Istio: verifying and parsing the JWT header

Create RequestAuthentication and AuthorizationPolicy resources

 1apiVersion: security.istio.io/v1beta1
 2kind: RequestAuthentication
 3metadata:
 4  name: "request-authentication-sso"
 5  namespace: istio-system
 6spec:
 7  jwtRules:
 8  - issuer: "https://issue.example.com/sso"
 9    jwksUri: "https://issue.example.com/.well-known/openid-configuration/jwks"
10    outputClaimToHeaders:
11      - header: "x-jwt-claim-email"
12        claim: "email"
13
---
# AuthorizationPolicy for the ingress gateway.
# The two entries under `rules` are alternatives (OR), not a conjunction:
#   1. any request carrying a JWT that passed request authentication, to any path;
#   2. any request, with or without a token, to one of the listed paths.
# Once an ALLOW policy selects a workload, a request matching no ALLOW rule is denied.
# To require a token AND a path, put `from` and `to` in the same rule entry.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-gateway-authorization
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
    - from:
        - source:
            # '*' matches any request principal, i.e. any request with a valid JWT.
            requestPrincipals:
              - '*'
    - to:
        - operation:
            # A trailing '*' is a prefix match: '/login*' also covers '/login-anything'.
            # Use the exact path or '/login/*' if only that subtree should be public.
            paths:
              - '/productpage*'
              - '/login*'
              - '/logout*'
              - '/static*'

More complex authorization may be needed

 1---
 2# apiVersion: security.istio.io/v1beta1
 3# kind: AuthorizationPolicy
 4# metadata:
 5#   name: reviews-deny-policy
 6#   namespace: apps
 7# spec:
 8#   selector:
 9#     matchLabels:
10#       app: reviews
11
12---
13apiVersion: security.istio.io/v1beta1
14kind: AuthorizationPolicy
15metadata:
16  name: httpbin-allow-policy
17  namespace: istio-system
18spec:
19  selector:
20    matchLabels:
21      app: istio-ingressgateway
22  action: ALLOW
23  rules:
24  - from:
25    - source:
26        principals: ["*"]
27  - to:
28    - operation:
29        paths: [
30          "/status/*"
31        ]
32
33  # - when:
34  #   - key: request.auth.claims[iss]
35  #     values: ["*"]
36
37  # spec:
38  # action: ALLOW
39  # rules:
40  #   - from:
41  #       - source:
42  #           principals:
43  #             - '*'
44  #   - to:
45  #       - operation:
46  #           paths:
47  #             - /healthcheck/*
48  # selector:
49  #   matchLabels:
50  #     app: aaa
51  # spec:
52  # action: ALLOW
53  # rules:
54  #   - from:
55  #       - source:
56  #           namespaces:
57  #             - apps
58  #             - default
59        # - source:
60        #     principals:
61        #       - >-
62        #         cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account