I am trying to create a simple configuration based on the Istio example:
- I have a RequestAuthentication in istio-system. I want to have one RequestAuthentication on the stand.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "[email protected]"
    jwksUri: ".25/security/tools/jwt/samples/jwks.json"
    outputClaimToHeaders:
    - header: "x-aaaa"
      claim: "foo"
- and an AuthorizationPolicy in the foo namespace
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        paths: ["/headers"]
    when:
    - key: request.auth.claims[foo]
      values: ["bar"]
The RequestAuthentication is executed on the istio ingress Envoy; here is my record in its log file:
"request.auth.principal:{"foo":"bar","exp":4685989700,"iat":1532389700,"iss":"[email protected]","sub":"[email protected]"} "request.auth.role:bar
But the AuthorizationPolicy is executed on the httpbin Envoy. In the httpbin Envoy log file I see that there isn't any principal on the request:
"request.auth.principal:- "request.auth.role:-,
but my header "x-aaaa" is there:
'x-envoy-external-address', '10.112.128.1' 'x-request-id', '8ef2b198-b633-4478-8adf-2105e2c036bc' 'x-aaaa', 'bar' 'x-envoy-attempt-count', '1'
The request is blocked by Envoy: enforced denied, matched policy none
Why isn't the principal passed between the Envoys?
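One configuration that makes the httpbin sidecar populate request.auth.principal, added here as an example and not part of the original post: each Envoy derives request.auth.principal only from a JWT it validated itself, and by default the gateway's JWT filter strips the Authorization header before forwarding, so the gateway rule keeps the token with forwardOriginalToken and a second RequestAuthentication selecting app: httpbin lets the sidecar validate it, after which the AuthorizationPolicy above matches unchanged. The issuer and jwksUri are placeholders for the values in the post (whose jwksUri is truncated), and the resource name jwt-httpbin is assumed.

```yaml
# Gateway-side rule: validate the JWT at the ingress gateway and keep the
# Authorization header so the next hop (the httpbin sidecar) still sees the token.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "ISSUER_PLACEHOLDER"                      # placeholder: issuer from the post
    jwksUri: "https://JWKS_URL_PLACEHOLDER/jwks.json"  # placeholder: jwksUri from the post
    forwardOriginalToken: true   # default is false: the token would be dropped after the gateway
    outputClaimToHeaders:
    - header: "x-aaaa"
      claim: "foo"
---
# Workload-side rule: the httpbin sidecar validates the forwarded token itself,
# which is what sets request.auth.principal and request.auth.claims for the
# AuthorizationPolicy in namespace foo.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: "jwt-httpbin"   # assumed name
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "ISSUER_PLACEHOLDER"                      # placeholder: same issuer as above
    jwksUri: "https://JWKS_URL_PLACEHOLDER/jwks.json"  # placeholder: same jwksUri as above
```

The alternative is to keep a single RequestAuthentication and attach the AuthorizationPolicy to the gateway workload instead, since that is the proxy that actually validated the token.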