Clarification for istio authentication policy with origin and peer mtls authentication

I am using istio deployed in a minikube cluster. I have created and deployed two services in the default namespace, an ‘entitlements’ service and an ‘organizations’ service. The ‘organizations’ service exposes an endpoint meant to be hit publicly. When that endpoint is called, organizations calls into the ‘entitlements’ service to get some information.

I want to have an authentication policy that requires origin authentication for requests coming from outside the cluster, and mtls for all requests machine-to-machine (peer authentication: orgs -> entitlements).

end_user -> organizations (origin jwt authentication) -> entitlements (mtls authentication)

This is the policy I have:

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: "default"
spec:
  origins:
  - jwt:
      issuer: "https://login-dev.solutionreach.com/oauth2/aushjaeb7yvgghqOU0h7"
      jwksUri: "https://solutionreach-test.oktapreview.com/oauth2/aushjaeb7yvgghqOU0h7/v1/keys"
      audiences:
      - "https://api.dev.srconnect.io"
  peers:
  - mtls: {}
  principalBinding: USE_ORIGIN

Before I added the ‘peers’ section of the config, I was able to make a request to the public endpoint fine using curl. However, once I added ‘peers’ into the Policy config, I started getting 503 responses with upstream connect error or disconnect/reset before headers in the body.

I expected that with that configuration, I would be able to make origin-authenticated calls, and that service-to-service calls would be authenticated via mtls, but what I think is happening is that now my origin-calls from outside the cluster are required to use mtls as well, is that correct?

How would I go about configuring origin authentication for requests coming from outside the cluster, and mtls for machine-to-machine authentication inside the cluster?

I’m also hitting the same issue, does anyone know how to make both work?

Your policy didn’t use TargetSelector which means it will apply to all services in the default namespace.

This means the organizations service will also require mTLS from end_user and I think this is the reason for the 503 response.

To correct this, you can use TargetSelector to specify different policies for organizations and entitlements, for example:

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "organizations-jwt"
  namespace: "default"
spec:
  targets:
  - name: organizations
  origins:
  - jwt:
      issuer: "https://login-dev.solutionreach.com/oauth2/aushjaeb7yvgghqOU0h7"
      jwksUri: "https://solutionreach-test.oktapreview.com/oauth2/aushjaeb7yvgghqOU0h7/v1/keys"
      audiences:
      - "https://api.dev.srconnect.io"
  principalBinding: USE_ORIGIN
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "entitlements-mtls"
  namespace: "default"
spec:
  targets:
  - name: entitlements
  peers:
  - mtls: {}

The above example policy requires JWT authentication for service organizations and mTLS for service entitlements. Please also make sure you have the correct DestinationRule so that organizations is able to talk to entitlements with mTLS, for example:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: entitlements-istio-mtls
  namespace: "default"
spec:
  host: entitlements.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
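As an added illustration (this is not code from the thread or from Istio itself), the script below resolves which v1alpha1 Policy Istio applies to each service, following the documented precedence (a Policy whose `targets` names the service wins over the namespace-wide Policy that has no `targets`), and then flags the two conditions behind the 503 above: a service that requires mTLS but is called by a client without a sidecar (the end user's curl), and a service that requires mTLS but has no DestinationRule with `ISTIO_MUTUAL` for its host, so sidecar clients would send plaintext. The policies and DestinationRule are hand-converted from the YAML in this thread to Python dicts so the script runs offline; the finding codes, the `EXTERNAL_FACING` set and the short-name/FQDN host matching are assumptions made for this example.

```python
# Added example: resolve the effective Istio v1alpha1 authentication Policy per
# service and flag the misconfigurations that produce the 503 in this thread.
# Illustrative code written for this thread; it is not Istio's own logic.
from typing import Dict, List, Optional

ISSUER = "https://login-dev.solutionreach.com/oauth2/aushjaeb7yvgghqOU0h7"

# Constructed from the original poster's YAML (one namespace-wide Policy).
ORIGINAL_POLICIES = [
    {"metadata": {"name": "default", "namespace": "default"},
     "spec": {"origins": [{"jwt": {"issuer": ISSUER}}],
              "peers": [{"mtls": {}}],
              "principalBinding": "USE_ORIGIN"}},
]

# Constructed from the answer's YAML (two targeted Policies plus a DestinationRule).
FIXED_POLICIES = [
    {"metadata": {"name": "organizations-jwt", "namespace": "default"},
     "spec": {"targets": [{"name": "organizations"}],
              "origins": [{"jwt": {"issuer": ISSUER}}],
              "principalBinding": "USE_ORIGIN"}},
    {"metadata": {"name": "entitlements-mtls", "namespace": "default"},
     "spec": {"targets": [{"name": "entitlements"}],
              "peers": [{"mtls": {}}]}},
]
FIXED_DESTINATION_RULES = [
    {"metadata": {"name": "entitlements-istio-mtls", "namespace": "default"},
     "spec": {"host": "entitlements.default.svc.cluster.local",
              "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
]

SERVICES = ["organizations", "entitlements"]
# Assumption for this example: services that receive requests from clients
# with no Envoy sidecar (the end user's curl hits organizations directly).
EXTERNAL_FACING = {"organizations"}


def effective_policy(service: str, namespace: str, policies: List[dict]) -> Optional[dict]:
    """Return the Policy Istio applies to `service`: a Policy that names the
    service in `targets` takes precedence over a namespace-wide Policy (no
    `targets`). Returns None when neither exists."""
    in_ns = [p for p in policies if p["metadata"].get("namespace", "default") == namespace]
    targeted = [p for p in in_ns
                if any(t["name"] == service for t in p["spec"].get("targets", []))]
    if targeted:
        return targeted[0]
    namespace_wide = [p for p in in_ns if not p["spec"].get("targets")]
    return namespace_wide[0] if namespace_wide else None


def requirements(policy: Optional[dict]) -> Dict[str, object]:
    """What the server-side sidecar will demand under `policy`."""
    spec = policy["spec"] if policy else {}
    return {
        "mtls": any("mtls" in peer for peer in spec.get("peers", [])),
        "jwt_issuers": [o["jwt"]["issuer"] for o in spec.get("origins", []) if "jwt" in o],
    }


def client_tls_mode(service: str, namespace: str, destination_rules: List[dict]) -> Optional[str]:
    """TLS mode client sidecars use for `service`, from a matching DestinationRule.
    Assumption: the host is given either as the short name or the cluster FQDN."""
    fqdn = f"{service}.{namespace}.svc.cluster.local"
    for dr in destination_rules:
        if dr["spec"].get("host") in (service, fqdn):
            return dr["spec"].get("trafficPolicy", {}).get("tls", {}).get("mode")
    return None


def diagnose(services: List[str], policies: List[dict], destination_rules: List[dict],
             external_facing, namespace: str = "default") -> Dict[str, List[str]]:
    """Map each service to a list of finding codes (empty list = consistent)."""
    findings: Dict[str, List[str]] = {}
    for svc in services:
        req = requirements(effective_policy(svc, namespace, policies))
        issues: List[str] = []
        if req["mtls"] and svc in external_facing:
            # Clients without a sidecar cannot present an Istio client cert.
            issues.append("MTLS_REQUIRED_FROM_NON_SIDECAR_CLIENT")
        if req["mtls"] and client_tls_mode(svc, namespace, destination_rules) != "ISTIO_MUTUAL":
            # Server demands mTLS but client sidecars will originate plaintext.
            issues.append("NO_ISTIO_MUTUAL_DESTINATIONRULE")
        findings[svc] = issues
    return findings


if __name__ == "__main__":
    print("original:", diagnose(SERVICES, ORIGINAL_POLICIES, [], EXTERNAL_FACING))
    print("fixed:   ", diagnose(SERVICES, FIXED_POLICIES, FIXED_DESTINATION_RULES, EXTERNAL_FACING))
```

Run against the original configuration, the namespace-wide `default` Policy applies to both services, so organizations is flagged for requiring mTLS from a sidecar-less client and both services are flagged for having no `ISTIO_MUTUAL` DestinationRule; with the answer's split Policies and DestinationRule, both services come back clean.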

Please see my reply above and let me know if it solves your issue.

@YangminZhu Thanks, that fixes the issue.