In the error message that you've received, there is a link that points to the documentation on that specific issue.
Citing the official documentation:
Configure third party service account tokens
To authenticate with the Istio control plane, the Istio proxy will use a Service Account token. Kubernetes supports two forms of these tokens:
Third party tokens, which have a scoped audience and expiration.
First party tokens, which have no expiration and are mounted into all pods.
Because the properties of the first party token are less secure, Istio will default to using third party tokens. However, this feature is not enabled on all Kubernetes platforms.
If you are using istioctl to install, support will be automatically detected. This can be done manually as well, and configured by passing --set values.global.jwtPolicy=third-party-jwt or --set values.global.jwtPolicy=first-party-jwt.
To determine if your cluster supports third party tokens, look for the TokenRequest API. If this returns no response, then the feature is not supported:
$ kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))'
{
"name": "serviceaccounts/token",
"singularName": "",
"namespaced": true,
"group": "authentication.k8s.io",
"version": "v1",
"kind": "TokenRequest",
"verbs": [
"create"
]
}
While most cloud providers support this feature now, many local development tools and custom installations may not prior to Kubernetes 1.20. To enable this feature, please refer to the Kubernetes documentation.
I'm not sure if this feature is supported by Kubernetes (1.19.7) created with Docker Desktop, but the Kubernetes documentation shows a way you could enable it:
Service Account Token Volume Projection
FEATURE STATE: Kubernetes v1.20 [stable]
Note:
To enable and use token request projection, you must specify each of the following command line arguments to kube-apiserver:
--service-account-issuer
--service-account-key-file
--service-account-signing-key-file
--api-audiences
You can edit your kube-apiserver manifest in Docker Desktop with Kubernetes in a somewhat hacky way. You can read more about it by following this answer (which I am the author of):
Workaround
As you are using Docker on your host, you could also consider using minikube with its --driver=docker. It supports third party JWT tokens as described in the Istio documentation (it produces the response from the $ kubectl get --raw ... command).
A side note!
I've tested this on minikube version 1.19.0 and Kubernetes version 1.20.2.
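The two checks described above, as an added example that is not part of the original answer or of the Istio/Kubernetes documentation: first, does the /api/v1 discovery document list the serviceaccounts/token subresource (the TokenRequest API), which decides the value for --set values.global.jwtPolicy; second, does a token actually mounted in a pod carry the properties that make third-party tokens safer, a scoped audience ("aud") and an expiry ("exp"). The discovery documents, the tokens and the claim values below are constructed samples (the function names are mine, nothing here talks to a cluster, and the sample tokens are unsigned placeholders); feed real data with kubectl get --raw /api/v1 and the token file from a pod, as noted in the docstring.

```python
"""Added example, not code from the original answer, Istio or Kubernetes.

Real inputs would come from:
  kubectl get --raw /api/v1 > api-v1.json
  kubectl exec <pod> -c istio-proxy -- cat /var/run/secrets/tokens/istio-token
"""
import base64
import json
import time
from typing import Optional


def supports_token_request(discovery_doc: str) -> bool:
    """True if /api/v1 lists the serviceaccounts/token subresource
    (kind TokenRequest) with the "create" verb."""
    doc = json.loads(discovery_doc)
    for res in doc.get("resources", []):
        if res.get("name") == "serviceaccounts/token" and "create" in res.get("verbs", []):
            return True
    return False


def jwt_policy_for(discovery_doc: str) -> str:
    """Value to pass as --set values.global.jwtPolicy=... to istioctl."""
    return "third-party-jwt" if supports_token_request(discovery_doc) else "first-party-jwt"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.
    Verification is the API server's job; this only inspects claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str) -> str:
    """'third-party' when the token is audience-scoped and expiring,
    'first-party' for a legacy secret-based token (no aud, no exp)."""
    claims = token_claims(token)
    return "third-party" if claims.get("aud") and claims.get("exp") else "first-party"


def seconds_to_expiry(token: str, now: Optional[float] = None) -> Optional[int]:
    """Seconds until 'exp'; None for a token that never expires."""
    exp = token_claims(token).get("exp")
    if exp is None:
        return None
    return int(exp - (time.time() if now is None else now))


def _make_token(claims: dict) -> str:
    """Build an UNSIGNED sample token (placeholder signature segment),
    only to feed the inspectors above. Never use such a token in a cluster."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": "sample"}), enc(claims), "c2lnbmF0dXJl"])


# Constructed discovery documents (shape of `kubectl get --raw /api/v1`).
_SA = {"name": "serviceaccounts", "namespaced": True, "kind": "ServiceAccount",
       "verbs": ["create", "get", "list"]}
_SA_TOKEN = {"name": "serviceaccounts/token", "namespaced": True,
             "group": "authentication.k8s.io", "version": "v1",
             "kind": "TokenRequest", "verbs": ["create"]}
DISCOVERY_WITH_TOKENREQUEST = json.dumps(
    {"kind": "APIResourceList", "groupVersion": "v1", "resources": [_SA, _SA_TOKEN]})
DISCOVERY_WITHOUT_TOKENREQUEST = json.dumps(
    {"kind": "APIResourceList", "groupVersion": "v1", "resources": [_SA]})

# Constructed tokens: a projected (third-party) one and a legacy (first-party) one.
NOW = 1_700_000_000
PROJECTED_TOKEN = _make_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["istio-ca"], "exp": NOW + 3600, "iat": NOW,
    "sub": "system:serviceaccount:default:sleep"})
LEGACY_TOKEN = _make_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "sleep",
    "sub": "system:serviceaccount:default:sleep"})

if __name__ == "__main__":
    for name, doc in (("with", DISCOVERY_WITH_TOKENREQUEST), ("without", DISCOVERY_WITHOUT_TOKENREQUEST)):
        print(f"{name} TokenRequest -> --set values.global.jwtPolicy={jwt_policy_for(doc)}")
    for name, tok in (("projected", PROJECTED_TOKEN), ("legacy", LEGACY_TOKEN)):
        print(f"{name}: {classify_token(tok)}, expires in {seconds_to_expiry(tok, NOW)}s")
```

The claim-based classification is a heuristic rather than a proof of how the token was issued: a projected token always carries "aud" and "exp", while a token from a legacy service-account Secret carries neither, so a token without them mounted in an istio-proxy container means the first-party path is in use regardless of what istioctl detected.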