JWT
Algorithm
RS256
ssh-keygen -t rsa -b 2048 -m PEM -f jwt.key -N ""
openssl rsa -in jwt.key -pubout -outform PEM -out jwt.pub
Token
<header>.<payload>.<signature>
Payload
- Registered claims
  iss: Issuer
  sub: Subject; it should be a value that is unique within the issuer's context.
  aud: Audience
  exp: Expiration Time
  nbf: Not Before
  iat: Issued At
  jti: JWT ID
RequestAuthentication
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: <name>
  namespace: <namespace for selector>
spec:
  selector:
    matchLabels:
      <key>: <value>
  jwtRules:
  - issuer: <issuer>
    jwksUri: <jwksUri>
    forwardOriginalToken: false
    outputPayloadToHeader: <header>
AuthorizationPolicy
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: <name>
  namespace: <namespace for selector>
spec:
  selector:
    matchLabels:
      <key>: <value>
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces:
        - default
    - source:
        requestPrincipals: ["<iss>/<sub>"]
Note
Values used in rules can be written as abc (exact match), abc* (prefix match), *abc (suffix match), or * (any non-empty string).
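As an added example (not from the original notes or from Istio's code), the following stdlib-only Python splits a token into <header>.<payload>.<signature>, applies the registered-claim checks listed above, derives the <iss>/<sub> request principal, and matches it against rule values using the abc / abc* / *abc / * semantics. It assumes the RS256 signature has already been validated by the proxy; the issuer, subject, timestamps and the signature segment in the sample token are constructed placeholders.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding, so restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def split_jwt(token: str):
    # Split <header>.<payload>.<signature>; only the first two parts are JSON
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected <header>.<payload>.<signature>")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts[2]

def check_registered_claims(payload: dict, issuer: str, audience: str, now: int):
    # Claim checks applied after signature validation; None means acceptable
    if payload.get("iss") != issuer:
        return "iss mismatch"
    aud = payload.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        return "aud mismatch"
    if "exp" in payload and now >= payload["exp"]:
        return "expired"
    if "nbf" in payload and now < payload["nbf"]:
        return "not yet valid"
    return None

def request_principal(payload: dict) -> str:
    # Istio derives the request principal as <iss>/<sub>
    return f"{payload['iss']}/{payload['sub']}"

def match_rule(pattern: str, value: str) -> bool:
    # Rule value semantics: abc exact, abc* prefix, *abc suffix, * any non-empty string
    if pattern == "*":
        return value != ""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern

# Constructed sample; the third segment is a placeholder, not a real RS256 signature.
CLAIMS = {"iss": "https://issuer.example", "sub": "user-42", "aud": "api",
          "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600, "jti": "c0ffee"}
SAMPLE_TOKEN = ".".join([b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
                         b64url_encode(json.dumps(CLAIMS).encode()), "placeholder-signature"])
```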