How to Authorize Non-Kubernetes Clients With Istio on Your K8s Cluster
Use JSON web tokens to authorize clients to interact with your Kubernetes microservices using Istio

Istio is one of the most popular Kubernetes-aware service mesh technologies, and it grants you immense power if you host microservices on Kubernetes.
In my last article, “Enable Access Control Between Your Kubernetes Workloads Using Istio,” we discussed how to use Istio to manage access between Kubernetes microservices.
That works well for internal communication. However, many use cases require you to authorise non-Kubernetes clients to connect to your Kubernetes workloads, for example when you expose APIs for third parties to integrate with.
Istio provides this capability through its Layer 7 Envoy proxies, which validate the JSON Web Token (JWT) a client presents and then apply authorisation policy based on the claims it carries. In this article, we’ll explore how we can leverage Istio to facilitate this with a hands-on demonstration.
What Are JSON Web Tokens?
JSON Web Tokens (JWT) are tokens based on RFC 7519 that represent claims between two parties. You can employ them to hold identity information and other metadata.
A JWT is produced by a trusted identity provider, which signs the base64url-encoded header and payload with its signing key. With the HS256 algorithm used in the example below, the signature is an HMAC computed with a shared secret; with asymmetric algorithms such as RS256 or ES256, it is a digital signature made with the provider’s private key, and the matching public keys are published as a JSON Web Key (JWK) set.
During authorisation, the server must verify the signature with that key before trusting any claim in the token. Istio’s Envoy proxies do this for you, fetching the provider’s JWK set to check the signature.

Below is an example of a JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkdhdXJhdiBBZ2Fyd2FsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1ODk0MDc5Mjh9.KJzt_O-Xwtd1DF_Ie0yi5lVpEiH4spoyZBr3rATTHqw
The first segment (everything before the first dot) is the header, which states the token type and the signing algorithm:
{
"alg": "HS256",
"typ": "JWT"
}
The second segment is the payload. This payload includes claims, the issued time (iat), and the expiry…
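The signing and verification steps described above, as an added example written for this page (not code from the article or from Istio): a minimal HS256 JWT mint and verify in plain Python. It parses the article’s token (whose secret is not given, so it can only be inspected, not verified), then mints a token with a constructed secret and walks through the checks a verifier must make: pin the algorithm, compare the HMAC in constant time, and only then trust the payload and check exp. A tampered payload and an alg:none forgery are both rejected. The secret, the claims and the function names are assumptions for the demo; Istio performs the equivalent checks inside Envoy using the keys from the provider’s JWK set.

```python
# Added example (not from the article): mint, parse and verify an HS256 JWT with the
# Python standard library, to show what "verifying the signature" actually involves.
# Istio's Envoy proxies perform the equivalent checks with the provider's JWK set;
# the secret, claims and function names below are constructed for this demo.
import base64
import hashlib
import hmac
import json
import time

# The token printed in the article (HS256). Its signing secret is not given, so we
# can parse it but cannot verify it.
ARTICLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkdhdXJhdiBBZ2Fyd2FsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1ODk0MDc5Mjh9."
    "KJzt_O-Xwtd1DF_Ie0yi5lVpEiH4spoyZBr3rATTHqw"
)


def b64url_encode(data: bytes) -> str:
    """JWT segments use base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Re-add the padding stripped at encode time, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_json(obj) -> str:
    """Compact JSON, base64url-encoded, as used for header and payload."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def decode_unverified(token: str):
    """Parse header and payload WITHOUT checking the signature.
    Useful for inspection only; never make an access decision on these values."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """What the identity provider does: MAC 'header.payload' with the shared secret."""
    signing_input = encode_json({"alg": "HS256", "typ": "JWT"}) + "." + encode_json(claims)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """What the server (or Envoy) does. Returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm. Trusting the header's "alg" lets an attacker downgrade to
    # "none" or present an RSA public key as if it were the HMAC secret.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    # Only now is the payload trustworthy; check the time-based claims.
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def check_hs256(token: str, secret: bytes, now=None):
    """Convenience wrapper: (True, claims) on success, (False, reason) on failure."""
    try:
        return True, verify_hs256(token, secret, now)
    except ValueError as err:  # binascii.Error and JSONDecodeError are ValueErrors too
        return False, str(err)


def tamper_payload(token: str, new_claims: dict) -> str:
    """Attacker edit: swap the payload but keep the original signature."""
    header_b64, _payload_b64, signature_b64 = token.split(".")
    return f"{header_b64}.{encode_json(new_claims)}.{signature_b64}"


def forge_alg_none(claims: dict) -> str:
    """Attacker forgery: header claims alg=none and the signature segment is empty."""
    return encode_json({"alg": "none", "typ": "JWT"}) + "." + encode_json(claims) + "."


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed for the demo; never hard-code a real one
    token = sign_hs256({"sub": "client-42", "iat": 1600000000, "exp": 1600003600}, secret)
    print(decode_unverified(ARTICLE_TOKEN))
    print(check_hs256(token, secret, now=1600000100))
    print(check_hs256(tamper_payload(token, {"sub": "admin"}), secret, now=1600000100))
    print(check_hs256(forge_alg_none({"sub": "admin"}), secret, now=1600000100))
    print(check_hs256(token, secret, now=1600003600))
```

For an asymmetric algorithm such as RS256, the `hmac` step is replaced by a public-key signature check against the key selected from the provider’s JWK set (typically by the `kid` header), which is not available in the standard library; the algorithm pinning and the order of checks (signature first, claims second) stay the same.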