Upgrading to the beta security policies

Anthos Service Mesh 1.5.10 introduces two beta security APIs, PeerAuthentication and RequestAuthentication. The alpha authentication policy is being deprecated. This page explains how to update the alpha authentication policy to the beta security policies.

Change service-selected policy to workload selector

All beta security policies must use a workload-selector or namespace-based configuration model rather than the service-based model of the alpha policy. In practice this means every `targets` entry that named a service is replaced by a `selector` that matches the labels on the workload's pods, or by placing the policy in the namespace (or the root namespace) it should apply to.

Update to RequestAuthentication

The following example shows how to update from the alpha Policy to RequestAuthentication:

# Alpha policy for authentication to enable Origin Authentication for service foo.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example"
spec:
  targets:
  - name: httpbin
  origins:
  - jwt:
      issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.5/security/tools/jwt/samples/jwks.json"

Update to the corresponding beta RequestAuthentication resource. Note that the target service name `httpbin` becomes a label selector on the workload, and each `origins[].jwt` entry becomes a `jwtRules` entry:

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.5/security/tools/jwt/samples/jwks.json"

Update to PeerAuthentication

You must also update authentication policies for mutual TLS (mTLS). The alpha MeshPolicy enabled mesh-wide PERMISSIVE or STRICT mTLS. The beta PeerAuthentication resource replaces the alpha MeshPolicy. Specifically, if you have a MeshPolicy similar to the following:

apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
  labels:
    release: istio
spec:
  peers:
  - mtls:
      mode: PERMISSIVE

Replace it with a PeerAuthentication resource in the root namespace (`istio-system` by default); a PeerAuthentication named `default` with no selector in the root namespace is the mesh-wide policy:

apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  mtls:
    mode: PERMISSIVE

Prior to Anthos Service Mesh 1.5.10, the default installation included a MeshPolicy with PERMISSIVE mode. Anthos Service Mesh 1.5.10 no longer generates a MeshPolicy.

  1. We recommend that you use namespace-based PeerAuthentication. Although Anthos Service Mesh supports auto mTLS, it only works well with mesh-level or namespace-level PeerAuthentication. When you use workload-level PeerAuthentication, you need to configure a corresponding DestinationRule.
  2. The alpha authentication policy could be configured to use origin authentication to deny requests. The beta RequestAuthentication, however, only rejects requests that carry an invalid token; a request with no token at all is passed through. We recommend that you use an AuthorizationPolicy to define further access control, such as requiring a valid token.
  3. Although the alpha authentication policy still works in Anthos Service Mesh 1.5.10-asm.2, the alpha authentication policy will be fully deprecated in the next release. We recommend that you finish the migration as soon as possible.
  4. During the transition, if both alpha and beta policies exist, only the beta policies take effect and alpha policies are ignored.
  5. For more information, see Authentication Policy in the Istio documentation.
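The following manifests are an added example for notes 1 and 2 above; they are not part of the original page and not the Anthos Service Mesh installer's own configuration. They assume the `httpbin` workload from the examples above runs in a namespace called `foo` and is reachable as `httpbin.foo.svc.cluster.local`; both of those values are assumptions, while the `app: httpbin` label and the JWT issuer come from the page. The first document is the recommended namespace-scoped PeerAuthentication; the second and third show the workload-scoped PeerAuthentication with the DestinationRule that note 1 says it needs; the fourth is the AuthorizationPolicy that closes the gap described in note 2, since RequestAuthentication alone admits requests that carry no token.

```yaml
# Added example, not from the original page.
# Assumptions: namespace "foo" and host httpbin.foo.svc.cluster.local.

# 1. Recommended: namespace-scoped PeerAuthentication. A policy named
#    "default" with no selector applies to every workload in the namespace,
#    and auto mTLS configures the client side for you.
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "foo"
spec:
  mtls:
    mode: STRICT
---
# 2. Workload-scoped PeerAuthentication for the httpbin pods only. As note 1
#    states, this form needs a corresponding DestinationRule so that clients
#    send mTLS to the selected workload.
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "httpbin-strict"
  namespace: "foo"
spec:
  selector:
    matchLabels:
      app: httpbin
  mtls:
    mode: STRICT
---
# The DestinationRule that pairs with the workload-scoped policy above.
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "httpbin-mtls"
  namespace: "foo"
spec:
  host: httpbin.foo.svc.cluster.local   # assumed FQDN of the httpbin service
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# 3. Require a valid JWT. RequestAuthentication (the jwt-example resource on
#    this page) validates tokens that are present; this ALLOW policy admits
#    only requests whose token produced a request principal, so requests with
#    no token are denied by the implicit deny that applies once an ALLOW
#    policy matches the workload.
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "httpbin-require-jwt"
  namespace: "foo"
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
```

Apply either document 1 or documents 2 and 3, not both, for the same workload; document 4 is independent and works with either. The `requestPrincipals: ["*"]` entry matches any principal derived from a token that passed RequestAuthentication; to restrict access to the issuer used on this page, replace `"*"` with the `<issuer>/<subject>` principal, for example `"testing@secure.istio.io/<subject of the token>"`.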

What's next