Draft: Use Istio AuthN and AuthZ
TL;DR: P1's Authservice configuration is only "safe" due to a case sensitivity error in Authservice's source code. If requests have an `Authorization:` header they are supposed to be able to bypass Authservice. However, our configuration uses capitalized `Authorization`, which means the broken code forces all requests through Authservice anyway.
The correct/upstream-documented way to securely configure Authservice involves using Istio AuthN and AuthZ to validate and require a JWT. Authservice's bookinfo example uses the old Istio AuthN `Policy` and an AuthZ `AuthorizationPolicy`. Istio replaced the alpha `Policy` resource with `RequestAuthentication`; the configuration is almost the same. My example policy uses `RequestAuthentication` and `AuthorizationPolicy`.
This MR:
- Changes the Envoy filter to `INSERT_BEFORE` `envoy.filters.http.jwt_authn`. This is a breaking change: if you have no AuthN configured, Authservice's filter will never be inserted. This change is required, otherwise Authservice's filter runs after `jwt_authn`, which prevents using AuthN/AuthZ. This matches the documented Authservice example EnvoyFilter configuration.
- An example AuthN/AuthZ configuration is provided. This must be installed in all app namespaces protected by Authservice.
- Adds documentation for the above to the README.
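For reference, this is what a per-namespace AuthN/AuthZ pair that validates and requires a JWT looks like. It is an added illustration written for this discussion, not the example file shipped in this MR or anything from the Authservice project; the namespace, the `app` label, the issuer and the JWKS URI are placeholders that have to be replaced with the real values for each protected app.

```yaml
# Added example (not the MR's own files): a RequestAuthentication that
# validates JWTs, paired with an AuthorizationPolicy that requires one.
# Placeholder values to replace: the namespace, the app label, the issuer
# and the JWKS URI.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: my-app          # placeholder: the protected app namespace
spec:
  selector:
    matchLabels:
      app: my-app            # placeholder: label of the protected workload
  jwtRules:
    - issuer: "https://sso.example.com/auth/realms/example"   # placeholder issuer
      jwksUri: "https://sso.example.com/auth/realms/example/protocol/openid-connect/certs"   # placeholder
      forwardOriginalToken: true   # keep the token so the app can read claims
---
# Without this policy, RequestAuthentication only rejects requests that
# carry an *invalid* token; requests with no token at all still pass.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: my-app          # placeholder
spec:
  selector:
    matchLabels:
      app: my-app            # placeholder
  action: ALLOW
  rules:
    - from:
        - source:
            # "*" matches any principal established by a validated JWT,
            # so a request with no token matches no rule and is denied.
            requestPrincipals: ["*"]
```

Both resources must be applied in every namespace that Authservice protects, as the list above says. A quick check after applying them: a request to the workload with no token should come back `403` (`RBAC: access denied`) from the sidecar, and a request with a malformed or expired token should come back `401` (`Jwt verification fails`); neither should reach the app, regardless of how the `Authorization` header is cased.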
Submitting this as a Draft MR so we can discuss it first.