Expose and secure a workload with Istio

This tutorial shows how to expose and secure a workload using Istio's built-in security features. You will expose the workload by creating a VirtualService. Then, you will secure access to it by adding JWT validation with Istio's RequestAuthentication and AuthorizationPolicy resources.

Prerequisites

Expose your workload using a Virtual Service

Follow the instructions in the tabs to expose the HttpBin workload or the Function using a VirtualService.

  • Expose the HttpBin workload
  • Expose the Function
  1. Create a VirtualService:

    cat <<EOF | kubectl apply -f -
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: httpbin
      namespace: $NAMESPACE
    spec:
      hosts:
      - "httpbin.$DOMAIN_TO_EXPOSE_WORKLOADS"
      gateways:
      - $GATEWAY
      http:
      - match:
        - uri:
            prefix: /
        route:
        - destination:
            port:
              number: 8000
            host: httpbin.$NAMESPACE.svc.cluster.local
    EOF

Secure a workload or the Function using a JWT

To secure the HttpBin workload or the Function with a JWT, create a RequestAuthentication together with an AuthorizationPolicy. Both resources select the workload through matchLabels. The AuthorizationPolicy is what makes a valid JWT mandatory for every request: a RequestAuthentication on its own only rejects requests that carry an invalid token and still lets requests without any token through. Follow the instructions in the tabs:

  • Secure the Httpbin workload
  • Secure the Function
  1. Create the RequestAuthentication and AuthorizationPolicy resources:

    cat <<EOF | kubectl apply -f -
    apiVersion: security.istio.io/v1beta1
    kind: RequestAuthentication
    metadata:
      name: jwt-auth-httpbin
      namespace: $NAMESPACE
    spec:
      selector:
        matchLabels:
          app: httpbin
      jwtRules:
      - issuer: $ISSUER
        jwksUri: $JWKS_URI
    ---
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: httpbin
      namespace: $NAMESPACE
    spec:
      selector:
        matchLabels:
          app: httpbin
      rules:
      - from:
        - source:
            requestPrincipals: ["*"]
    EOF
  2. Access the secured workload without a token. You get a 403 Forbidden response: there is no token for the RequestAuthentication to validate, so the request reaches the AuthorizationPolicy with no request principal and the requestPrincipals rule denies it.

    curl -ik -X GET https://httpbin.$DOMAIN_TO_EXPOSE_WORKLOADS/status/200
  3. Now access the secured workload with a valid JWT. You get a 200 OK response. A token that is present but fails validation (issuer not listed in jwtRules, key ID not found in the JWKS, expired, or bad signature) is rejected earlier by the RequestAuthentication with 401 Unauthorized instead.

    curl -ik -X GET https://httpbin.$DOMAIN_TO_EXPOSE_WORKLOADS/status/200 --header "Authorization: Bearer $ACCESS_TOKEN"
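The 401 versus 403 distinction in the two curl calls above is the part of this setup that most often needs debugging. The following script is an added example, not code from the Kyma documentation or from Istio: it reproduces offline, with the Python standard library only, the order in which the sidecar evaluates a request against the two resources created in step 1, so you can check a token against your jwtRules and rules before sending it to the mesh. The issuer value, the JWKS and the tokens are constructed for the demo; the signature is deliberately not verified here (the sidecar does that with the key fetched from jwksUri), so a 200 from this script means "the claims and key ID line up", not "the token is genuine".

```python
"""Offline simulation of Istio's RequestAuthentication + AuthorizationPolicy
decision for a single HTTP request. Added example, not Istio's own code.

Order of evaluation, as the sidecar does it:
  1. RequestAuthentication (jwtRules): a token that is PRESENT must match a
     configured issuer, reference a kid that exists in the JWKS and not be
     expired, or the request is rejected with 401. A request WITHOUT a token
     is not rejected here; it merely proceeds with no request principal.
  2. AuthorizationPolicy (rules[].from.source.requestPrincipals): the request
     principal is "<iss>/<sub>"; "*" matches any authenticated principal and
     a request with no principal is denied with 403.
Signature verification is omitted (assumption of this demo; Envoy does it).
"""
import base64
import json
import time

# Assumed value for $ISSUER and a constructed JWKS with one key ID.
ISSUER = "https://issuer.example.com"
JWKS = {"keys": [{"kty": "RSA", "kid": "k1", "alg": "RS256", "use": "sig"}]}
NOW = 1_700_000_000  # fixed "current time" so the demo is reproducible


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Constructed demo token with a dummy signature segment."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"dummy-signature")])


def check_request_authentication(token, issuer, jwks, now):
    """Mirror jwtRules: returns (principal, problems). Problems mean 401."""
    try:
        h, p, _sig = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None, ["token is not a well-formed JWT"]
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"issuer {claims.get('iss')!r} is not configured in jwtRules")
    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    if header.get("kid") not in known_kids:
        problems.append(f"kid {header.get('kid')!r} not found in JWKS")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token is expired")
    if problems:
        return None, problems
    return f"{claims['iss']}/{claims.get('sub', '')}", []


def authorize(principal, allowed_principals):
    """ALLOW rule with from.source.requestPrincipals; None principal -> deny."""
    if principal is None:
        return False
    return "*" in allowed_principals or principal in allowed_principals


def simulate(token, issuer=ISSUER, jwks=JWKS, allowed_principals=("*",), now=None):
    """Return (http_status, reasons) the sidecar would produce for this request."""
    now = time.time() if now is None else now
    principal = None
    if token is not None:
        principal, problems = check_request_authentication(token, issuer, jwks, now)
        if problems:
            return 401, problems
    if not authorize(principal, allowed_principals):
        return 403, ["RBAC: access denied (no matching requestPrincipals)"]
    return 200, []


# Constructed tokens covering the cases a practitioner runs into.
GOOD = make_unsigned_token({"alg": "RS256", "kid": "k1", "typ": "JWT"},
                           {"iss": ISSUER, "sub": "alice", "exp": NOW + 3600})
WRONG_ISSUER = make_unsigned_token({"alg": "RS256", "kid": "k1"},
                                   {"iss": "https://other.example.com", "sub": "alice", "exp": NOW + 3600})
UNKNOWN_KID = make_unsigned_token({"alg": "RS256", "kid": "k2"},
                                  {"iss": ISSUER, "sub": "alice", "exp": NOW + 3600})
EXPIRED = make_unsigned_token({"alg": "RS256", "kid": "k1"},
                              {"iss": ISSUER, "sub": "alice", "exp": NOW - 1})

if __name__ == "__main__":
    for label, tok in [("no token", None), ("valid", GOOD), ("wrong issuer", WRONG_ISSUER),
                       ("unknown kid", UNKNOWN_KID), ("expired", EXPIRED), ("garbage", "not-a-jwt")]:
        status, reasons = simulate(tok, now=NOW)
        print(f"{label:13} -> {status} {'; '.join(reasons)}")
```

Run it before reaching for `istioctl` logs: if your real token fails `check_request_authentication` with the same $ISSUER and the JWKS document served at $JWKS_URI, the 401 you see from the gateway is a token or configuration mismatch, not a signature problem. Note that `issuer` in jwtRules must match the `iss` claim byte for byte, including any trailing slash.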