Is it possible to use RequestAuthentication and AuthenticationPolicy for microservice to microservice communication

Question

We have recently setup istio on our kubernetes cluster and are trying to see if we can use RequestAuthentication and AuthenticationPolicy to enable us to only allow a pod in namespace x to communicate with a pod in namespace y when it has a valid jwt token.

All the examples I have seen online seem to only apply for end user authentication via the gateway rather than internal pod to pod communication.

We have tried a few different options but are yet to have any luck.

We can get AuthenticationPolicy to work for pod to pod traffic using "from" and the source being the IP address of the pod in namespace x:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
 name: "request-jwt"
 namespace: y
spec:
  jwtRules:
  - issuer: "https://keycloak.example.com/auth/realms/istio"
    jwksUri: "https://keycloak.example.com/auth/realms/istio/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: "jwt-auth"
  namespace: y
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks: ["10.43.5.175"]

When we add when block for jwt it doesn't work:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
 name: "request-jwt"
 namespace: y
spec:
  jwtRules:
  - issuer: "https://keycloak.example.com/auth/realms/istio"
    jwksUri: "https://keycloak.example.com/auth/realms/istio/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: "jwt-auth"
  namespace: y
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks: ["10.43.5.175"]
    when:
     - key: request.auth.claims[iss]
       values: ["https://keycloak.example.com/auth/realms/istio"]

Also tried this but doesn't seem to work either:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
 name: "request-jwt"
 namespace: y
spec:
  jwtRules:
  - issuer: "https://keycloak.example.com/auth/realms/istio"
    jwksUri: "https://keycloak.example.com/auth/realms/istio/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: "deny-invalid-jwt"
  namespace: y
spec:
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]

Thanks in advance!

Answer 1

Yes, it is possible to use both Authorization Policies and Request Authentications.

But debugging is quite difficult because a lot is based on your environment and the JWT that is being used, and so on.

To troubleshoot these kinds of issues I'd start by setting the rbac scoped logs to debug for the services envoy proxy. In the rbac debug logs you'll see the data extracted from the JWT and stored into filter metadata. What you'll frequently find is that:

• The issuer in the filter metadata might not match the one in the RequestAuthentication resource, etc.

Learn more about logging scopes here https://istio.io/v1.12/docs/ops/diagnostic-tools/component-logging/#logging-scopes