Correct way to require a JWT to access a workload from ingress

I’m trying to create an authorization policy (in Istio 1.17.3) that requires a JWT to access a particular workload for ingress traffic. I’m getting errors logged, but it otherwise seems to work; I’m hoping someone can validate my approach, which uses the requestPrincipal to check the token.

Istiod continually logs an error telling me that:

error	authorization	skipped rule ns[test]-policy[httpbin-test]-rule[1]: 
request.auth.principal must not be used in TCP

Here’s my test authorization policy. I’m attempting to allow access from the sleep service with no token, but ingress (or anything originating from istio-system) requires a token:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-test
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/test/sa/sleep
  - from:
    - source:
        namespaces:
        - istio-system
        requestPrincipals:
        - '*'
  selector:
    matchLabels:
      app: httpbin
      version: v1

Am I doing something wrong? Is there a preferred way to do this? I’m trying to apply the policy to the workload itself since there are other workloads which do not have this requirement. Clearly the rule is not being skipped in all cases since it’s working (and behaves very differently when I remove that rule).

Thanks for any input.

I’m having the same issue. I found this resource https://istio.io/latest/docs/reference/config/security/conditions/ which basically says the requestPrincipals field is HTTP only. I have yet to find out how to fix this; I’m guessing it’s to do with the port the container is on, but I’m not sure. I might try changing it from 5000 to 80 and see what happens.

I figured out the fix was to add the name field to the service’s port section e.g. name: http
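Putting the thread together as one worked configuration (an added example, not the manifests posted above): the Service port is named so Istio classifies the traffic as HTTP, a RequestAuthentication validates the JWT so requestPrincipals is populated, and the AuthorizationPolicy from the question is kept as written. The namespace "test", the Service name "httpbin", container port 5000 and the issuer/JWKS URL are assumptions; replace them with your own values.

```yaml
# Added example; not the original poster's manifests.
# Assumes namespace "test", a Service "httpbin" fronting container port 5000,
# and a hypothetical issuer/JWKS endpoint (replace with your own).
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: test
spec:
  selector:
    app: httpbin
  ports:
  # The port name is what the sidecar uses for protocol selection.
  # Without "http" (or "http-<suffix>") the port is treated as opaque TCP,
  # which is why istiod logged "request.auth.principal must not be used in TCP"
  # and skipped the requestPrincipals rule for traffic on this port.
  # On Kubernetes 1.18+ you can set appProtocol: http instead of a prefix.
  - name: http
    port: 5000
    targetPort: 5000
---
# Validates incoming JWTs; without a RequestAuthentication the token is not
# checked and requestPrincipals never matches, so the ALLOW rule below would
# deny every request from istio-system regardless of the token.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin-jwt
  namespace: test
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "https://issuer.example.com"                        # assumption
    jwksUri: "https://issuer.example.com/.well-known/jwks.json" # assumption
---
# Same policy as in the question, now applied to an HTTP-classified port.
# Requests that match neither rule (for example, ingress traffic with no
# valid token) are rejected because an ALLOW policy denies everything else.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-test
  namespace: test
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/test/sa/sleep
  - from:
    - source:
        namespaces:
        - istio-system
        requestPrincipals:
        - '*'
  selector:
    matchLabels:
      app: httpbin
      version: v1
```

To check the protocol classification after applying the Service change, look at the port names with `kubectl get svc httpbin -n test -o jsonpath='{.spec.ports[*].name}'` and confirm the "skipped rule ... must not be used in TCP" line stops appearing in the istiod log; `istioctl x describe pod <httpbin-pod> -n test` also reports the protocol Istio has assigned to each port. Note that the requestPrincipals wildcard only requires some valid token from a configured issuer; if a specific issuer or subject is required, narrow it to "issuer/subject" form rather than '*'.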