I’m currently facing an issue with the Istio AuthorizationPolicy configuration for JWT authentication. Our goal is to enable JWT authentication for traffic originating from outside the namespace, while allowing requests within the namespace to proceed without authentication.
Here is the relevant configuration:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  annotations: {}
  name: auth-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      <key>: <value>
  rules:
  - from:
    - source:
        requestPrincipals:
        - '*'
    - source:
        notNamespaces:
        - <namespace>
---
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      <key>: <value>
  jwtRules:
  - issuer: "<issuer>"
    jwksUri: "<jwksUri>"
    fromHeaders:
    - name: x-jwt-assertion
      prefix: "Bearer "
The problem we’re encountering is that requests within the specified namespace are also requiring authentication, despite using the notNamespaces field in the AuthorizationPolicy. We expected that requests within the namespace would be exempt from authentication.
If anyone has encountered a similar issue or has insights into the correct configuration to achieve our desired behavior, I would greatly appreciate your assistance. Thank you in advance for your help!
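The following is an added example, not part of the original post: an AuthorizationPolicy expressing the intent described above (JWT required for callers outside the namespace, no token needed inside it). It keeps the post's placeholders (<namespace>, <key>: <value>) and the existing RequestAuthentication unchanged. The key point is how Istio evaluates the posted policy: with no action set it is an ALLOW policy, the two entries under from are ORed, and a request is allowed only if at least one entry matches. A request from inside <namespace> with no token matches neither requestPrincipals: ['*'] (no validated JWT, so no principal) nor notNamespaces: [<namespace>] (it is in that namespace), so it falls through and is rejected with RBAC: access denied. Switching the second entry to namespaces: [<namespace>] produces the wanted behaviour; the DENY variant after the separator is equivalent and written the way the Istio docs express "require a token".

```yaml
# Added example (not the original poster's config). Placeholders <namespace>
# and <key>: <value> are the same assumptions as in the post.
#
# ALLOW policy. A request is allowed if ANY entry under `from` matches:
#   - entry 1: the request carries a JWT that RequestAuthentication validated
#              (requestPrincipals is populated from the token's iss/sub)
#   - entry 2: the request comes from a workload in <namespace>
# Everything else (no token AND from another namespace) is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: auth-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      <key>: <value>
  rules:
  - from:
    - source:
        requestPrincipals:
        - "*"
    - source:
        # was `notNamespaces` in the original post, which allowed the
        # outside callers and denied the in-namespace ones instead
        namespaces:
        - <namespace>
---
# Equivalent DENY formulation. Fields inside ONE `source` are ANDed, so this
# denies exactly the requests that have no validated JWT principal AND do not
# originate from <namespace>. It can be used on its own or alongside the
# ALLOW policy above; DENY policies are evaluated first.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt-from-outside
  namespace: istio-system
spec:
  selector:
    matchLabels:
      <key>: <value>
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals:
        - "*"
        notNamespaces:
        - <namespace>
```

Two caveats a practitioner should check before relying on either form. First, source.namespaces and notNamespaces are derived from the caller's mTLS peer identity, so callers that reach the workload in plaintext (or from outside the mesh) have no source namespace and will only pass if they present a valid token. Second, RequestAuthentication by itself rejects only invalid tokens; a request with no x-jwt-assertion header passes it with an empty principal, which is why the AuthorizationPolicy, not the RequestAuthentication, is where "token required" is enforced.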