1
votes

I'm looking for a way to authenticate an Istio-enabled Kubernetes cluster with an external OAuth2 provider. The Nginx Ingress controller has a way to do this when using vanilla Ingress resources.

https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/

However, I'm not sure how to do this with Istio Gateway and VirtualService objects. Basically, I need to be able to provide an auth-url and an auth-signin URL to Istio, so it will authenticate the same way that the OAuth Nginx ingress controller does. I've found a few examples of EnvoyFilters that suggest ways to do this, but there isn't a lot of documentation on how to make this work.

Any advice to get Istio to integrate with an external OAuth would be much appreciated.

1
Just a thought... you can use Istio without the Istio-provided ingress gateway and use Nginx as your ingress. - Arghya Sadhu

Thank you @ArghyaSadhu for your suggestion on this. Do you know of any resources on how I might do this? Also, my use-case for Istio is so that I can direct traffic using DestinationRules. Is that still possible if using the Nginx Ingress? - Joe J

1 Answer

2
votes

OriginAuthenticationMethod is the authentication policy that you are looking for.

Refer: https://istio.io/docs/reference/config/security/istio.authentication.v1alpha1/#OriginAuthenticationMethod

Currently, only JWT is supported for origin authentication.

A workaround would be using another type of Ingress.
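
As an added illustration (not part of the answer above), this is what a JWT origin authentication policy in the `authentication.istio.io/v1alpha1` API referenced in the answer looks like when attached to the ingress gateway. The issuer, audience, JWKS URL and the `/healthz` path are placeholders, and the target name assumes the default `istio-ingressgateway` service in `istio-system`. The policy only validates bearer tokens that the client already holds; it does not redirect unauthenticated users to a sign-in page the way the Nginx `auth-signin` annotation does.

```yaml
# Added example: JWT origin authentication for the Istio ingress gateway.
# All URLs and names below are placeholders, not values from the original post.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: ingressgateway-jwt            # hypothetical policy name
  namespace: istio-system
spec:
  targets:
  - name: istio-ingressgateway        # assumes the default gateway service name
  origins:
  - jwt:
      # Token must carry this exact "iss" claim.
      issuer: "https://idp.example.com/"
      # Token "aud" claim must match one of these values.
      audiences:
      - "my-api.example.com"
      # Public keys used to verify the token signature.
      jwksUri: "https://idp.example.com/.well-known/jwks.json"
      # Skip validation for unauthenticated health checks only.
      triggerRules:
      - excludedPaths:
        - exact: /healthz
  # Use the JWT identity (not the mTLS peer) as the request principal.
  principalBinding: USE_ORIGIN
```

Requests without a valid token for the configured issuer are rejected with HTTP 401 at the gateway, so an interactive login flow still has to be handled by a component in front of or behind it.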