Hello,
We have a kube cluster hosting several services, those services are accessible via some DNS entries declared in CF DNS (proxied).
We have Istio deployed in this cluster and all the workloads are injected with an istio-proxy sidecar. We also use Istio gateways and virtual services.
We added zero trust for self hosted apps and it works as expected.
The thing is that it is possible to bypass CF by connecting to the IP directly and adding a Host header. We want to avoid that.
To do so we want to add some RequestAuthentication and AuthorizationPolicy resources in order to validate the Zero Trust issuer and Audience.
We started with:

apiVersion: "security.istio.io/v1"
kind: "RequestAuthentication"
metadata:
  name: cloudflare-jwt
  namespace: namespace
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: app
  jwtRules:
  - issuer: "https://redacted.cloudflareaccess.com"
    jwksUri: "https://redacted.cloudflareaccess.com/cdn-cgi/access/certs"
    fromHeaders:
    - name: "CF_Authorization"
    audiences:
    - "redacted"
But we realized that even if we placed dummy values for the issuer, jwksUri and audiences, we were still able to reach our services…
It seems that this is due to the fact that the token is sent via cookies. Is there a way to make CF create a header with the CF_Authorization value directly available there?
Or has someone managed to validate that the requests have been authorized by CF Zero Trust? Maybe we are not going in the right direction?
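The following is an added example, not configuration from the original post: the pair of resources that makes the JWT check mandatory, because an Istio RequestAuthentication on its own only rejects requests that carry an invalid token and lets a request with no token through, so an AuthorizationPolicy must additionally require a validated request principal. It assumes the redacted issuer, namespace and app label from the post, and that Cloudflare Access forwards the token in the Cf-Access-Jwt-Assertion request header (CF_Authorization is the name of the cookie, which fromHeaders does not read).

```yaml
# Added example (not from the original post). The redacted issuer, the
# namespace and the app label are placeholders taken from the post.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: cloudflare-jwt
  namespace: namespace
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: app
  jwtRules:
  - issuer: "https://redacted.cloudflareaccess.com"
    jwksUri: "https://redacted.cloudflareaccess.com/cdn-cgi/access/certs"
    audiences:
    - "redacted"
    # Cloudflare Access forwards the JWT in this request header; the
    # CF_Authorization value is a cookie, which fromHeaders cannot read.
    fromHeaders:
    - name: "Cf-Access-Jwt-Assertion"
---
# Without this policy a request with no token is still accepted: the
# RequestAuthentication above only fails requests whose token is present
# but invalid. Deny anything that does not carry a validated principal.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: require-cloudflare-jwt
  namespace: namespace
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: app
  action: DENY
  rules:
  - from:
    - source:
        # Matches every request without a principal set by the JWT check
        notRequestPrincipals: ["*"]
```

With both resources applied, a request sent straight to the pod IP with only a Host header should be answered 403 by the sidecar, while the same request arriving through Cloudflare with a valid token passes.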