Istio JWT authentication passes traffic without token

3/19/2019

Background:

There was a similar question: Here but it didn't offer a solution to my issue.

I have deployed an application, which is working as expected, to my Istio cluster. I wanted to enable JWT authentication, so I adapted the instructions Here to my use case.

ingressgateway:

I first applied the following policy to the istio-ingressgateway. This worked and any traffic sent without a JWT token was blocked.

kubectl apply -n istio-system -f mypolicy.yaml

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: core-api-policy
  namespace: istio-system
spec:
  targets:
  - name: istio-ingressgateway
    ports:
    - number: 80
  origins:
  - jwt:
      issuer: "https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_pa9vj7sbL"
      jwksUri: "https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_pa9vj7sbL/.well-known/jwks.json"
  principalBinding: USE_ORIGIN

Once that worked I deleted this policy and installed a new policy for my service.

kubectl delete -n istio-system -f mypolicy.yaml

service/core-api-service:

After editing the above policy, changing the namespace and target as below, I reapplied the policy to the correct namespace.

Policy:

kubectl apply -n solarmori -f mypolicy.yaml

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: core-api-policy
  namespace: solarmori
spec:
  targets:
  - name: core-api-service
    ports:
    - number: 80
  origins:
  - jwt:
      issuer: "https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_pa9vj7sbL"
      jwksUri: "https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_pa9vj7sbL/.well-known/jwks.json"
  principalBinding: USE_ORIGIN

Service:

apiVersion: v1
kind: Service
metadata:
  name: core-api-service
spec:
  type: LoadBalancer
  ports:
  - port: 80
    name: api-svc-port
    targetPort: api-app-port
  selector:
    app: core-api-app

The outcome of this action didn't appear to change anything in the processing of traffic. I was still able to reach my service even though I did not provide a JWT.

I checked the istio-proxy of my service deployment and there was no creation of a local_jwks in the logs as described Here.

[procyclinsur@P-428 istio]$ kubectl logs -n solarmori core-api-app-5dd9666777-qhf5v -c istio-proxy | grep local_jwks
[procyclinsur@P-428 istio]$

If anyone knows where I am going wrong I would greatly appreciate any help.

-- rustysys-dev
Tags: istio, jwt, kubernetes

1 Answer

3/19/2019

For a Service to be part of Istio's service mesh you need to fulfill some requirements as shown in the official docs.

In your case, the service port name needs to be updated to: <protocol>[-<suffix>] with the <protocol> as either:

  • grpc
  • http
  • http2
  • https
  • mongo
  • mysql
  • redis
  • tcp
  • tls
  • udp

At that point requests forwarded to the service will go through the service mesh; currently, requests are resolved by Kubernetes networking.

-- Rinor
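A small check for the port-naming rule in the answer above, added here as an example (it is not code from the answer or from Istio). It tests a Service port name against the `<protocol>[-<suffix>]` convention and, optionally, walks every named port of a Service with `kubectl` (the `check_service_ports` helper and its output format are my own assumptions). The question's port `api-svc-port` fails the check; renaming it to something like `http-api-svc-port` passes.

```shell
#!/bin/sh
# Protocol prefixes Istio recognises in a Service port name (list from the answer).
ISTIO_PROTOS="grpc http http2 https mongo mysql redis tcp tls udp"

# Return 0 when NAME follows Istio's <protocol>[-<suffix>] convention, 1 otherwise.
# An empty (unnamed) port also fails, since Istio cannot infer a protocol for it.
istio_port_name_ok() {
  name="$1"
  [ -n "$name" ] || return 1
  proto="${name%%-*}"            # text before the first hyphen (whole name if none)
  for p in $ISTIO_PROTOS; do
    [ "$proto" = "$p" ] && return 0
  done
  return 1
}

# Report every port of Service SVC in namespace NS that would bypass the mesh
# because of its name. Requires kubectl access to the cluster (assumption).
check_service_ports() {
  ns="$1"; svc="$2"
  kubectl get svc -n "$ns" "$svc" \
    -o jsonpath='{range .spec.ports[*]}{.port}{" "}{.name}{"\n"}{end}' |
  while read -r port name; do
    if istio_port_name_ok "$name"; then
      echo "OK   $svc:$port name='$name'"
    else
      echo "FAIL $svc:$port name='$name' (rename to e.g. http-${name:-api})"
    fi
  done
}

# Stand-alone demonstration on the port name from the question.
if istio_port_name_ok "api-svc-port"; then
  echo "api-svc-port: accepted by Istio"
else
  echo "api-svc-port: NOT a valid Istio port name, traffic stays on plain Kubernetes networking"
fi
```

Run `check_service_ports solarmori core-api-service` against a live cluster to see which ports of the question's Service would be ignored by the mesh.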
Source: StackOverflow