Two beta security APIs, `PeerAuthentication` and `RequestAuthentication`, were introduced in Anthos Service Mesh 1.5. The alpha authentication policy is being deprecated. This page explains how to update the alpha authentication policy to the beta security policies.
Change service-selected policy to workload selector
All beta security policies must use workload-selector or namespace-based configuration models, as opposed to service-based ones.
Update to RequestAuthentication
The following example shows how to update from the alpha `Policy` to `RequestAuthentication`:

```yaml
# Alpha policy for authentication to enable Origin Authentication for service httpbin.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example"
spec:
  targets:
  - name: httpbin
  origins:
  - jwt:
      issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.5/security/tools/jwt/samples/jwks.json"
```
Update to the corresponding beta `RequestAuthentication` resource:

```yaml
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.5/security/tools/jwt/samples/jwks.json"
```
Update to PeerAuthentication
You must also update authentication policies for mutual TLS (mTLS). The alpha `MeshPolicy` enabled mesh-wide `PERMISSIVE` or `STRICT` mTLS. The beta `PeerAuthentication` resource replaces the alpha `MeshPolicy`. Specifically, if you have a `MeshPolicy` similar to the following:

```yaml
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
  labels:
    release: istio
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
```
Update it with a `PeerAuthentication` resource in the root namespace:

```yaml
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  mtls:
    mode: PERMISSIVE
```
Prior to Anthos Service Mesh 1.6.14, the default installation includes a `MeshPolicy` with `PERMISSIVE` mode. Anthos Service Mesh 1.6.14 no longer generates a `MeshPolicy`.
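The two mappings on this page (alpha `Policy` to `RequestAuthentication`, alpha `MeshPolicy` to a root-namespace `PeerAuthentication`), written out as an added Python example that is not Google's or Istio's tooling, so that exported alpha resources can be converted and reviewed before the beta ones are applied. The inputs are the page's own resources in parsed form; the example assumes that each alpha `targets[].name` service name equals the value of the workload's `app` label, which you should confirm per service, and it refuses to convert alpha-only JWT fields rather than dropping them silently.

```python
# Constructed inputs: the alpha resources shown above, as a YAML loader would parse them.
ALPHA_JWT_POLICY = {
    "apiVersion": "authentication.istio.io/v1alpha1", "kind": "Policy",
    "metadata": {"name": "jwt-example"},
    "spec": {"targets": [{"name": "httpbin"}],
             "origins": [{"jwt": {"issuer": "testing@secure.istio.io",
                                  "jwksUri": "https://raw.githubusercontent.com/istio/istio/release-1.5/security/tools/jwt/samples/jwks.json"}}]},
}
ALPHA_MESH_POLICY = {
    "apiVersion": "authentication.istio.io/v1alpha1", "kind": "MeshPolicy",
    "metadata": {"name": "default", "labels": {"release": "istio"}},
    "spec": {"peers": [{"mtls": {"mode": "PERMISSIVE"}}]},
}
# JWT fields whose name and meaning are the same in the alpha `jwt` and the beta `jwtRules`.
JWT_FIELDS = {"issuer", "jwksUri", "jwks", "audiences"}

def to_request_authentication(policy, label_key="app"):
    """Alpha Policy with origins[].jwt -> beta RequestAuthentication.
    Assumption: the target service's pods carry the label <label_key>=<service name>."""
    if policy.get("kind") != "Policy":
        raise ValueError("expected an alpha Policy")
    spec, targets = policy["spec"], policy["spec"].get("targets", [])
    if len(targets) != 1:
        raise ValueError("convert one target per policy; split multi-target policies first")
    rules = []
    for jwt in (o["jwt"] for o in spec.get("origins", []) if "jwt" in o):
        extra = set(jwt) - JWT_FIELDS
        if extra:  # e.g. triggerRules or jwtHeaders need a manual rewrite; never drop them silently
            raise ValueError(f"alpha-only jwt fields need manual migration: {sorted(extra)}")
        rules.append({k: jwt[k] for k in JWT_FIELDS if k in jwt})
    if not rules:
        raise ValueError("no origins[].jwt entries to migrate")
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "RequestAuthentication",
            "metadata": {"name": policy["metadata"]["name"]},
            "spec": {"selector": {"matchLabels": {label_key: targets[0]["name"]}},
                     "jwtRules": rules}}

def to_peer_authentication(mesh_policy, root_namespace="istio-system"):
    """Alpha MeshPolicy peers[].mtls -> beta PeerAuthentication in the root namespace."""
    if mesh_policy.get("kind") != "MeshPolicy":
        raise ValueError("expected an alpha MeshPolicy")
    # An alpha `mtls: {}` with no explicit mode meant STRICT.
    modes = [p["mtls"].get("mode", "STRICT") for p in mesh_policy["spec"].get("peers", []) if "mtls" in p]
    if len(modes) != 1:
        raise ValueError("expected exactly one peers[].mtls entry")
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
            "metadata": {"name": mesh_policy["metadata"]["name"], "namespace": root_namespace},
            "spec": {"mtls": {"mode": modes[0]}}}
```

The returned dicts serialize to JSON, which is valid YAML for `kubectl apply -f`, so the output can be diffed against the beta resources above before anything is applied.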
- We recommend that you use namespace-based `PeerAuthentication`. Although Anthos Service Mesh supports [auto mTLS](https://istio.io/v1.6/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls), it only works well with mesh-level or namespace-level `PeerAuthentication`. When you use workload-level `PeerAuthentication`, you need to configure a corresponding `DestinationRule`.
- You could configure the alpha authentication policy to use Origin authentication to deny requests. The new `RequestAuthentication`, however, only rejects requests that carry an invalid token; a request with no token at all is not rejected by `RequestAuthentication`. We recommend that you use an `AuthorizationPolicy` to define further access control, including requiring a valid principal.
- Although the alpha authentication policy still works in Anthos Service Mesh 1.6.14-asm.2, it will be fully deprecated in the next release. We recommend that you finish the migration as soon as possible.
- During the transition, if both alpha and beta policies exist, only the beta policies take effect and the alpha policies are ignored.
- For more information, see Authentication Policy in the Istio documentation.