namespace: default
spec:
  containers:
  - image: proxyv2:1.3.1
    name: istio-proxy
---
# only selector is set, should be ineffective
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  namespace: default
  name: ra-ineffective
spec:
  selector:
    matchLabels:
      gateway.networking.k8s.io/gateway-name: bookinfo-gateway
---
# only selector is set, should be ineffective

}

func (a policyApplier) setAuthnFilterForRequestAuthn(config *authn_filter.FilterConfig) *authn_filter.FilterConfig {
	if len(a.processedJwtRules) == 0 {
		// (beta) RequestAuthentication is not set for workload, do nothing.
		authnLog.Debug("AuthnFilter: RequestAuthentication (beta policy) not found, keep settings with alpha API")
		return config
	}

	if config == nil {
		config = defaultAuthnFilter()
	}

## Example end-user authentication policy using the mock jwks.json data

```yaml
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: "jwt-example"
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "******@****.***"

// Map of all configs that do not impact RDS
var skippedRdsConfigs = sets.New[kind.Kind](
	kind.WorkloadEntry,
	kind.WorkloadGroup,
	kind.AuthorizationPolicy,
	kind.RequestAuthentication,
	kind.PeerAuthentication,
	kind.Secret,
	kind.WasmPlugin,
	kind.Telemetry,
	kind.ProxyConfig,
	kind.DNSName,
)

func rdsNeedsPush(req *model.PushRequest) bool {
	if req == nil {
		return true

# Enforce access control based on JWT subject.

# The following policy enables JWT authentication on destination service.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: default
spec:
  jwtRules:
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
  - issuer: "******@****.***"

			name:       "empty spec",
			configName: constants.DefaultAuthenticationPolicyName,
			in:         &security_beta.RequestAuthentication{},
			valid:      true,
		},
		{
			name:       "another empty spec",
			configName: constants.DefaultAuthenticationPolicyName,
			in: &security_beta.RequestAuthentication{
				Selector: &api.WorkloadSelector{},
			},
			valid:   true,
			warning: true,
		},
		{

    release: istio
  name: requestauthentications.security.istio.io
spec:
  group: security.istio.io
  names:
    categories:
    - istio-io
    - security-istio-io
    kind: RequestAuthentication
    listKind: RequestAuthenticationList
    plural: requestauthentications
    shortNames:
    - ra
    singular: requestauthentication
  scope: Namespaced
  versions:

	kind.Gateway,
	kind.VirtualService,
	kind.DestinationRule,
	kind.Secret,
	kind.Telemetry,
	kind.EnvoyFilter,
	kind.WorkloadEntry,
	kind.WorkloadGroup,
	kind.AuthorizationPolicy,
	kind.RequestAuthentication,
	kind.PeerAuthentication,
	kind.WasmPlugin,
	kind.ProxyConfig,
	kind.MeshConfig,

	kind.KubernetesGateway,
	kind.HTTPRoute,
	kind.TCPRoute,
	kind.TLSRoute,
	kind.GRPCRoute,
)

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: default
  namespace: {{ .SystemNamespace.Name }}
spec:
  jwtRules:
    - issuer: "******@****.***"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
    - issuer: "******@****.***"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---

		err = f.GenerateStruct(in)
		if err != nil {
			return 0
		}
		c.Spec = in
		_, _ = validation.ValidateAuthorizationPolicy(c)
	case 5:
		in := &security_beta.RequestAuthentication{}
		err = f.GenerateStruct(in)
		if err != nil {
			return 0
		}
		c.Spec = in
		_, _ = validation.ValidateRequestAuthentication(c)
	case 6:
		in := &security_beta.PeerAuthentication{}