kserve enforce authentication

[madmecodes]

✏️ Summary of Changes

KServe JWT Authentication PR Analysis

Core Security Features

• JWT-based authentication for cluster-local-gateway: Added RequestAuthentication and AuthorizationPolicy to secure the gateway that KServe uses by default.

• Two authentication overlays:

  • m2m-auth: Basic JWT authentication requiring valid Kubernetes service account tokens.
  • m2m-auth-strict: Enhanced version with namespace-level isolation.

• Comprehensive test suite: Multiple test scripts to validate authentication scenarios.

• Documentation: Added KSERVE_JWT_AUTHENTICATION.md with a detailed implementation guide.

Technical Implementation Details

1. RequestAuthentication: Validates JWT tokens from Kubernetes API server with proper issuer configuration.
2. AuthorizationPolicy (DENY): Blocks all requests without valid JWT principals, except health checks.
3. AuthorizationPolicy (ALLOW): Permits requests with valid JWT principals and exempts health check endpoints.
4. External access support: Example configurations for secure external access via istio-ingressgateway.
5. Namespace isolation examples: Templates for restricting access to same-namespace or explicit cross-namespace.

2. How It Addresses the Core Security Issue

The implementation directly addresses issue #2811 by:

• Closing the authentication gap: Previously, cluster-local-gateway had no authentication while istio-ingressgateway had oauth2-proxy.
• Consistent security model: Both gateways now require authentication (JWT for cluster-local, oauth2-proxy for ingress).
• Default secure configuration: Authentication is enforced by default in the knative-cni install script.
• Flexible authorization: Supports both permissive (any valid JWT) and strict (namespace-isolated) modes.

---

The PR represents a significant security improvement but leaves room for further enhancements based on community feedback and production usage patterns.

📦 Dependencies

None

🐛 Related Issues

#2811

✅ Contributor Checklist

• I have tested these changes with kustomize. See Installation Prerequisites.
• All commits are signed-off to satisfy the DCO check.
• I have considered adding my company to the adopters page to support Kubeflow and help the community, since I expect help from the community for my issue (see 1. and 2.).

---

You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

[juliusvonkohout]

lets move this to the other kserve test files. Do not create a new /examples folder.

[juliusvonkohout]

why are you adding this ?
kustomize build common/istio/cluster-local-gateway/overlays/m2m-auth | kubectl apply -f - should be enough instead of 12 lines

[juliusvonkohout]

tests/knative_authENTICATION_test.sh

[juliusvonkohout]

Lets remove most of the logging stuff. We just want to fail directly if something is wrong.

[juliusvonkohout]

300s is a bit much, lets use 180s

[juliusvonkohout]

Please fix the filename here as well

[juliusvonkohout]

what is the difference to the other tests? I think also the filename is not clear enough to explain what you are doing.

[juliusvonkohout]

tests/kserve_setup_external_access.sh

[juliusvonkohout]

Please also fix the tests.

[orfeas-k]

Does this also secure from this issue mentioned in KServe docs?

Currently when activator is on the request path, it is not able to check the originated namespace or original identity due to the net-istio issue.

My understanding is that this is actually not feasible to tackle on kubeflow's side, so users will still be able to access ISVCs in other users' namespaces, when activator intercepts them.

[madmecodes]

Does this also secure from this issue mentioned in KServe docs?

Currently when activator is on the request path, it is not able to check the originated namespace or original identity due to the net-istio issue.

My understanding is that this is actually not feasible to tackle on kubeflow's side, so users will still be able to access ISVCs in other users' namespaces, when activator intercepts them.

I agree, the core problem: When Knative's activator is in the request path (during cold starts or scale-to-zero), it bypasses namespace-based JWT authentication because the activator has broad access permissions and the original request identity is lost.

From the issue: knative-extensions/net-istio#554 "services in different namespace will be able to communicate with each other whenever activator is in path, because activator is allowed to access any service"

I also thinnk this is not fixable at the manifests level - it's an architectural limitation that requires changes to Knative/KServe itself.

[madmecodes]

Does this also secure from this issue mentioned in KServe docs?

Currently when activator is on the request path, it is not able to check the originated namespace or original identity due to the net-istio issue.

My understanding is that this is actually not feasible to tackle on kubeflow's side, so users will still be able to access ISVCs in other users' namespaces, when activator intercepts them.

So namespace level wont be possible, but we can try enforcing JWT, atleast that is doable, but im facing errors hard to find whats causing the tests failing.

[orfeas-k]

IMO It 'd be good to mention this architectural limitation in the new setup/overlay provided, given that people using it should be aware of this quite important limitation.

[madmecodes]

IMO It 'd be good to mention this architectural limitation in the new setup/overlay provided, given that people using it should be aware of this quite important limitation.

Like in the manifest Readme for Istio, we should update that?

[madmecodes]

@juliusvonkohout can you please re run these 2 tests?

[juliusvonkohout]

@juliusvonkohout can you please re run these 2 tests?

You should be able to do so with

/retest

if not we have to add you as member to Kubeflow. Do you mind creating a PR to add the 4 GSOC students as member to the kubeflow organization @madmecodes ?

[orfeas-k]

Like in the manifest Readme for Istio, we should update that?

Yep exactly, preferably with sth like a warning box if it's aligned with the style of readmes in this repo

[juliusvonkohout]

Thank you, that significantly improves the status quo.

/lgtm
/approve

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [juliusvonkohout]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment