I have the following policy, which integrates with our Auth0 account:
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: auth-policy
spec:
  targets:
  - name: my-service
  origins:
  - jwt:
      issuer: "https://<redacted>.eu.auth0.com/"
      jwksUri: "https://<redacted>.eu.auth0.com/.well-known/jwks.json"
  principalBinding: USE_ORIGIN
which applies our Auth0 config to everything, but I want to disable this for a single service. I suppose I want to set targets as 'everything except x'.
Is there a way of doing this?
On the Policy's spec.targets you only specified one service name, my-service, which applies only to the one service with this name. In the Target selector docs you can find information that, using this approach, you need to specify each service name, but you can also specify a port number. There are also 3 types of policies mentioned: Mesh-wide, Namespace-wide and Service-specific.
Regarding a solution for your question, I can advise 3 options:
1. Separate namespaces for enabled and disabled services
You can place the services which should be authenticated into another namespace and enable a namespace-wide policy there. Another variation of this option would be to move the services which should not be authenticated to a different namespace and enable authentication in the default namespace.
2. Namespace-wide policy with an individual service
This is similar to the previous option, but instead of creating a new namespace you just need to create a namespace-wide policy plus a service-specific policy which disables authentication for the one service. It should work, as the priority order is
service-specific > namespace-wide > mesh-wide
3. MeshPolicy with an individual service
If you want to keep all services in one namespace, you can use a MeshPolicy to apply this policy to all services in all namespaces in the mesh and then create another service-specific policy to disable authentication. As mentioned before, service-specific has a higher priority than MeshPolicy.
Hope it will help.
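To make option 2 concrete, here is an added example (not from the question or the answer above) of the two manifests involved: a namespace-wide Policy (in the authentication.istio.io/v1alpha1 API a namespace-wide policy must be named `default` and carry no `targets`) that requires the Auth0 JWT for every service in the namespace, and a service-specific Policy with no `origins` and no `peers`, which disables authentication for that one service and takes precedence because service-specific policies outrank namespace-wide ones. The namespace name `default` and the service name `excluded-service` are assumptions; the Auth0 issuer and JWKS URI are copied from the question.

```yaml
# Namespace-wide policy: applies to every service in the "default"
# namespace (assumed). For a namespace-wide Policy the name must be
# "default" and spec.targets must be omitted.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: default
spec:
  origins:
  - jwt:
      issuer: "https://<redacted>.eu.auth0.com/"
      jwksUri: "https://<redacted>.eu.auth0.com/.well-known/jwks.json"
  principalBinding: USE_ORIGIN
---
# Service-specific policy for the one service that must stay unauthenticated
# ("excluded-service" is an assumed name). It names the target but lists no
# peers and no origins, so no authentication is required for that service;
# being service-specific, it overrides the namespace-wide policy above.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: excluded-service-no-auth
  namespace: default
spec:
  targets:
  - name: excluded-service
```

Apply both with `kubectl apply -f` and then verify the result from the defender's side: a request to `excluded-service` without an `Authorization: Bearer` header should succeed, while the same request to any other service in the namespace should be rejected by the sidecar with a 401. Because the exclusion is an explicit, separately named object, it is also easy to audit: listing Policy objects in the namespace shows exactly which services have opted out of JWT validation.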