Minor organization refactor.

Partially done 06-mTLS from the traffic management documentation.

Deleted some unnecessary files.

Some other minor changes.
savagebidoof
2023-04-21 04:39:00 +02:00
parent c850b09d0a
commit 8a4a1e5548
70 changed files with 823 additions and 151 deletions


@ -2,7 +2,9 @@
- 01-hello_world_1_service_1_deployment
# TO TRAFFIC PATH DIAGRAM etc -> "POD" -> sidecar -> service container
# TO TRAFFIC PATH DIAGRAM
`etc -> "POD" -> sidecar -> service container`
# Description


@ -4,7 +4,7 @@ kind: Service
metadata:
name: helloworld
labels:
app-name: helloworld
app: helloworld
spec:
ports:
- port: 8080


@ -1,12 +0,0 @@
# Continues from
- 01-hello_world_1_service_1_deployment
# Description
This example configures the sidecar proxy on the pods created, to forward the traffic ongoing (egress)
- Configure egress to a different namespace?


@ -1,14 +0,0 @@
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: helloworld-sidecar
spec:
workloadSelector:
labels:
app: helloworld
ingress:
- port:
number: 8080
protocol: HTTP
name: ingressport
defaultEndpoint: 127.0.0.1:80


@ -7,6 +7,7 @@
Duplicate 01, and show how it also affects traffic between services.00
@ -17,9 +18,55 @@ mtls
examples showing application priority (root < namespace < workload)
istioctl install profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
```shell
$ kubectl get istiooperators.install.istio.io -n istio-system
NAME REVISION STATUS AGE
installed-state 8d
```
kubectl patch istiooperators installed-state -n istio-system --patch-file patch.txt
kubectl patch istiooperators installed-state -n istio-system --patch-file patch.yaml --type merge
---
Set the default behavior of the sidecar for handling outbound traffic from the application. If your application uses one or more external services that are not known apriori, setting the policy to ALLOW_ANY will cause the sidecars to route any unknown traffic originating from the application to its requested destination.
---
https://stackoverflow.com/questions/75093144/istio-sidecar-is-not-restricting-pod-connections-as-desired
https://github.com/istio/istio/issues/33387
https://gist.github.com/GregHanson/3567f5a23bcd58ad1a8acf2a4d1155eb
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/?_ga=2.259114634.1481027401.1681916557-32589553.1681916557#change-to-the-blocking-by-default-policy
https://docs.tetrate.io/service-bridge/1.6.x/en-us/operations ?
https://istio.io/latest/docs/reference/config/networking/sidecar/


@ -4,7 +4,7 @@ kind: Service
metadata:
name: helloworld
labels:
app-name: helloworld
app: helloworld
spec:
ports:
- port: 8080


@ -2,38 +2,41 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
name: internal
labels:
app-name: helloworld
namespace: not-default
app: internal
namespace: foo
spec:
ports:
- port: 8080
name: http
- port: 80
name: http-default
selector:
app: helloworld
app: internal
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
name: internal
labels:
app: helloworld
namespace: not-default
app: internal
namespace: foo
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
app: internal
template:
metadata:
labels:
app: helloworld
# namespace: not-default
app: internal
service: apache
spec:
containers:
- name: helloworld
image: nginx
- name: internal
image: httpd
resources:
requests:
cpu: "100m"
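Review bot: `namespace: foo` is printed directly after the `labels:` entries in both the Service and the Deployment metadata, and because this rendering drops indentation it is impossible to tell whether it is a label or `metadata.namespace`; if it is a label, both objects land in whatever namespace `kubectl apply` is run against, no `internal` Service exists in `foo`, and `internal.foo.svc.cluster.local` cannot resolve — which is exactly the `curl: (6) Could not resolve host` recorded in the README added by this commit. Make the placement unambiguous with `metadata:` / `  name: internal` / `  namespace: foo` and keep `labels:` to `app: internal` in both documents, or leave the manifests namespace-less and apply them with `-n foo`. The same ambiguity applies to the `namespace: not-default` lines on the old side. The Deployment's container spec continues past the end of the hunk, so anything below `resources.requests` is not reviewed here.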


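--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,71 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+name: root-default
+# namespace: default
+namespace: istio-system
+spec:
+# workloadSelector:
+# labels:
+# app: helloworld
+egress:
+- hosts:
+- "./*"
+# - "istio-system/*"
+# ingress:
+# - port:
+# number: 8080
+# protocol: HTTP
+# name: ingressport
+# defaultEndpoint: 127.0.0.1:80
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+name: helloworld-default
+namespace: default
+# namespace: istio-system
+spec:
+# workloadSelector:
+# labels:
+# app: helloworld
+# egress:
+# - port:
+# number: 8080
+# protocol: HTTP
+# name: egresshttp
+## - "internal.foo.svc.cluster.local"
+# hosts:
+# - "foo/*"
+# - hosts:
+# - "istio-system/*"
+ingress:
+- port:
+number: 8080
+protocol: HTTP
+name: ingressport
+defaultEndpoint: 127.0.0.1:80
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+name: internal-default
+namespace: foo
+spec:
+workloadSelector:
+labels:
+app: internal
+egress:
+- hosts:
+- "./*"
+- "istio-system/*"
+#- "wikipedia.com"
+ingress:
+# - hosts:
+# - "./*"
+# - "istio-system/*"
+- port:
+number: 8080
+protocol: HTTP
+name: myingressport
+defaultEndpoint: 127.0.0.1:80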
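Review bot: The `helloworld-default` Sidecar (second document, namespace `default`) has its whole `egress` section commented out, so — as I read Istio's Sidecar semantics, where an unspecified egress inherits the namespace or root default — it takes the `root-default` egress of `./*`, and with `outboundTrafficPolicy.mode=REGISTRY_ONLY` set elsewhere in this commit the `helloworld` workload has no route to `internal.foo.svc.cluster.local` even once that Service exists in `foo`. The narrow root default is the right least-privilege baseline; widen only the namespace-scoped resource for the one workload that needs `foo`, and keep `istio-system/*` in it so the proxy retains reachability to the mesh's own services. The commented draft above `ingress:` mixes an earlier port-listener experiment with the hosts list; replacing it with the block below is sufficient, and the `ingress` listener below it stays as is.
```yaml
spec:
  egress:
    - hosts:
        - "./*"
        - "istio-system/*"
        - "foo/*"
  # … unchanged: ingress listener on 8080 -> 127.0.0.1:80 …
```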


@ -0,0 +1,51 @@
# Continues from
- 01-ingress-proxy-forwarding
# Description
This example configures the sidecar proxy on the pods created, to forward the traffic ongoing (egress)
- Configure egress to a different namespace?
> the configured meshconfig.rootNamespace namespace (istio-system by default)
https://istio.io/latest/docs/ops/best-practices/traffic-management/#cross-namespace-configuration
CANT MAKE IT WORK CANT MAKE IT WORK CANT MAKE IT WORK
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
---
kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}'
kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- /bin/bash
kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl internal.foo.svc.cluster.local
curl helloworld.default.svc.cluster.local
curl internal.foo.svc.cluster.local
curl: (6) Could not resolve host: internal.foo.svc.cluster.local
helloworld.default.svc.cluster.local:8080
kubectl exec -i -n foo -t "$(kubectl get pod -l app=internal -n foo | tail -n 1 | awk '{print $1}')" -- /bin/bash


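--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,5 @@
+spec:
+meshConfig:
+outboundTrafficPolicy:
+mode: REGISTRY_ONLY
+# Doesnt work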
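Review bot: The `# Doesnt work` comment records a failure without saying what was tried or why, which leaves the next reader to rediscover it. As far as I can tell from the `kubectl patch istiooperators installed-state` commands in the docs hunk of this commit, the likely cause is that patching the `installed-state` IstioOperator only edits the record of the last install and does not reconfigure the mesh unless an operator controller is reconciling it, whereas the `istioctl install --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY` used in the README does take effect. Suggested replacement for the comment: `# NOTE: patching installed-state does not re-apply meshConfig; re-run istioctl install --set ... instead`. Whichever path is used, the effective policy can be confirmed by reading the `istio` ConfigMap in `istio-system` rather than trusting the CR.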


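--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,62 @@
+#apiVersion: networking.istio.io/v1beta1
+#kind: Sidecar
+#metadata:
+# name: helloworld-default
+# namespace: default
+## namespace: istio-config
+#spec:
+## workloadSelector:
+## labels:
+## app: helloworld
+## egress:
+## - hosts:
+## - "./*"
+## - "istio-system/*"
+# ingress:
+# - port:
+# number: 8080
+# protocol: HTTP
+# name: ingressport
+# defaultEndpoint: 127.0.0.1:80
+---
+#apiVersion: networking.istio.io/v1alpha3
+#kind: Sidecar
+#metadata:
+# name: helloworld-sidecar
+#spec:
+# workloadSelector:
+# labels:
+# app: helloworld
+# ingress:
+# - port:
+# number: 8080
+# protocol: HTTP
+# name: ingressport
+# defaultEndpoint: 127.0.0.1:80
+#---
+#apiVersion: networking.istio.io/v1beta1
+#kind: Sidecar
+#metadata:
+# name: helloworld-default
+# namespace: default
+## namespace: istio-system
+#spec:
+# workloadSelector:
+# labels:
+# app: helloworld2
+# egress:
+# - port:
+# number: 9080
+# protocol: HTTP
+# name: httpingress
+# hosts:
+# - "foo/*"
+# - hosts:
+# - "istio-system/*"
+# ingress:
+# - port:
+# number: 8080
+# protocol: HTTP
+# name: ingressport
+# defaultEndpoint: 127.0.0.1:80
+#---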
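Review bot: This new file consists entirely of commented-out manifests (three Sidecar drafts, the last two separated by `#---`), so it contributes no configuration and is presumably skipped or rejected as an empty document by `kubectl apply -f` on the directory; a reader has no way to tell which draft was abandoned and why. Either drop the file, or add a one-line header such as `# Abandoned Sidecar drafts kept for reference; the working version is the live Sidecar file in this directory` and delete the drafts that the live file supersedes. Note also that the first draft mixes `v1alpha3` and `v1beta1` API versions across documents, which would be worth normalising if any of it is ever revived.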