
My RequestAuthentication is this

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: testing-dev-authenticator
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"
    jwksUri: "https://securetoken.google.com/<project-name>"

My AuthorizationPolicy is this

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: test-dev-authorizer-all-svc
  namespace: dev
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
    to:
    - operation:
        notPaths: ["/message/ping"]

My requirement is that I don't want JWT auth to be checked on the healthz endpoint (in my case /message/ping), but with the above I always get the response "RBAC: access denied".

Jithin Kumar S
  • It seems like an issue with your application; if it were an AuthorizationPolicy issue you would get the `RBAC: access denied` error instead of `upstream connect error or disconnect/reset before headers`. Could you check whether your app is healthy and running? Does it work without the AuthorizationPolicy? Is there anything in the application's logs? – Jakub Jan 11 '21 at 08:21
  • Yes, it was a mistake; I corrected that and am now getting the error "RBAC: access denied". I'll edit the response. But my need is that I want all the pods deployed in the "dev" namespace to be authenticated except for a health check, whose paths are ["/user/ping", "/message/ping"], but I am unable to give both at a time. Can you please help? – Jithin Kumar S Jan 11 '21 at 17:13

1 Answer

I wanted all the pods deployed in the "dev" namespace to be authenticated except for a health check, whose paths are ["/user/ping", "/message/ping"], but I am unable to give both at a time

I've reproduced your issue and I think it's working as you wanted it to work.

Here are my RequestAuthentication and AuthorizationPolicy yamls.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: testing-dev-authenticator
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json"

---

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        paths: ["/productpage"]
  - to:
    - operation:
        paths: ["/api/v1/products"]

You can use the following to exclude a path (e.g. "/api/v1/products") from JWT, while "/productpage" requires a JWT and rejects all requests without the token.

If you want to exclude more than one path then this should work:

paths: ["/api/v1/products","/login"]

So in your case that would be:

paths: ["/user/ping", "/message/ping"] 

I have tested the above configuration on the bookinfo application.

Here is the token I have used:

TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/demo.jwt -s)

Tests:

/api/v1/products
  Without token: 200
  With token:    200
------------------------------------------------------------------
/productpage
  Without token: 403
  With token:    200

You also mentioned that you want to do that in a particular namespace; in that case you could try these RequestAuthentication and AuthorizationPolicy yamls.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: testing-dev-authenticator
  namespace: dev
spec:
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json"

---

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: test-dev-only-authorized-api
  namespace: dev
spec:
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
    to:
    - operation:
        paths: ["/productpage"]

Also based on the bookinfo application.

Tests:

/api/v1/products
  Without token: 200
  With token:    200
------------------------------------------------------------------
/productpage
  Without token: 403
  With token:    200

Additional resources:

Jakub
  • Thanks @Jakub! The Istio documentation states it like this, which didn't work, but your config works. Is the documentation wrong? Link: https://istio.io/latest/docs/concepts/security/ -- navigate to the paragraph "Exclusion matching" – Jithin Kumar S Jan 20 '21 at 14:37
  • @Jithin Kumar S Happy it works for you. From what I see it's very close to the second example I made, so it should work. But on the Istio site there are `allow`, `notpaths` and `requestprincipals`; you've used `allow` with `notpaths` and `notrequestprincipals`. That could be the problem, but I haven't tested it so I'm not sure. – Jakub Jan 20 '21 at 15:03
  • Hmm, I'll test that and let you know. Anyway, thanks Jakub! – Jithin Kumar S Jan 21 '21 at 02:47
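Why the question's policy denies the health check, and why both of the answer's shapes work, follows from two rules of Istio authorization: a RequestAuthentication on its own only rejects requests that carry an *invalid* token (a request with no token passes through with no request principal), and inside one AuthorizationPolicy rule the `from` and `to` clauses are a conjunction. So `action: ALLOW` with `notRequestPrincipals: ["*"]` and `notPaths: ["/message/ping"]` describes exactly one set of requests, "no token, and not /message/ping", and because an ALLOW policy exists on the workload, every request outside that set (every call to /message/ping, and every call that does present a valid JWT) matches no rule and is denied. The correct expression is either a disjunction of two ALLOW rules ("has a principal" OR "is a health path") or a single DENY rule ("no principal" AND "not a health path"). The following is an added example, not code from the question, the answer or Istio: a small evaluator for that matching logic, run against the question's policy and the answer's gateway policy as transcribed from the YAML above, plus both shapes generalised to the asker's two health paths. Assumptions: `DEMO_PRINCIPAL` is the `<iss>/<sub>` principal Istio derives from the answer's demo token; `/message/send` and `/user/profile` are made-up protected paths; selector, namespace scoping and `when` conditions are ignored.

```python
"""Model of how Istio evaluates AuthorizationPolicy for one HTTP request.

Added example for this thread, not code from the original post or from Istio.
A matching DENY policy denies; with no ALLOW policy the default is allow;
otherwise the request must match some ALLOW rule. Inside a rule every listed
field must match: a positive list needs ANY value to match, a not* list needs
NO value to match, an absent list matches everything. Assumption: selector,
namespace and `when` are ignored; only principals and paths are modelled.
"""
from dataclasses import dataclass
from typing import Optional

# Principal Istio derives from the answer's demo token, formatted "<iss>/<sub>".
DEMO_PRINCIPAL = "testing@secure.istio.io/testing@secure.istio.io"


@dataclass
class Request:
    path: str
    principal: Optional[str] = None  # None: no JWT presented, so no principal was set


def _match(pattern: str, value: Optional[str]) -> bool:
    """Istio string matching: exact, "*" (any non-empty), prefix "abc*", suffix "*abc"."""
    if not value:
        return False
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern


def _field_matches(values, not_values, actual: Optional[str]) -> bool:
    """Positive list: some pattern must match. Negative list: no pattern may match."""
    if values and not any(_match(p, actual) for p in values):
        return False
    if not_values and any(_match(p, actual) for p in not_values):
        return False
    return True


def rule_matches(rule: dict, req: Request) -> bool:
    """ANY `from` source must match AND ANY `to` operation must match."""
    sources = [f.get("source", {}) for f in rule.get("from") or [{}]]
    ops = [t.get("operation", {}) for t in rule.get("to") or [{}]]
    src_ok = any(_field_matches(s.get("requestPrincipals"), s.get("notRequestPrincipals"),
                                req.principal) for s in sources)
    op_ok = any(_field_matches(o.get("paths"), o.get("notPaths"), req.path) for o in ops)
    return src_ok and op_ok


def authorize(policies: list, req: Request) -> str:
    """Return "ALLOW" or "DENY"; DENY is what Envoy reports as `RBAC: access denied`."""
    def matches(policy):
        return any(rule_matches(r, req) for r in policy["spec"].get("rules", []))
    denies = [p for p in policies if p["spec"].get("action", "ALLOW") == "DENY"]
    allows = [p for p in policies if p["spec"].get("action", "ALLOW") == "ALLOW"]
    if any(matches(p) for p in denies):
        return "DENY"
    if not allows:
        return "ALLOW"
    return "ALLOW" if any(matches(p) for p in allows) else "DENY"


HEALTH_PATHS = ["/user/ping", "/message/ping"]

# The question's policy as posted: ALLOW + notRequestPrincipals + notPaths.
ASKED = {"spec": {"action": "ALLOW", "rules": [
    {"from": [{"source": {"notRequestPrincipals": ["*"]}}],
     "to": [{"operation": {"notPaths": ["/message/ping"]}}]}]}}

# The answer's gateway policy as posted: JWT for /productpage, /api/v1/products open.
ANSWER_GATEWAY = {"spec": {"action": "ALLOW", "rules": [
    {"from": [{"source": {"requestPrincipals": ["*"]}}],
     "to": [{"operation": {"paths": ["/productpage"]}}]},
    {"to": [{"operation": {"paths": ["/api/v1/products"]}}]}]}}

# Same ALLOW shape generalised to the asker's need: any JWT for everything, OR a health path.
ALLOW_FIX = {"spec": {"action": "ALLOW", "rules": [
    {"from": [{"source": {"requestPrincipals": ["*"]}}]},
    {"to": [{"operation": {"paths": HEALTH_PATHS}}]}]}}

# The answer's DENY shape generalised: deny requests without a JWT unless they hit a health path.
DENY_FIX = {"spec": {"action": "DENY", "rules": [
    {"from": [{"source": {"notRequestPrincipals": ["*"]}}],
     "to": [{"operation": {"notPaths": HEALTH_PATHS}}]}]}}


def evaluate_matrix(policy: dict, open_path: str, protected_path: str) -> dict:
    """Constructed requests: an open and a protected path, each with and without the demo token."""
    cases = {
        "open/no-token": Request(open_path),
        "open/token": Request(open_path, DEMO_PRINCIPAL),
        "protected/no-token": Request(protected_path),
        "protected/token": Request(protected_path, DEMO_PRINCIPAL),
    }
    return {name: authorize([policy], req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, pol in [("asked", ASKED), ("allow-fix", ALLOW_FIX), ("deny-fix", DENY_FIX)]:
        print(name, evaluate_matrix(pol, "/message/ping", "/message/send"))
```

Running it shows the question's policy allowing only unauthenticated calls to non-health paths (the inverse of what was intended) and denying /message/ping with or without a token, while `ANSWER_GATEWAY` reproduces the 200/200/403/200 table from the answer and both generalised shapes give the asker's intended matrix. One design point between the two working shapes: an ALLOW policy is widened by any other ALLOW policy that later lands on the same workload (access is the union of all ALLOW rules), whereas the DENY form cannot be relaxed by another policy, so it is the safer way to express "no JWT, no access, except health checks". Separately from RBAC, the question's jwtRules appear to have `issuer` and `jwksUri` swapped relative to Firebase's published values (Firebase ID tokens carry `iss` `https://securetoken.google.com/<project-id>`, and the JWK set is served from `https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com`); with the two swapped, a genuine Firebase token fails RequestAuthentication with a 401 before authorization is ever evaluated.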