Hello, I have a question about authorization inside Istio. On the cluster I use Istio and Dex as the OIDC provider, and now I want to create some authorization of users at the ingress gateway level.
This is how the workflow looks now.
A user goes to https://my-domain.com, then the user is forwarded to https://my-domain.com/dex to authenticate; they can use the Google connector that is implemented in Dex, and if the user authenticates correctly they are moved back to https://my-domain.com.
Now I have some other routes like https://my-domain.com/kibana, and I want to check if the user's email has access to this route; I don't want all users to be able to go to this route.
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: istio-ingressgateway
  jwtRules:
  - issuer: "https://my-domain/dex"
    jwksUri: "https://my-domain/dex/keys"
    outputPayloadToHeader: "x-jwt"
    forwardOriginalToken: true
    fromHeaders:
    - name: Authorization
      prefix: "Bearer "

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: kibana-authorization
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/kibana"]
    when:
    - key: request.auth.claims[email]
      values: ["hubert@example.com"]

I want to allow access only to the user with the email above.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: logs-kibana
  namespace: monitoring
spec:
  hosts:
  - "*"
  gateways:
  - kubeflow/kubeflow-gateway
  http:
  - match:
    - uri:
        prefix: "/kibana"
    route:
    - destination:
        host: kibana.monitoring.svc.cluster.local
        port:
          number: 5601

This solution didn't work. I think Dex is not returning JWT tokens, or we are not passing these tokens when requesting from the web browser. Did anyone try to do something like this, or is it not achievable?