes.docker.internal/auth/realms/example/protocol/openid-connect/certs
  principalBinding: USE_ORIGIN
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bookinfo-productpage
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: productpage
  # rules:
  # - from:
  #   - source:
  #       requestPrincipals: ["*"]
```
If so, I can submit a PR to address this. Just wanted to make sure I was implementing them correctly first.
Second, I am using Keycloak as my OIDC provider. You can see my JWT issuer rules in the RequestAuthentication resource above. If these lines are commented out, /productpage will return a 403. If they are NOT commented out, /productpage will return a 200. This seems strange to me as the docs suggest I should expect a 401 when requests are being denied. Furthermore, why are requests being allowed when I add the JWT rule and denied when it is absent?
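As an added example (not part of the post above, and not taken from the Istio BookInfo sample), here is the same pair of manifests with the `rules` block active and the `principalBinding` field removed, since that field belongs to the deprecated `Policy` resource and is not part of `RequestAuthentication`. The issuer and jwksUri values are the ones from the post; they are assumptions about the Keycloak realm and must be adjusted to match yours.

```yaml
# Added example: RequestAuthentication + AuthorizationPolicy for productpage.
# Issuer/jwksUri are copied from the post above and are assumed, not verified.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: bookinfo-productpage
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: productpage
  jwtRules:
  - issuer: https://kubernetes.docker.internal/auth/realms/example
    jwksUri: https://kubernetes.docker.internal/auth/realms/example/protocol/openid-connect/certs
  # No principalBinding here: that field existed on the old Policy resource only.
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bookinfo-productpage
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  # Only requests that carry a JWT validated by the RequestAuthentication above
  # (so that a request principal is set) match this rule.
  # If this rules block is removed, an ALLOW policy with no rules matches
  # nothing, so the sidecar denies every request to productpage with 403.
  - from:
    - source:
        requestPrincipals: ["*"]
```

With both applied, a request with a token that fails validation is rejected with 401 by the RequestAuthentication, a request with no token at all is accepted by the RequestAuthentication (as unauthenticated) and then denied with 403 by the AuthorizationPolicy, and a request with a valid Keycloak token gets 200. A 401 therefore only appears when a token is present and invalid, never when the token is simply missing.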