Once this policy is applied, in order to access the httpbin service we need to pass the JWT token in the request header; only then is the httpbin service accessible.
Here are some of the questions that arose:
- Does Istio check the URI mentioned in the policy file each time a request comes in?
- We are aware that Mixer does caching; does Mixer cache these requests/tokens?
- Need to understand where the policy lives in the control plane; Istio says it has an Istio config store (which uses k8s CRDs)…
- Who validates the request: does istio-proxy, Mixer or Pilot validate the request by hitting the jwksUri each time a request comes in, or do they cache it?
A few things which I discovered:
- Mixer logs show detailed information about each request check-in, with all the details, so Mixer is aware each time a request comes in.
- The istio-proxy running in the httpbin pod as a sidecar has the Envoy config_status endpoint, which shows the jwksUri mentioned in the policy. So the proxy is aware of the policy.
```yaml
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example"
spec:
  targets:
  - name: httpbin
  origins:
  - jwt:
      issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.2/security/tools/jwt/samples/jwks.json"
      trigger_rules:
      - excluded_paths:
        - exact: /user-agent
  principalBinding: USE_ORIGIN
```
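As an added example (not part of the original post, and not Istio's own code): a stdlib-only Python model of how the policy above decides a request. It applies the `excluded_paths` trigger rule first, then requires a `Bearer` token, verifies its signature against the key selected by `kid` from a JWKS, and checks `iss` against the policy's issuer and `exp` against the clock; with `USE_ORIGIN` the resulting principal is `iss/sub`. The JWKS is a constructed symmetric HS256 (`kty: oct`) key embedded inline so the example runs offline; the Istio sample JWKS at the `jwksUri` is an RS256 key, and in a real mesh this check is done by the Envoy JWT filter inside istio-proxy. The function names, the key id `demo-key` and the shared secret are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# The Policy from the post, reduced to the fields the decision needs.
POLICY = {
    "issuer": "testing@secure.istio.io",
    "excluded_paths": [{"exact": "/user-agent"}],   # trigger_rules[0].excluded_paths
    "principalBinding": "USE_ORIGIN",
}

# Constructed key material standing in for the document fetched from jwksUri.
# Istio's sample JWKS is an RS256 key; an HS256 (kty=oct) key is used here only so
# the example is self-contained and runs offline.
SECRET = b"constructed-shared-secret-for-demo"
JWKS = {
    "keys": [
        {"kty": "oct", "kid": "demo-key", "alg": "HS256",
         "k": base64.urlsafe_b64encode(SECRET).rstrip(b"=").decode()}
    ]
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, kid: str = "demo-key", secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT (stands in for the issuer's signing step)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def path_excluded(path: str, rules: list) -> bool:
    """trigger_rules.excluded_paths: these request paths never require a JWT."""
    return any(
        ("exact" in r and path == r["exact"]) or
        ("prefix" in r and path.startswith(r["prefix"]))
        for r in rules
    )


def verify_jwt(token: str, jwks: dict, issuer: str, now: float = None) -> dict:
    """Check the signature against the JWKS key selected by kid, then iss and exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no JWKS key for kid")
    expected = hmac.new(b64url_decode(key["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        raise ValueError("token expired")
    return claims


def authorize(path: str, headers: dict, policy: dict = POLICY, jwks: dict = JWKS, now: float = None):
    """Decide one request the way the sidecar would: returns (status, principal_or_reason)."""
    if path_excluded(path, policy["excluded_paths"]):
        return 200, None                      # excluded path: JWT not required
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "Origin authentication failed: no bearer token"
    try:
        claims = verify_jwt(auth[len("Bearer "):], jwks, policy["issuer"], now)
    except ValueError as exc:
        return 401, f"Origin authentication failed: {exc}"
    # USE_ORIGIN: the request principal is the JWT identity, formatted iss/sub
    return 200, f"{claims['iss']}/{claims.get('sub', '')}"


if __name__ == "__main__":
    good = mint_token({"iss": POLICY["issuer"], "sub": "testing@secure.istio.io", "exp": 2000000000})
    print(authorize("/headers", {}))                                    # (401, ...): no token
    print(authorize("/headers", {"Authorization": f"Bearer {good}"}))   # (200, 'testing@secure.istio.io/testing@secure.istio.io')
    print(authorize("/user-agent", {}))                                 # (200, None): excluded path
```

Note that the excluded path is a request path, not the `jwksUri`: the proxy skips the JWT requirement for `/user-agent`, while every other path on httpbin is rejected with 401 unless a token signed by a key in the JWKS, with the configured `iss`, is presented.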