apiVersion: serving.knative.dev/v1
kind: service
metadata:
name: <service_name>
spec:
template:
metadata:
annotations:
sidecar.istio.io/inject: "true" (1)
sidecar.istio.io/rewriteAppHTTPProbers: "true" (2)
...
You can use JSON Web Token (JWT) authentication with Knative services by using service Mesh 2.x and OpenShift Serverless. To do this, you must create authentication requests and policies in the application namespace that is a member of the serviceMeshMemberRoll
object. You must also enable sidecar injection for the service.
Adding sidecar injection to pods in system namespaces, such as For OpenShift Container Platform, if you require sidecar injection for pods in these namespaces, see the OpenShift Serverless documentation on Integrating service Mesh with OpenShift Serverless natively. |
You have installed the OpenShift Serverless Operator, Knative Serving, and Red Hat OpenShift service Mesh on your cluster.
Install the OpenShift CLI (oc
).
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in OpenShift Container Platform.
Add the sidecar.istio.io/inject="true"
annotation to your service:
apiVersion: serving.knative.dev/v1
kind: service
metadata:
name: <service_name>
spec:
template:
metadata:
annotations:
sidecar.istio.io/inject: "true" (1)
sidecar.istio.io/rewriteAppHTTPProbers: "true" (2)
...
1 | Add the sidecar.istio.io/inject="true" annotation. |
2 | You must set the annotation sidecar.istio.io/rewriteAppHTTPProbers: "true" in your Knative service, because OpenShift Serverless versions 1.14.0 and higher use an HTTP probe as the readiness probe for Knative services by default. |
Apply the service
resource:
$ oc apply -f <filename>
Create a RequestAuthentication
resource in each serverless application namespace that is a member in the serviceMeshMemberRoll
object:
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: jwt-example
namespace: <namespace>
spec:
jwtRules:
- issuer: testing@secure.istio.io
jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json
Apply the RequestAuthentication
resource:
$ oc apply -f <filename>
Allow access to the RequestAuthenticaton
resource from system pods for each serverless application namespace that is a member in the serviceMeshMemberRoll
object, by creating the following AuthorizationPolicy
resource:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allowlist-by-paths
namespace: <namespace>
spec:
action: ALLOW
rules:
- to:
- operation:
paths:
- /metrics (1)
- /healthz (2)
1 | The path on your application to collect metrics by system pod. |
2 | The path on your application to probe by system pod. |
Apply the AuthorizationPolicy
resource:
$ oc apply -f <filename>
For each serverless application namespace that is a member in the serviceMeshMemberRoll
object, create the following AuthorizationPolicy
resource:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: require-jwt
namespace: <namespace>
spec:
action: ALLOW
rules:
- from:
- source:
requestPrincipals: ["testing@secure.istio.io/testing@secure.istio.io"]
Apply the AuthorizationPolicy
resource:
$ oc apply -f <filename>
If you try to use a curl
request to get the Knative service URL, it is denied:
$ curl http://hello-example-1-default.apps.mycluster.example.com/
RBAC: access denied
Verify the request with a valid JWT.
Get the valid JWT token:
$ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
Access the service by using the valid token in the curl
request header:
$ curl -H "Authorization: Bearer $TOKEN" http://hello-example-1-default.apps.example.com
The request is now allowed:
Hello OpenShift!