This commit is contained in:
Oriol 2023-04-14 17:44:16 +01:00
parent 325a316ae2
commit a9ac7ceded
8 changed files with 317 additions and 237 deletions


@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: visiblent
labels:
# istio-injection: "false"
istio-injection: "enabled"
---
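Review bot: The commented-out alternative `# istio-injection: "false"` above the active label is not a value Istio documents for this label; the documented values are `enabled` and `disabled`, so the opt-out line should read `# istio-injection: "disabled"` to behave predictably with the injector's namespace selector. The trailing `---` after the only document is harmless to kubectl but leaves an empty trailing document and can be dropped. Indentation is not visible on this page, so the nesting of `name` and `labels` under `metadata` is assumed.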


@ -6,3 +6,22 @@ https://istio.io/latest/docs/reference/config/networking/sidecar/
# Continues from
- 01-hello_world_1_service_1_deployment
the labbel `workloadSelector` only affects the pods.
```yaml
workloadSelector:
```
```sh
kubectl create namespace istio-config
```
No fucking clue on how to make it NOT work.


@ -6,6 +6,7 @@ metadata:
labels:
app: helloworld
service: helloworld
namespace: visiblent
spec:
ports:
- port: 80
@ -26,6 +27,7 @@ metadata:
name: helloworld-nginx
labels:
app: helloworld
namespace: visiblent
spec:
replicas: 1
selector:
@ -35,6 +37,7 @@ spec:
metadata:
labels:
app: helloworld
namespace: visiblent
spec:
# serviceAccountName: istio-helloworld
containers:
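Review bot: The `namespace: visiblent` added in the third hunk, under the pod template's `metadata` next to `app: helloworld`, does not place anything in a namespace: pods created by a Deployment land in the Deployment's own namespace and, as far as I know, `template.metadata.namespace` is ignored by the controller, so that line should be removed. Indentation is not visible on this page; if the new key sits under `labels:` in the first two hunks rather than directly under `metadata:`, it is only a label and the Service and Deployment still go to whatever namespace the kubectl context selects. Both enclosing objects extend beyond the hunks shown.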


@ -29,7 +29,7 @@ spec:
exact: /helloworld
route:
- destination:
host: helloworld
host: helloworld.visiblent.svc.cluster.local
port:
number: 80
rewrite:


@ -1,11 +1,23 @@
apiVersion:
networking.istio.io/v1alpha3
## First we overide the default configuration.
# This configures the egress, to only allow egress within the same namespace, and to `istio-system`
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
namespace: foo
namespace: istio-config
spec:
egress:
- hosts:
- "./*"
- "istio-system/*"
# - "istio-system/*"
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
namespace: visiblent
spec:
egress:
- hosts:
- "visiblent/*"
- "istio-system/*"
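Review bot: The new comment `# This configures the egress, to only allow egress within the same namespace, and to istio-system` no longer matches the `istio-config` Sidecar beneath it, where `- "istio-system/*"` is commented out and only `"./*"` remains; either restore the entry or reword the comment, e.g. `# Mesh-wide default: sidecars may only reach services in their own namespace (istio-system deliberately excluded).` A Sidecar named `default` in `istio-config` is mesh-wide only if `meshConfig.rootNamespace` is set to `istio-config`; with the stock root namespace it governs only workloads inside `istio-config`, and the comment's claim would not hold. Dropping `istio-system/*` from the default does not affect the proxies' own connection to istiod, but it does stop application traffic to anything in `istio-system` (telemetry or tracing collectors, for example) from workloads in namespaces that have no Sidecar of their own. The second document's `visiblent/*` entry is consistent with the FQDN destination the VirtualService in this commit now routes to.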


@ -1,235 +1,235 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
#apiVersion: v1
#kind: ServiceAccount
#kind: Service
#metadata:
# name: istio-helloworld
# name: helloworld
# labels:
# account:
---
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
labels:
app: helloworld
name: helloworld-nginx
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
strategy: {}
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: helloworld
kubectl.kubernetes.io/default-logs-container: helloworld
prometheus.io/path: /stats/prometheus
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}'
creationTimestamp: null
labels:
app: helloworld
security.istio.io/tlsMode: istio
service.istio.io/canonical-name: helloworld
service.istio.io/canonical-revision: latest
spec:
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: helloworld
ports:
- containerPort: 80
resources:
requests:
cpu: 100m
- args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.cluster.local
- --proxyLogLevel=warning
- --proxyComponentLogLevel=misc:error
- --log_output_level=default:info
- --concurrency
- "2"
env:
- name: JWT_POLICY
value: third-party-jwt
- name: PILOT_CERT_PROVIDER
value: istiod
- name: CA_ADDR
value: istiod.istio-system.svc:15012
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: PROXY_CONFIG
value: |
{}
- name: ISTIO_META_POD_PORTS
value: |-
[
{"containerPort":80}
]
- name: ISTIO_META_APP_CONTAINERS
value: helloworld
- name: ISTIO_META_CLUSTER_ID
value: Kubernetes
- name: ISTIO_META_INTERCEPTION_MODE
value: REDIRECT
- name: ISTIO_META_MESH_ID
value: cluster.local
- name: TRUST_DOMAIN
value: cluster.local
image: istio/proxyv2:1.16.1
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: 1
periodSeconds: 2
timeoutSeconds: 3
resources:
limits:
cpu: "2"
memory: 1Gi
requests:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /var/run/secrets/workload-spiffe-uds
name: workload-socket
- mountPath: /var/run/secrets/credential-uds
name: credential-socket
- mountPath: /var/run/secrets/workload-spiffe-credentials
name: workload-certs
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
- mountPath: /var/lib/istio/data
name: istio-data
- mountPath: /etc/istio/proxy
name: istio-envoy
- mountPath: /var/run/secrets/tokens
name: istio-token
- mountPath: /etc/istio/pod
name: istio-podinfo
initContainers:
- args:
- istio-iptables
- -p
- "15001"
- -z
- "15006"
- -u
- "1337"
- -m
- REDIRECT
- -i
- '*'
- -x
- ""
- -b
- '*'
- -d
- 15090,15021,15020
- --log_output_level=default:info
image: istio/proxyv2:1.16.1
name: istio-init
resources:
limits:
cpu: "2"
memory: 1Gi
requests:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
- name: workload-socket
- name: credential-socket
- name: workload-certs
- emptyDir:
medium: Memory
name: istio-envoy
- emptyDir: {}
name: istio-data
- downwardAPI:
items:
- fieldRef:
fieldPath: metadata.labels
path: labels
- fieldRef:
fieldPath: metadata.annotations
path: annotations
name: istio-podinfo
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: istio-ca
expirationSeconds: 43200
path: istio-token
- configMap:
name: istio-ca-root-cert
name: istiod-ca-cert
status: {}
---
# app: helloworld
# service: helloworld
#spec:
# ports:
# - port: 80
# name: http
# selector:
# app: helloworld
#---
##apiVersion: v1
##kind: ServiceAccount
##metadata:
## name: istio-helloworld
## labels:
## account:
#---
#apiVersion: apps/v1
#kind: Deployment
#metadata:
# creationTimestamp: null
# labels:
# app: helloworld
# name: helloworld-nginx
#spec:
# replicas: 1
# selector:
# matchLabels:
# app: helloworld
# strategy: {}
# template:
# metadata:
# annotations:
# kubectl.kubernetes.io/default-container: helloworld
# kubectl.kubernetes.io/default-logs-container: helloworld
# prometheus.io/path: /stats/prometheus
# prometheus.io/port: "15020"
# prometheus.io/scrape: "true"
# sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}'
# creationTimestamp: null
# labels:
# app: helloworld
# security.istio.io/tlsMode: istio
# service.istio.io/canonical-name: helloworld
# service.istio.io/canonical-revision: latest
# spec:
# containers:
# - image: nginx
# imagePullPolicy: IfNotPresent
# name: helloworld
# ports:
# - containerPort: 80
# resources:
# requests:
# cpu: 100m
# - args:
# - proxy
# - sidecar
# - --domain
# - $(POD_NAMESPACE).svc.cluster.local
# - --proxyLogLevel=warning
# - --proxyComponentLogLevel=misc:error
# - --log_output_level=default:info
# - --concurrency
# - "2"
# env:
# - name: JWT_POLICY
# value: third-party-jwt
# - name: PILOT_CERT_PROVIDER
# value: istiod
# - name: CA_ADDR
# value: istiod.istio-system.svc:15012
# - name: POD_NAME
# valueFrom:
# fieldRef:
# fieldPath: metadata.name
# - name: POD_NAMESPACE
# valueFrom:
# fieldRef:
# fieldPath: metadata.namespace
# - name: INSTANCE_IP
# valueFrom:
# fieldRef:
# fieldPath: status.podIP
# - name: SERVICE_ACCOUNT
# valueFrom:
# fieldRef:
# fieldPath: spec.serviceAccountName
# - name: HOST_IP
# valueFrom:
# fieldRef:
# fieldPath: status.hostIP
# - name: PROXY_CONFIG
# value: |
# {}
# - name: ISTIO_META_POD_PORTS
# value: |-
# [
# {"containerPort":80}
# ]
# - name: ISTIO_META_APP_CONTAINERS
# value: helloworld
# - name: ISTIO_META_CLUSTER_ID
# value: Kubernetes
# - name: ISTIO_META_INTERCEPTION_MODE
# value: REDIRECT
# - name: ISTIO_META_MESH_ID
# value: cluster.local
# - name: TRUST_DOMAIN
# value: cluster.local
# image: istio/proxyv2:1.16.1
# name: istio-proxy
# ports:
# - containerPort: 15090
# name: http-envoy-prom
# protocol: TCP
# readinessProbe:
# failureThreshold: 30
# httpGet:
# path: /healthz/ready
# port: 15021
# initialDelaySeconds: 1
# periodSeconds: 2
# timeoutSeconds: 3
# resources:
# limits:
# cpu: "2"
# memory: 1Gi
# requests:
# cpu: 100m
# memory: 128Mi
# securityContext:
# allowPrivilegeEscalation: false
# capabilities:
# drop:
# - ALL
# privileged: false
# readOnlyRootFilesystem: true
# runAsGroup: 1337
# runAsNonRoot: true
# runAsUser: 1337
# volumeMounts:
# - mountPath: /var/run/secrets/workload-spiffe-uds
# name: workload-socket
# - mountPath: /var/run/secrets/credential-uds
# name: credential-socket
# - mountPath: /var/run/secrets/workload-spiffe-credentials
# name: workload-certs
# - mountPath: /var/run/secrets/istio
# name: istiod-ca-cert
# - mountPath: /var/lib/istio/data
# name: istio-data
# - mountPath: /etc/istio/proxy
# name: istio-envoy
# - mountPath: /var/run/secrets/tokens
# name: istio-token
# - mountPath: /etc/istio/pod
# name: istio-podinfo
# initContainers:
# - args:
# - istio-iptables
# - -p
# - "15001"
# - -z
# - "15006"
# - -u
# - "1337"
# - -m
# - REDIRECT
# - -i
# - '*'
# - -x
# - ""
# - -b
# - '*'
# - -d
# - 15090,15021,15020
# - --log_output_level=default:info
# image: istio/proxyv2:1.16.1
# name: istio-init
# resources:
# limits:
# cpu: "2"
# memory: 1Gi
# requests:
# cpu: 100m
# memory: 128Mi
# securityContext:
# allowPrivilegeEscalation: false
# capabilities:
# add:
# - NET_ADMIN
# - NET_RAW
# drop:
# - ALL
# privileged: false
# readOnlyRootFilesystem: false
# runAsGroup: 0
# runAsNonRoot: false
# runAsUser: 0
# volumes:
# - name: workload-socket
# - name: credential-socket
# - name: workload-certs
# - emptyDir:
# medium: Memory
# name: istio-envoy
# - emptyDir: {}
# name: istio-data
# - downwardAPI:
# items:
# - fieldRef:
# fieldPath: metadata.labels
# path: labels
# - fieldRef:
# fieldPath: metadata.annotations
# path: annotations
# name: istio-podinfo
# - name: istio-token
# projected:
# sources:
# - serviceAccountToken:
# audience: istio-ca
# expirationSeconds: 43200
# path: istio-token
# - configMap:
# name: istio-ca-root-cert
# name: istiod-ca-cert
#status: {}
#---


@ -0,0 +1,27 @@
apiVersion:
networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: foo
spec:
egress:
- hosts:
- "./*"
- "istio-system/*"
---
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default-sidecar
namespace: default
spec:
workloadSelector:
labels:
version: v1
egress:
- hosts:
- "default/*"
- "istio-system/*"
- "staging/*"
---
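Review bot: `apiVersion:` is split over two lines at the top of this new file, with `networking.istio.io/v1alpha3` on the following line; that only parses as a continuation of the plain scalar when it is indented deeper than the key, and indentation is not visible here, so writing `apiVersion: networking.istio.io/v1alpha3` on one line removes the ambiguity (the other Sidecar file in this commit makes exactly that change). This file also stays on `v1alpha3` while the istio-config/visiblent Sidecar file moved to `v1beta1`; pick one across the commit. The `foo` and `staging` namespaces referenced here match the Istio documentation example rather than anything else in this commit; if they do not exist in the cluster, the `foo` Sidecar governs no workloads and `staging/*` grants nothing.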


@ -0,0 +1,11 @@
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default-sidecar
namespace: default
spec:
egress:
- hosts:
- "default/*"
- "istio-system/*"
- "staging/*"
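Review bot: This Sidecar has the same name (`default-sidecar`) and namespace (`default`) as the second document of the preceding new file, but that one carries a `workloadSelector` (`version: v1`) and this one does not; applying both files leaves whichever was applied last, not two coexisting policies. If the intent is a namespace-wide default plus a per-workload override, the two need distinct names, e.g. `name: default` for this selector-less one, and Istio expects at most one selector-less Sidecar per namespace. The `apiVersion: networking.istio.io/v1alpha3` here also differs from the `v1beta1` used in the istio-config/visiblent file.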