Istio AuthN policy for Service deployed in a different namespace

Hi,

This is my service deployment config.

apiVersion: v1
kind: Service
metadata:
  name: myservice
  namespace: test
  labels:
    app: test-app
spec:
  type: NodePort
  selector:
    app: test-app
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 8080
    name: http

and Istio’s authN policy is deployed in a separate namespace istio-system. This is the config -

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: authn-policy
  namespace: istio-system
spec:
  targets:
  - name: myservice
  origins:
  - jwt:
      issuer: "https://identity.oraclecloud.com/"
      jwksUri: "https://idcs-test.identity.oraclecloud.com/admin/v1/SigningCert/jwk"
  principalBinding: USE_ORIGIN

With this configuration, I can access the end-point without authorization (no token being passed). Is this because the target specification for the service myservice is unable to look outside the istio-system namespace?

What is the right way to construct the AuthN-policy filter in this case?

Appreciate any quick help.

Hi @YangminZhu, would you be able to help out on how to reference services deployed in a different namespace?

In fact, I tried deploying a mesh-wide policy as below -

apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: default
  namespace: istio-system
spec:
  origins:
  - jwt:
      issuer: "https://identity.oraclecloud.com/"
      jwksUri: "https://idcs-test.identity.c9dev1.oc9qadev.com/admin/v1/SigningCert/jwk"
  principalBinding: USE_ORIGIN

But there is no effect. I can still access the REST end-point without passing the bearer token.

Having said this, when I created an EnvoyFilter as below, I was restricted from accessing my REST end-point.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: edge-jwt-authn
spec:
  workloadLabels:
    app: istio-ingressgateway
  filters:
  - listenerMatch:
      portNumber: 443
      listenerType: GATEWAY
    filterName: envoy.filters.http.jwt_authn
    filterType: HTTP
    filterConfig:
      providers:
        provider_idcs:
          issuer: https://identity.oraclecloud.com/
          local_jwks:
            inline_string: '<JWK>'
      rules:
      - match:
          prefix: /
        requires:
          provider_name: provider_idcs

For your first policy, authn-policy, it should be added in the same namespace as the service, which is test, to make it work.

For your second mesh policy, you don’t need to specify the namespace because it’s a cluster-scoped resource. It should work, and I guess there might be another authN policy in the test namespace that actually overrides its effect.
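To make the two points in this answer concrete, here is an added example (not code from the thread or from Istio) that models how an authentication.istio.io/v1alpha1 Policy or MeshPolicy is selected for a workload; the policy objects are constructed Python dicts mirroring the YAML above, and the permissive test/default Policy is a hypothetical stand-in for the override the answer guesses at.

```python
# Added example (not from the thread): a model of how Istio's
# authentication.istio.io/v1alpha1 policies are selected for one workload.
# Precedence: Policy in the service's own namespace that lists it in
# targets > namespace-wide Policy named "default" (no targets) > MeshPolicy
# named "default". Policy is namespaced, so one in istio-system never
# matches test/myservice.

def jwt_required(policy):
    """True if the policy spec carries at least one JWT origin."""
    return any("jwt" in o for o in policy.get("spec", {}).get("origins", []))

def resolve(service, namespace, policies):
    """Return (policy label, jwt required) for namespace/service, or (None, False)."""
    service_specific = namespace_wide = mesh_wide = None
    for p in policies:
        kind, meta, spec = p["kind"], p["metadata"], p.get("spec", {})
        targets = spec.get("targets", [])
        if kind == "MeshPolicy" and meta["name"] == "default":
            mesh_wide = p  # cluster-scoped, lowest precedence
        elif kind == "Policy" and meta.get("namespace") == namespace:
            if targets:
                if any(t.get("name") == service for t in targets):
                    service_specific = p
            elif meta["name"] == "default":
                namespace_wide = p
    chosen = service_specific or namespace_wide or mesh_wide
    if chosen is None:
        return None, False
    return f'{chosen["kind"]}/{chosen["metadata"]["name"]}', jwt_required(chosen)

# Constructed inputs mirroring the thread's YAML.
JWT_ORIGIN = {"jwt": {"issuer": "https://identity.oraclecloud.com/",
              "jwksUri": "https://idcs-test.identity.oraclecloud.com/admin/v1/SigningCert/jwk"}}
# The first attempt: Policy in istio-system targeting myservice.
WRONG_NS_POLICY = {"kind": "Policy", "metadata": {"name": "authn-policy", "namespace": "istio-system"},
                   "spec": {"targets": [{"name": "myservice"}], "origins": [JWT_ORIGIN]}}
# The same Policy moved into the service's namespace, as the answer suggests.
FIXED_POLICY = {"kind": "Policy", "metadata": {"name": "authn-policy", "namespace": "test"},
                "spec": {"targets": [{"name": "myservice"}], "origins": [JWT_ORIGIN]}}
MESH_POLICY = {"kind": "MeshPolicy", "metadata": {"name": "default"}, "spec": {"origins": [JWT_ORIGIN]}}
# Hypothetical permissive namespace default (constructed): the kind of object the
# answer guesses is overriding the MeshPolicy inside the test namespace.
PERMISSIVE_NS_DEFAULT = {"kind": "Policy", "metadata": {"name": "default", "namespace": "test"}, "spec": {}}
```

Calling resolve("myservice", "test", [WRONG_NS_POLICY]) yields no policy at all, while [MESH_POLICY, PERMISSIVE_NS_DEFAULT] picks the namespace default and drops the JWT requirement, which is the symptom described above.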