Create RequestAuthentication
and AuthorizationPolicy
resources
---
# JWT validation for the istio-system namespace.
# No `selector` is given, so this applies to every workload in the
# namespace. NOTE(review): if istio-system is the mesh root namespace a
# selector-less RequestAuthentication applies mesh-wide — confirm that is
# the intent.
# A RequestAuthentication only rejects requests that carry an *invalid*
# token; a request with no token at all still passes. The
# AuthorizationPolicy that follows is what actually requires a principal.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: 'request-authentication-sso'
  namespace: istio-system
spec:
  jwtRules:
    - issuer: 'https://issue.example.com/sso'
      # Signing keys are fetched from this endpoint to verify token
      # signatures.
      jwksUri: 'https://issue.example.com/.well-known/openid-configuration/jwks'
      # Copy the validated `email` claim into a request header so
      # upstream services can read it without re-parsing the token.
      outputClaimToHeaders:
        - header: 'x-jwt-claim-email'
          claim: 'email'

---
# Access control on the ingress gateway.
# Once an ALLOW policy selects a workload, any request that matches none
# of its rules is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-gateway-authorization
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
    # Rule 1: any request whose JWT was validated by a
    # RequestAuthentication (any request principal), to any path.
    - from:
        - source:
            requestPrincipals:
              - '*'
    # Rule 2: rules are OR-ed, and this rule has no `from`, so it lets
    # *any* caller — with or without a token — reach the paths below.
    # NOTE(review): if these paths were meant to require a JWT as well,
    # `from` and `to` must sit in the same rule entry.
    - to:
        - operation:
            paths:
              - '/productpage*'
              - '/login*'
              - '/logout*'
              - '/static*'
More complex authorization may be needed
---
# Placeholder for a per-workload policy in the `apps` namespace; kept
# disabled. This document is empty (comments only) as written.
# apiVersion: security.istio.io/v1beta1
# kind: AuthorizationPolicy
# metadata:
#   name: reviews-deny-policy
#   namespace: apps
# spec:
#   selector:
#     matchLabels:
#       app: reviews

---
# Second ALLOW policy on the ingress gateway. Istio evaluates all ALLOW
# policies selecting a workload together (a request is allowed if any
# policy allows it), so this widens whatever the other gateway policy
# already permits.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-allow-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
    # Rule 1: `principals` is the peer (mTLS) identity, not the JWT
    # subject. '*' matches any mTLS-authenticated peer, to any path;
    # plaintext callers do not match this rule.
    - from:
        - source:
            principals:
              - '*'
    # Rule 2: no `from`, so any caller — authenticated or not — may
    # reach these paths. Rules are OR-ed with the one above.
    - to:
        - operation:
            paths:
              - '/status/*'

    # Disabled condition: would restrict the rule to requests whose
    # validated JWT carries an `iss` claim.
    # - when:
    #     - key: request.auth.claims[iss]
    #       values: ['*']

    # Scratch drafts kept for reference; not applied.
    # spec:
    #   action: ALLOW
    #   rules:
    #     - from:
    #         - source:
    #             principals:
    #               - '*'
    #     - to:
    #         - operation:
    #             paths:
    #               - /healthcheck/*
    #   selector:
    #     matchLabels:
    #       app: aaa
    # spec:
    #   action: ALLOW
    #   rules:
    #     - from:
    #         - source:
    #             namespaces:
    #               - apps
    #               - default
    #         - source:
    #             principals:
    #               - >-
    #                 cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account