UNCLASSIFIED - NO CUI


Draft: Use Istio AuthN and AuthZ

blake.burkhart requested to merge filterChain into main

TL;DR: P1's Authservice configuration is only "safe" due to a case sensitivity error in Authservice's source code. If requests have an Authorization: header they are supposed to be able to bypass Authservice. However, our configuration uses capitalized Authorization which means the broken code forces all requests through Authservice anyway.

The correct/upstream-documented way to securely configure Authservice involves using Istio AuthN and AuthZ to validate and require a JWT. Authservice's bookinfo example uses the old Istio AuthN Policy and an AuthZ AuthorizationPolicy. Istio replaced the alpha Policy resource with RequestAuthentication; the configuration is almost the same. My example policy uses RequestAuthentication and AuthorizationPolicy.

This MR:

  1. Changes the Envoy filter to INSERT_BEFORE envoy.filters.http.jwt_authn. This is a breaking change: if you have no AuthN configured, Authservice's filter will never be inserted. This change is required; otherwise Authservice's filter runs after jwt_authn, which prevents using AuthN/AuthZ.
  2. An example AuthN/AuthZ configuration is provided. This must be installed in all app namespaces protected by Authservice.
  3. Adds documentation for the above to the README.

Submitting this as a Draft MR so we can discuss it first.

Edited by blake.burkhart
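An added example (not the manifests in this MR, and not P1's or Authservice's own configuration) of the three pieces the description refers to: an EnvoyFilter that inserts the Authservice ext_authz filter before envoy.filters.http.jwt_authn, and the RequestAuthentication plus AuthorizationPolicy pair that makes a valid JWT mandatory for the protected workload. The namespace (bookinfo), the workload labels (app: productpage, protect: keycloak), the Keycloak issuer and JWKS URLs, and the Authservice cluster name and port are placeholders assumed for illustration.

```yaml
# Assumed example manifests; replace labels, namespace, issuer, jwksUri and
# cluster_name with the values for your deployment.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authservice-ext-authz
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      protect: keycloak            # assumed label on workloads Authservice fronts
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              # Anchor on jwt_authn so Authservice runs BEFORE JWT validation.
              # jwt_authn only exists when a RequestAuthentication selects the
              # workload, so without AuthN this patch matches nothing.
              name: envoy.filters.http.jwt_authn
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          transport_api_version: V3   # assumes an Authservice build that speaks ext_authz v3
          grpc_service:
            envoy_grpc:
              # assumed Istio cluster name for the Authservice service on port 10003
              cluster_name: outbound|10003||authservice.authservice.svc.cluster.local
            timeout: 10s
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: keycloak-jwt
  namespace: bookinfo               # install one copy per protected app namespace
spec:
  selector:
    matchLabels:
      app: productpage              # assumed workload label
  jwtRules:
  - issuer: "https://keycloak.example.com/auth/realms/example"   # assumed
    jwksUri: "https://keycloak.example.com/auth/realms/example/protocol/openid-connect/certs"
    # Keep the bearer token on the request so the app can read it after validation.
    forwardOriginalToken: true
---
# RequestAuthentication alone only rejects requests carrying an INVALID token;
# a request with no token at all still reaches the workload. This policy is
# what makes the token mandatory: ALLOW only when a request principal was
# established by jwt_authn, deny everything else.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
```

With these in place the security property no longer depends on Authservice being in the request path: a request that arrives with a bogus Authorization: header is rejected by jwt_authn (401) and a request with no token is rejected by the AuthorizationPolicy (403), whichever way the case-sensitivity quirk in Authservice behaves. A quick check after applying them is to send one request with no credentials and one with a garbage bearer token to the workload and confirm that neither reaches the application.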
