I’m currently facing an issue with the Istio AuthorizationPolicy configuration for JWT authentication. Our goal is to enable JWT authentication for traffic originating from outside the namespace, while allowing requests within the namespace to proceed without authentication.
Here is the relevant configuration:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  annotations:
  name: auth-policy
  namespace: istio-system
spec:
  rules:
  - from:
    - source:
        requestPrincipals:
        - '*'
    - source:
        notNamespaces:
        - <namespace>
  selector:
    matchLabels:
      <key>: <value>
---
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      <key>: <value>
  jwtRules:
  - issuer: "<issuer>"
    jwksUri: "<jwksUri>"
    fromHeaders:
    - name: x-jwt-assertion
      prefix: "Bearer "
```
The problem we’re encountering is that requests within the specified namespace also require authentication, despite using the notNamespaces field in the AuthorizationPolicy. We expected that requests within the namespace would be exempt from authentication.
If anyone has encountered a similar issue or has insights into the correct configuration to achieve our desired behavior, I would greatly appreciate your assistance. Thank you in advance for your help!
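To make the rule semantics concrete, here is an added example (not from the original post) that models how Istio evaluates an ALLOW AuthorizationPolicy: the `source` entries under one `from` are ORed, while fields inside a single `source` are ANDed. It runs the posted single-rule policy and a two-rule alternative against four constructed requests; the namespace `team-a`, the principals and the request shapes are placeholders I chose for the demonstration.

```python
# Added example: a simplified model of Istio ALLOW-policy evaluation. Semantics
# modelled: a request is allowed if ANY rule matches; the `source` entries under
# one `from` are ORed; fields inside one `source` are ANDed; a list value matches
# if ANY element matches. Only namespaces/notNamespaces/requestPrincipals are handled.
from fnmatch import fnmatchcase  # stands in for Istio's prefix/suffix wildcards

def source_matches(source: dict, req: dict) -> bool:
    """Every field inside one `source` block must hold (AND)."""
    ns, principal = req["namespace"], req["principal"]
    if "namespaces" in source and ns not in source["namespaces"]:
        return False
    if "notNamespaces" in source and ns in source["notNamespaces"]:
        return False
    if "requestPrincipals" in source and (
        principal is None
        or not any(fnmatchcase(principal, p) for p in source["requestPrincipals"])
    ):
        return False
    return True

def is_allowed(policy: dict, req: dict) -> bool:
    """ALLOW policy: allowed iff some rule has a matching source; otherwise denied."""
    return any(
        any(source_matches(f["source"], req) for f in rule.get("from", []))
        for rule in policy["rules"]
    )

# Rule from the post: one rule, two sources -> "has a JWT principal" OR "not from team-a".
POSTED = {"rules": [{"from": [
    {"source": {"requestPrincipals": ["*"]}},
    {"source": {"notNamespaces": ["team-a"]}},   # "team-a" is a placeholder for <namespace>
]}]}

# Two separate rules -> "from team-a" OR "has a JWT principal".
TWO_RULES = {"rules": [
    {"from": [{"source": {"namespaces": ["team-a"]}}]},
    {"from": [{"source": {"requestPrincipals": ["*"]}}]},
]}

# Constructed requests. A request carrying an invalid JWT is rejected earlier by
# RequestAuthentication; one with no JWT reaches the policy with no principal.
REQUESTS = {
    "inside_no_jwt":  {"namespace": "team-a", "principal": None},
    "inside_jwt":     {"namespace": "team-a", "principal": "issuer/alice"},
    "outside_no_jwt": {"namespace": "other", "principal": None},
    "outside_jwt":    {"namespace": "other", "principal": "issuer/bob"},
}

def evaluate(policy: dict) -> dict:
    """Map each constructed request name to the policy's allow/deny decision."""
    return {name: is_allowed(policy, req) for name, req in REQUESTS.items()}
```

Running `evaluate(POSTED)` shows the single-rule form denying `inside_no_jwt` while allowing `outside_no_jwt`; `evaluate(TWO_RULES)` gives the reverse. The `namespaces` match is taken from the peer certificate, so it only identifies the caller when mTLS is in place between the workloads.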