Knative: Operator’s Handbook

Service-to-service authentication

By default, Knative does not check whether Service A is allowed to query Service B, as it has no built-in authentication or authorization mechanism.

You can use Istio Authentication Policies if you have installed Knative with Istio sidecar-injection enabled with mTLS (mutual TLS). (Not part of default Knative installation procedure.)

With the Istio sidecar enabled, the sidecar can automatically add its JWT identity token on the client side, use TLS as the transport, and on the receiving side the sidecar validates this identity and allows or rejects traffic to the Pod. Read this on how to configure Istio Auth Policies.

Alternatively, you can use Kubernetes Network Policies if you have a CNI provider installed in your cluster that supports this feature (e.g. Calico, Weave, Cilium). This feature uses Pod labels to identify workloads in policies. See NetworkPolicy recipes and how-to guide for more.
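As an added example (not part of the handbook), the following NetworkPolicy allows only the pods of Knative Service `service-a` to reach the pods of `service-b`, identified by the `serving.knative.dev/service` label that Knative Serving puts on every revision pod. It assumes both Services run in the `default` namespace, that the `knative-serving` namespace carries the standard `kubernetes.io/metadata.name` label, and that your CNI enforces NetworkPolicy.

```yaml
# Added example: lock down ingress to service-b's revision pods.
# Assumes: service-a and service-b in namespace "default",
# Knative control plane in namespace "knative-serving".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-service-a-to-service-b
  namespace: default
spec:
  # Select the pods belonging to the Knative Service "service-b".
  # Knative Serving labels every revision pod with this key.
  podSelector:
    matchLabels:
      serving.knative.dev/service: service-b
  policyTypes:
    - Ingress          # all ingress not listed below is denied
  ingress:
    - from:
        # 1. The calling workload, selected by its own Knative label.
        - podSelector:
            matchLabels:
              serving.knative.dev/service: service-a
        # 2. Knative's own components: the activator proxies requests
        #    while service-b is scaled to zero (or in proxy mode) and the
        #    autoscaler scrapes queue-proxy metrics from the pod, so
        #    blocking this namespace breaks scale-from-zero and scaling.
        #    (kubernetes.io/metadata.name is set by Kubernetes on
        #    namespaces; assumed present here.)
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: knative-serving
```

After applying it, verify that a request from service-a still succeeds once service-b has scaled to zero, and that a pod outside the policy (for example a throwaway curl pod in the same namespace) is refused; a policy that passes only the first check has usually omitted the knative-serving allowance.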

Google Cloud Run (fully managed) requires you to query the instance metadata service to obtain an “identity token” and provide it in your outgoing request as the Authorization header. Learn more.