My current setup is as follows:
- Public → API gateway is verified using an opaque token
- API-Gateway creates a signed JWT and propagates it to downstream services
- Service's Istio sidecar verifies the JWT from the api-gateway
Context:
- this RequestAuthentication policy is only applied for traffic that enters our ecosystem from the public internet (not other internal service to service traffic)
- we already have PeerAuthentication set up for mTLS in the mesh
- we plan on implementing AuthorizationPolicy soon for ensuring only the traffic that should be allowed is being forwarded inward beyond the api-gateway (my colleague feels this is enough and RequestAuthentication is overkill/redundant/weird)
Question:
- is using RequestAuthentication for this specific use case awkward?
- I have a colleague telling me that it's only meant for end-user authentication
- my rationale is to apply security in layers and protect from teams applying liberal ALLOW * AuthzPolicies in their namespaces
- also there is a concern about the VirtualService being modified with a bug and then bypassing the api-gateway, hence I want to apply some added protection so that only the api-gateway lets traffic in from the outside world
- am I just being overly paranoid? Am I misusing the policy for something it was not meant to do?
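One way to express the layered check described above, as an added example that is not from the original post or from Istio's own documentation: a RequestAuthentication for the gateway-issued JWT, plus a DENY AuthorizationPolicy that rejects requests lacking a valid token or not arriving from the gateway's mTLS identity. The namespace, selector labels, issuer, JWKS URL and gateway service account are assumed placeholders, and the second DENY rule assumes the selected workload should only be reachable through the api-gateway (internal callers would need their principals added).

```yaml
# Added example, not from the original post. Namespace "payments", label
# app=payments, the issuer/JWKS URL and the gateway SPIFFE identity are assumed.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: gateway-jwt
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments
  jwtRules:
  - issuer: "https://api-gateway.example.internal"                        # assumed
    jwksUri: "https://api-gateway.example.internal/.well-known/jwks.json"  # assumed
    forwardOriginalToken: true   # keep the token available to the app if it needs claims
---
# RequestAuthentication alone only rejects requests carrying an *invalid* token;
# a request with no token at all still passes. This DENY policy closes that gap
# and also pins the peer identity to the api-gateway. DENY policies are
# evaluated before ALLOW, so a liberal "ALLOW *" added elsewhere in the
# namespace cannot override it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-gateway-jwt
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments
  action: DENY
  rules:
  # Rule 1: no validated request principal (missing JWT) -> deny
  - from:
    - source:
        notRequestPrincipals: ["*"]
  # Rule 2: mTLS peer is not the api-gateway's service account -> deny
  # (relies on the STRICT PeerAuthentication already in the mesh)
  - from:
    - source:
        notPrincipals: ["cluster.local/ns/istio-ingress/sa/api-gateway"]  # assumed SA
```

With both objects applied, a request that bypasses the gateway (for example through a mis-edited VirtualService) is denied even if it somehow carries a valid JWT, and a request from the gateway without a JWT is denied as well.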