Hello, I have a question about authorization inside Istio. On my cluster I use Istio and Dex as the OIDC provider, and now I want to create some authorization of users at the ingress gateway level.
How the workflow looks now:
Some user goes to https://my-domain.com, then the user is forwarded to https://my-domain.com/dex to authenticate; he can use the Google connector that is implemented in Dex, and if the user authenticates correctly he is moved back to https://my-domain.com.
Now I have some other routes, like https://my-domain.com/kibana. I want to check if the user's email has access to this route; I want not all users to be able to go to this route.
```yaml
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: istio-ingressgateway
  jwtRules:
  - issuer: "https://my-domain/dex"
    jwksUri: "https://my-domain/dex/keys"
    outputPayloadToHeader: "x-jwt"
    forwardOriginalToken: true
    fromHeaders:
    - name: Authorization
      prefix: "Bearer "
```

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: kibana-authorization
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/kibana"]
    when:
    - key: request.auth.claims[email]
      values: ["email@example.com"]
```
I want only the user with the email above to have access.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: logs-kibana
  namespace: monitoring
spec:
  hosts:
  - "*"
  gateways:
  - kubeflow/kubeflow-gateway
  http:
  - match:
    - uri:
        prefix: "/kibana"
    route:
    - destination:
        host: kibana.monitoring.svc.cluster.local
        port:
          number: 5601
```
This solution didn't work. I think Dex is not returning JWT tokens, or we don't pass these tokens when requesting from the web browser. Did anyone try to do something like this, or is it not achievable?
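As an added example (not code from the original post, nor from Istio or Dex), the following Go program models the two policy objects in the post offline, so the token-to-decision chain can be checked without a cluster. ValidateToken performs the checks a RequestAuthentication jwtRules entry performs: pick the JWKS key by the token's kid, verify the RS256 signature, and require iss to equal the configured issuer. Allowed evaluates the kibana-authorization ALLOW rule: a validated token (requestPrincipals ["*"]), GET on exactly "/kibana", and an email claim listed in values. MintToken and PublicJWKS are constructed stand-ins for the provider's token endpoint and its jwksUri, using a key generated at run time; the sub value is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"slices"
	"strings"
)

// JWTs and JWKS documents use unpadded base64url.
var b64 = base64.RawURLEncoding

// JWK and JWKS model the RSA subset of the key set an OIDC provider serves at its jwksUri.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type JWKS struct{ Keys []JWK `json:"keys"` }

// MintToken is a constructed stand-in for the provider's token endpoint: it signs claims as an RS256 JWT under key id kid.
func MintToken(key *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims) // string-valued claims always marshal
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// PublicJWKS publishes the public half of key the way a jwksUri endpoint would (stand-in for the real endpoint).
func PublicJWKS(key *rsa.PrivateKey, kid string) JWKS {
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(key.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(key.E)).Bytes())}}}
}

// ValidateToken does what a RequestAuthentication jwtRules entry does: select the JWKS key by kid, verify the RS256 signature, and require iss to equal the configured issuer.
func ValidateToken(token, issuer string, jwks JWKS) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	var seg [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		raw, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d is not base64url", i)
		}
		seg[i] = raw
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(seg[0], &hdr); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kty == "RSA" && k.Kid == hdr.Kid {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if hdr.Alg != "RS256" || pub == nil {
		return nil, fmt.Errorf("no RS256 key for kid %q in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return nil, fmt.Errorf("signature does not verify against the JWKS key")
	}
	var claims map[string]any
	if err := json.Unmarshal(seg[1], &claims); err != nil {
		return nil, err
	}
	if iss, _ := claims["iss"].(string); iss != issuer {
		return nil, fmt.Errorf("issuer %q does not match jwtRules issuer %q", iss, issuer)
	}
	return claims, nil
}

// Allowed mirrors the single ALLOW rule of the kibana-authorization policy: requestPrincipals ["*"] needs a validated
// token (Istio derives the principal as "<iss>/<sub>"), the operation must be GET on exactly "/kibana", and the email claim must be one of values.
func Allowed(method, path string, claims map[string]any, emails []string) bool {
	email, _ := claims["email"].(string)
	return claims["iss"] != nil && claims["sub"] != nil && method == "GET" && path == "/kibana" && slices.Contains(emails, email)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := MintToken(key, "k1", map[string]any{"iss": "https://my-domain/dex", "sub": "constructed-user-id", "email": "email@example.com"})
	claims, err := ValidateToken(tok, "https://my-domain/dex", PublicJWKS(key, "k1"))
	fmt.Println(err, Allowed("GET", "/kibana", claims, []string{"email@example.com"}))
}
```

Two things the model makes visible: Istio only evaluates a token it actually receives in the header named in fromHeaders, so a browser session that never sends `Authorization: Bearer <token>` yields no principal and the ALLOW rule cannot match; and the policy's `paths: ["/kibana"]` is an exact match (a prefix match would be written `"/kibana*"`), while the VirtualService routes the whole `/kibana` prefix, so a request such as `/kibana/app` matches no ALLOW rule on the gateway and is therefore denied.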