ofilter/Istio_Examples
1
0
Fork 0
Code Issues 26 Pull Requests Packages Projects 1 Releases Wiki Activity

Rebasing

Browse Source
This commit is contained in:
savagebidoof
2023-04-22 05:03:30 +02:00
parent 48b26acf0d
commit 92ada97e07
86 changed files with 56 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

172
Istio/03-Sidecar/01-ingress-proxy-forwarding/README.md Executable file
View File

@ -0,0 +1,172 @@
# Continues from
- 01-hello_world_1_service_1_deployment
# TO TRAFFIC PATH DIAGRAM
`etc -> "POD" -> sidecar -> service container`
# Description
This example configures the sidecar proxy on the pods created, to forward the traffic incoming from the port `8080` to the port `80`
## Files
- deployment.yaml
- gateway.yaml
- sidecar.yaml
> Added the `sidecar.yaml` file.
## deployment.yaml
### Creates
#### Service
- helloworld
#### Deployments
- helloworld-nginx (Nginx container)
## gateway.yaml
### Creates
#### Gateway
##### helloworld-gateway
###### Configuration
```yml
...
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
#### VirtualService
##### helloworld-vs
###### Configuration
```yaml
...
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
rewrite:
uri: "/"
```
- On this example, we are using the port `8080` as a destination.
## sidecar.yaml
### creates
#### sidecar
##### helloworld-sidecar
###### Configuration
```yaml
...
spec:
workloadSelector:
labels:
app: helloworld
ingress:
- port:
number: 8080
protocol: HTTP
name: ingressport
defaultEndpoint: 127.0.0.1:80
````
workloadSelector:
> `workloadSelector` is used to target the `PODS`, on which apply this sidecar configuration. \
> Bear in mind that this configuration doesn't target kinds `Service`, nor `Deployment`, it's applied to a kind `Pod` or `ServiceEntry` \
> If there is no `workloadSelector` specified, it will be used as default configuration for the namespace on which was created. \
> More info in the [Istio documentation for workloadSelector](https://istio.io/latest/docs/reference/config/networking/sidecar/#WorkloadSelector)
ingress:
> Configure the behavior of the ingress traffic.\
> On this "grabs"/targets the ingress traffic with port 8080, and forwards it to the port IP `127.0.0.1` (loopback) respective to the destination pod, with the destination port set to 80, which is the port that the service is currently listening to.
# Run example
## Deploy resources
```shell
$ kubectl apply -f ./
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
sidecar.networking.istio.io/helloworld-sidecar created
```
## Wait for the pods to be ready
```shell
$ kubectl get deployment helloworld-nginx -w
NAME READY UP-TO-DATE AVAILABLE AGE
helloworld-nginx 1/1 1 1 39s
```
## Test the service
### Get LB IP
```shell
$ kubectl get svc istio-ingressgateway -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
### Curl
```shell
$ curl 192.168.1.50/helloworld -s | grep "<title>.*</title>"
<title>Welcome to nginx!</title>
```
### Delete the sidecar configuration to force failure.
```shell
$ kubectl delete sidecars.networking.istio.io helloworld-sidecar
sidecar.networking.istio.io "helloworld-sidecar" deleted
```
### Curl again
```shell
$ curl 192.168.1.50/helloworld -s
upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: delayed connect error: 111
```

39
Istio/03-Sidecar/01-ingress-proxy-forwarding/deployment.yaml Executable file
View File

@ -0,0 +1,39 @@
## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
spec:
ports:
- port: 8080
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

35
Istio/03-Sidecar/01-ingress-proxy-forwarding/gateway.yaml Executable file
View File

@ -0,0 +1,35 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
rewrite:
uri: "/"

14
Istio/03-Sidecar/01-ingress-proxy-forwarding/sidecar.yaml Executable file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: helloworld-sidecar
spec:
workloadSelector:
labels:
app: helloworld
ingress:
- port:
number: 8080
protocol: HTTP
name: ingressport
defaultEndpoint: 127.0.0.1:80

157
Istio/03-Sidecar/README.md Executable file
View File

@ -0,0 +1,157 @@
## Examples
- 01-ingress-proxy-forwarding
-
Duplicate 01, and show how it also affects traffic between services.00
egress from (pod to pod)
mtls
examples showing application priority (root < namespace < workload)
istioctl install profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
```shell
$ kubectl get istiooperators.install.istio.io -n istio-system
NAME REVISION STATUS AGE
installed-state 8d
```
kubectl patch istiooperators installed-state -n istio-system --patch-file patch.txt
kubectl patch istiooperators installed-state -n istio-system --patch-file patch.yaml --type merge
---
Set the default behavior of the sidecar for handling outbound traffic from the application. If your application uses one or more external services that are not known apriori, setting the policy to ALLOW_ANY will cause the sidecars to route any unknown traffic originating from the application to its requested destination.
---
https://stackoverflow.com/questions/75093144/istio-sidecar-is-not-restricting-pod-connections-as-desired
https://github.com/istio/istio/issues/33387
https://gist.github.com/GregHanson/3567f5a23bcd58ad1a8acf2a4d1155eb
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/?_ga=2.259114634.1481027401.1681916557-32589553.1681916557#change-to-the-blocking-by-default-policy
https://docs.tetrate.io/service-bridge/1.6.x/en-us/operations ?
https://istio.io/latest/docs/reference/config/networking/sidecar/
https://istio.io/latest/docs/reference/glossary/#workload
I am not very sure on how or why to use this...
NOT HOW TO TRIGGER / UNTRIGGER IT
```yaml
apiVersion:
networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: foo
spec:
egress:
- hosts:
- "./*"
- "istio-system/*"
```
whats this again??
istio operator right? ye, but what is it again? I think I checked this time ago when doing something about creating a new ingress
kubectl get io -A
2023-04-17T00:08:00.086475Z info validationController Not ready to switch validation to fail-closed: dummy invalid config not rejected
2023-04-17T00:08:04.012630Z info validationServer configuration is invalid: gateway must have at least one server
kubectl logs -f deployments/istiod -n istio-system
https://istio.io/latest/docs/reference/config/networking/sidecar/
egress:
- port:
number: 8080
protocol: HTTP
hosts:
- "staging/*"
With the YAML above, the sidecar proxies the traffic thats bound for port 8080 for services running in the staging namespace.
- Confirm pod ingress port forwarding
- Confirm it can reach other places / namespaces / resources (pod egress)
- mtls (somehow)
# Ingress
Does stuff
# Egress
What is "bind"
# CaptureMode
Not my problem rn

7
Istio/03-Sidecar/__02-egress-proxy-forwarding/01-namespace.yaml Executable file
View File

@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
name: foo
labels:
istio-injection: "enabled"
---

39
Istio/03-Sidecar/__02-egress-proxy-forwarding/02-deployment_1.yaml Executable file
View File

@ -0,0 +1,39 @@
## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
spec:
ports:
- port: 8080
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

45
Istio/03-Sidecar/__02-egress-proxy-forwarding/02-deployment_2.yaml Normal file
View File

@ -0,0 +1,45 @@
## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: internal
labels:
app: internal
namespace: foo
spec:
ports:
- port: 8080
name: http
- port: 80
name: http-default
selector:
app: internal
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: internal
labels:
app: internal
namespace: foo
spec:
replicas: 1
selector:
matchLabels:
app: internal
template:
metadata:
labels:
app: internal
service: apache
spec:
containers:
- name: internal
image: httpd
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

71
Istio/03-Sidecar/__02-egress-proxy-forwarding/03-default-sidecar.yaml Normal file
View File

@ -0,0 +1,71 @@
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: root-default
# namespace: default
namespace: istio-system
spec:
# workloadSelector:
# labels:
# app: helloworld
egress:
- hosts:
- "./*"
# - "istio-system/*"
# ingress:
# - port:
# number: 8080
# protocol: HTTP
# name: ingressport
# defaultEndpoint: 127.0.0.1:80
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: helloworld-default
namespace: default
# namespace: istio-system
spec:
# workloadSelector:
# labels:
# app: helloworld
# egress:
# - port:
# number: 8080
# protocol: HTTP
# name: egresshttp
## - "internal.foo.svc.cluster.local"
# hosts:
# - "foo/*"
# - hosts:
# - "istio-system/*"
ingress:
- port:
number: 8080
protocol: HTTP
name: ingressport
defaultEndpoint: 127.0.0.1:80
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: internal-default
namespace: foo
spec:
workloadSelector:
labels:
app: internal
egress:
- hosts:
- "./*"
- "istio-system/*"
#- "wikipedia.com"
ingress:
# - hosts:
# - "./*"
# - "istio-system/*"
- port:
number: 8080
protocol: HTTP
name: myingressport
defaultEndpoint: 127.0.0.1:80

51
Istio/03-Sidecar/__02-egress-proxy-forwarding/README.md Executable file
View File

@ -0,0 +1,51 @@
# Continues from
- 01-ingress-proxy-forwarding
# Description
This example configures the sidecar proxy on the pods created, to forward the traffic ongoing (egress)
- Configure egress to a different namespace?
> the configured meshconfig.rootNamespace namespace (istio-system by default)
https://istio.io/latest/docs/ops/best-practices/traffic-management/#cross-namespace-configuration
CANT MAKE IT WORK CANT MAKE IT WORK CANT MAKE IT WORK
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
---
kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}'
kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- /bin/bash
kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl internal.foo.svc.cluster.local
curl helloworld.default.svc.cluster.local
curl internal.foo.svc.cluster.local
curl: (6) Could not resolve host: internal.foo.svc.cluster.local
helloworld.default.svc.cluster.local:8080
kubectl exec -i -n foo -t "$(kubectl get pod -l app=internal -n foo | tail -n 1 | awk '{print $1}')" -- /bin/bash

46
Istio/03-Sidecar/__02-egress-proxy-forwarding/gateway.yaml Executable file
View File

@ -0,0 +1,46 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
rewrite:
uri: "/"
- match:
- uri:
exact: /internal
route:
- destination:
# host: helloworld.default.svc.cluster.local
host: internal.foo.svc.cluster.local
port:
number: 8080
rewrite:
uri: "/"

5
Istio/03-Sidecar/__02-egress-proxy-forwarding/patch/patch.yaml Normal file
View File

@ -0,0 +1,5 @@
spec:
meshConfig:
outboundTrafficPolicy:
mode: REGISTRY_ONLY
# Doesnt work

62
Istio/03-Sidecar/__02-egress-proxy-forwarding/sidecar.yaml Executable file
View File

@ -0,0 +1,62 @@
#apiVersion: networking.istio.io/v1beta1
#kind: Sidecar
#metadata:
# name: helloworld-default
# namespace: default
## namespace: istio-config
#spec:
## workloadSelector:
## labels:
## app: helloworld
## egress:
## - hosts:
## - "./*"
## - "istio-system/*"
# ingress:
# - port:
# number: 8080
# protocol: HTTP
# name: ingressport
# defaultEndpoint: 127.0.0.1:80
---
#apiVersion: networking.istio.io/v1alpha3
#kind: Sidecar
#metadata:
# name: helloworld-sidecar
#spec:
# workloadSelector:
# labels:
# app: helloworld
# ingress:
# - port:
# number: 8080
# protocol: HTTP
# name: ingressport
# defaultEndpoint: 127.0.0.1:80
#---
#apiVersion: networking.istio.io/v1beta1
#kind: Sidecar
#metadata:
# name: helloworld-default
# namespace: default
## namespace: istio-system
#spec:
# workloadSelector:
# labels:
# app: helloworld2
# egress:
# - port:
# number: 9080
# protocol: HTTP
# name: httpingress
# hosts:
# - "foo/*"
# - hosts:
# - "istio-system/*"
# ingress:
# - port:
# number: 8080
# protocol: HTTP
# name: ingressport
# defaultEndpoint: 127.0.0.1:80
#---

9
Istio/03-Sidecar/placeholder/01-namespace.yaml Executable file
View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: Namespace
metadata:
name: visiblent
labels:
# istio-injection: "false"
istio-injection: "enabled"
f: "3"
---

66
Istio/03-Sidecar/placeholder/README.md Executable file
View File

@ -0,0 +1,66 @@
https://github.com/steren/istio.github.io/blob/master/_docs/setup/kubernetes/sidecar-injection.md
https://istio.io/latest/docs/reference/config/networking/sidecar/
# Continues from
- 01-hello_world_1_service_1_deployment
the labbel `workloadSelector` only affects the pods.
```yaml
workloadSelector:
```
whats this command again?
istioctl operator init
https://istio.io/latest/docs/ops/common-problems/injection/
```sh
kubectl create namespace istio-config
```
No fucking clue on how to make it NOT work.
https://istio.io/latest/blog/2021/discovery-selectors/#discovery-selectors-vs-sidecar-resource
https://istio.io/latest/docs/reference/config/networking/sidecar/
# Sidecar notes
Sidecar describes the configuration of the sidecar proxy that mediates inbound and outbound communication to the
workload instance it is attached to.
By default, Istio will program all sidecar proxies in the mesh with the necessary
configuration required to reach every workload instance in the mesh, as well as accept traffic on all the ports associated
with the workload.
The Sidecar configuration provides a way to fine tune the set of ports, protocols that the proxy will
accept when forwarding traffic to and from the workload. In addition, it is possible to restrict the set of services that
the proxy can reach when forwarding outbound traffic from workload instances.
The behavior of the system is undefined if two or more Sidecar configurations with a workloadSelector select the same workload instance.
https://youtu.be/lnYTqNfyzNk
https://www.youtube.com/watch?v=UJ86BNQEcTA

19
Istio/03-Sidecar/placeholder/deployment-SE.yaml Executable file
View File

@ -0,0 +1,19 @@
## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
#---
#apiVersion: networking.istio.io/v1alpha3
#kind: ServiceEntry
#metadata:
# name: external-svc
# namespace: visiblent
#spec:
# hosts:
# - help.websiteos.com
# # /websiteos/example_of_a_simple_html_page.htm
## - http://help.websiteos.com/websiteos/example_of_a_simple_html_page.htm
# ports:
# - number: 80
# name: http
# protocol: HTTP
# resolution: DNS
# location: MESH_EXTERNAL
#---

51
Istio/03-Sidecar/placeholder/deployment.yaml Executable file
View File

@ -0,0 +1,51 @@
## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helliworld
labels:
app: helloworld
service: helloworld
# namespace: visiblent
spec:
ports:
- port: 8080
name: http
selector:
app: helloworld
#---
#apiVersion: v1
#kind: ServiceAccount
#metadata:
# name: istio-helloworld
# labels:
# account:
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
# namespace: visiblent
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
# namespace: visiblent
spec:
# serviceAccountName: istio-helloworld
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

64
Istio/03-Sidecar/placeholder/gateway.yaml Executable file
View File

@ -0,0 +1,64 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helliworld
# host: helloworlddo
# host: helloworld-nginx-56c5c77cd7-9mxmf.visiblent
port:
number: 8080
rewrite:
uri: "/"
---
#apiVersion: networking.istio.io/v1alpha3
#kind: VirtualService
#metadata:
# name: helloworld-vs
#spec:
# hosts:
# - "*"
# gateways:
# - helloworld-gateway
# http:
# - timeout: 3s
# match:
# - uri:
# - exact: "/external"
# route:
# - destination:
# host: help.websiteos.com
# port:
# number: 80
# rewrite:
# uri: "/websiteos/example_of_a_simple_html_page.htm"
# headers:
# request:
# set:
# HOST: "help.websiteos.com"

47
Istio/03-Sidecar/placeholder/sidecar.yaml Executable file
View File

@ -0,0 +1,47 @@
## First we overide the default configuration.
# This configures the egress, to only allow egress within the same namespace, and to `istio-system`
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
namespace: istio-config
spec:
egress:
- hosts:
- "./*"
- "istio-system/*"
---
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: helloworlddo
# namespace: visiblent
spec:
workloadSelector:
labels:
app: helloworld
ingress:
# - bind: 192.168.1.50
# - bind: 172.17.121.220
- port:
number: 8080
protocol: HTTP
name: ingressport
defaultEndpoint: 127.0.0.1:80
# defaultEndpoint: unix:///var/run/someuds.sock
# captureMode: DEFAULT
# egress:
# - port:
# number: 80
# protocol: HTTP
# name: egressport
# hosts:
# - "prod-us1/*"
# - hosts:
# - "istio-system/*"
# egress:
# hosts:
# - "./*"
# - "istio-system/*"
# captureMode: DEFAULT

23
Istio/03-Sidecar/placeholder/tmp.yaml Executable file
View File

@ -0,0 +1,23 @@
#apiVersion:
# networking.istio.io/v1alpha3
#kind: Sidecar
#metadata:
# name: default
# namespace: default
#spec:
# egress:
# - hosts:
# - "./*"
# - "istio-system/*"
#---
#apiVersion: networking.istio.io/v1alpha3
#kind: Sidecar
#metadata:
# name: default-sidecar
# namespace: default
#spec:
# egress:
# - hosts:
# - "default/*"
# - "istio-system/*"
# - "staging/*"

53
Istio/03-Sidecar/placeholder/txt.txt Executable file
View File

@ -0,0 +1,53 @@
apiVersion: v1
kind: Service
metadata:
name: ratings
labels:
app: ratings
service: ratings
spec:
ports:
- port: 8443
name: https
targetPort: 80
selector:
app: ratings
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: ratings-peer-auth
namespace: prod-us1
spec:
selector:
matchLabels:
app: ratings
mtls:
mode: STRICT
portLevelMtls:
80:
mode: DISABLE
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: ratings
namespace: prod-us1
spec:
workloadSelector:
labels:
app: ratings
ingress:
- port:
number: 80
protocol: HTTPS
name: somename
defaultEndpoint: unix:///var/run/someuds.sock
tls:
mode: SIMPLE
privateKey: "/etc/certs/privatekey.pem"
serverCertificate: "/etc/certs/servercert.pem"

8
Istio/03-Sidecar/tmp-visibility/README.txt Executable file
View File

@ -0,0 +1,8 @@
https://github.com/steren/istio.github.io/blob/master/_docs/setup/kubernetes/sidecar-injection.md
https://istio.io/latest/docs/reference/config/networking/sidecar/
# Continues from
- 01-hello_world_1_service_1_deployment

27
Istio/03-Sidecar/tmp-visibility/sidecar.yaml Executable file
View File

@ -0,0 +1,27 @@
apiVersion:
networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: foo
spec:
egress:
- hosts:
- "./*"
- "istio-system/*"
---
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default-sidecar
namespace: default
spec:
workloadSelector:
labels:
version: v1
egress:
- hosts:
- "default/*"
- "istio-system/*"
- "staging/*"
---

11
Istio/03-Sidecar/tmp-visibility/workload.yaml Executable file
View File

@ -0,0 +1,11 @@
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default-sidecar
namespace: default
spec:
egress:
- hosts:
- "default/*"
- "istio-system/*"
- "staging/*"