kubernetes - Istio Exclusion matching not working for healthz api without jwt principal

Question

My RequestAuthentication is this

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: testing-dev-authenticator
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "https://www.googleapis.com/service_accounts/v1/jwk/[email protected]"
    jwksUri: "https://securetoken.google.com/<project-name>"

My AuthorizationPolicy is this

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: test-dev-authorizer-all-svc
 namespace: dev
spec:
 action: ALLOW
 rules:
 - from:
   - source:
       notRequestPrincipals: ["*"]
   to:
   - operation:
       notPaths: ["/message/ping"]

My requirement is i dont want jwt auth to check in the healthz(my case is /message/ping), but am getting always Response of the above is "RBAC: access denied"

Answer 1

I wanted all the pods deployed in "dev" namespace to be authenticated except a healthcheck, path of it is path : ["/user/ping", "/message/ping"] but iam unable to give both at a time

I've reproduced your issue and I think it's working as you wanted it to work.

---

There are my RequestAuthentication and AuthorizationPolicy yamls.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: testing-dev-authenticator
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "[email protected]"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json"

---

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        paths: ["/productpage"]
  - to:
    - operation:
        paths: ["/api/v1/products"]

You can use the following to exclude path (e.g. "/api/v1/products" ) from JWT, when "/productpage" require JWT and will reject all requests without the token.

If you want to exclude more than one path then this should work:

paths: ["/api/v1/products","/login"]

So in your case that would be

paths: ["/user/ping", "/message/ping"] 

---

I have tested above configuration on bookinfo application.

There is the token I have used

TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/demo.jwt -s)

Tests:

api/v1/products
Without token
200
With token
200
------------------------------------------------------------------
/productpage
Without token
403
With token
200

---

You also mentioned that you want to do that in particular namespace, then you could try with these RequestAuthentication and AuthorizationPolicy yamls.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: testing-dev-authenticator
  namespace: dev
spec:
  jwtRules:
  - issuer: "[email protected]"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json"

---

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: test-dev-only-authorized-api
 namespace: dev
spec:
 action: DENY
 rules:
 - from:
   - source:
        notRequestPrincipals: ["*"]
   to:
   - operation:
       paths: ["/productpage"]

Also based on the bookinfo application.

Tests:

api/v1/products
Without token
200
With token
200
------------------------------------------------------------------
/productpage
Without token
403
With token
200

---

Additional resources:

• Disable RequestAuthentication JWT rules for specific paths
• Authorization with JWT
• Authentication Policy