红帽全球峰会This documentation is for a release that is no longer maintained
See documentation for the latest supported version 3 or the latest supported version 4.12.2. Using JSON Web Token authentication with Service Mesh and OpenShift Serverless
You can enable JSON Web Token (JWT) authentication for Knative services by creating a policy in your serverless application namespace that only allows requests with valid JWTs.
Prerequisites
- Install OpenShift Serverless.
- Install Red Hat OpenShift Service Mesh.
- Configure Service Mesh with OpenShift Serverless, including enabling sidecar injection for your Knative services.
Adding sidecar injection to pods in system namespaces such as knative-serving and knative-serving-ingress is not supported.
Procedure
Copy the following
Policyresource into a YAML file:重要The paths
/metricsand/healthzmust be included inexcludedPathsbecause they are accessed from system pods in theknative-servingnamespace.Copy to Clipboard Copied! Toggle word wrap Toggle overflow Apply the
Policyresource YAML file:oc apply -f <filename>
$ oc apply -f <filename>Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
If you try to use a
curlrequest to get the Knative service URL, it is denied.curl http://hello-example-default.apps.mycluster.example.com/
$ curl http://hello-example-default.apps.mycluster.example.com/Copy to Clipboard Copied! Toggle word wrap Toggle overflow Example output
Origin authentication failed.
Origin authentication failed.Copy to Clipboard Copied! Toggle word wrap Toggle overflow Verify the request with a valid JWT.
Get the valid JWT token by entering the following command:
TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
$ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -Copy to Clipboard Copied! Toggle word wrap Toggle overflow Access the service by using the valid token in the
curlrequest header:curl http://hello-example-default.apps.mycluster.example.com/ -H "Authorization: Bearer $TOKEN"
$ curl http://hello-example-default.apps.mycluster.example.com/ -H "Authorization: Bearer $TOKEN"Copy to Clipboard Copied! Toggle word wrap Toggle overflow The request is now allowed.
Example output
Hello OpenShift!
Hello OpenShift!Copy to Clipboard Copied! Toggle word wrap Toggle overflow
12.2.1. Additional resources
- See Red Hat OpenShift Service Mesh architecture.
-
For more information about verifying Knative services and using
curlrequests, see Verifying your serverless application deployment.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}