The authentication using Keycloak isn't working as expected; I'm using Istio with Keycloak. Istio components configured: Gateway, VirtualService, AuthorizationPolicy, RequestAuthentication.
Using a valid token I get: 401 Jwt issuer is not configured
ISTIO CONFIGURATION FOR SECURITY:
---
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "http://localhost:30080/auth/realms/master"
    jwksUri: "http://localhost:30080/auth/realms/master/protocol/openid-connect/certs"
    forwardOriginalToken: true
    outputPayloadToHeader: x-jwt-payload
EOF
---
kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "frontend-ingress"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
  principalBinding: USE_ORIGIN
EOF
---
once there is no Authorization Bearer token.
To double check, I used Istio's example and it worked:
kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json"
EOF
kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "frontend-ingress"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
EOF
ISTIO GTW and VS:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: keycloak-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: enterprise-vs
spec:
  hosts:
  - '*'
  gateways:
  - default/keycloak-gateway
  http:
  - match:
    - uri:
        prefix: '/enterprise/'
    rewrite:
      uri: /
    fault:
      delay:
        fixedDelay: 1s
    route:
    - destination:
        host: enterprise
        port:
          number: 8080
        subset: enterprise-s1
      weight: 90
    - destination:
        host: enterprise
        port:
          number: 8080
        subset: enterprise-s2
      weight: 10
I encountered a similar issue.
The JWT token had the following value for the issuer: "iss": "http://localhost:8080/auth/realms/dev"
I matched the same value in my jwtRules, i.e. localhost. However, I changed jwksUri to the cluster IP address of Keycloak. This seems to have worked.
jwtRules:
- issuer: 'http://localhost:8080/auth/realms/dev'
  jwksUri: 'http://10.105.250.41:8080/auth/realms/dev/protocol/openid-connect/certs'
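The two things this answer changes are the two checks Envoy's JWT filter applies to a jwtRules entry: the token's iss claim must equal the configured issuer byte for byte (otherwise Envoy rejects with 401 "Jwt issuer is not configured"), and jwksUri must be reachable from the ingress gateway pod, where localhost is the gateway's own Envoy rather than Keycloak. The script below is an added diagnostic, not code from the question or this answer: it decodes a token's claims without verifying the signature (for diagnosis only, never for an authorization decision), compares iss against a jwtRules entry, and flags a loopback jwksUri. The rule values come from this thread; the sample tokens are constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlparse

# Loopback hosts: inside the ingress gateway pod these resolve to the gateway's
# own Envoy, not to Keycloak, so a JWKS fetch from there cannot succeed.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    Only useful for diagnosing an issuer mismatch; unverified claims must
    never drive an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.not-a-real-signature"


def check_jwt_rule(token: str, rule: dict) -> list:
    """Compare a token against one jwtRules entry; return a list of findings."""
    findings = []
    iss = jwt_claims(token).get("iss")
    if iss != rule["issuer"]:
        findings.append(
            f"issuer mismatch: token iss={iss!r} but jwtRules issuer={rule['issuer']!r} "
            "(Envoy answers 401 'Jwt issuer is not configured')"
        )
    jwks = urlparse(rule["jwksUri"])
    if jwks.hostname in LOOPBACK_HOSTS:
        findings.append(
            f"jwksUri host {jwks.hostname!r} is loopback: from the ingress gateway pod "
            "this is Envoy itself, not Keycloak; point it at the Keycloak Service or cluster IP"
        )
    return findings


# The jwtRules entry from the question (both issuer and jwksUri on localhost).
QUESTION_RULE = {
    "issuer": "http://localhost:30080/auth/realms/master",
    "jwksUri": "http://localhost:30080/auth/realms/master/protocol/openid-connect/certs",
}

# The jwtRules entry from this answer: issuer kept as the token's iss,
# jwksUri moved to Keycloak's cluster IP.
ANSWER_RULE = {
    "issuer": "http://localhost:8080/auth/realms/dev",
    "jwksUri": "http://10.105.250.41:8080/auth/realms/dev/protocol/openid-connect/certs",
}


if __name__ == "__main__":
    # Constructed token whose iss matches the question's rule: only the
    # loopback jwksUri is flagged.
    tok = make_sample_token({"iss": "http://localhost:30080/auth/realms/master", "sub": "alice"})
    for f in check_jwt_rule(tok, QUESTION_RULE):
        print("question rule:", f)
    # Constructed token issued under the hostname the client used to reach
    # Keycloak (hypothetical): iss no longer matches, so both checks fire.
    tok2 = make_sample_token({"iss": "http://keycloak.default.svc:8080/auth/realms/master"})
    for f in check_jwt_rule(tok2, QUESTION_RULE):
        print("question rule, other iss:", f)
    tok3 = make_sample_token({"iss": "http://localhost:8080/auth/realms/dev"})
    print("answer rule findings:", check_jwt_rule(tok3, ANSWER_RULE))
```

Keycloak sets iss from the host and port the token request arrived on, so a token minted through a NodePort or port-forward carries that address in iss; the issuer field has to copy it exactly, while jwksUri is free to use any address the gateway pod can actually reach.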
You can check to see if the ingressgateway can actually access your jwks_uri. I'm going to guess you get a 404 because it's on a different cluster or spun up on local Docker, etc.
kubectl exec -i -t -n istio-system YOUR_ISTIOINGRESS_GATEWAY_POD -c istio-proxy -- sh -c "clear; (bash || ash || sh)"
> curl -i http://YOUR_DOMAIN:YOUR_PORT/auth/realms/master/protocol/openid-connect/certs
HTTP/1.1 404 Not Found
date: Thu, 23 Dec 2021 16:11:17 GMT
server: istio-envoy
content-length: 0
My workaround for local testing was to run ngrok to expose Keycloak running on port 8080.
npm install -g ngrok
ngrok http 8080
Replacing localhost in the jwksUri with the generated ngrok domain in your RequestAuthentication resource worked for me.