Anthos Service Mesh 1.5.9 introduces two beta security APIs,
RequestAuthentication. The alpha authentication
policy is being deprecated. This page explains how to update the alpha
authentication policy to the beta security policies.
Change service-selected policy to workload selector
All security beta policies must use workload-selector or namespace-based configuration models, as opposed to service-based.
Update to RequestAuthentication
The following example shows how to update from the alpha
# Alpha policy for authentication to enable Origin Authentication for service foo. apiVersion: "authentication.istio.io/v1alpha1" kind: "Policy" metadata: name: "jwt-example" spec: targets: - name: httpbin origins: - jwt: issuer: "firstname.lastname@example.org" jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.5/security/tools/jwt/samples/jwks.json"
Update to the corresponding beta
apiVersion: "security.istio.io/v1beta1" kind: "RequestAuthentication" metadata: name: "jwt-example" spec: selector: matchLabels: app: httpbin jwtRules: - issuer: "email@example.com" jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.5/security/tools/jwt/samples/jwks.json"
Update to PeerAuthentication
You must also update authentication policies for mutual TLS (mTLS). The alpha
MeshPolicy enabled mesh-wide
STRICT mTLS. The beta
PeerAuthentication resource replaces the alpha
MeshPolicy. Specifically, if
you have a
MeshPolicy similar to the following:
apiVersion: "authentication.istio.io/v1alpha1" kind: "MeshPolicy" metadata: name: "default" labels: release: istio spec: peers: - mtls: mode: PERMISSIVE
Update it with a
PeerAuthentication resource in the root namespace:
apiVersion: "security.istio.io/v1beta1" kind: "PeerAuthentication" metadata: name: "default" namespace: "istio-system" spec: mtls: mode: PERMISSIVE
Prior to Anthos Service Mesh 1.5.9, the default installation includes
MeshPolicy with PERMISSIVE mode. Anthos Service Mesh 1.5.9 no longer
- We recommend that you use namespace-based
PeerAuthentication. Although Anthos Service Mesh supports auto mTLS, it only works well with mesh-level or namespace-level
PeerAuthentication. When you use workload-level
PeerAuthentication, you need to configure a corresponding
- You could configure the alpha authentication policy to use Origin
authentication to deny requests. The new
RequestAuthenticationhowever, only rejects requests when the token is invalid. We recommend that you use an
AuthorizationPolicyto define further access control.
- Although the alpha authentication policy still works in Anthos Service Mesh 1.5.9-asm.0, the alpha authentication policy will be fully deprecated in the next release. We recommend that you finish the migration as soon as possible.
- During the transition, if both alpha and beta policies exist, only the beta policies take effect and alpha policies are ignored.
- For more information, see Authentication Policy in the Istio documentation.