Hi all,
Working with Google Cloud and Kubeflow, I would like to establish a GRPC connection with a pod in my cluster.
My current setup includes an istio-ingressgateway configured with Cloud Identity-Aware Proxy as the authorization layer.
I already have in place a virtual service to redirect my traffic from the ingress-gateway to the GRPC pod port.
When I port-forward locally to my ingress-gateway http2 port, I am unable to send requests and get the following error:
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
    status = StatusCode.UNAUTHENTICATED
    details = "Origin authentication failed"
    debug_error_string = "{"created":"@1587401119.875413000","description":"Error received from peer ipv6:[::1]:8080","file":"src/core/lib/surface/call.cc","file_line":1056,"grpc_message":"Origin authentication failed","grpc_status":16}"
From the error code I can see that it is a problem authenticating my GRPC channel.
The problem looks even stranger when I look at my ingress-gateway logs, where I can see the following for my failed request:
"POST /seldon.protos.Seldon/Predict HTTP/2" 200 - "-" 0 0 0 - "10.52.7.24" "grpc-python/1.27.2 grpc-c/9.0.0 (osx; chttp2; guantao)"
which in the logs looks successful.
My current security policy is:
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"authentication.istio.io/v1alpha1","kind":"Policy","metadata":{"annotations":{},"labels":{"app.kubernetes.io/component":"iap-ingress","app.kubernetes.io/instance":"iap-ingress-v1.0.0","app.kubernetes.io/managed-by":"kfctl","app.kubernetes.io/name":"iap-ingress","app.kubernetes.io/part-of":"kubeflow","app.kubernetes.io/version":"v1.0.0","kustomize.component":"iap-ingress"},"name":"ingress-jwt","namespace":"istio-system"},"spec":{"origins":[{"jwt":{"audiences":["TO_BE_PATCHED"],"issuer":"https://cloud.google.com/iap","jwksUri":"https://www.gstatic.com/iap/verify/public_key-jwk","jwtHeaders":["x-goog-iap-jwt-assertion"],"trigger_rules":[{"excluded_paths":[{"exact":"/healthz/ready"},{"prefix":"/.well-known/acme-challenge"}]}]}}],"principalBinding":"USE_ORIGIN","targets":[{"name":"istio-ingressgateway","ports":[{"number":80}]}]}}
  creationTimestamp: "2020-04-18T09:43:46Z"
  generation: 2
  labels:
    app.kubernetes.io/component: iap-ingress
    app.kubernetes.io/instance: iap-ingress-v1.0.0
    app.kubernetes.io/managed-by: kfctl
    app.kubernetes.io/name: iap-ingress
    app.kubernetes.io/part-of: kubeflow
    app.kubernetes.io/version: v1.0.0
    kustomize.component: iap-ingress
  name: ingress-jwt
  namespace: istio-system
  resourceVersion: "8170"
  selfLink: /apis/authentication.istio.io/v1alpha1/namespaces/istio-system/policies/ingress-jwt
  uid: *********
spec:
  origins:
  - jwt:
      audiences:
      - /projects/2********/global/backendServices/
      issuer: https://cloud.google.com/iap
      jwksUri: https://www.gstatic.com/iap/verify/public_key-jwk
      jwtHeaders:
      - x-goog-iap-jwt-assertion
      trigger_rules:
      - excluded_paths:
        - exact: /healthz/ready
        - prefix: /.well-known/acme-challenge
  principalBinding: USE_ORIGIN
  targets:
  - name: istio-ingressgateway
    ports:
    - number: 80
Using REST I was able to authenticate my requests successfully, adding a token to my request following what is described here.
I’ve tried various ways to authenticate my requests in GRPC with no success:
- https://grpc.io/docs/guides/auth/#authenticate-with-google-using-a-jwt
- https://grpc.io/docs/guides/auth/#authenticate-with-google-using-an-oauth2-token
- Adding as metadata of the request: ('authentication', 'Bearer {}'.format(token))
Is there any example of creating a secure channel with Cloud IAP?
Many Thanks
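The posted ingress-jwt policy names a single token location (jwtHeaders: x-goog-iap-jwt-assertion), skips the excluded_paths entirely, and applies only to the target port. The following Python is an added example, not code from the original post, Istio or Kubeflow; it models that selection logic over constructed requests, assuming Istio v1alpha1 Policy semantics (when jwtHeaders is set, only those headers are consulted) and leaving signature, issuer and audience validation against jwksUri out of scope.

```python
"""Model of how the ingress-jwt Policy selects and locates a JWT.

Added example; assumes Istio v1alpha1 semantics for jwtHeaders,
trigger_rules.excluded_paths and targets.ports. No crypto is done here.
"""
from typing import Dict, List, Optional

# Constructed copy of the relevant spec fields from the posted policy.
POLICY = {
    "jwt_headers": ["x-goog-iap-jwt-assertion"],
    "excluded_paths": [
        {"exact": "/healthz/ready"},
        {"prefix": "/.well-known/acme-challenge"},
    ],
    "target_ports": [80],
}


def path_excluded(path: str, rules: List[Dict[str, str]]) -> bool:
    """True if any excluded_paths rule (exact or prefix) matches the path."""
    for rule in rules:
        if "exact" in rule and path == rule["exact"]:
            return True
        if "prefix" in rule and path.startswith(rule["prefix"]):
            return True
    return False


def locate_jwt(headers: Dict[str, str], jwt_headers: List[str]) -> Optional[str]:
    """Return the token from the first configured header present, else None.

    gRPC metadata keys are lowercased on the wire, so compare case-insensitively.
    Headers not listed in jwt_headers (e.g. a Bearer token elsewhere) are ignored.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in jwt_headers:
        if name.lower() in lowered:
            return lowered[name.lower()]
    return None


def origin_auth_decision(port: int, path: str, headers: Dict[str, str]) -> str:
    """Classify a request as the policy's origin check would see it:
    'not_targeted', 'excluded', 'missing_jwt' or 'jwt_present'."""
    if port not in POLICY["target_ports"]:
        return "not_targeted"
    if path_excluded(path, POLICY["excluded_paths"]):
        return "excluded"
    if locate_jwt(headers, POLICY["jwt_headers"]) is None:
        return "missing_jwt"
    return "jwt_present"
```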