asd123ea

Reputation: 131

What are the differences between Authorization Policy and Request Authentication in Istio?

I'm testing the Istio (service mesh) Authorization and Authentication feature and have been doing some tests to implement JWT in a microservices environment. And the docs aren't clear about the differences between the object kinds "AuthorizationPolicy" and "RequestAuthentication".

Upvotes: 2

Views: 1009

Answers (1)

Juliano Costa

Reputation: 2713

Not sure if you have checked those 2 documentation pages:

Authorization Policy and RequestAuthentication.

Using Authorization Policy you can ALLOW or DENY a request, but you can't define Authentication, so the requests will be accepted or not, but without considering authentication methods.

The RequestAuthentication, on the other hand, will define the authentication method that will be used to validate the request, but that does not restrict the requests without authentication at all, so you would need an authorization rule linked to it.

This phrase within the RequestAuthentication doc explains it:

A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule.

So in your Authorization Policy you can define the policies to ALLOW or DENY a request, and with the RequestAuthentication you can define your authentication methods.

If you want to limit it to authenticated requests, then you will need both. Basically, the best approach will depend on your use case.

Upvotes: 6
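
The pairing described in the answer above, as an added example that is not part of the original question or answer: a RequestAuthentication that defines how JWTs are validated, and an AuthorizationPolicy that makes a validated JWT mandatory. The namespace `demo`, the label `app: orders`, the resource names and the `issuer.example.com` URLs are constructed placeholders.

```yaml
# Added example. Constructed values: namespace "demo", label app=orders,
# resource names, issuer and jwksUri under issuer.example.com.

# 1) Authentication only: defines HOW a JWT is validated.
#    A request carrying an invalid token is rejected, but a request with
#    no token at all is still accepted, without an authenticated identity.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: orders-jwt
  namespace: demo
spec:
  selector:
    matchLabels:
      app: orders
  jwtRules:
  - issuer: "https://issuer.example.com"
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
---
# 2) Authorization: decides WHETHER the request is allowed.
#    requestPrincipals is populated only when a JWT passed the validation
#    defined above, so "*" matches any authenticated identity. Requests
#    without a token match no ALLOW rule and are denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-require-jwt
  namespace: demo
spec:
  selector:
    matchLabels:
      app: orders          # same workload as the RequestAuthentication
  action: ALLOW
  rules:
  - from:
    - source:
        # Tighten to "<issuer>/<subject>" to allow specific identities only.
        requestPrincipals: ["*"]
```

Applying only the first resource leaves the workload reachable by token-less requests; the second resource is what closes that gap.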
