Directory renaming

Istio/02-Traffic_management/09-HTTPS-backend/README.md

@@ -197,7 +197,7 @@ spec:
 ```
 
 > **Note**:\
-> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-target-service-accounts](../../06-Internal-Authentication/02-target-service-accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set.
+> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-target-service-accounts](../../06-AuthorizationPolicy/02-target-service-accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set.
 
 # Walkthrough
 

Istio/06-AuthorizationPolicy/04-audit/README.md

@@ -0,0 +1,17 @@
+
+# Based on
+
+Resources:
+
+- [01-Simple/01-hello_world_1_service_1_deployment](../../01-Simple/01-hello_world_1_service_1_deployment)
+
+AuthorizationPolicies:
+
+- [01-target-namespaces](../01-target-namespaces)
+
+# Description
+
+This example aims to trigger Audit rules, and where to see these events.
+
+
+https://istio.io/latest/docs/reference/config/security/authorization-policy/

Istio/06-AuthorizationPolicy/04-audit/authentication.yaml

@@ -0,0 +1,45 @@
+# Deny all requests to namespace foo
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-nothing
+  namespace: foo
+spec:
+  {}
+---
+# Deny all requests to namespace default
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-nothing
+  namespace: default
+spec:
+  {}
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-from-istio-system
+  namespace: foo
+spec:
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            namespaces: ["istio-system"]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-head-from-default
+  namespace: foo
+spec:
+  action: ALLOW
+  rules:
+    - from:
+      - source:
+          namespaces: ["default"]
+      to:
+      - operation:
+          methods: ["HEAD"]
+          notPaths: ["/secret*"]

Istio/06-AuthorizationPolicy/04-audit/deployment.yaml

@@ -0,0 +1,48 @@
+# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: helloworld
+  labels:
+    app: helloworld
+    service: helloworld
+spec:
+  ports:
+    - port: 80
+      name: http
+  selector:
+    app: helloworld
+---
+#apiVersion: v1
+#kind: ServiceAccount
+#metadata:
+#  name: istio-helloworld
+#  labels:
+#    account:
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: helloworld-nginx
+  labels:
+    app: helloworld
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: helloworld
+  template:
+    metadata:
+      labels:
+        app: helloworld
+    spec:
+#      serviceAccountName: istio-helloworld
+      containers:
+        - name: helloworld
+          image: nginx
+          resources:
+            requests:
+              cpu: "100m"
+          imagePullPolicy: IfNotPresent #Always
+          ports:
+            - containerPort: 80

Istio/06-AuthorizationPolicy/04-audit/gateway.yaml

@@ -1,8 +1,7 @@
-
 apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
-  name: bookinfo-gateway
+  name: helloworld-gateway
 spec:
   selector:
     istio: ingressgateway # use istio default controller
@@ -17,36 +16,20 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
-  name: bookinfo
+  name: helloworld-vs
 spec:
   hosts:
     - "*"
   gateways:
-    - bookinfo-gateway
+    - helloworld-gateway
   http:
-    - match:
-        - uri:
-            exact: /productpage
-        - uri:
-            prefix: /static
-        - uri:
-            exact: /login
-        - uri:
-            exact: /logout
-        - uri:
-            prefix: /api/v1/products
-      route:
-        - destination:
-            host: productpage
-            port:
-              number: 9080
     - match:
         - uri:
             exact: /helloworld
       route:
         - destination:
-            host: productpage
+            host: helloworld
             port:
-              number: 9080
+              number: 80
       rewrite:
-        uri: "/productpage"
+        uri: "/"

Istio/06-AuthorizationPolicy/README.md

@@ -10,7 +10,17 @@
 
 - Audit / logs (should be the 3th)
 
+- disable mTLS (4th)
 
 JWT seems important, refer to source.requestPrincipals
 
-https://istio.io/latest/docs/tasks/security/authentication/
+https://istio.io/latest/docs/tasks/security/authentication/
+
+
+
+Per deployment:
+```yaml
+  selector:
+    matchLabels:
+      app: myapi
+```

Istio/__bookshelf/README.md

@@ -1 +0,0 @@
-# Example from istio, storing it for testing purposes

Istio/__bookshelf/bookinfo.yaml

@@ -1,343 +0,0 @@
-# Copyright Istio Authors
-#
-#   Licensed under the Apache License, Version 2.0 (the "License");
-#   you may not use this file except in compliance with the License.
-#   You may obtain a copy of the License at
-#
-#       http://www.apache.org/licenses/LICENSE-2.0
-#
-#   Unless required by applicable law or agreed to in writing, software
-#   distributed under the License is distributed on an "AS IS" BASIS,
-#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-#   See the License for the specific language governing permissions and
-#   limitations under the License.
-
-##################################################################################################
-# This file defines the services, service accounts, and deployments for the Bookinfo sample.
-#
-# To apply all 4 Bookinfo services, their corresponding service accounts, and deployments:
-#
-#   kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
-#
-# Alternatively, you can deploy any resource separately:
-#
-#   kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l service=reviews # reviews Service
-#   kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l account=reviews # reviews ServiceAccount
-#   kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l app=reviews,version=v3 # reviews-v3 Deployment
-##################################################################################################
-
-##################################################################################################
-# Details service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
-  name: details
-  labels:
-    app: details
-    service: details
-spec:
-  ports:
-    - port: 9080
-      name: http
-  selector:
-    app: details
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: bookinfo-details
-  labels:
-    account: details
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: details-v1
-  labels:
-    app: details
-    version: v1
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: details
-      version: v1
-  template:
-    metadata:
-      labels:
-        app: details
-        version: v1
-    spec:
-      serviceAccountName: bookinfo-details
-      containers:
-        - name: details
-          image: docker.io/istio/examples-bookinfo-details-v1:1.17.0
-          imagePullPolicy: IfNotPresent
-          ports:
-            - containerPort: 9080
-          securityContext:
-            runAsUser: 1000
----
-##################################################################################################
-# Ratings service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
-  name: ratings
-  labels:
-    app: ratings
-    service: ratings
-spec:
-  ports:
-    - port: 9080
-      name: http
-  selector:
-    app: ratings
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: bookinfo-ratings
-  labels:
-    account: ratings
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: ratings-v1
-  labels:
-    app: ratings
-    version: v1
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: ratings
-      version: v1
-  template:
-    metadata:
-      labels:
-        app: ratings
-        version: v1
-    spec:
-      serviceAccountName: bookinfo-ratings
-      containers:
-        - name: ratings
-          image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0
-          imagePullPolicy: IfNotPresent
-          ports:
-            - containerPort: 9080
-          securityContext:
-            runAsUser: 1000
----
-##################################################################################################
-# Reviews service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
-  name: reviews
-  labels:
-    app: reviews
-    service: reviews
-spec:
-  ports:
-    - port: 9080
-      name: http
-  selector:
-    app: reviews
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: bookinfo-reviews
-  labels:
-    account: reviews
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: reviews-v1
-  labels:
-    app: reviews
-    version: v1
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: reviews
-      version: v1
-  template:
-    metadata:
-      labels:
-        app: reviews
-        version: v1
-    spec:
-      serviceAccountName: bookinfo-reviews
-      containers:
-        - name: reviews
-          image: docker.io/istio/examples-bookinfo-reviews-v1:1.17.0
-          imagePullPolicy: IfNotPresent
-          env:
-            - name: LOG_DIR
-              value: "/tmp/logs"
-          ports:
-            - containerPort: 9080
-          volumeMounts:
-            - name: tmp
-              mountPath: /tmp
-            - name: wlp-output
-              mountPath: /opt/ibm/wlp/output
-          securityContext:
-            runAsUser: 1000
-      volumes:
-        - name: wlp-output
-          emptyDir: {}
-        - name: tmp
-          emptyDir: {}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: reviews-v2
-  labels:
-    app: reviews
-    version: v2
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: reviews
-      version: v2
-  template:
-    metadata:
-      labels:
-        app: reviews
-        version: v2
-    spec:
-      serviceAccountName: bookinfo-reviews
-      containers:
-        - name: reviews
-          image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0
-          imagePullPolicy: IfNotPresent
-          env:
-            - name: LOG_DIR
-              value: "/tmp/logs"
-          ports:
-            - containerPort: 9080
-          volumeMounts:
-            - name: tmp
-              mountPath: /tmp
-            - name: wlp-output
-              mountPath: /opt/ibm/wlp/output
-          securityContext:
-            runAsUser: 1000
-      volumes:
-        - name: wlp-output
-          emptyDir: {}
-        - name: tmp
-          emptyDir: {}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: reviews-v3
-  labels:
-    app: reviews
-    version: v3
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: reviews
-      version: v3
-  template:
-    metadata:
-      labels:
-        app: reviews
-        version: v3
-    spec:
-      serviceAccountName: bookinfo-reviews
-      containers:
-        - name: reviews
-          image: docker.io/istio/examples-bookinfo-reviews-v3:1.17.0
-          imagePullPolicy: IfNotPresent
-          env:
-            - name: LOG_DIR
-              value: "/tmp/logs"
-          ports:
-            - containerPort: 9080
-          volumeMounts:
-            - name: tmp
-              mountPath: /tmp
-            - name: wlp-output
-              mountPath: /opt/ibm/wlp/output
-          securityContext:
-            runAsUser: 1000
-      volumes:
-        - name: wlp-output
-          emptyDir: {}
-        - name: tmp
-          emptyDir: {}
----
-##################################################################################################
-# Productpage services
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
-  name: productpage
-  labels:
-    app: productpage
-    service: productpage
-spec:
-  ports:
-    - port: 9080
-      name: http
-  selector:
-    app: productpage
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: bookinfo-productpage
-  labels:
-    account: productpage
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: productpage-v1
-  labels:
-    app: productpage
-    version: v1
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: productpage
-      version: v1
-  template:
-    metadata:
-      labels:
-        app: productpage
-        version: v1
-    spec:
-      serviceAccountName: bookinfo-productpage
-      containers:
-        - name: productpage
-          image: docker.io/istio/examples-bookinfo-productpage-v1:1.17.0
-          imagePullPolicy: IfNotPresent
-          ports:
-            - containerPort: 9080
-          volumeMounts:
-            - name: tmp
-              mountPath: /tmp
-          securityContext:
-            runAsUser: 1000
-      volumes:
-        - name: tmp
-          emptyDir: {}
----