My RequestAuthentication is this:

```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: testing-dev-authenticator
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"
    jwksUri: "https://securetoken.google.com/<project-name>"
```
My AuthorizationPolicy is this:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: test-dev-authorizer-all-svc
  namespace: dev
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
    to:
    - operation:
        notPaths: ["/message/ping"]
```
My requirement is that I don't want JWT auth to check the healthz path (in my case /message/ping), but with the above I always get the response "RBAC: access denied".

I wanted all the pods deployed in the "dev" namespace to be authenticated except a health check, whose paths are `["/user/ping", "/message/ping"]`, but I am unable to give both at a time.
I've reproduced your issue and I think it's working as you wanted it to work.

Here are my RequestAuthentication and AuthorizationPolicy yamls:
```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: testing-dev-authenticator
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        paths: ["/productpage"]
  - to:
    - operation:
        paths: ["/api/v1/products"]
```
You can use the following to exclude a path (e.g. "/api/v1/products") from JWT, while "/productpage" requires JWT and will reject all requests without the token.

If you want to exclude more than one path, then this should work:

```yaml
paths: ["/api/v1/products", "/login"]
```

So in your case that would be:

```yaml
paths: ["/user/ping", "/message/ping"]
```

I have tested the above configuration on the bookinfo application.

Here is the token I have used:

```shell
TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/demo.jwt -s)
```
Tests:

/api/v1/products
  without token: 200
  with token: 200

/productpage
  without token: 403
  with token: 200
You also mentioned that you want to do that in particular namespace, then you could try with these RequestAuthentication and AuthorizationPolicy yamls.
```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: testing-dev-authenticator
  namespace: dev
spec:
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: test-dev-only-authorized-api
  namespace: dev
spec:
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
    to:
    - operation:
        paths: ["/productpage"]
```
Also based on the bookinfo application.
Tests:

/api/v1/products
  without token: 200
  with token: 200

/productpage
  without token: 403
  with token: 200
Additional resources:
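For the requirement stated in the question (every workload in the dev namespace must present a valid JWT, except the two health-check paths), here is an added example that is not part of the answer above: it combines the answer's DENY pattern with `notPaths`, so the health checks stay reachable without a token while every other path needs one. The issuer and jwksUri follow the Firebase / Identity Platform token layout and keep the question's `<project-name>` placeholder; the resource names are assumptions.

```yaml
# RequestAuthentication: validates a JWT when one is present and rejects
# requests with an invalid token. On its own it does NOT reject requests
# that carry no token at all; that is the AuthorizationPolicy's job.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: dev-jwt-authenticator          # assumed name
  namespace: dev
spec:
  # No selector: applies to every workload in the namespace.
  jwtRules:
  # Firebase / Identity Platform ID tokens carry the securetoken URL as
  # their issuer and publish signing keys at the googleapis URL.
  # <project-name> is a placeholder for the real project id.
  - issuer: "https://securetoken.google.com/<project-name>"
    jwksUri: "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"
---
# AuthorizationPolicy: deny any request that has no authenticated request
# principal, unless it targets one of the health-check paths.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: dev-require-jwt-except-health  # assumed name
  namespace: dev
spec:
  action: DENY
  rules:
  - from:
    - source:
        # matches requests that have no valid JWT principal
        notRequestPrincipals: ["*"]
    to:
    - operation:
        # the rule does not match these paths, so they are never denied
        notPaths: ["/user/ping", "/message/ping"]
```

Apply this in place of the ALLOW policy from the question: once any ALLOW policy applies to a workload, every request it does not match is denied, which is why /message/ping returned "RBAC: access denied" there. With the DENY action a request that matches no rule is not blocked, so the same tests as above should give 200 for /message/ping without a token and 403 for any other path without one.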