You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
42 lines
1.8 KiB
42 lines
1.8 KiB
apiVersion: security.istio.io/v1beta1
|
|
kind: RequestAuthentication
|
|
metadata:
|
|
name: m2m-token-issuer
|
|
namespace: istio-system
|
|
spec:
|
|
# we only apply to the ingress-gateway because:
|
|
# - there is no need to verify the same tokens at each sidecar
|
|
# - having no selector will apply the RequestAuthentication to ALL
|
|
# Pods in the mesh, even ones which are not part of Kubeflow
|
|
selector:
|
|
matchLabels:
|
|
app: istio-ingressgateway
|
|
|
|
jwtRules:
|
|
- # The `issuer` must be replaced with a Kustomize patch.
|
|
issuer: PATCH_ME
|
|
|
|
# `forwardOriginalToken` is not strictly required to be true.
|
|
# there are pros and cons to each value:
|
|
# - true: the original token is forwarded to the destination service
|
|
# which raises the risk of the token leaking
|
|
# - false: the original token is stripped from the request
|
|
# which will prevent the destination service from
|
|
# verifying the token (possibly with its own RequestAuthentication)
|
|
forwardOriginalToken: true
|
|
|
|
# This will unpack the JWTs issued by Kubernetes into the expected headers.
|
|
outputClaimToHeaders:
|
|
- header: kubeflow-userid
|
|
claim: sub
|
|
- # NOTE: K8S SA Tokens (e.g. those created with `kubectl create token`) do not contain a `groups` claim,
|
|
# but we need to ensure that any groups header provided by the request is overwritten to avoid
|
|
# users passing a valid JWT with `kubeflow-groups` header to impersonate other users.
|
|
header: kubeflow-groups
|
|
claim: groups
|
|
|
|
# We explicitly set `fromHeaders` to ensure that the JWT is only extracted from the `Authorization` header.
|
|
# This is because we exclude requests that have an `Authorization` header from oauth2-proxy.
|
|
fromHeaders:
|
|
- name: Authorization
|
|
prefix: "Bearer "
|
|
|