Hi All,
I am setting the following definitions.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-example
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: http://xxxxxx…/auth/realms/istio
    jwksUri: http://xxxxxx…/auth/realms/istio/protocol/openid-connect/certs
    forwardOriginalToken: true
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: frontend-ingress
  namespace: istio-system
spec:
  action: DENY
  rules:
  - from:
    - source:
        # the value was lost from the post; "*" (deny any request that carries
        # no validated request principal) is what the described intent needs
        notRequestPrincipals: ["*"]
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: policy
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["istio-system"]
    when:
    # claim name written in the documented Istio form (no quotes inside the brackets)
    - key: request.auth.claims[preferred_username]
      values: ["prod001"]
On the istio ingressgateway I can see my token getting passed, so my rules are getting applied successfully (all enforced):
key: "envoy.filters.http.jwt_authn"
value {
  fields {
    key: "http://keycloak.keycloak.shk8s.de/auth/realms/istio"
    –
}
But when the request reaches productpage in the bookinfo namespace, it fails as my tokens are not getting forwarded,
in spite of forwardOriginalToken: true.
If I remove the when section in the following definition, it works like a charm. But I want to check on request.auth.claims[preferred_username].
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: policy
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["istio-system"]
The idea is that the mesh administrator sets the policy at istio-system that nobody is allowed to pass the ingress gateway without a valid token,
and then the application developer sets his own authz policy based on a certain user name in his own namespace.
regards
Shrish
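The post above layers a DENY policy on the ingress gateway with an ALLOW policy on productpage that depends on a JWT claim. The following is an added example, not part of the post and not Istio's own code: a small Python model of how Istio evaluates such policies, following the documented order (DENY policies are checked first, then ALLOW policies; a rule matches only when its from entries AND its when conditions match). The names Request, evaluate and run_scenarios, the issuer URL and the subject value are this example's own constructions. It also models the documented behaviour that request.auth.* attributes are only populated on a workload that has an applicable RequestAuthentication, so the last scenario shows the failure mode from the post: the source namespace matches, but a when condition on an absent claim never matches.

```python
# Added example (not from the original post, not Istio's code): a toy model of
# Istio AuthorizationPolicy evaluation, following the documented order
# (DENY policies first, then ALLOW) and the documented rule semantics
# (from AND when; entries inside one list are ORed). Names such as Request,
# evaluate and run_scenarios are this example's own.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    source_namespace: str                 # namespace of the calling workload (source.namespace)
    request_principal: Optional[str]      # set only when a JWT was validated on this workload
    claims: dict = field(default_factory=dict)  # request.auth.claims[...] on this workload


CLAIM_PREFIX = "request.auth.claims["


def _source_matches(source: dict, req: Request) -> bool:
    if "namespaces" in source and req.source_namespace not in source["namespaces"]:
        return False
    if "notRequestPrincipals" in source:
        banned = source["notRequestPrincipals"]
        # "*" matches any non-empty principal, so the negated form matches only
        # requests that carry no validated principal at all
        if req.request_principal is not None and (
            "*" in banned or req.request_principal in banned
        ):
            return False
    return True


def _condition_matches(cond: dict, req: Request) -> bool:
    key = cond["key"]
    actual = None
    if key.startswith(CLAIM_PREFIX) and key.endswith("]"):
        actual = req.claims.get(key[len(CLAIM_PREFIX):-1])
    elif key == "source.namespace":
        actual = req.source_namespace
    elif key == "request.auth.principal":
        actual = req.request_principal
    if "values" in cond:
        # an attribute that is absent never satisfies a positive match
        return actual is not None and actual in cond["values"]
    if "notValues" in cond:
        return actual is None or actual not in cond["notValues"]
    return True


def _rule_matches(rule: dict, req: Request) -> bool:
    sources = [f["source"] for f in rule.get("from", [])]
    if sources and not any(_source_matches(s, req) for s in sources):
        return False
    return all(_condition_matches(c, req) for c in rule.get("when", []))


def _policy_matches(policy: dict, req: Request) -> bool:
    return any(_rule_matches(r, req) for r in policy["rules"])


def evaluate(policies: list, req: Request) -> str:
    """Decide ALLOW or DENY for one workload's set of policies."""
    denies = [p for p in policies if p["action"] == "DENY"]
    allows = [p for p in policies if p["action"] == "ALLOW"]
    if any(_policy_matches(p, req) for p in denies):
        return "DENY"
    if allows and not any(_policy_matches(p, req) for p in allows):
        return "DENY"
    return "ALLOW"


# Constructed policies mirroring the post: the mesh-level DENY on the ingress
# gateway and the application-level ALLOW on productpage.
GATEWAY_POLICIES = [
    {"action": "DENY", "rules": [{"from": [{"source": {"notRequestPrincipals": ["*"]}}]}]},
]
PRODUCTPAGE_POLICIES = [
    {"action": "ALLOW", "rules": [{
        "from": [{"source": {"namespaces": ["istio-system"]}}],
        "when": [{"key": "request.auth.claims[preferred_username]", "values": ["prod001"]}],
    }]},
]

# constructed principal value (issuer/subject), not a real identity
PRINCIPAL = "http://issuer.example/auth/realms/istio/user-1"


def run_scenarios() -> dict:
    """Four constructed requests; the last one is the failure mode from the post."""
    return {
        # no token at the gateway: the DENY rule matches
        "gateway_no_token": evaluate(GATEWAY_POLICIES, Request("", None)),
        # valid token at the gateway: principal present, the DENY rule does not match
        "gateway_valid_token": evaluate(GATEWAY_POLICIES, Request("", PRINCIPAL)),
        # productpage sees the claims (a RequestAuthentication applies there): ALLOW matches
        "productpage_claims_present": evaluate(
            PRODUCTPAGE_POLICIES,
            Request("istio-system", PRINCIPAL, {"preferred_username": "prod001"})),
        # productpage has no applicable RequestAuthentication: even with the token
        # forwarded, request.auth.claims is empty, so the when condition fails
        "productpage_claims_absent": evaluate(
            PRODUCTPAGE_POLICIES, Request("istio-system", None)),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

Running the script prints one decision per scenario; the difference between the last two is only whether the claims were extracted on the productpage workload, which is what the ALLOW rule's when condition depends on.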