quality improvements

This commit is contained in:
savagebidoof 2023-04-22 05:19:59 +02:00
parent b70bed0ae2
commit 8bd07817dd
2 changed files with 12 additions and 7 deletions

View File

@ -1,14 +1,19 @@
IDK put some text in thQereSQ
IDK put some text in there
### Start the packet capture process
### Start the packet capture process on the istio-proxy from a pod.
```shell
$ kubectl exec -n default "$(kubectl get pod -n default -l app1 =helloworld -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80 -A
$ kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80 -A
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
```
### Logs
### Logs
Istio system logs
```shell
kubectl logs -f deployments/istiod -n istio-system
```
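Review bot: the placeholder "IDK put some text in there" is only de-typo'd, not replaced; it still ships as the section's introduction, so put a real sentence there (what the capture is for and why it is taken from the `istio-proxy` container rather than the application container). On the `kubectl exec` line, `-l app=helloworld` fixes the selector, but `jsonpath={.items..metadata.name}` returns the names of every matching pod separated by spaces, so with more than one `helloworld` replica the quoted string is not a single pod name and the exec fails; `{.items[0].metadata.name}` picks one deterministically. Worth a caveat next to the command as well: `sudo tcpdump` inside the sidecar only works when the proxy runs privileged (the default non-root sidecar cannot open the interface), and the `dst port 80` filter should be checked against the port the workload actually listens on, since the rest of the repo reaches `helloworld` on 8080.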

View File

@ -30,7 +30,7 @@ metadata:
namespace: default
```
Citing the [Authorization Policy documentation from Istio](https://istio.io/latest/docs/reference/config/security/authorization-policy), regarding the evaluation behavior of this rules:
Citing the [Authorization Policy documentation from Istio](https://istio.io/latest/docs/reference/config/security/authorization-policy), regarding the evaluation behavior of these rules:
1. If there are any CUSTOM policies that match the request, evaluate and deny the request if the evaluation result is deny.
2. If there are any DENY policies that match the request, deny the request.
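Review bot: "these rules" reads correctly now, but the citation points at `https://istio.io/latest/docs/...`, so the quoted evaluation order can silently drift from what the page says once upstream edits it; link the versioned page for the Istio release used in this walkthrough (or note the version inline) so the quoted text stays verifiable.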
@ -86,7 +86,7 @@ spec:
#### allow-get-from-default
As an additional example, I have set a new rule, that will allow the traffic comming from the namespace `default`, as long the method used is `HEAD` and is not targeting the path `/secret`.
As an additional example, I have set a new rule, that will allow the traffic coming from the namespace `default`, as long the method used is `HEAD` and is not targeting the path `/secret`.
```yaml
apiVersion: security.istio.io/v1beta1
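Review bot: "as long the method used is `HEAD`" still needs "as long as"; only the "comming" typo was fixed. Also, the heading `allow-get-from-default` describes a policy that the sentence says only allows `HEAD` (and excludes `/secret`), so either the rule name or the description is wrong; rename the policy to match the method it actually allows, otherwise a reader scanning the policy list will assume `GET` is permitted.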
@ -272,7 +272,7 @@ $ kubectl delete peerauthentications.security.istio.io default-mtls
### connectivity between byeworld towards helloworld
As the rule is no longer being set, and for such not being applied, the traffic from `byeworld` is able to reach the service `helloworld` without having the need to using mTLS.
As the rule is no longer being set, and for such not being applied, the traffic from `byeworld` is able to reach the service `helloworld` without having the need to use mTLS.
```shell
$ kubectl exec -i -t "$(kubectl get pod -l app=byeworld | tail -n 1 | awk '{print $1}')" -- curl http://helloworld.default.svc.cluster.local:8080 | grep "<title>.*</title>"
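Review bot: "and for such not being applied" is still awkward; suggest "As the rule is no longer set, and therefore no longer applied, ...". The sentence should also say why plaintext now works: once the `default-mtls` PeerAuthentication is deleted the sidecar falls back to the mesh default, PERMISSIVE, which accepts both mTLS and plaintext, so this is a deliberate relaxation and not just "no rule". On the command, `kubectl get pod -l app=byeworld | tail -n 1 | awk '{print $1}'` picks whichever pod happens to be listed last, including one that is not Running; use the same `-o jsonpath={.items[0].metadata.name}` form the other file uses.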