istio: Unable to configure EnvoyFilter to do auth redirect
Bug description
I’m trying to prepare a setup with TLS termination at ingress-gateway, JWT based authz and automated redirection to the login page when user arrives without a valid JWT token. Currently everything works fine apart from redirection to login page.
I’ve tried to use both the “new” and the “old” style to define EnvoyFilters.

New:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      # For some reason, INSERT_FIRST doesn't work
      operation: INSERT_BEFORE
      value:
        name: "envoy.filters.http.ext_authz"
        config:
          http_service:
            server_uri:
              uri: http://oauthproxy-service.auth-proxy.svc.cluster.local
              cluster: outbound|4180||oauthproxy-service.auth-proxy.svc.cluster.local
              timeout: 10s
            authorization_request:
              allowed_headers:
                patterns:
                - exact: "cookie"
                - exact: "x-forwarded-access-token"
                - exact: "x-forwarded-user"
                - exact: "x-forwarded-email"
                - exact: "authorization"
                - exact: "x-forwarded-proto"
                - exact: "proxy-authorization"
                - exact: "user-agent"
                - exact: "x-forwarded-host"
                - exact: "from"
                - exact: "x-forwarded-for"
                - exact: "accept"
                - prefix: "x-forwarded"
                - prefix: "x-auth-request"
            authorization_response:
              allowedClientHeaders:
                patterns:
                - exact: "location"
                - exact: "proxy-authenticate"
                - exact: "set-cookie"
                - exact: "authorization"
                - exact: "www-authenticate"
                - prefix: "x-forwarded"
                - prefix: "x-auth-request"
              allowedUpstreamHeaders:
                patterns:
                - exact: "location"
                - exact: "proxy-authenticate"
                - exact: "set-cookie"
                - exact: "authorization"
                - exact: "www-authenticate"
                - prefix: "x-forwarded"
                - prefix: "x-auth-request"
Old:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
  namespace: istio-system
spec:
  workloadLabels:
    app: istio-ingressgateway
  filters:
  - filterConfig:
      http_service:
        server_uri:
          uri: http://oauthproxy-service.auth-proxy.svc.cluster.local
          cluster: outbound|4180||oauthproxy-service.auth-proxy.svc.cluster.local
          timeout: 10s
        authorizationRequest:
          allowedHeaders:
            patterns:
            - exact: "cookie"
            - exact: "x-forwarded-access-token"
            - exact: "x-forwarded-user"
            - exact: "x-forwarded-email"
            - exact: "authorization"
            - exact: "x-forwarded-proto"
            - exact: "proxy-authorization"
            - exact: "user-agent"
            - exact: "x-forwarded-host"
            - exact: "from"
            - exact: "x-forwarded-for"
            - exact: "accept"
            - prefix: "x-forwarded"
            - prefix: "x-auth-request"
        authorizationResponse:
          allowedClientHeaders:
            patterns:
            - exact: "location"
            - exact: "proxy-authenticate"
            - exact: "set-cookie"
            - exact: "authorization"
            - exact: "www-authenticate"
            - prefix: "x-forwarded"
            - prefix: "x-auth-request"
          allowedUpstreamHeaders:
            patterns:
            - exact: "location"
            - exact: "proxy-authenticate"
            - exact: "set-cookie"
            - exact: "authorization"
            - exact: "www-authenticate"
            - prefix: "x-forwarded"
            - prefix: "x-auth-request"
      statusOnError:
        code: GatewayTimeout
    filterName: envoy.ext_authz
    filterType: HTTP
    insertPosition:
      index: FIRST
    listenerMatch:
      portNumber: 443
      listenerType: GATEWAY
Unfortunately, none of them works. Nothing happens when I create those resources; I always get “RBAC: access denied”, just like before creating the EnvoyFilter.

Affected product area:
- [x] Configuration Infrastructure
- [x] Docs
- [ ] Installation
- [x] Networking
- [ ] Performance and Scalability
- [ ] Policies and Telemetry
- [x] Security
- [ ] Test and Release
- [ ] User Experience
- [ ] Developer Infrastructure
Expected behavior
When I access the webpage without a valid JWT token I should be redirected to the login page
Steps to reproduce the bug
Create any service, expose it via ingress and add JWT filtering.
Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm)
kubectl
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.11", GitCommit:"d94a81c724ea8e1ccc9002d89b7fe81d58f89ede", GitTreeState:"clean", BuildDate:"2020-03-12T21:08:59Z", GoVersion:"go1.12.17", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.11", GitCommit:"d94a81c724ea8e1ccc9002d89b7fe81d58f89ede", GitTreeState:"clean", BuildDate:"2020-03-12T21:00:06Z", GoVersion:"go1.12.17", Compiler:"gc", Platform:"linux/amd64"}
istioctl
client version: 1.6.0
control plane version: 1.6.0
data plane version: 1.6.0 (16 proxies)
Environment where bug was observed (cloud vendor, OS, etc): OpenStack VM, Kubernetes 1.15.11
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Reactions: 5
- Comments: 20 (3 by maintainers)
Any hint how to extract this from a running instance?