Istio exclusion principle not woking

Hi team,

my authenticator is this,

apiVersion: security.istio.io/v1beta1

kind: RequestAuthentication
metadata:
name: farmsanta-dev-authenticator
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
jwtRules:

• issuer: “testing@secure.istio.io”
  jwksUri: “https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json”

Next my authorizer is

apiVersion: security.istio.io/v1beta1

kind: AuthorizationPolicy
metadata:
name: farmsanta-dev-only-authorized-api
namespace: istio-system
spec:
action: ALLOW
rules:

• from:
  • source:
    requestPrincipals: ["*"]

My need is to exclude health api from jwt, for that i created another policy,

apiVersion: "security.istio.io/v1beta1"

kind: AuthorizationPolicy
metadata:
name: “farmsanta-dev-disable-jwt-for-healthz”
namespace: dev
spec:
selector:
matchLabels:
istio: ingressgateway
action: DENY
rules:

• from:
  • source:
    notRequestPrincipals: ["*"]
    to:
  • operation:
    notPaths: ["/message/ping","/user/ping"]

but still am not getting this worked, istio expected /message/ping with token. can somebody help on this as am new to istio ?

The proper way to exclude health api from jwt is to just add them to the farmsanta-dev-only-authorized-api authorization policy as a new rule, like the following

apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: farmsanta-dev-only-authorized-api
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
  - to:
     - operation:
         paths: ["/message/ping","/user/ping"]

Creating a deny policy will not work because deny policy is evaluated before allow policy, your request will still be denied because it’s not in the allow policy.

thanks, it worked, appreciate the time and effort u took here to provide the solution!