What are the differences between Authorization Policy and Request Authentication in Istio?

kubernetes

What are the differences between Authorization Policy and Request Authentication in Istio?


Not sure if you have checked those 2 documentation pages:

Authorization Policy and RequestAuthentication.

Using Authorization Policy you can ALLOW or DENY a request, but you can't define Authentication, so the requests will be accepted or not, but without considering authentication methods.

The RequestAuthentication, on the other hand, will define the authentication method that will be used to validate the request, but that does not restrict the requests without authentication at all, so you would need an authorization rule linked to it.

This phrase within the RequestAuthentication doc explains it:

A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule.

So in your Authorization Policy you can define the policies to ALLOW or DENY a request, and with the RequestAuthentication you can define your authentication methods.

If you want to limit it to authenticated requests, then you will need both. Basically, the best approach will depend on your use case.
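The pairing described above, as an added example that is not part of the original answer: a RequestAuthentication that validates JWTs, plus an AuthorizationPolicy that only admits requests carrying an authenticated identity. The namespace `foo`, the `app: httpbin` label, the resource names and the issuer URLs are placeholders assumed for illustration.

```yaml
# Step 1: define HOW requests are authenticated.
# On its own this rejects requests with an invalid JWT (401),
# but still accepts requests that carry no token at all.
apiVersion: security.istio.io/v1   # older Istio releases use security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-example                # assumed name
  namespace: foo                   # assumed namespace
spec:
  selector:
    matchLabels:
      app: httpbin                 # assumed workload label
  jwtRules:
  - issuer: "https://issuer.example.com"                       # placeholder issuer
    jwksUri: "https://issuer.example.com/.well-known/jwks.json" # placeholder JWKS URL
---
# Step 2: define WHO is allowed.
# An ALLOW policy denies anything that matches none of its rules, so a
# request without a validated JWT has no request principal and gets a 403.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: require-jwt                # assumed name
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        # Request principal format is "<issuer>/<subject>"; the trailing
        # wildcard admits any subject issued by this issuer.
        requestPrincipals: ["https://issuer.example.com/*"]
```

With only the first resource applied, a request without a token still reaches the workload; the second resource is what closes that gap.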