Remove the destination rule in peer authn doc. (#10117)

* Remove the destination rule in peer authn doc.

* update with snip test.

* fix test.sh.

* update the test.sh

* test.sh again.

* test 3rd time.

* test.sh 5th

* test.sh 6th time.
Jianfei Hu 2021-08-14 22:08:55 -07:00 committed by GitHub
parent d8792a4548
commit 00f76de374
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 126 deletions


@ -158,7 +158,7 @@ You see requests still succeed, except for those from the client that doesn't ha
### Cleanup part 1 ### Cleanup part 1
Remove global authentication policy and destination rules added in the session: Remove global authentication policy added in the session:
{{< text bash >}} {{< text bash >}}
$ kubectl delete peerauthentication -n istio-system default $ kubectl delete peerauthentication -n istio-system default
@ -201,9 +201,7 @@ sleep.legacy to httpbin.legacy: 200
### Enable mutual TLS per workload ### Enable mutual TLS per workload
To set a peer authentication policy for a specific workload, you must configure the `selector` section and specify the labels that match the desired workload. However, Istio cannot aggregate workload-level policies for outbound mutual TLS traffic to a service. Configure a destination rule to manage that behavior. To set a peer authentication policy for a specific workload, you must configure the `selector` section and specify the labels that match the desired workload. For example, the following peer authentication policy enables strict mutual TLS for the `httpbin.bar` workload:
For example, the following peer authentication policy and destination rule enable strict mutual TLS for the `httpbin.bar` workload:
{{< text bash >}} {{< text bash >}}
$ cat <<EOF | kubectl apply -n bar -f - $ cat <<EOF | kubectl apply -n bar -f -
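Review bot: the sentence deleted at the top of this hunk ("Istio cannot aggregate workload-level policies for outbound mutual TLS traffic to a service. Configure a destination rule to manage that behavior.") was the task's only explanation of why destination rules were used, and the replacement text drops the rule without saying why it is no longer needed. One sentence stating that the client side of the connection no longer requires a destination rule would help readers who followed an earlier version of this task and still have the `httpbin` and `overwrite-example` destination rules that the old Cleanup part 2 deleted.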
@ -221,22 +219,6 @@ spec:
EOF EOF
{{< /text >}} {{< /text >}}
And a destination rule:
{{< text bash >}}
$ cat <<EOF | kubectl apply -n bar -f -
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: "httpbin"
spec:
host: "httpbin.bar.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
EOF
{{< /text >}}
Again, run the probing command. As expected, request from `sleep.legacy` to `httpbin.bar` starts failing with the same reasons. Again, run the probing command. As expected, request from `sleep.legacy` to `httpbin.bar` starts failing with the same reasons.
{{< text bash >}} {{< text bash >}}
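Review bot: since this paragraph is being touched, the unchanged sentence after the removed block should read "requests from `sleep.legacy` to `httpbin.bar` start failing for the same reasons" rather than "request ... starts failing with the same reasons". The claim itself still holds after the removal: `sleep.legacy` is the client without a sidecar, and it is rejected by the server-side STRICT policy, which the deleted `ISTIO_MUTUAL` destination rule never influenced.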
@ -281,28 +263,7 @@ spec:
EOF EOF
{{< /text >}} {{< /text >}}
As before, you also need a destination rule: 1. The port value in the peer authentication policy is the container's port.
{{< text bash >}}
$ cat <<EOF | kubectl apply -n bar -f -
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: "httpbin"
spec:
host: httpbin.bar.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
portLevelSettings:
- port:
number: 8000
tls:
mode: DISABLE
EOF
{{< /text >}}
1. The port value in the peer authentication policy is the container's port. The value the destination rule is the service's port.
1. You can only use `portLevelMtls` if the port is bound to a service. Istio ignores it otherwise. 1. You can only use `portLevelMtls` if the port is bound to a service. Istio ignores it otherwise.
{{< text bash >}} {{< text bash >}}
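Review bot: list item 1 now stops at "is the container's port" and loses the contrast that gave it a purpose; the probing command in this task still targets the service port (`http://httpbin.${to}:8000/ip`, the same 8000 that the removed `portLevelSettings` used), which is exactly the value readers are likely to put into `portLevelMtls`. Suggest "The port value in the peer authentication policy is the container's port, not the service port (8000) that the client connects to." so the warning survives the removal of the destination-rule half.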
@ -341,22 +302,6 @@ spec:
EOF EOF
{{< /text >}} {{< /text >}}
and destination rule:
{{< text bash >}}
$ cat <<EOF | kubectl apply -n foo -f -
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: "overwrite-example"
spec:
host: httpbin.foo.svc.cluster.local
trafficPolicy:
tls:
mode: DISABLE
EOF
{{< /text >}}
Re-running the request from `sleep.legacy`, you should see a success return code again (200), confirming service-specific policy overrides the namespace-wide policy. Re-running the request from `sleep.legacy`, you should see a success return code again (200), confirming service-specific policy overrides the namespace-wide policy.
{{< text bash >}} {{< text bash >}}
@ -366,13 +311,11 @@ $ kubectl exec "$(kubectl get pod -l app=sleep -n legacy -o jsonpath={.items..me
### Cleanup part 2 ### Cleanup part 2
Remove policies and destination rules created in the above steps: Remove policies created in the above steps:
{{< text bash >}} {{< text bash >}}
$ kubectl delete peerauthentication default overwrite-example -n foo $ kubectl delete peerauthentication default overwrite-example -n foo
$ kubectl delete peerauthentication httpbin -n bar $ kubectl delete peerauthentication httpbin -n bar
$ kubectl delete destinationrules overwrite-example -n foo
$ kubectl delete destinationrules httpbin -n bar
{{< /text >}} {{< /text >}}
## End-user authentication ## End-user authentication


@ -174,24 +174,10 @@ EOF
} }
snip_enable_mutual_tls_per_workload_2() { snip_enable_mutual_tls_per_workload_2() {
cat <<EOF | kubectl apply -n bar -f -
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: "httpbin"
spec:
host: "httpbin.bar.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
EOF
}
snip_enable_mutual_tls_per_workload_3() {
for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done
} }
! read -r -d '' snip_enable_mutual_tls_per_workload_3_out <<\ENDSNIP ! read -r -d '' snip_enable_mutual_tls_per_workload_2_out <<\ENDSNIP
sleep.foo to httpbin.foo: 200 sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 200 sleep.foo to httpbin.bar: 200
sleep.foo to httpbin.legacy: 200 sleep.foo to httpbin.legacy: 200
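Review bot: deleting `snip_enable_mutual_tls_per_workload_2` renumbers every later snip in this section and in the policy-precedence section (`_3` becomes `_2`, `_5` becomes `_4`, `_7` becomes `_5`, `snip_policy_precedence_3` becomes `_2`). Because snips.sh is generated from the doc, confirm this file was regenerated rather than edited by hand, and check each renamed function in test.sh against these new names; in the visible lines the pairing of `snip_enable_mutual_tls_per_workload_2` with `snip_enable_mutual_tls_per_workload_2_out` is correct.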
@ -205,13 +191,13 @@ command terminated with exit code 56
sleep.legacy to httpbin.legacy: 200 sleep.legacy to httpbin.legacy: 200
ENDSNIP ENDSNIP
! read -r -d '' snip_enable_mutual_tls_per_workload_4 <<\ENDSNIP ! read -r -d '' snip_enable_mutual_tls_per_workload_3 <<\ENDSNIP
... ...
sleep.legacy to httpbin.bar: 000 sleep.legacy to httpbin.bar: 000
command terminated with exit code 56 command terminated with exit code 56
ENDSNIP ENDSNIP
snip_enable_mutual_tls_per_workload_5() { snip_enable_mutual_tls_per_workload_4() {
cat <<EOF | kubectl apply -n bar -f - cat <<EOF | kubectl apply -n bar -f -
apiVersion: security.istio.io/v1beta1 apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication kind: PeerAuthentication
@ -230,30 +216,11 @@ spec:
EOF EOF
} }
snip_enable_mutual_tls_per_workload_6() { snip_enable_mutual_tls_per_workload_5() {
cat <<EOF | kubectl apply -n bar -f -
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: "httpbin"
spec:
host: httpbin.bar.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
portLevelSettings:
- port:
number: 8000
tls:
mode: DISABLE
EOF
}
snip_enable_mutual_tls_per_workload_7() {
for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done
} }
! read -r -d '' snip_enable_mutual_tls_per_workload_7_out <<\ENDSNIP ! read -r -d '' snip_enable_mutual_tls_per_workload_5_out <<\ENDSNIP
sleep.foo to httpbin.foo: 200 sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 200 sleep.foo to httpbin.bar: 200
sleep.foo to httpbin.legacy: 200 sleep.foo to httpbin.legacy: 200
@ -283,32 +250,16 @@ EOF
} }
snip_policy_precedence_2() { snip_policy_precedence_2() {
cat <<EOF | kubectl apply -n foo -f -
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: "overwrite-example"
spec:
host: httpbin.foo.svc.cluster.local
trafficPolicy:
tls:
mode: DISABLE
EOF
}
snip_policy_precedence_3() {
kubectl exec "$(kubectl get pod -l app=sleep -n legacy -o jsonpath={.items..metadata.name})" -c sleep -n legacy -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w "%{http_code}\n" kubectl exec "$(kubectl get pod -l app=sleep -n legacy -o jsonpath={.items..metadata.name})" -c sleep -n legacy -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w "%{http_code}\n"
} }
! read -r -d '' snip_policy_precedence_3_out <<\ENDSNIP ! read -r -d '' snip_policy_precedence_2_out <<\ENDSNIP
200 200
ENDSNIP ENDSNIP
snip_cleanup_part_2_1() { snip_cleanup_part_2_1() {
kubectl delete peerauthentication default overwrite-example -n foo kubectl delete peerauthentication default overwrite-example -n foo
kubectl delete peerauthentication httpbin -n bar kubectl delete peerauthentication httpbin -n bar
kubectl delete destinationrules overwrite-example -n foo
kubectl delete destinationrules httpbin -n bar
} }
snip_enduser_authentication_1() { snip_enduser_authentication_1() {


@ -54,25 +54,17 @@ _verify_same snip_namespacewide_policy_2 "$snip_namespacewide_policy_2_out"
snip_enable_mutual_tls_per_workload_1 snip_enable_mutual_tls_per_workload_1
snip_enable_mutual_tls_per_workload_2 snip_enable_mutual_tls_per_workload_2
_wait_for_istio peerauthentication bar httpbin _wait_for_istio peerauthentication bar httpbin
_wait_for_istio destinationrule bar httpbin
_verify_same snip_enable_mutual_tls_per_workload_3 "$snip_enable_mutual_tls_per_workload_3_out"
# Ignore snip_enable_mutual_tls_per_workload_4()--it's just text. # Ignore snip_enable_mutual_tls_per_workload_4()--it's just text.
snip_enable_mutual_tls_per_workload_5 snip_enable_mutual_tls_per_workload_4
snip_enable_mutual_tls_per_workload_6
_wait_for_istio peerauthentication bar httpbin _wait_for_istio peerauthentication bar httpbin
_wait_for_istio destinationrule bar httpbin
_verify_same snip_enable_mutual_tls_per_workload_7 "$snip_enable_mutual_tls_per_workload_7_out" _verify_same snip_enable_mutual_tls_per_workload_5 "$snip_enable_mutual_tls_per_workload_5_out"
snip_policy_precedence_1 snip_policy_precedence_1
snip_policy_precedence_2 snip_policy_precedence_2
_wait_for_istio peerauthentication foo overwrite-example _wait_for_istio peerauthentication foo overwrite-example
_wait_for_istio destinationrule foo overwrite-example
_verify_same snip_policy_precedence_3 "$snip_policy_precedence_3_out"
snip_cleanup_part_2_1 snip_cleanup_part_2_1
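Review bot: this hunk drops two assertions. `_verify_same snip_enable_mutual_tls_per_workload_3 "$snip_enable_mutual_tls_per_workload_3_out"` is removed, but nothing compares the renumbered probe `snip_enable_mutual_tls_per_workload_2` against `$snip_enable_mutual_tls_per_workload_2_out`; that probe is now run by the unchanged line `snip_enable_mutual_tls_per_workload_2`, which sits before `_wait_for_istio peerauthentication bar httpbin`, so the check that STRICT on `httpbin.bar` rejects `sleep.legacy` (the `000` / exit code 56 output) no longer executes. The same happens to `snip_policy_precedence_2`: its `_verify_same` against `$snip_policy_precedence_2_out` (200) is gone and the curl runs before `_wait_for_istio peerauthentication foo overwrite-example`. Suggest moving the wait first and then adding `_verify_same snip_enable_mutual_tls_per_workload_2 "$snip_enable_mutual_tls_per_workload_2_out"` and `_verify_same snip_policy_precedence_2 "$snip_policy_precedence_2_out"` in place of the bare calls. The comment `# Ignore snip_enable_mutual_tls_per_workload_4()--it's just text.` is also stale: after the renumbering the text-only snip is `_3`, while `_4` is the port-level policy that the next line applies. Finally, the removed `_wait_for_istio destinationrule` calls were the only wait between re-applying the `httpbin` peer authentication and probing; if `_wait_for_istio peerauthentication bar httpbin` only checks that the resource exists, it returns at once on the second apply, which would fit the repeated test.sh fix-ups listed in the commit message.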