From 325a316ae2e2b437291dfa2107f71717708bb69e Mon Sep 17 00:00:00 2001 
From: Oriol Date: Fri, 14 Apr 2023 15:58:30 +0100 Subject: [PATCH] sidk still going and trying things --- Istio/README.md | 26 ++ Istio/bookshelf/README.md | 2 +- Istio/envoy/01-envoy_add_headers/README.md | 42 ++++ .../01-envoy_add_headers/deployment.yaml | 44 ++++ Istio/envoy/01-envoy_add_headers/envoy.yaml | 33 +++ Istio/envoy/01-envoy_add_headers/envoy2.yaml | 38 +++ Istio/envoy/01-envoy_add_headers/gateway.yaml | 36 +++ Istio/envoy/README.md | 6 + Istio/istio-classic/README.md | 7 +- Istio/istio-classic/ingress.yaml | 118 ++++++--- Istio/istio-classic/simple/README.md | 8 +- .../traffic_management/06-mTLS/README.md | 9 + .../06-mTLS/deployment.yaml | 48 ++++ .../traffic_management/06-mTLS/gateway.yaml | 36 +++ .../traffic_management/README.md | 17 ++ Istio/sidecar/01-visibility/README.md | 8 + Istio/sidecar/01-visibility/deployment.yaml | 48 ++++ Istio/sidecar/01-visibility/gateway.yaml | 36 +++ Istio/sidecar/01-visibility/sidecar.yaml | 11 + Istio/sidecar/01-visibility/tmp.yaml | 235 ++++++++++++++++++ Istio/sidecar/README.md | 23 ++ README.md | 4 +- 22 files changed, 799 insertions(+), 36 deletions(-) create mode 100644 Istio/README.md create mode 100644 Istio/envoy/01-envoy_add_headers/README.md create mode 100644 Istio/envoy/01-envoy_add_headers/deployment.yaml create mode 100644 Istio/envoy/01-envoy_add_headers/envoy.yaml create mode 100644 Istio/envoy/01-envoy_add_headers/envoy2.yaml create mode 100644 Istio/envoy/01-envoy_add_headers/gateway.yaml create mode 100644 Istio/envoy/README.md create mode 100644 Istio/istio-classic/traffic_management/06-mTLS/README.md create mode 100644 Istio/istio-classic/traffic_management/06-mTLS/deployment.yaml create mode 100644 Istio/istio-classic/traffic_management/06-mTLS/gateway.yaml create mode 100644 Istio/istio-classic/traffic_management/README.md create mode 100644 Istio/sidecar/01-visibility/README.md create mode 100644 Istio/sidecar/01-visibility/deployment.yaml create mode 100644 
Istio/sidecar/01-visibility/gateway.yaml create mode 100644 Istio/sidecar/01-visibility/sidecar.yaml create mode 100644 Istio/sidecar/01-visibility/tmp.yaml create mode 100644 Istio/sidecar/README.md diff --git a/Istio/README.md b/Istio/README.md new file mode 100644 index 0000000..d830f78 --- /dev/null +++ b/Istio/README.md @@ -0,0 +1,26 @@ + +## Glossary + +https://istio.io/latest/docs/reference/glossary/ + + +## Workload + +https://istio.io/latest/docs/reference/glossary/#workload + +https://kiali.io/docs/architecture/terminology/concepts/#workload + + +https://istio.io/latest/docs/ops/deployment/vm-architecture/ + + +## Sidecar + +https://kubebyexample.com/learning-paths/istio/intro + + + + +My current issues: + +- Understanding authentication diff --git a/Istio/bookshelf/README.md b/Istio/bookshelf/README.md index e3c033b..4ce3894 100644 --- a/Istio/bookshelf/README.md +++ b/Istio/bookshelf/README.md @@ -1 +1 @@ -# Example from istio, using it for testing purposes \ No newline at end of file +# Example from istio, storing it for testing purposes \ No newline at end of file diff --git a/Istio/envoy/01-envoy_add_headers/README.md b/Istio/envoy/01-envoy_add_headers/README.md new file mode 100644 index 0000000..a8952b6 --- /dev/null +++ b/Istio/envoy/01-envoy_add_headers/README.md 
@@ -0,0 +1,42 @@ +https://github.com/istio/istio/wiki/EnvoyFilter-Samples + +https://stackoverflow.com/questions/73262158/how-to-apply-envoyfilter-to-sidecar-inbound-and-gateway + + +https://istio.io/latest/docs/reference/config/networking/envoy-filter/ + +https://discuss.istio.io/t/adding-custom-response-headers-using-istios-1-6-0-envoy-lua-filter/7494 + + + +https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter + + +kubectl logs -f deployments/istiod -n istio-system + + + +This somewhat is monitoring, can do cool stuff I don't know how or what to do + + +enable export access logs to stdout + + +istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout + + + +https://istio.io/latest/docs/ops/diagnostic-tools/component-logging/ + + + + +https://dev.to/aws-builders/understanding-istio-access-logs-2k5o + +```yaml +Note: Here I am using request_handle:logCritical method because default logLevel is WARN for Istio components. request_handle:logInfo can be used, if logLevel is set to Info. +``` + +https://youtu.be/yOtEG1luTwU + + diff --git a/Istio/envoy/01-envoy_add_headers/deployment.yaml b/Istio/envoy/01-envoy_add_headers/deployment.yaml new file mode 100644 index 0000000..f75b734 --- /dev/null +++ b/Istio/envoy/01-envoy_add_headers/deployment.yaml 
@@ -0,0 +1,44 @@ +# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +# annotations: +# sidecar.istio.io/componentLogLevel: info +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + annotations: + sidecar.istio.io/componentLogLevel: lua:info + spec: + containers: + - name: helloworld + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent #Always + ports: + - containerPort: 80 diff --git a/Istio/envoy/01-envoy_add_headers/envoy.yaml b/Istio/envoy/01-envoy_add_headers/envoy.yaml new file mode 100644 index 0000000..00a50dc --- /dev/null +++ b/Istio/envoy/01-envoy_add_headers/envoy.yaml @@ -0,0 +1,33 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: envoy-add-response-header + namespace: default +spec: + priority: 30 + workloadSelector: + labels: + app: helloworld + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + listener: + portNumber: 80 + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: envoy.lua + typed_config: + "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua" + inlineCode: | + function envoy_on_response(response_handle) + response_handle:headers():add("numbers", "lots of numbers") + response_handle:logInfo("Added header `numbers`") + response_handle:logInfo(">>>> Executed `envoy-add-response-header` <<<<") + end 
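Review bot: The helloworld container is pulled as the floating `image: nginx`, so different nodes (and different days) can run different nginx builds and the lab's behaviour drifts with the registry; pin it, e.g. `image: nginx:1.25` or a digest, which also makes the `imagePullPolicy: IfNotPresent #Always` comment moot. The container carries no `securityContext` and only a CPU request, which is fine for a scratch lab but worth a line such as `# lab only: no securityContext/limits, do not copy to a real namespace` so it is not lifted verbatim. The EnvoyFilter in this same commit keys on the `app: helloworld` label, so a later label rename silently detaches the filter; a comment next to the label noting that dependency would help.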
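Review bot: `response_handle:headers():add("numbers", "lots of numbers")` appends a header value rather than setting it, so if the upstream nginx ever emits a `numbers` header the client receives two values; use `response_handle:headers():replace("numbers", "lots of numbers")` if a single value is intended. The scope is sensible (namespace `default`, `workloadSelector` on `app: helloworld`, `SIDECAR_INBOUND` on port 80), but Istio warns that EnvoyFilter patches are not validated and a bad patch can break the inbound listener, so a header comment stating that scope and risk would help the next reader. The `logInfo` lines are only visible because the Deployment sets `sidecar.istio.io/componentLogLevel: lua:info`; that coupling is worth a comment in this file too.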
diff --git a/Istio/envoy/01-envoy_add_headers/envoy2.yaml b/Istio/envoy/01-envoy_add_headers/envoy2.yaml new file mode 100644 index 0000000..664b472 --- /dev/null +++ b/Istio/envoy/01-envoy_add_headers/envoy2.yaml @@ -0,0 +1,38 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: envoy-add-response-header2 + namespace: default +spec: + priority: 40 + workloadSelector: + labels: + app: helloworld + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + listener: + portNumber: 80 + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: envoy.lua + typed_config: + "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua" + inlineCode: | + function envoy_on_response(response_handle) + response_handle:headers():add("fruit", "watermelons") + response_handle:logCritical("Critical: Added header `fruit`") + response_handle:logErr("Error: Added header `fruit`") + response_handle:logWarn("Warning: Added header `fruit`") + response_handle:logInfo("Info: Added header `fruit`") + response_handle:logDebug("Debug: Added header `fruit`") + response_handle:logTrace("Trace: Added header `fruit`") + response_handle:logInfo(">>>> Executed `envoy-add-response-header2` <<<<") + end \ No newline at end of file diff --git a/Istio/envoy/01-envoy_add_headers/gateway.yaml b/Istio/envoy/01-envoy_add_headers/gateway.yaml new file mode 100644 index 0000000..8ba8a20 --- /dev/null +++ b/Istio/envoy/01-envoy_add_headers/gateway.yaml 
@@ -0,0 +1,36 @@ +# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway # use istio default controller + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - match: + - uri: + exact: /helloworld + route: + - destination: + host: helloworld + port: + number: 80 + rewrite: + uri: "/" \ No newline at end of file diff --git a/Istio/envoy/README.md b/Istio/envoy/README.md new file mode 100644 index 0000000..42d222c --- /dev/null +++ b/Istio/envoy/README.md @@ -0,0 +1,6 @@ +https://youtu.be/yOtEG1luTwU + + +Rate Limit: + +https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/ \ No newline at end of file diff --git a/Istio/istio-classic/README.md b/Istio/istio-classic/README.md index 0699900..0d1a212 100644 --- a/Istio/istio-classic/README.md +++ b/Istio/istio-classic/README.md @@ -8,4 +8,9 @@ https://youtu.be/QIkryA8HnQ0 https://github.com/redkubes/otomi-core/blob/main/charts/team-ns/templates/istio-gateway.yaml -https://istio.io/latest/docs/ops/diagnostic-tools/proxy-cmd/ \ No newline at end of file +https://istio.io/latest/docs/ops/diagnostic-tools/proxy-cmd/ + + + + + diff --git a/Istio/istio-classic/ingress.yaml b/Istio/istio-classic/ingress.yaml index ac5512a..12b0027 100644 --- a/Istio/istio-classic/ingress.yaml +++ b/Istio/istio-classic/ingress.yaml 
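Review bot: The Gateway serves plain HTTP on port 80 with `hosts: - "*"` and the VirtualService also matches `hosts: - "*"`, so this route binds to every hostname that reaches the shared `istio: ingressgateway` pods and there is no TLS on the client hop. That is acceptable for a lab, but a second Gateway with the same wildcard on port 80 will conflict with this one, and the repo's own notes list HTTPS ingress as still to do; scoping the host (e.g. `- "helloworld.example.internal"`) and adding `# no TLS on this listener: lab only` would make the intent explicit. The `exact: /helloworld` match plus `rewrite: uri: "/"` means any other path gets no route and a 404 from the gateway, which is the right default.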
@@ -1,34 +1,34 @@ -apiVersion: v1 -kind: Service -metadata: - name: istio-lb - namespace: istio-system - labels: - istio: istio-ingress -spec: - type: LoadBalancer - ports: - - port: 80 - name: http - - port: 443 - name: https - selector: - istio: istio-ingress ---- -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - namespace: istio-system - name: my-istio-operator -spec: -# profile: default - profile: empty - components: - ingressGateways: - - name: istio-ingress - enabled: true - label: - istio: my-istio-ingress +#apiVersion: v1 +#kind: Service +#metadata: +# name: istio-lb +# namespace: istio-system +# labels: +# istio: istio-ingress +#spec: +# type: LoadBalancer +# ports: +# - port: 80 +# name: http +# - port: 443 +# name: https +# selector: +# istio: istio-ingress +#--- +#apiVersion: install.istio.io/v1alpha1 +#kind: IstioOperator +#metadata: +# namespace: istio-system +# name: my-istio-operator +#spec: +## profile: default +# profile: empty +# components: +# ingressGateways: +# - name: istio-ingress +# enabled: true +# label: +# istio: my-istio-ingress --- #apiVersion: install.istio.io/v1alpha1 #kind: IstioOperator 
@@ -62,4 +62,58 @@ spec: # gateways: # istio-ingressgateway: # sds: -# enabled: true \ No newline at end of file +# enabled: true +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + labels: + app: istio-ingressgateway +# install.operator.istio.io/owning-resource: unknown +# install.operator.istio.io/owning-resource-namespace: istio-system + istio: my-ingress-gateway +# istio.io/rev: default + operator.istio.io/component: IngressGateways +# operator.istio.io/managed: Reconcile +# operator.istio.io/version: 1.16.1 +# release: istio + name: my-ingress-gateway + namespace: istio-system + resourceVersion: "880342" + uid: 289a34e8-fe45-43ad-8dad-bc3dc9534f5c +spec: +# allocateLoadBalancerNodePorts: true +# clusterIP: 10.110.130.2 +# clusterIPs: +# - 10.110.130.2 + externalTrafficPolicy: Cluster + internalTrafficPolicy: Cluster + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: status-port + nodePort: 30276 + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + nodePort: 32188 + port: 80 + protocol: TCP + targetPort: 8080 + - name: https +# nodePort: 32437 + port: 443 + protocol: TCP +# targetPort: 8443 + selector: + app: istio-ingressgateway + istio: ingressgateway +# sessionAffinity: None + type: LoadBalancer +status: + loadBalancer: + ingress: + - ip: 192.168.1.50 \ No newline at end of file diff --git a/Istio/istio-classic/simple/README.md b/Istio/istio-classic/simple/README.md index 5ae94de..17405cc 100644 --- a/Istio/istio-classic/simple/README.md +++ b/Istio/istio-classic/simple/README.md @@ -16,4 +16,10 @@ ## 03-hello_world_1_service_2_deployments_managed_version -## 04-hello_world_1_service_2_deployments_managed_version_defaultnt_namespace \ No newline at end of file +## 04-hello_world_1_service_2_deployments_managed_version_defaultnt_namespace + +## 05-hello_world_1_Service_Entry + +do HTTPS ingress + +tcp ingress to minecraft/factorio/zomboid \ No newline at end of file 
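Review bot: The new `my-ingress-gateway` Service keeps server-populated fields (`resourceVersion: "880342"`, the `uid:` line and the whole `status:` block), so `kubectl apply` will either be rejected on a resourceVersion conflict or carry a stale uid; strip those lines from the manifest. Its selector is `app: istio-ingressgateway` / `istio: ingressgateway`, i.e. the stock ingress gateway pods, while the Service's own label is `istio: my-ingress-gateway`, so this appears to expose the existing gateway a second time on 192.168.1.50 rather than front a new one; confirm that is what is wanted. The `https` entry has `# targetPort: 8443` commented out, so targetPort defaults to 443 while, judging by the `http2` entry that correctly targets 8080, the gateway container listens on 8443; restore `targetPort: 8443` or the 443 entry will not reach the proxy.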
diff --git a/Istio/istio-classic/traffic_management/06-mTLS/README.md b/Istio/istio-classic/traffic_management/06-mTLS/README.md new file mode 100644 index 0000000..6b19839 --- /dev/null +++ b/Istio/istio-classic/traffic_management/06-mTLS/README.md @@ -0,0 +1,9 @@ +https://istio.io/latest/docs/concepts/security/#authentication-policies + +https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/ + + + +# Continues from + +- 01-hello_world_1_service_1_deployment diff --git a/Istio/istio-classic/traffic_management/06-mTLS/deployment.yaml b/Istio/istio-classic/traffic_management/06-mTLS/deployment.yaml new file mode 100644 index 0000000..36e6b76 --- /dev/null +++ b/Istio/istio-classic/traffic_management/06-mTLS/deployment.yaml @@ -0,0 +1,48 @@ +# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld +--- +#apiVersion: v1 +#kind: ServiceAccount +#metadata: +# name: istio-helloworld +# labels: +# account: +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: +# serviceAccountName: istio-helloworld + containers: + - name: helloworld + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent #Always + ports: + - containerPort: 80 diff --git a/Istio/istio-classic/traffic_management/06-mTLS/gateway.yaml b/Istio/istio-classic/traffic_management/06-mTLS/gateway.yaml new file mode 100644 index 0000000..8ba8a20 --- /dev/null +++ b/Istio/istio-classic/traffic_management/06-mTLS/gateway.yaml 
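Review bot: For an mTLS exercise the `ServiceAccount` and `serviceAccountName: istio-helloworld` are the part that matters, and both are commented out, so the pod runs under the namespace's `default` service account and its SPIFFE identity becomes `spiffe://cluster.local/ns/<ns>/sa/default`, shared with every other default-SA workload in that namespace. Any later `AuthorizationPolicy` keyed on `principals` could therefore not single out helloworld; uncomment the ServiceAccount and set `serviceAccountName: istio-helloworld`. Nothing in this directory yet adds a `PeerAuthentication`, so mTLS here is whatever the mesh default is (PERMISSIVE unless the install changed it); a comment saying so, or the policy itself, would make the exercise self-contained.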
@@ -0,0 +1,36 @@ +# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway # use istio default controller + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - match: + - uri: + exact: /helloworld + route: + - destination: + host: helloworld + port: + number: 80 + rewrite: + uri: "/" \ No newline at end of file diff --git a/Istio/istio-classic/traffic_management/README.md b/Istio/istio-classic/traffic_management/README.md new file mode 100644 index 0000000..af3ca86 --- /dev/null +++ b/Istio/istio-classic/traffic_management/README.md @@ -0,0 +1,17 @@ +Should try to do a double Virtual Service chain + +https://academy.tetrate.io/courses/take/istio-fundamentals/lessons/19068816-lab-2-observing-failure-injection + + + +Internal TLS between gateway and services + + + +mtls + +https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/ + +automatic mtls (old) + +https://istio.io/v1.4/docs/tasks/security/authentication/auto-mtls/ \ No newline at end of file diff --git a/Istio/sidecar/01-visibility/README.md b/Istio/sidecar/01-visibility/README.md new file mode 100644 index 0000000..733e31c --- /dev/null +++ b/Istio/sidecar/01-visibility/README.md @@ -0,0 +1,8 @@ +https://github.com/steren/istio.github.io/blob/master/_docs/setup/kubernetes/sidecar-injection.md + +https://istio.io/latest/docs/reference/config/networking/sidecar/ + + +# Continues from + +- 01-hello_world_1_service_1_deployment diff --git a/Istio/sidecar/01-visibility/deployment.yaml b/Istio/sidecar/01-visibility/deployment.yaml new file mode 100644 index 0000000..36e6b76 --- /dev/null 
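Review bot: This Gateway/VirtualService pair is byte-identical to the one under `envoy/01-envoy_add_headers` and reuses the names `helloworld-gateway` and `helloworld-vs` with no namespace, so applying two lab directories into the same namespace makes the second silently overwrite the first. Since this copy belongs to the mTLS exercise, it is worth stating that Istio mTLS only covers the gateway-to-sidecar hop: the client-to-gateway hop on this `protocol: HTTP` port 80 server stays cleartext, e.g. `# mTLS applies behind the gateway; the external hop here is plaintext HTTP`.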
+++ b/Istio/sidecar/01-visibility/deployment.yaml @@ -0,0 +1,48 @@ +# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld +--- +#apiVersion: v1 +#kind: ServiceAccount +#metadata: +# name: istio-helloworld +# labels: +# account: +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: +# serviceAccountName: istio-helloworld + containers: + - name: helloworld + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent #Always + ports: + - containerPort: 80 diff --git a/Istio/sidecar/01-visibility/gateway.yaml b/Istio/sidecar/01-visibility/gateway.yaml new file mode 100644 index 0000000..8ba8a20 --- /dev/null +++ b/Istio/sidecar/01-visibility/gateway.yaml @@ -0,0 +1,36 @@ +# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway # use istio default controller + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - match: + - uri: + exact: /helloworld + route: + - destination: + host: helloworld + port: + number: 80 + rewrite: + uri: "/" \ No newline at end of file diff --git a/Istio/sidecar/01-visibility/sidecar.yaml b/Istio/sidecar/01-visibility/sidecar.yaml new file mode 100644 index 0000000..f3f7b3f --- /dev/null +++ b/Istio/sidecar/01-visibility/sidecar.yaml 
@@ -0,0 +1,11 @@
+apiVersion:
+ networking.istio.io/v1alpha3
+kind: Sidecar
+metadata:
+ name: default
+ namespace: foo
+spec:
+ egress:
+ - hosts:
+ - "./*"
+ - "istio-system/*"
\ No newline at end of file
diff --git a/Istio/sidecar/01-visibility/tmp.yaml b/Istio/sidecar/01-visibility/tmp.yaml
new file mode 100644
index 0000000..bdb6202
--- /dev/null
+++ b/Istio/sidecar/01-visibility/tmp.yaml
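Review bot: The Sidecar is created in `namespace: foo`, but the helloworld Deployment and Service in the same directory carry no namespace, so unless `kubectl` is run with `-n foo` the workload lands elsewhere and this Sidecar never applies to it; put both in the same namespace. The `egress.hosts` list of `./*` and `istio-system/*` is the useful part: it stops the proxy from being handed routes and clusters for every service in the mesh, which is both a least-privilege egress control and a large cut in xDS config, so a comment such as `# only this namespace and istio-system are reachable from this proxy` would answer the README's "how or why" question. A Sidecar named `default` in a namespace is inherited by every workload there that no more specific `workloadSelector` matches, which is worth noting before it is applied to a shared namespace.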
@@ -0,0 +1,235 @@ +# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld +--- +#apiVersion: v1 +#kind: ServiceAccount +#metadata: +# name: istio-helloworld +# labels: +# account: +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app: helloworld + name: helloworld-nginx +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + strategy: {} + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: helloworld + kubectl.kubernetes.io/default-logs-container: helloworld + prometheus.io/path: /stats/prometheus + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' + creationTimestamp: null + labels: + app: helloworld + security.istio.io/tlsMode: istio + service.istio.io/canonical-name: helloworld + service.istio.io/canonical-revision: latest + spec: + containers: + - image: nginx + imagePullPolicy: IfNotPresent + name: helloworld + ports: + - containerPort: 80 + resources: + requests: + cpu: 100m + - args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --proxyLogLevel=warning + - --proxyComponentLogLevel=misc:error + - --log_output_level=default:info + - --concurrency + - "2" + env: + - name: JWT_POLICY + value: third-party-jwt + - name: PILOT_CERT_PROVIDER + value: istiod + - name: CA_ADDR + value: istiod.istio-system.svc:15012 + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - 
name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {"containerPort":80} + ] + - name: ISTIO_META_APP_CONTAINERS + value: helloworld + - name: ISTIO_META_CLUSTER_ID + value: Kubernetes + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local + image: istio/proxyv2:1.16.1 + name: istio-proxy + ports: + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 1 + periodSeconds: 2 + timeoutSeconds: 3 + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/credential-uds + name: credential-socket + - mountPath: /var/run/secrets/workload-spiffe-credentials + name: workload-certs + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + initContainers: + - args: + - istio-iptables + - -p + - "15001" + - -z + - "15006" + - -u + - "1337" + - -m + - REDIRECT + - -i + - '*' + - -x + - "" + - -b + - '*' + - -d + - 15090,15021,15020 + - --log_output_level=default:info + image: istio/proxyv2:1.16.1 + name: istio-init + resources: + limits: + cpu: 
"2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + volumes: + - name: workload-socket + - name: credential-socket + - name: workload-certs + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: {} + name: istio-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert +status: {} +--- diff --git a/Istio/sidecar/README.md b/Istio/sidecar/README.md new file mode 100644 index 0000000..156694b --- /dev/null +++ b/Istio/sidecar/README.md @@ -0,0 +1,23 @@ +https://istio.io/latest/docs/reference/config/networking/sidecar/ + + +https://istio.io/latest/docs/reference/glossary/#workload + + +I am not very sure on how or why to use this... + + + +```yaml +apiVersion: + networking.istio.io/v1alpha3 +kind: Sidecar +metadata: + name: default + namespace: foo +spec: + egress: + - hosts: + - "./*" + - "istio-system/*" +``` \ No newline at end of file diff --git a/README.md b/README.md index 00bf9ef..0c08e8b 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ # Surely only the following folders work / have any meaningful information -- [Istio](./Istio) \ No newline at end of file +- [Istio](./Istio) + +
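Review bot: `tmp.yaml` is a captured post-injection Deployment (it carries `sidecar.istio.io/status`, the `istio-proxy` container pinned to `istio/proxyv2:1.16.1`, and the `istio-init` init container running as root with `NET_ADMIN`/`NET_RAW`); applying it re-creates the injected pod by hand, and as far as I know the injector skips pods that already carry the status annotation, so this pod would stay on 1.16.1 with the hard-coded `CA_ADDR` and `TRUST_DOMAIN` even after the control plane is upgraded. If it is meant as reference output, a top comment `# captured with kubectl get deploy -o yaml after injection; reference only, do not apply` would prevent that; if it is meant to be applied, drop the injected containers, volumes and annotations and let the webhook inject. The `istio-token` projected token (`audience: istio-ca`, `expirationSeconds: 43200`) is the workload's identity bootstrap, which is another reason not to fork this by hand.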