From a9ac7ceded93728f1278dcd20aaa35aefdc937e9 Mon Sep 17 00:00:00 2001 From: Oriol Date: Fri, 14 Apr 2023 17:44:16 +0100 Subject: [PATCH] backup --- Istio/sidecar/01-visibility/01-namespace.yaml | 8 + Istio/sidecar/01-visibility/README.md | 19 + Istio/sidecar/01-visibility/deployment.yaml | 3 + Istio/sidecar/01-visibility/gateway.yaml | 2 +- Istio/sidecar/01-visibility/sidecar.yaml | 20 +- Istio/sidecar/01-visibility/tmp.yaml | 464 +++++++++--------- Istio/sidecar/tmp-visibility/sidecar.yaml | 27 + Istio/sidecar/tmp-visibility/workload.yaml | 11 + 8 files changed, 317 insertions(+), 237 deletions(-) create mode 100644 Istio/sidecar/01-visibility/01-namespace.yaml create mode 100644 Istio/sidecar/tmp-visibility/sidecar.yaml create mode 100644 Istio/sidecar/tmp-visibility/workload.yaml diff --git a/Istio/sidecar/01-visibility/01-namespace.yaml b/Istio/sidecar/01-visibility/01-namespace.yaml new file mode 100644 index 0000000..e63c0e0 --- /dev/null +++ b/Istio/sidecar/01-visibility/01-namespace.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: visiblent + labels: +# istio-injection: "false" + istio-injection: "enabled" +--- \ No newline at end of file diff --git a/Istio/sidecar/01-visibility/README.md b/Istio/sidecar/01-visibility/README.md index 733e31c..f37efb2 100644 --- a/Istio/sidecar/01-visibility/README.md +++ b/Istio/sidecar/01-visibility/README.md @@ -6,3 +6,22 @@ https://istio.io/latest/docs/reference/config/networking/sidecar/ # Continues from - 01-hello_world_1_service_1_deployment + + + +the labbel `workloadSelector` only affects the pods. + +```yaml + workloadSelector: +``` + + + + +```sh +kubectl create namespace istio-config +``` + + + +No fucking clue on how to make it NOT work. \ No newline at end of file diff --git a/Istio/sidecar/01-visibility/deployment.yaml b/Istio/sidecar/01-visibility/deployment.yaml index 36e6b76..da44c94 100644 --- a/Istio/sidecar/01-visibility/deployment.yaml 
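Review bot: The commented-out alternative `# istio-injection: "false"` in `01-namespace.yaml` is a misleading leftover: the values Istio documents for this label are `enabled` and `disabled`, so `"false"` would only suppress injection by failing to match `enabled`, not by being understood. Replace it with `# istio-injection: disabled` or drop the comment altogether. The file also ends on a stray `---` document separator with no trailing newline; it parses, but nothing follows it, so remove it.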
+++ b/Istio/sidecar/01-visibility/deployment.yaml @@ -6,6 +6,7 @@ metadata: labels: app: helloworld service: helloworld + namespace: visiblent spec: ports: - port: 80 @@ -26,6 +27,7 @@ metadata: name: helloworld-nginx labels: app: helloworld + namespace: visiblent spec: replicas: 1 selector: @@ -35,6 +37,7 @@ spec: metadata: labels: app: helloworld + namespace: visiblent spec: # serviceAccountName: istio-helloworld containers: diff --git a/Istio/sidecar/01-visibility/gateway.yaml b/Istio/sidecar/01-visibility/gateway.yaml index 8ba8a20..ea57ed8 100644 --- a/Istio/sidecar/01-visibility/gateway.yaml +++ b/Istio/sidecar/01-visibility/gateway.yaml @@ -29,7 +29,7 @@ spec: exact: /helloworld route: - destination: - host: helloworld + host: helloworld.visiblent.svc.cluster.local port: number: 80 rewrite: diff --git a/Istio/sidecar/01-visibility/sidecar.yaml b/Istio/sidecar/01-visibility/sidecar.yaml index f3f7b3f..7faeb95 100644 --- a/Istio/sidecar/01-visibility/sidecar.yaml +++ b/Istio/sidecar/01-visibility/sidecar.yaml @@ -1,11 +1,23 @@ -apiVersion: - networking.istio.io/v1alpha3 +## First we overide the default configuration. +# This configures the egress, to only allow egress within the same namespace, and to `istio-system` +apiVersion: networking.istio.io/v1beta1 kind: Sidecar metadata: name: default - namespace: foo + namespace: istio-config spec: egress: - hosts: - "./*" - - "istio-system/*" \ No newline at end of file +# - "istio-system/*" +--- +apiVersion: networking.istio.io/v1beta1 +kind: Sidecar +metadata: + name: default + namespace: visiblent +spec: + egress: + - hosts: + - "visiblent/*" + - "istio-system/*" diff --git a/Istio/sidecar/01-visibility/tmp.yaml b/Istio/sidecar/01-visibility/tmp.yaml index bdb6202..7c95865 100644 --- a/Istio/sidecar/01-visibility/tmp.yaml +++ b/Istio/sidecar/01-visibility/tmp.yaml 
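Review bot: The third hunk of `deployment.yaml` (`@@ -35,6 +37,7 @@`) adds `namespace: visiblent` to the pod template's `metadata`, where as far as I can tell it has no effect, since Pods created by a Deployment always land in the Deployment's own namespace; drop the line there and keep it only on the Service and Deployment objects. Because the collapsed diff loses indentation, also confirm that in all three hunks `namespace` sits at two spaces under `metadata` and not at four under `labels`, where it would silently become a label. Hardcoding the namespace in the manifest also means `kubectl apply -n <other-namespace>` now fails on the mismatch, which is fine if that is intended. The enclosing objects start outside each hunk.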
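Review bot: The comment added at the top of the `istio-config` Sidecar in `sidecar.yaml` says egress is allowed "within the same namespace, and to `istio-system`", but on the new side the `istio-system/*` host is commented out (`+# - "istio-system/*"`), so the comment and the spec disagree; either restore the entry or change the comment to `# Restricts egress to the workload's own namespace only`. Unless `meshConfig.rootNamespace` has been set to `istio-config`, a Sidecar named `default` in that namespace only governs workloads inside `istio-config` itself, because Istio's default root namespace is `istio-system`; that may be why the README reports the restriction never taking effect. Note also that the per-namespace Sidecar added for `visiblent` replaces rather than merges with the root one, so for that namespace the root default is irrelevant. Minor: "overide" → "override" in the header comment.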
@@ -1,235 +1,235 @@ -# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml -apiVersion: v1 -kind: Service -metadata: - name: helloworld - labels: - app: helloworld - service: helloworld -spec: - ports: - - port: 80 - name: http - selector: - app: helloworld ---- +## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml #apiVersion: v1 -#kind: ServiceAccount +#kind: Service #metadata: -# name: istio-helloworld +# name: helloworld # labels: -# account: ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - app: helloworld - name: helloworld-nginx -spec: - replicas: 1 - selector: - matchLabels: - app: helloworld - strategy: {} - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: helloworld - kubectl.kubernetes.io/default-logs-container: helloworld - prometheus.io/path: /stats/prometheus - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' - creationTimestamp: null - labels: - app: helloworld - security.istio.io/tlsMode: istio - service.istio.io/canonical-name: helloworld - service.istio.io/canonical-revision: latest - spec: - containers: - - image: nginx - imagePullPolicy: IfNotPresent - name: helloworld - ports: - - containerPort: 80 - resources: - requests: - cpu: 100m - - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - - --concurrency - - "2" - env: - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: POD_NAME - valueFrom: - 
fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {"containerPort":80} - ] - - name: ISTIO_META_APP_CONTAINERS - value: helloworld - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - image: istio/proxyv2:1.16.1 - name: istio-proxy - ports: - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 1 - periodSeconds: 2 - timeoutSeconds: 3 - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/credential-uds - name: credential-socket - - mountPath: /var/run/secrets/workload-spiffe-credentials - name: workload-certs - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - initContainers: - - args: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - 
15090,15021,15020 - - --log_output_level=default:info - image: istio/proxyv2:1.16.1 - name: istio-init - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - volumes: - - name: workload-socket - - name: credential-socket - - name: workload-certs - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: {} - name: istio-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert -status: {} ---- +# app: helloworld +# service: helloworld +#spec: +# ports: +# - port: 80 +# name: http +# selector: +# app: helloworld +#--- +##apiVersion: v1 +##kind: ServiceAccount +##metadata: +## name: istio-helloworld +## labels: +## account: +#--- +#apiVersion: apps/v1 +#kind: Deployment +#metadata: +# creationTimestamp: null +# labels: +# app: helloworld +# name: helloworld-nginx +#spec: +# replicas: 1 +# selector: +# matchLabels: +# app: helloworld +# strategy: {} +# template: +# metadata: +# annotations: +# kubectl.kubernetes.io/default-container: helloworld +# kubectl.kubernetes.io/default-logs-container: helloworld +# prometheus.io/path: /stats/prometheus +# prometheus.io/port: "15020" +# prometheus.io/scrape: "true" +# sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' +# 
creationTimestamp: null +# labels: +# app: helloworld +# security.istio.io/tlsMode: istio +# service.istio.io/canonical-name: helloworld +# service.istio.io/canonical-revision: latest +# spec: +# containers: +# - image: nginx +# imagePullPolicy: IfNotPresent +# name: helloworld +# ports: +# - containerPort: 80 +# resources: +# requests: +# cpu: 100m +# - args: +# - proxy +# - sidecar +# - --domain +# - $(POD_NAMESPACE).svc.cluster.local +# - --proxyLogLevel=warning +# - --proxyComponentLogLevel=misc:error +# - --log_output_level=default:info +# - --concurrency +# - "2" +# env: +# - name: JWT_POLICY +# value: third-party-jwt +# - name: PILOT_CERT_PROVIDER +# value: istiod +# - name: CA_ADDR +# value: istiod.istio-system.svc:15012 +# - name: POD_NAME +# valueFrom: +# fieldRef: +# fieldPath: metadata.name +# - name: POD_NAMESPACE +# valueFrom: +# fieldRef: +# fieldPath: metadata.namespace +# - name: INSTANCE_IP +# valueFrom: +# fieldRef: +# fieldPath: status.podIP +# - name: SERVICE_ACCOUNT +# valueFrom: +# fieldRef: +# fieldPath: spec.serviceAccountName +# - name: HOST_IP +# valueFrom: +# fieldRef: +# fieldPath: status.hostIP +# - name: PROXY_CONFIG +# value: | +# {} +# - name: ISTIO_META_POD_PORTS +# value: |- +# [ +# {"containerPort":80} +# ] +# - name: ISTIO_META_APP_CONTAINERS +# value: helloworld +# - name: ISTIO_META_CLUSTER_ID +# value: Kubernetes +# - name: ISTIO_META_INTERCEPTION_MODE +# value: REDIRECT +# - name: ISTIO_META_MESH_ID +# value: cluster.local +# - name: TRUST_DOMAIN +# value: cluster.local +# image: istio/proxyv2:1.16.1 +# name: istio-proxy +# ports: +# - containerPort: 15090 +# name: http-envoy-prom +# protocol: TCP +# readinessProbe: +# failureThreshold: 30 +# httpGet: +# path: /healthz/ready +# port: 15021 +# initialDelaySeconds: 1 +# periodSeconds: 2 +# timeoutSeconds: 3 +# resources: +# limits: +# cpu: "2" +# memory: 1Gi +# requests: +# cpu: 100m +# memory: 128Mi +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# 
drop: +# - ALL +# privileged: false +# readOnlyRootFilesystem: true +# runAsGroup: 1337 +# runAsNonRoot: true +# runAsUser: 1337 +# volumeMounts: +# - mountPath: /var/run/secrets/workload-spiffe-uds +# name: workload-socket +# - mountPath: /var/run/secrets/credential-uds +# name: credential-socket +# - mountPath: /var/run/secrets/workload-spiffe-credentials +# name: workload-certs +# - mountPath: /var/run/secrets/istio +# name: istiod-ca-cert +# - mountPath: /var/lib/istio/data +# name: istio-data +# - mountPath: /etc/istio/proxy +# name: istio-envoy +# - mountPath: /var/run/secrets/tokens +# name: istio-token +# - mountPath: /etc/istio/pod +# name: istio-podinfo +# initContainers: +# - args: +# - istio-iptables +# - -p +# - "15001" +# - -z +# - "15006" +# - -u +# - "1337" +# - -m +# - REDIRECT +# - -i +# - '*' +# - -x +# - "" +# - -b +# - '*' +# - -d +# - 15090,15021,15020 +# - --log_output_level=default:info +# image: istio/proxyv2:1.16.1 +# name: istio-init +# resources: +# limits: +# cpu: "2" +# memory: 1Gi +# requests: +# cpu: 100m +# memory: 128Mi +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# add: +# - NET_ADMIN +# - NET_RAW +# drop: +# - ALL +# privileged: false +# readOnlyRootFilesystem: false +# runAsGroup: 0 +# runAsNonRoot: false +# runAsUser: 0 +# volumes: +# - name: workload-socket +# - name: credential-socket +# - name: workload-certs +# - emptyDir: +# medium: Memory +# name: istio-envoy +# - emptyDir: {} +# name: istio-data +# - downwardAPI: +# items: +# - fieldRef: +# fieldPath: metadata.labels +# path: labels +# - fieldRef: +# fieldPath: metadata.annotations +# path: annotations +# name: istio-podinfo +# - name: istio-token +# projected: +# sources: +# - serviceAccountToken: +# audience: istio-ca +# expirationSeconds: 43200 +# path: istio-token +# - configMap: +# name: istio-ca-root-cert +# name: istiod-ca-cert +#status: {} +#--- 
diff --git a/Istio/sidecar/tmp-visibility/sidecar.yaml b/Istio/sidecar/tmp-visibility/sidecar.yaml
new file mode 100644
index 0000000..e4ccc71
--- /dev/null
+++ b/Istio/sidecar/tmp-visibility/sidecar.yaml
@@ -0,0 +1,27 @@
+apiVersion:
+ networking.istio.io/v1alpha3
+kind: Sidecar
+metadata:
+ name: default
+ namespace: foo
+spec:
+ egress:
+ - hosts:
+ - "./*"
+ - "istio-system/*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Sidecar
+metadata:
+ name: default-sidecar
+ namespace: default
+spec:
+ workloadSelector:
+ labels:
+ version: v1
+ egress:
+ - hosts:
+ - "default/*"
+ - "istio-system/*"
+ - "staging/*"
+---
diff --git a/Istio/sidecar/tmp-visibility/workload.yaml b/Istio/sidecar/tmp-visibility/workload.yaml
new file mode 100644
index 0000000..652014c
--- /dev/null
+++ b/Istio/sidecar/tmp-visibility/workload.yaml
@@ -0,0 +1,11 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Sidecar
+metadata:
+ name: default-sidecar
+ namespace: default
+spec:
+ egress:
+ - hosts:
+ - "default/*"
+ - "istio-system/*"
+ - "staging/*"
\ No newline at end of file
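Review bot: `apiVersion:` in the first document of `tmp-visibility/sidecar.yaml` is split over two lines (`+apiVersion:` / `+ networking.istio.io/v1alpha3`); YAML folds it into a plain multi-line scalar, but it reads like a missing value and differs from the single-line form used in the second document — write `apiVersion: networking.istio.io/v1alpha3`. Both documents also stay on `v1alpha3` while `01-visibility/sidecar.yaml` in this same commit moves to `networking.istio.io/v1beta1`; pick one version for the directory. The first document targets `namespace: foo`, which nothing else in this commit creates — presumably a placeholder carried over from the Istio docs example, so confirm it is intentional.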
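Review bot: `tmp-visibility/workload.yaml` defines `Sidecar/default-sidecar` in namespace `default` with no `workloadSelector`, while the second document of `tmp-visibility/sidecar.yaml` defines the same name in the same namespace with `workloadSelector: labels: version: v1`. They are the same API object, so whichever is applied last overwrites the other and the `version: v1` scoping is silently gained or lost depending on apply order. Give the namespace-wide one a distinct name (for example `name: default`) or keep only one of the two. A Sidecar without a `workloadSelector` acts as the namespace-wide default, and Istio permits only one such resource per namespace.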