JwtFailureDueToInvalidServicePortPrefix

Message Name: JwtFailureDueToInvalidServicePortPrefix
Message Code: IST0119
Description: Authentication policy with JWT targets Service with invalid port specification.
Level: Warning

This message occurs when an authentication Policy specifies the use of JWT authentication, but the targeted Kubernetes service is not configured properly. A properly targeted Kubernetes service requires the port to be named with a prefix of http|http2|https (see Protocol Selection) and also requires the protocol to be TCP; an empty protocol is acceptable because TCP is the default value.

Example

You will receive this message:

    Warn [IST0119] (Policy secure-httpbin.default) Authentication policy with JWT targets Service with invalid port specification (port: 8080, name: svc-8080, protocol: TCP, targetPort: 80).

when your cluster has the following policy:

    apiVersion: authentication.istio.io/v1alpha1
    kind: Policy
    metadata:
      name: secure-httpbin
      namespace: default
    spec:
      targets:
      - name: httpbin
      origins:
      - jwt:
          issuer: "testing@secure.istio.io"
          jwksUri: "https://raw.githubusercontent.com/istio/istio-1.4/security/tools/jwt/samples/jwks.json"

that targets the following service:

    apiVersion: v1
    kind: Service
    metadata:
      name: httpbin
      namespace: default
      labels:
        app: httpbin
    spec:
      ports:
      - name: svc-8080
        port: 8080
        targetPort: 80
        protocol: TCP
      selector:
        app: httpbin

In this example, the port svc-8080 does not follow the syntax: name: <http|https|http2>[-<suffix>].

How to resolve

  • JWT authentication is only supported over http, https or http2. Rename the Service port name to conform to <http|https|http2>[-<suffix>].
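
The rule above can be checked against manifests before they are applied. The following is an added example, not Istio's analyzer code: the function names are hypothetical, manifests are assumed to be already parsed into dicts, and as a simplification it checks every port of each targeted Service.

```python
import re

# Rule as stated above: port name is <http|https|http2>[-<suffix>] and the
# protocol is TCP or unset (Kubernetes defaults an empty protocol to TCP).
PORT_NAME_RE = re.compile(r"^(http|https|http2)(-.*)?$")

def invalid_jwt_ports(service):
    """Return the ports of a Service manifest (dict) that break the rule."""
    bad = []
    for port in service.get("spec", {}).get("ports", []):
        name = port.get("name") or ""
        protocol = port.get("protocol") or "TCP"
        if not PORT_NAME_RE.match(name) or protocol != "TCP":
            bad.append(port)
    return bad

def policy_warnings(policy, services):
    """List (service, port name, port) for each bad port a JWT Policy targets."""
    spec = policy.get("spec", {})
    if not any("jwt" in origin for origin in spec.get("origins", [])):
        return []  # no JWT origin, so the port rule does not apply
    ns = policy["metadata"].get("namespace", "default")
    index = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s
             for s in services}
    found = []
    for target in spec.get("targets", []):
        svc = index.get((ns, target["name"]))
        for port in invalid_jwt_ports(svc) if svc else []:
            found.append((target["name"], port.get("name"), port.get("port")))
    return found

# The Policy and Service from this page, reduced to the fields the check reads.
POLICY = {"metadata": {"name": "secure-httpbin", "namespace": "default"},
          "spec": {"targets": [{"name": "httpbin"}],
                   "origins": [{"jwt": {"issuer": "testing@secure.istio.io"}}]}}
SERVICE = {"metadata": {"name": "httpbin", "namespace": "default"},
           "spec": {"ports": [{"name": "svc-8080", "port": 8080,
                               "targetPort": 80, "protocol": "TCP"}]}}
# Constructed fix: same Service with the port renamed to carry the http prefix.
FIXED = {"metadata": SERVICE["metadata"],
         "spec": {"ports": [{"name": "http-8080", "port": 8080, "targetPort": 80}]}}

if __name__ == "__main__":
    print(policy_warnings(POLICY, [SERVICE]))  # the page's failing case
    print(policy_warnings(POLICY, [FIXED]))    # renamed port passes
```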