Istio Security API

The Istio Security API (security.istio.io) provides configuration resources for managing security policies within an Istio service mesh. It includes AuthorizationPolicy for fine-grained access control on workloads with ALLOW, DENY, AUDIT, and CUSTOM actions, PeerAuthentication for configuring mutual TLS (mTLS) between service proxies, and RequestAuthentication for validating JWT tokens attached to incoming requests. These resources enforce zero-trust security across the mesh.

OpenAPI Specification

istio-security-api-openapi.yml
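openapi: 3.1.0
info:
  title: Istio Security API
  description: >-
    The Istio Security API (security.istio.io) provides configuration resources
    for managing security policies within an Istio service mesh. It includes
    AuthorizationPolicy for fine-grained access control on workloads,
    PeerAuthentication for configuring mutual TLS (mTLS) between service
    proxies, and RequestAuthentication for validating JWT tokens attached to
    incoming requests. These resources are defined as Kubernetes Custom Resource
    Definitions (CRDs) and are accessed via the Kubernetes API server.
  version: v1
  contact:
    name: Istio
    url: https://istio.io/
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
externalDocs:
  description: Istio Security Configuration Reference
  url: https://istio.io/latest/docs/reference/config/security/
servers:
  - url: https://{cluster}/apis/security.istio.io/v1
    description: Kubernetes API server endpoint for Istio Security v1
    variables:
      cluster:
        # In-cluster DNS name of the API server; override for out-of-cluster use.
        default: kubernetes.default.svc
        description: Kubernetes API server hostname
# Root-level security requirement: every operation in this document is served
# by the Kubernetes API server, which authenticates the caller before the
# request reaches the CRD endpoints. Without this requirement the BearerAuth
# scheme declared under components/securitySchemes is never applied and the
# 401 responses on each operation have no documented cause.
security:
  - BearerAuth: []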
paths:
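  /namespaces/{namespace}/authorizationpolicies:
    get:
      operationId: listAuthorizationPolicies
      summary: Istio List AuthorizationPolicies
      description: >-
        List all AuthorizationPolicy resources in the specified namespace. An
        AuthorizationPolicy enables access control on workloads in the mesh,
        supporting ALLOW, DENY, AUDIT, and CUSTOM actions based on source,
        operation, and condition matching.
      tags:
        - AuthorizationPolicy
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/labelSelector'
        - $ref: '#/components/parameters/limit'
        - $ref: '#/components/parameters/continue'
      responses:
        '200':
          description: Successful response containing list of AuthorizationPolicies
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthorizationPolicyList'
        '401':
          description: Unauthorized
        # The API server separates authentication failure (401) from an RBAC
        # denial (403); the latter is the common failure for a valid token.
        '403':
          description: Forbidden - RBAC does not permit the caller to list AuthorizationPolicies in this namespace
    post:
      operationId: createAuthorizationPolicy
      summary: Istio Create an AuthorizationPolicy
      description: Create a new AuthorizationPolicy resource in the specified namespace.
      tags:
        - AuthorizationPolicy
      parameters:
        - $ref: '#/components/parameters/namespace'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AuthorizationPolicy'
      responses:
        '201':
          description: AuthorizationPolicy created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthorizationPolicy'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden - RBAC does not permit the caller to create AuthorizationPolicies in this namespace
        '409':
          description: Conflict - resource already exists
        # Schema/webhook validation failures are reported as 422, not 400.
        '422':
          description: Unprocessable Entity - the object failed server-side (CRD or webhook) validation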
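  /namespaces/{namespace}/authorizationpolicies/{name}:
    get:
      operationId: getAuthorizationPolicy
      summary: Istio Get an AuthorizationPolicy
      description: Read the specified AuthorizationPolicy resource.
      tags:
        - AuthorizationPolicy
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/name'
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthorizationPolicy'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden - RBAC does not permit the caller to read this AuthorizationPolicy
        '404':
          description: Not found
    put:
      operationId: replaceAuthorizationPolicy
      summary: Istio Replace an AuthorizationPolicy
      description: >-
        Replace the specified AuthorizationPolicy resource. Supply the
        metadata.resourceVersion read earlier so the API server can reject a
        replace that would overwrite a concurrent change.
      tags:
        - AuthorizationPolicy
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/name'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AuthorizationPolicy'
      responses:
        '200':
          description: AuthorizationPolicy replaced
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthorizationPolicy'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden - RBAC does not permit the caller to update this AuthorizationPolicy
        '404':
          description: Not found
        # Optimistic-concurrency failure on a stale metadata.resourceVersion.
        '409':
          description: Conflict - the supplied metadata.resourceVersion is stale
        '422':
          description: Unprocessable Entity - the object failed server-side (CRD or webhook) validation
    delete:
      operationId: deleteAuthorizationPolicy
      summary: Istio Delete an AuthorizationPolicy
      description: Delete the specified AuthorizationPolicy resource.
      tags:
        - AuthorizationPolicy
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/name'
      responses:
        '200':
          description: AuthorizationPolicy deleted
        '401':
          description: Unauthorized
        '403':
          description: Forbidden - RBAC does not permit the caller to delete this AuthorizationPolicy
        '404':
          description: Not found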
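  /namespaces/{namespace}/peerauthentications:
    get:
      operationId: listPeerAuthentications
      summary: Istio List PeerAuthentications
      description: >-
        List all PeerAuthentication resources in the specified namespace. A
        PeerAuthentication defines how traffic will be tunneled (or not) to the
        sidecar proxy, configuring mutual TLS mode for inbound connections.
      tags:
        - PeerAuthentication
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/labelSelector'
        - $ref: '#/components/parameters/limit'
        - $ref: '#/components/parameters/continue'
      responses:
        '200':
          description: Successful response containing list of PeerAuthentications
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PeerAuthenticationList'
        '401':
          description: Unauthorized
        # The API server separates authentication failure (401) from an RBAC
        # denial (403); the latter is the common failure for a valid token.
        '403':
          description: Forbidden - RBAC does not permit the caller to list PeerAuthentications in this namespace
    post:
      operationId: createPeerAuthentication
      summary: Istio Create a PeerAuthentication
      description: Create a new PeerAuthentication resource in the specified namespace.
      tags:
        - PeerAuthentication
      parameters:
        - $ref: '#/components/parameters/namespace'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PeerAuthentication'
      responses:
        '201':
          description: PeerAuthentication created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PeerAuthentication'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden - RBAC does not permit the caller to create PeerAuthentications in this namespace
        '409':
          description: Conflict - resource already exists
        # Schema/webhook validation failures are reported as 422, not 400.
        '422':
          description: Unprocessable Entity - the object failed server-side (CRD or webhook) validation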
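  /namespaces/{namespace}/peerauthentications/{name}:
    get:
      operationId: getPeerAuthentication
      summary: Istio Get a PeerAuthentication
      description: Read the specified PeerAuthentication resource.
      tags:
        - PeerAuthentication
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/name'
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PeerAuthentication'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden - RBAC does not permit the caller to read this PeerAuthentication
        '404':
          description: Not found
    put:
      operationId: replacePeerAuthentication
      summary: Istio Replace a PeerAuthentication
      description: >-
        Replace the specified PeerAuthentication resource. Supply the
        metadata.resourceVersion read earlier so the API server can reject a
        replace that would overwrite a concurrent change.
      tags:
        - PeerAuthentication
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/name'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PeerAuthentication'
      responses:
        '200':
          description: PeerAuthentication replaced
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PeerAuthentication'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden - RBAC does not permit the caller to update this PeerAuthentication
        '404':
          description: Not found
        # Optimistic-concurrency failure on a stale metadata.resourceVersion.
        '409':
          description: Conflict - the supplied metadata.resourceVersion is stale
        '422':
          description: Unprocessable Entity - the object failed server-side (CRD or webhook) validation
    delete:
      operationId: deletePeerAuthentication
      summary: Istio Delete a PeerAuthentication
      description: Delete the specified PeerAuthentication resource.
      tags:
        - PeerAuthentication
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/name'
      responses:
        '200':
          description: PeerAuthentication deleted
        '401':
          description: Unauthorized
        '403':
          description: Forbidden - RBAC does not permit the caller to delete this PeerAuthentication
        '404':
          description: Not found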
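  /namespaces/{namespace}/requestauthentications:
    get:
      operationId: listRequestAuthentications
      summary: Istio List RequestAuthentications
      description: >-
        List all RequestAuthentication resources in the specified namespace. A
        RequestAuthentication defines the request authentication methods
        supported by a workload. It will reject requests with invalid
        authentication information based on configured JWT rules.
      tags:
        - RequestAuthentication
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/labelSelector'
        - $ref: '#/components/parameters/limit'
        - $ref: '#/components/parameters/continue'
      responses:
        '200':
          description: Successful response containing list of RequestAuthentications
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RequestAuthenticationList'
        '401':
          description: Unauthorized
        # The API server separates authentication failure (401) from an RBAC
        # denial (403); the latter is the common failure for a valid token.
        '403':
          description: Forbidden - RBAC does not permit the caller to list RequestAuthentications in this namespace
    post:
      operationId: createRequestAuthentication
      summary: Istio Create a RequestAuthentication
      description: Create a new RequestAuthentication resource in the specified namespace.
      tags:
        - RequestAuthentication
      parameters:
        - $ref: '#/components/parameters/namespace'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RequestAuthentication'
      responses:
        '201':
          description: RequestAuthentication created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RequestAuthentication'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden - RBAC does not permit the caller to create RequestAuthentications in this namespace
        '409':
          description: Conflict - resource already exists
        # Schema/webhook validation failures are reported as 422, not 400.
        '422':
          description: Unprocessable Entity - the object failed server-side (CRD or webhook) validation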
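  /namespaces/{namespace}/requestauthentications/{name}:
    get:
      operationId: getRequestAuthentication
      summary: Istio Get a RequestAuthentication
      description: Read the specified RequestAuthentication resource.
      tags:
        - RequestAuthentication
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/name'
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RequestAuthentication'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden - RBAC does not permit the caller to read this RequestAuthentication
        '404':
          description: Not found
    put:
      operationId: replaceRequestAuthentication
      summary: Istio Replace a RequestAuthentication
      description: >-
        Replace the specified RequestAuthentication resource. Supply the
        metadata.resourceVersion read earlier so the API server can reject a
        replace that would overwrite a concurrent change.
      tags:
        - RequestAuthentication
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/name'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RequestAuthentication'
      responses:
        '200':
          description: RequestAuthentication replaced
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RequestAuthentication'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden - RBAC does not permit the caller to update this RequestAuthentication
        '404':
          description: Not found
        # Optimistic-concurrency failure on a stale metadata.resourceVersion.
        '409':
          description: Conflict - the supplied metadata.resourceVersion is stale
        '422':
          description: Unprocessable Entity - the object failed server-side (CRD or webhook) validation
    delete:
      operationId: deleteRequestAuthentication
      summary: Istio Delete a RequestAuthentication
      description: Delete the specified RequestAuthentication resource.
      tags:
        - RequestAuthentication
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/name'
      responses:
        '200':
          description: RequestAuthentication deleted
        '401':
          description: Unauthorized
        '403':
          description: Forbidden - RBAC does not permit the caller to delete this RequestAuthentication
        '404':
          description: Not found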
components:
  parameters:
    # Path parameters shared by every namespaced operation.
    namespace:
      in: path
      name: namespace
      required: true
      schema:
        type: string
      description: The Kubernetes namespace
    name:
      in: path
      name: name
      required: true
      schema:
        type: string
      description: The resource name
    # Query parameters used only by the list operations.
    labelSelector:
      in: query
      name: labelSelector
      schema:
        type: string
      description: A selector to restrict the list of returned objects by their labels
    limit:
      in: query
      name: limit
      schema:
        type: integer
      description: Maximum number of resources to return
    continue:
      in: query
      name: continue
      schema:
        type: string
      description: Continue token for paginated list requests
  schemas:
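    ObjectMeta:
      # Subset of Kubernetes ObjectMeta carried by every resource in this API.
      type: object
      properties:
        name:
          type: string
          description: Name of the resource
        namespace:
          type: string
          description: Namespace of the resource
        labels:
          type: object
          additionalProperties:
            type: string
          description: Key/value labels; the labelSelector list parameter filters on these.
        annotations:
          type: object
          additionalProperties:
            type: string
          description: Arbitrary key/value metadata not used for selection.
        creationTimestamp:
          type: string
          format: date-time
          description: Server-assigned creation time (RFC 3339); read-only.
        resourceVersion:
          type: string
          # Opaque string: clients must not parse or compare it numerically.
          description: >-
            Opaque server-assigned version used for optimistic concurrency.
            Echo the value from a prior read in a replace (PUT) so that a
            concurrent modification is rejected with 409 instead of being
            silently overwritten.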
    ListMeta:
      # Metadata returned with every list response.
      type: object
      properties:
        # Token to pass back as the `continue` query parameter for the next page.
        continue:
          type: string
        resourceVersion:
          type: string
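    AuthorizationPolicy:
      type: object
      properties:
        apiVersion:
          type: string
          enum:
            - security.istio.io/v1
        kind:
          type: string
          enum:
            - AuthorizationPolicy
        metadata:
          $ref: '#/components/schemas/ObjectMeta'
        spec:
          type: object
          properties:
            selector:
              type: object
              properties:
                matchLabels:
                  type: object
                  additionalProperties:
                    type: string
              description: >-
                Workload selector to apply the policy to specific workloads. If
                neither selector nor targetRefs is set, the policy applies to
                every workload in its namespace; a policy in the mesh root
                namespace applies to every workload in the mesh.
            action:
              type: string
              enum:
                - ALLOW
                - DENY
                - AUDIT
                - CUSTOM
              description: >-
                The action to take when a request matches the policy rules.
                Defaults to ALLOW when not specified. AUDIT only records the
                request and never changes whether it is allowed or denied.
            provider:
              type: object
              properties:
                name:
                  type: string
              description: >-
                Specifies the name of the extension provider. Required when
                action is CUSTOM.
            rules:
              type: array
              items:
                $ref: '#/components/schemas/AuthorizationRule'
              # The original text claimed an empty list matches everything; in
              # Istio the opposite holds, which is exactly how "deny-all" is
              # written, so the description must not invert it.
              description: >-
                Rules to match for the policy. A match occurs when at least one
                rule is matched. If rules is empty or absent the policy never
                matches; with action ALLOW this is a deny-all for the selected
                workloads (the standard deny-all policy is an empty spec). To
                match every request, use a single empty rule instead of an
                empty list.
            targetRefs:
              type: array
              items:
                type: object
                properties:
                  kind:
                    type: string
                  group:
                    type: string
                  name:
                    type: string
              description: >-
                References to the target resources to which the policy applies.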
    AuthorizationPolicyList:
      # Envelope returned by listAuthorizationPolicies.
      type: object
      properties:
        apiVersion:
          type: string
        kind:
          type: string
          enum: [AuthorizationPolicyList]
        metadata:
          $ref: '#/components/schemas/ListMeta'
        items:
          type: array
          items:
            $ref: '#/components/schemas/AuthorizationPolicy'
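    AuthorizationRule:
      type: object
      description: >-
        A single match rule. All of its from, to and when clauses must match for
        the rule to match; a rule with none of them matches every request.
      properties:
        from:
          type: array
          items:
            type: object
            properties:
              source:
                type: object
                properties:
                  principals:
                    type: array
                    items:
                      type: string
                    description: >-
                      Peer identities derived from the peer certificate, in the
                      form <TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>.
                      Requires mTLS; without it the field never matches.
                  notPrincipals:
                    type: array
                    items:
                      type: string
                    description: Negative match of peer identities derived from the peer certificate.
                  requestPrincipals:
                    type: array
                    items:
                      type: string
                    description: >-
                      Request identities derived from the JWT token, in the form
                      <iss>/<sub>. Listing any value here is what makes a
                      RequestAuthentication actually require a token.
                  notRequestPrincipals:
                    type: array
                    items:
                      type: string
                    description: Negative match of request identities derived from the JWT token.
                  namespaces:
                    type: array
                    items:
                      type: string
                    description: Namespaces derived from the peer certificate; requires mTLS.
                  notNamespaces:
                    type: array
                    items:
                      type: string
                    description: Negative match of namespaces derived from the peer certificate.
                  ipBlocks:
                    type: array
                    items:
                      type: string
                    # Behind a load balancer or any intermediate proxy this is the
                    # intermediary's address, not the client's; use remoteIpBlocks
                    # for the client address carried in X-Forwarded-For/PROXY.
                    description: >-
                      IP blocks in CIDR notation (a single IP is also accepted),
                      matched against the source address of the immediate
                      connection.
                  notIpBlocks:
                    type: array
                    items:
                      type: string
                    description: Negative match of immediate-connection source IP blocks.
                  remoteIpBlocks:
                    type: array
                    items:
                      type: string
                    description: >-
                      IP blocks in CIDR notation matched against the original
                      client address taken from the X-Forwarded-For header or
                      the proxy protocol. Only trust this when the gateway is
                      configured to accept that information from trusted hops.
                  notRemoteIpBlocks:
                    type: array
                    items:
                      type: string
                    description: Negative match of original client IP blocks.
          description: Source identities (peers and request principals) to match.
        to:
          type: array
          items:
            type: object
            properties:
              operation:
                type: object
                properties:
                  hosts:
                    type: array
                    items:
                      type: string
                    description: The request host header values.
                  notHosts:
                    type: array
                    items:
                      type: string
                    description: Negative match of request host header values.
                  ports:
                    type: array
                    items:
                      type: string
                    description: The request port values.
                  notPorts:
                    type: array
                    items:
                      type: string
                    description: Negative match of request port values.
                  methods:
                    type: array
                    items:
                      type: string
                    description: The request HTTP methods (GET, POST, etc.). For gRPC the method is always POST.
                  notMethods:
                    type: array
                    items:
                      type: string
                    description: Negative match of request HTTP methods.
                  paths:
                    type: array
                    items:
                      type: string
                    description: >-
                      The request URL paths. Exact match, prefix match (/a/*),
                      suffix match (*/b) and presence match (*) are supported.
                  notPaths:
                    type: array
                    items:
                      type: string
                    description: Negative match of request URL paths.
          description: Operations (hosts, ports, methods, paths) to match.
        when:
          type: array
          items:
            type: object
            properties:
              key:
                type: string
                description: >-
                  The name of an Istio attribute (e.g.
                  request.headers[X-Custom]).
              values:
                type: array
                items:
                  type: string
                description: Allowed values for the attribute. At least one of values or notValues must be set.
              notValues:
                type: array
                items:
                  type: string
                description: Disallowed values for the attribute.
          description: Additional conditions to match.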
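    PeerAuthentication:
      type: object
      properties:
        apiVersion:
          type: string
          enum:
            - security.istio.io/v1
        kind:
          type: string
          enum:
            - PeerAuthentication
        metadata:
          $ref: '#/components/schemas/ObjectMeta'
        spec:
          type: object
          properties:
            selector:
              type: object
              properties:
                matchLabels:
                  type: object
                  additionalProperties:
                    type: string
              description: >-
                Workload selector to apply the policy to specific workloads. If
                not set the policy is namespace-wide; a policy without a selector
                in the mesh root namespace is the mesh-wide default.
            mtls:
              type: object
              properties:
                mode:
                  type: string
                  enum:
                    - UNSET
                    - DISABLE
                    - PERMISSIVE
                    - STRICT
                  description: >-
                    Defines the mTLS mode used for peer authentication. UNSET
                    inherits the mode from the enclosing namespace or mesh-wide
                    policy. PERMISSIVE accepts both plaintext and mTLS and is
                    intended as a migration step; STRICT requires mTLS; DISABLE
                    turns mTLS off, so peer identity is unavailable to
                    AuthorizationPolicy principals/namespaces matching.
              description: Mutual TLS settings for workload-to-workload communication.
            portLevelMtls:
              type: object
              # Keys are port numbers written as strings (YAML would otherwise
              # type a bare 8080 as an integer).
              additionalProperties:
                type: object
                properties:
                  mode:
                    type: string
                    enum:
                      - UNSET
                      - DISABLE
                      - PERMISSIVE
                      - STRICT
              description: >-
                Port-specific mutual TLS settings, keyed by port number. Only
                honoured on workload-specific policies (selector set); it is
                ignored on namespace-wide and mesh-wide policies.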
    PeerAuthenticationList:
      # Envelope returned by listPeerAuthentications.
      type: object
      properties:
        apiVersion:
          type: string
        kind:
          type: string
          enum: [PeerAuthenticationList]
        metadata:
          $ref: '#/components/schemas/ListMeta'
        items:
          type: array
          items:
            $ref: '#/components/schemas/PeerAuthentication'
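    RequestAuthentication:
      type: object
      # A RequestAuthentication by itself only rejects requests carrying an
      # INVALID token; a request with no token at all is still accepted. Pairing
      # it with an AuthorizationPolicy that matches on requestPrincipals is what
      # turns "validate if present" into "require".
      properties:
        apiVersion:
          type: string
          enum:
            - security.istio.io/v1
        kind:
          type: string
          enum:
            - RequestAuthentication
        metadata:
          $ref: '#/components/schemas/ObjectMeta'
        spec:
          type: object
          properties:
            selector:
              type: object
              properties:
                matchLabels:
                  type: object
                  additionalProperties:
                    type: string
              description: Workload selector to apply the policy to specific workloads.
            jwtRules:
              type: array
              items:
                type: object
                properties:
                  issuer:
                    type: string
                    description: >-
                      Identifies the issuer that issued the JWT. The issuer
                      claim (iss) in the JWT token must match this value.
                  audiences:
                    type: array
                    items:
                      type: string
                    description: >-
                      The list of JWT audiences. The JWT aud claim must match at
                      least one of the specified audiences. When empty, the aud
                      claim is not checked, so tokens issued for other services
                      by the same issuer are accepted here.
                  jwksUri:
                    type: string
                    description: >-
                      URL of the provider's public key set to validate the JWT
                      signature. Use only one of jwksUri and jwks.
                  jwks:
                    type: string
                    description: >-
                      JSON Web Key Set of public keys to validate the JWT
                      signature (inline). Use only one of jwksUri and jwks.
                  fromHeaders:
                    type: array
                    items:
                      type: object
                      properties:
                        name:
                          type: string
                        prefix:
                          type: string
                          description: Prefix stripped from the header value before decoding, e.g. "Bearer ".
                    description: >-
                      Headers to extract the JWT token from. If neither
                      fromHeaders nor fromParams is set, the Authorization header
                      with a "Bearer " prefix is used.
                  fromParams:
                    type: array
                    items:
                      type: string
                    description: >-
                      Query parameters to extract the JWT token from. Tokens in
                      query strings end up in access logs and referrers; prefer
                      headers.
                  outputPayloadToHeader:
                    type: string
                    description: >-
                      Header name to output the validated JWT payload. If unset
                      the payload is not emitted.
                  forwardOriginalToken:
                    type: boolean
                    description: >-
                      Whether to forward the original JWT token to the upstream.
                      Defaults to false, in which case the token is removed
                      before the request is forwarded.
                  outputClaimToHeaders:
                    type: array
                    items:
                      type: object
                      properties:
                        header:
                          type: string
                        claim:
                          type: string
                    description: Claims to extract from the JWT and output as headers.
              description: >-
                List of rules that define the authentication requirements for
                incoming requests. A request whose token fails every rule is
                rejected; a request without a token passes this policy and must
                be stopped by an AuthorizationPolicy.
            targetRefs:
              type: array
              items:
                type: object
                properties:
                  kind:
                    type: string
                  group:
                    type: string
                  name:
                    type: string
              description: References to the target resources.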
    RequestAuthenticationList:
      # Envelope returned by listRequestAuthentications.
      type: object
      properties:
        apiVersion:
          type: string
        kind:
          type: string
          enum: [RequestAuthenticationList]
        metadata:
          $ref: '#/components/schemas/ListMeta'
        items:
          type: array
          items:
            $ref: '#/components/schemas/RequestAuthentication'
  securitySchemes:
    # Declaring a scheme does not apply it; it takes effect only where a
    # root-level or per-operation `security` requirement names it.
    BearerAuth:
      description: Kubernetes API server bearer token authentication
      scheme: bearer
      type: http
tags:
  # One tag per CRD; each links to the upstream reference for that resource.
  - name: AuthorizationPolicy
    externalDocs:
      url: https://istio.io/latest/docs/reference/config/security/authorization-policy/
    description: Fine-grained access control policies for workloads
  - name: PeerAuthentication
    externalDocs:
      url: https://istio.io/latest/docs/reference/config/security/peer_authentication/
    description: Mutual TLS configuration for peer-to-peer communication
  - name: RequestAuthentication
    externalDocs:
      url: https://istio.io/latest/docs/reference/config/security/request_authentication/
    description: JWT-based request authentication policies