# RequestAuthentication

## RequestAuthentication

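`RequestAuthentication` defines which request authentication methods a workload supports. If a request carries invalid authentication information, it is rejected according to the configured authentication rules. A request that carries no authentication credentials at all is accepted, but it has no authenticated identity.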

### Examples

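To restrict access to authenticated requests only, `RequestAuthentication` should be accompanied by an authorization rule.

For example, to require JWT authentication for all requests to workloads with the label `app:httpbin`: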

```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "issuer-foo"
    jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
```

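The next example shows how to set different JWT requirements for different `host` values. The `RequestAuthentication` declares that it accepts JWTs issued by either `issuer-foo` or `issuer-bar` (the public key set is implicitly set by the OpenID Connect specification).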

```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "issuer-foo"
  - issuer: "issuer-bar"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        requestPrincipals: ["issuer-foo/*"]
    to:
    - operation:
        hosts: ["example.com"]
  - from:
    - source:
        requestPrincipals: ["issuer-bar/*"]
    to:
    - operation:
        hosts: ["another-host.com"]
```

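You can fine-tune the authorization policy to set different requirements for each path. For example, to require a JWT on all paths except `/healthz`, the same `RequestAuthentication` can be used, but the authorization policy can be: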

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
  - to:
    - operation:
        paths: ["/healthz"]
```
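
The decision order behind the three policy examples above, as an added Python model (not code from the original page or from Istio): `RequestAuthentication` runs first and rejects only invalid tokens, and the `AuthorizationPolicy` then decides whether a request without a principal gets through. The function names, the sample tokens and the `sig_ok` flag (standing in for JWKS signature verification) are assumptions made for illustration.

```python
# Simplified model of Istio's decision order; names and sample data are constructed.
ISSUERS = {"issuer-foo", "issuer-bar"}            # issuers listed in jwtRules

def match(value, pattern):
    """Istio string match: presence ("*"), prefix, suffix or exact."""
    value = value or ""
    if pattern == "*":
        return value != ""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern

def authenticate(token, issuers=ISSUERS):
    """RequestAuthentication: returns (status, request principal)."""
    if token is None:
        return 200, None                          # no credential: accepted, no identity
    if token["iss"] not in issuers or not token["sig_ok"]:
        return 401, None                          # invalid credential: rejected
    return 200, f'{token["iss"]}/{token["sub"]}'  # principal is <iss>/<sub>

def authorize(rules, principal, host, path):
    """ALLOW AuthorizationPolicy: every field set in a rule must match; rules are ORed."""
    fields = (("principals", principal), ("hosts", host), ("paths", path))
    for rule in rules:
        if all(k not in rule or any(match(v, p) for p in rule[k]) for k, v in fields):
            return 200
    return 403

def decide(token, host, path, rules=None):
    """rules=None models a workload with RequestAuthentication only."""
    status, principal = authenticate(token)
    if status != 200 or rules is None:
        return status
    return authorize(rules, principal, host, path)

# The three AuthorizationPolicy rule sets from the page.
ANY_JWT = [{"principals": ["*"]}]
PER_HOST = [{"principals": ["issuer-foo/*"], "hosts": ["example.com"]},
            {"principals": ["issuer-bar/*"], "hosts": ["another-host.com"]}]
HEALTHZ_OPEN = [{"principals": ["*"]}, {"paths": ["/healthz"]}]

# Constructed tokens; sig_ok stands in for JWKS signature verification.
FOO = {"iss": "issuer-foo", "sub": "alice", "sig_ok": True}
FORGED = {"iss": "issuer-foo", "sub": "alice", "sig_ok": False}

if __name__ == "__main__":
    print(decide(None, "example.com", "/get"))            # RequestAuthentication alone
    print(decide(None, "example.com", "/get", ANY_JWT))   # with the authorization rule
    print(decide(FORGED, "example.com", "/healthz", HEALTHZ_OPEN))
```

In this model a token-less request reaches the workload when only `RequestAuthentication` is applied, while an invalid token is rejected even on the `/healthz` path that the authorization policy leaves open.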

For detailed usage of the `RequestAuthentication` configuration, see the [official Istio documentation](https://istio.io/latest/docs/reference/config/security/request_authentication/).

## References

* [RequestAuthentication - istio.io](https://istio.io/latest/docs/reference/config/security/request_authentication/)


