Using Istio with requestauth and a JWT issuer, but currently need to exclude certain paths' traffic to the sidecar from actually validating any incoming JWT headers. Is that possible? Otherwise Istio tries to validate the JWT header (even if not in issuerurl) it receives.

Added authpolicy to ignore those paths, but the sidecar still decodes incoming authorization headers and validates them with my issuer.

1 Answer

Yes, this is possible with an AuthorizationPolicy that looks like this:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-auth-policy
spec:
  rules:
    - from:
        - source:
            requestPrincipals: ["*"]
    - to:
        - operation:
            paths: ["/insecure"]

This authz policy defines two rules. The first is for all authenticated request principals to access everything. The second rule is for any source to access the /insecure path.

With this authz policy, an unauthenticated request can successfully reach the /insecure route, and only that one.

Thomas Stringer
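
Added example, not part of the answer above and not Istio's own code: a simplified Python model of how a sidecar handles a request when a RequestAuthentication is paired with the answer's my-auth-policy, showing which status each combination of path and token produces. It assumes Istio's documented behaviour that a request without a token passes authentication with no principal while a request with an invalid token is rejected before authorization runs; the token table and the handle() helper are constructed for illustration.

```python
# Simplified model of sidecar request handling; not Istio's implementation.
# Assumption: token validation is reduced to a lookup in VALID_TOKENS (constructed).
VALID_TOKENS = {"good-token": "https://issuer.example/alice"}  # token -> principal

RULES = [  # the two rules of my-auth-policy from the answer
    {"requestPrincipals": ["*"]},
    {"paths": ["/insecure"]},
]

def match(pattern, value):
    """Istio string match: exact, 'prefix*', '*suffix', or '*' (field present)."""
    if value is None or value == "":
        return False
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value

def request_authentication(token):
    """Return (status, principal). A missing token passes with no principal."""
    if token is None:
        return 200, None
    if token in VALID_TOKENS:
        return 200, VALID_TOKENS[token]
    return 401, None  # token present but invalid: rejected before authz

def rule_allows(rule, path, principal):
    # Fields inside one rule are ANDed; an absent field matches anything.
    ok_from = "requestPrincipals" not in rule or any(
        match(p, principal) for p in rule["requestPrincipals"])
    ok_to = "paths" not in rule or any(match(p, path) for p in rule["paths"])
    return ok_from and ok_to

def handle(path, token=None):
    """Status the client would see: 200, 401 or 403."""
    status, principal = request_authentication(token)
    if status != 200:
        return status
    # ALLOW policy: rules are ORed; no matching rule means deny.
    return 200 if any(rule_allows(r, path, principal) for r in RULES) else 403
```

In this model a token-less request reaches only /insecure, while a request to /insecure that carries a token the issuer does not accept is still answered with 401, which matches the behaviour described in the question.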