
Kubernetes Request Authentication

Provision an Istio RequestAuthentication -- the mesh primitive that defines which JSON Web Tokens (JWTs) are accepted on your workloads. Validate end-user / caller tokens from one or more issuers at the mesh layer, surface verified identities to authorization policies, and forward selected claims to your backends.

What Gets Created

  • A namespaced security.istio.io/v1 RequestAuthentication custom resource.
  • A set of jwt_rules plus an optional workload selector or target_refs.

Prerequisites

  • Istio CRDs installed on the cluster (KubernetesIstioBaseCrds).
  • A running Istio control plane, istiod (KubernetesIstio), to enforce the policy.
  • The target namespace (KubernetesNamespace).

Quick Start

Save the following manifest as requestauthentication.yaml:

apiVersion: kubernetes.openmcf.org/v1
kind: KubernetesRequestAuthentication
metadata:
  name: jwt-auth
spec:
  namespace:
    value: finance
  jwt_rules:
    - issuer: https://accounts.example.com
      jwks_uri: https://accounts.example.com/.well-known/jwks.json

Then apply it:

openmcf apply -f requestauthentication.yaml

Configuration Reference

Required Fields

Field | Type | Description
namespace | reference | Namespace the policy is created in.

Optional Fields

Field | Type | Description
selector.match_labels | map | Pod labels selecting target workloads; omit for namespace-wide scope. Mutually exclusive with target_refs.
target_refs | list | Gateway / Service / ServiceEntry resources to bind to; required for waypoints. Mutually exclusive with selector.
jwt_rules | list | JWT rules: issuer, jwks_uri/jwks, token locations, audiences, claim forwarding, timeout.
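
A fuller manifest that exercises the optional fields above, added here as an example and not taken from the project's own documentation. The keys selector.match_labels, jwt_rules, issuer and jwks_uri appear on this page; audiences, from_headers, output_claim_to_headers, forward_original_token and timeout are assumed to be the snake_case spelling of the corresponding Istio JWT rule fields, and the issuer, audience and label values are constructed.

```yaml
apiVersion: kubernetes.openmcf.org/v1
kind: KubernetesRequestAuthentication
metadata:
  name: jwt-auth-ledger
spec:
  namespace:
    value: finance
  # Scope the policy to the ledger workloads only (constructed label).
  # selector is mutually exclusive with target_refs.
  selector:
    match_labels:
      app: ledger-api
  jwt_rules:
    # Primary identity provider. Field names below jwks_uri are assumed
    # snake_case mappings of Istio's jwtRules fields.
    - issuer: https://accounts.example.com
      jwks_uri: https://accounts.example.com/.well-known/jwks.json
      # Reject tokens minted for another service even if the issuer is trusted.
      audiences:
        - ledger-api
      # Accept the token only from the Authorization header as a Bearer token.
      from_headers:
        - name: Authorization
          prefix: "Bearer "
      # Expose verified claims to the backend in headers the proxy sets itself.
      output_claim_to_headers:
        - header: x-jwt-sub
          claim: sub
      # Do not pass the raw token on to the backend.
      forward_original_token: false
      # Bound the JWKS fetch so a slow identity provider cannot stall requests.
      timeout: 5s
    # Second trusted issuer for partner calls (constructed); the same
    # audience check applies so a partner token cannot target other services.
    - issuer: https://partner-idp.example.net
      jwks_uri: https://partner-idp.example.net/.well-known/jwks.json
      audiences:
        - ledger-api
```

A RequestAuthentication only rejects requests that carry an invalid token; a request with no token at all still reaches the workload, so pair it with an Istio AuthorizationPolicy that requires a request principal when the endpoints must not be reachable anonymously.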

Stack Outputs

Output | Description
request_authentication_name | Name of the created RequestAuthentication (equals metadata.name).
namespace | Namespace the RequestAuthentication was created in.

Related Components

  • Kubernetes Peer Authentication
  • Kubernetes Istio
  • Kubernetes Istio Base CRDs
  • Kubernetes Namespace
