diff --git a/manifests/kustomize/base/installs/multi-user/istio-authorization-config.yaml b/manifests/kustomize/base/installs/multi-user/istio-authorization-config.yaml
index a9a45e5eb1b..6a773281045 100644
--- a/manifests/kustomize/base/installs/multi-user/istio-authorization-config.yaml
+++ b/manifests/kustomize/base/installs/multi-user/istio-authorization-config.yaml
@@ -8,10 +8,21 @@ spec:
     matchLabels:
       app: ml-pipeline-ui
   rules:
+  # Allow all requests from the ingress gateway
   - from:
     - source:
-        namespaces:
-        - istio-system
+        principals:
+        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
+
+  # Allow all requests with an `authorization` header but NOT a `kubeflow-userid` header.
+  # This is needed to allow Kubernetes JWTs to be passed to the KFP API.
+  - when:
+    - key: request.headers[authorization]
+      values:
+      - "*"
+    - key: request.headers[kubeflow-userid]
+      notValues:
+      - "*"
 ---
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
@@ -32,7 +43,7 @@ spec:
     - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
     - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
     - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
-  # For user workloads, which cannot user http headers for authentication
+  # Allow all requests that dont have a `kubeflow-userid` header.
   - when:
     - key: request.headers[kubeflow-userid]
       notValues: ['*']
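Review bot: The new `when`-only rule in the ml-pipeline-ui policy has no `from` clause, and `values: ["*"]` on `request.headers[authorization]` only tests that the header is present, so any in-mesh caller that can reach the workload and sets some `authorization` header clears the Istio layer regardless of the ingress-gateway restriction the first rule just tightened. Token validity is therefore delegated entirely to the backend; if a RequestAuthentication for the cluster's JWT issuer exists (not visible here), a condition on `request.auth.principal` instead of the raw header would let Istio reject unverified tokens before they reach the service, and either way I'd record the assumption next to the rule: `# NOTE: Istio only checks header presence here; the token itself is validated by the backend.` The comment also says the JWTs are passed to the KFP API, but this policy's selector is `app: ml-pipeline-ui`, so it should name the UI (presumably it proxies to the API) to avoid confusion. The enclosing `rules` list closes inside the hunk at `---`.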
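Review bot: The replacement comment has a typo (`dont`) and drops the rationale the removed line carried, which is the only explanation a reader gets for an allow rule that matches every request lacking the header; I'd write `# Allow requests that don't carry a kubeflow-userid header (in-cluster user workloads, which cannot set HTTP auth headers).` The same rule keeps `notValues: ['*']` in flow style while the first hunk writes the equivalent list in block style; one form file-wide would read and diff more consistently. The enclosing `rules` list and policy continue outside the hunk.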