JWT Policy does not take effect!


#1

Hi Everyone,

I’ve been applying an Authentication Policy to my testing service using JWT. I have followed the guide at this link: https://istio.io/docs/tasks/security/authn-policy/#end-user-authentication. And yes, it did work as expected. But when I tried to use a different pod image, it did not work even though almost everything is the same. Is anyone else facing this issue, and does anyone know the reason why it did not work in my case? Thank you very much!

Here is the full yaml content:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hostname
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hostname
      version: v1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: hostname
        version: v1
    spec:
      containers:
      - image: rstarmer/hostname:v1
        imagePullPolicy: Always
        name: hostname
        resources: {}
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hostname
  name: hostname
spec:
  ports:
  - name: http
    port: 8001
    targetPort: 80
  selector:
    app: hostname
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: hostname-gateway
  namespace: foo
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: hostname-vs
  namespace: foo
spec:
  hosts:
  - "*"
  gateways:
  - hostname-gateway
  http:
  - route:
    - destination:
        port:
          number: 8001
        host: hostname.foo.svc.cluster.local
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example"
  namespace: foo
spec:
  targets:
  - name: hostname
  origins:
  - jwt:
      issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.0/security/tools/jwt/samples/jwks.json"
  principalBinding: USE_ORIGIN


#2

Which namespace are you deploying the hostname service in? It should be in the same namespace as the JWT policy.


#3

Hi @YangminZhu,
Yes, I did deploy to namespace ‘foo’ for the hostname. I forgot to put it into the yaml above. Everything will be deployed into namespace ‘foo’. But it did not work!


#4

Could you try to follow the guide here: https://preliminary.istio.io/help/ops/security/end-user-auth/

Most importantly, could you attach the debug logs from Pilot and the Istio proxy (envoy)?

What do you mean it did not work? Is the request with the JWT token being rejected? Or is a request without a JWT token being accepted?


#5

Hi @YangminZhu,

I have tried to use another image to test it and it’s working now.

> What do you mean it did not work? Is the request with the JWT token being rejected? or a request without JWT token being accepted?

What I meant by "it did not work" is that the JWT policy did not take effect; the request still returns a status of 200. It is as if there is no policy applied to the service.

I did not know why it did not take effect with the image which I used in the YAML above. Sorry, I did refresh the cluster and use a different image, so I don’t have the logs right now, but as far as I remember the istio-proxy logs were normal. I don’t know how to get the Pilot logs yet (please guide me if you know).

Thanks!
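
A manifest check for the namespace point raised in replies #2 and #3, as an added example that is not part of the original thread or Istio's own tooling. It assumes the manifests are already parsed into dicts (for instance with `yaml.safe_load_all`); the function name `lint_jwt_policy`, the sample dicts, and the HTTP port-name prefixes (taken from Istio's port naming convention) are assumptions of this example.

```python
# Added example: checks already-parsed manifests (e.g. from yaml.safe_load_all).
# Assumption: Istio's port naming convention marks HTTP ports with these prefixes.
HTTP_PORT_PREFIXES = {"http", "http2", "grpc"}

def lint_jwt_policy(manifests):
    """Return reasons a v1alpha1 JWT Policy may not bind to its target Service."""
    services = [m for m in manifests if m.get("kind") == "Service"]
    findings = []
    for pol in (m for m in manifests if m.get("kind") == "Policy"):
        pol_name = pol["metadata"]["name"]
        pol_ns = pol["metadata"].get("namespace")
        for target in pol["spec"].get("targets", []):
            matches = [s for s in services if s["metadata"]["name"] == target["name"]]
            if not matches:
                findings.append(f"{pol_name}: no Service named {target['name']}")
            for svc in matches:
                svc_ns = svc["metadata"].get("namespace")
                if svc_ns is None or pol_ns is None:
                    # The namespace then depends on `kubectl -n` or the current context.
                    findings.append(
                        f"{pol_name}: namespace not pinned (policy={pol_ns}, service={svc_ns})")
                elif svc_ns != pol_ns:
                    findings.append(
                        f"{pol_name}: namespace mismatch (policy={pol_ns}, service={svc_ns})")
                for port in svc["spec"].get("ports", []):
                    prefix = port.get("name", "").split("-")[0]
                    if prefix not in HTTP_PORT_PREFIXES:
                        findings.append(
                            f"{pol_name}: port {port.get('port')} is not named as HTTP")
    return findings

# Constructed from the thread's YAML, trimmed to the fields this check reads.
SERVICE = {"kind": "Service", "metadata": {"name": "hostname"},
           "spec": {"ports": [{"name": "http", "port": 8001, "targetPort": 80}]}}
POLICY = {"kind": "Policy", "metadata": {"name": "jwt-example", "namespace": "foo"},
          "spec": {"targets": [{"name": "hostname"}]}}

if __name__ == "__main__":
    for finding in lint_jwt_policy([SERVICE, POLICY]):
        print(finding)
```

On the manifests as posted, the only finding is that the Service does not pin its namespace while the Policy is fixed to `foo`, so the two line up only when the Service is applied into `foo`.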