Remove the destination rule in peer authn doc. (#10117)
* Remove the destination rule in peer authn doc. * Update with snip test. * Fix test.sh. * Update the test.sh. * test.sh again. * Test 3rd time. * test.sh 5th time. * test.sh 6th time.
This commit is contained in:
parent
d8792a4548
commit
00f76de374
@ -158,7 +158,7 @@ You see requests still succeed, except for those from the client that doesn't ha
|
|||
|
||||
### Cleanup part 1
|
||||
|
||||
Remove global authentication policy and destination rules added in the session:
|
||||
Remove global authentication policy added in the session:
|
||||
|
||||
{{< text bash >}}
|
||||
$ kubectl delete peerauthentication -n istio-system default
|
||||
|
@ -201,9 +201,7 @@ sleep.legacy to httpbin.legacy: 200
|
|||
|
||||
### Enable mutual TLS per workload
|
||||
|
||||
To set a peer authentication policy for a specific workload, you must configure the `selector` section and specify the labels that match the desired workload. However, Istio cannot aggregate workload-level policies for outbound mutual TLS traffic to a service. Configure a destination rule to manage that behavior.
|
||||
|
||||
For example, the following peer authentication policy and destination rule enable strict mutual TLS for the `httpbin.bar` workload:
|
||||
To set a peer authentication policy for a specific workload, you must configure the `selector` section and specify the labels that match the desired workload. For example, the following peer authentication policy enables strict mutual TLS for the `httpbin.bar` workload:
|
||||
|
||||
{{< text bash >}}
|
||||
$ cat <<EOF | kubectl apply -n bar -f -
|
||||
|
@ -221,22 +219,6 @@ spec:
|
|||
EOF
|
||||
{{< /text >}}
|
||||
|
||||
And a destination rule:
|
||||
|
||||
{{< text bash >}}
|
||||
$ cat <<EOF | kubectl apply -n bar -f -
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: "httpbin"
|
||||
spec:
|
||||
host: "httpbin.bar.svc.cluster.local"
|
||||
trafficPolicy:
|
||||
tls:
|
||||
mode: ISTIO_MUTUAL
|
||||
EOF
|
||||
{{< /text >}}
|
||||
|
||||
Again, run the probing command. As expected, request from `sleep.legacy` to `httpbin.bar` starts failing with the same reasons.
|
||||
|
||||
{{< text bash >}}
|
||||
|
@ -281,28 +263,7 @@ spec:
|
|||
EOF
|
||||
{{< /text >}}
|
||||
|
||||
As before, you also need a destination rule:
|
||||
|
||||
{{< text bash >}}
|
||||
$ cat <<EOF | kubectl apply -n bar -f -
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: "httpbin"
|
||||
spec:
|
||||
host: httpbin.bar.svc.cluster.local
|
||||
trafficPolicy:
|
||||
tls:
|
||||
mode: ISTIO_MUTUAL
|
||||
portLevelSettings:
|
||||
- port:
|
||||
number: 8000
|
||||
tls:
|
||||
mode: DISABLE
|
||||
EOF
|
||||
{{< /text >}}
|
||||
|
||||
1. The port value in the peer authentication policy is the container's port. The value the destination rule is the service's port.
|
||||
1. The port value in the peer authentication policy is the container's port.
|
||||
1. You can only use `portLevelMtls` if the port is bound to a service. Istio ignores it otherwise.
|
||||
|
||||
{{< text bash >}}
|
||||
|
@ -341,22 +302,6 @@ spec:
|
|||
EOF
|
||||
{{< /text >}}
|
||||
|
||||
and destination rule:
|
||||
|
||||
{{< text bash >}}
|
||||
$ cat <<EOF | kubectl apply -n foo -f -
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: "overwrite-example"
|
||||
spec:
|
||||
host: httpbin.foo.svc.cluster.local
|
||||
trafficPolicy:
|
||||
tls:
|
||||
mode: DISABLE
|
||||
EOF
|
||||
{{< /text >}}
|
||||
|
||||
Re-running the request from `sleep.legacy`, you should see a success return code again (200), confirming service-specific policy overrides the namespace-wide policy.
|
||||
|
||||
{{< text bash >}}
|
||||
|
@ -366,13 +311,11 @@ $ kubectl exec "$(kubectl get pod -l app=sleep -n legacy -o jsonpath={.items..me
|
|||
|
||||
### Cleanup part 2
|
||||
|
||||
Remove policies and destination rules created in the above steps:
|
||||
Remove policies created in the above steps:
|
||||
|
||||
{{< text bash >}}
|
||||
$ kubectl delete peerauthentication default overwrite-example -n foo
|
||||
$ kubectl delete peerauthentication httpbin -n bar
|
||||
$ kubectl delete destinationrules overwrite-example -n foo
|
||||
$ kubectl delete destinationrules httpbin -n bar
|
||||
{{< /text >}}
|
||||
|
||||
## End-user authentication
|
||||
|
|
|
@ -174,24 +174,10 @@ EOF
|
|||
}
|
||||
|
||||
snip_enable_mutual_tls_per_workload_2() {
|
||||
cat <<EOF | kubectl apply -n bar -f -
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: "httpbin"
|
||||
spec:
|
||||
host: "httpbin.bar.svc.cluster.local"
|
||||
trafficPolicy:
|
||||
tls:
|
||||
mode: ISTIO_MUTUAL
|
||||
EOF
|
||||
}
|
||||
|
||||
snip_enable_mutual_tls_per_workload_3() {
|
||||
for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done
|
||||
}
|
||||
|
||||
! read -r -d '' snip_enable_mutual_tls_per_workload_3_out <<\ENDSNIP
|
||||
! read -r -d '' snip_enable_mutual_tls_per_workload_2_out <<\ENDSNIP
|
||||
sleep.foo to httpbin.foo: 200
|
||||
sleep.foo to httpbin.bar: 200
|
||||
sleep.foo to httpbin.legacy: 200
|
||||
|
@ -205,13 +191,13 @@ command terminated with exit code 56
|
|||
sleep.legacy to httpbin.legacy: 200
|
||||
ENDSNIP
|
||||
|
||||
! read -r -d '' snip_enable_mutual_tls_per_workload_4 <<\ENDSNIP
|
||||
! read -r -d '' snip_enable_mutual_tls_per_workload_3 <<\ENDSNIP
|
||||
...
|
||||
sleep.legacy to httpbin.bar: 000
|
||||
command terminated with exit code 56
|
||||
ENDSNIP
|
||||
|
||||
snip_enable_mutual_tls_per_workload_5() {
|
||||
snip_enable_mutual_tls_per_workload_4() {
|
||||
cat <<EOF | kubectl apply -n bar -f -
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
kind: PeerAuthentication
|
||||
|
@ -230,30 +216,11 @@ spec:
|
|||
EOF
|
||||
}
|
||||
|
||||
snip_enable_mutual_tls_per_workload_6() {
|
||||
cat <<EOF | kubectl apply -n bar -f -
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: "httpbin"
|
||||
spec:
|
||||
host: httpbin.bar.svc.cluster.local
|
||||
trafficPolicy:
|
||||
tls:
|
||||
mode: ISTIO_MUTUAL
|
||||
portLevelSettings:
|
||||
- port:
|
||||
number: 8000
|
||||
tls:
|
||||
mode: DISABLE
|
||||
EOF
|
||||
}
|
||||
|
||||
snip_enable_mutual_tls_per_workload_7() {
|
||||
snip_enable_mutual_tls_per_workload_5() {
|
||||
for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done
|
||||
}
|
||||
|
||||
! read -r -d '' snip_enable_mutual_tls_per_workload_7_out <<\ENDSNIP
|
||||
! read -r -d '' snip_enable_mutual_tls_per_workload_5_out <<\ENDSNIP
|
||||
sleep.foo to httpbin.foo: 200
|
||||
sleep.foo to httpbin.bar: 200
|
||||
sleep.foo to httpbin.legacy: 200
|
||||
|
@ -283,32 +250,16 @@ EOF
|
|||
}
|
||||
|
||||
snip_policy_precedence_2() {
|
||||
cat <<EOF | kubectl apply -n foo -f -
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: "overwrite-example"
|
||||
spec:
|
||||
host: httpbin.foo.svc.cluster.local
|
||||
trafficPolicy:
|
||||
tls:
|
||||
mode: DISABLE
|
||||
EOF
|
||||
}
|
||||
|
||||
snip_policy_precedence_3() {
|
||||
kubectl exec "$(kubectl get pod -l app=sleep -n legacy -o jsonpath={.items..metadata.name})" -c sleep -n legacy -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w "%{http_code}\n"
|
||||
}
|
||||
|
||||
! read -r -d '' snip_policy_precedence_3_out <<\ENDSNIP
|
||||
! read -r -d '' snip_policy_precedence_2_out <<\ENDSNIP
|
||||
200
|
||||
ENDSNIP
|
||||
|
||||
snip_cleanup_part_2_1() {
|
||||
kubectl delete peerauthentication default overwrite-example -n foo
|
||||
kubectl delete peerauthentication httpbin -n bar
|
||||
kubectl delete destinationrules overwrite-example -n foo
|
||||
kubectl delete destinationrules httpbin -n bar
|
||||
}
|
||||
|
||||
snip_enduser_authentication_1() {
|
||||
|
|
|
@ -54,25 +54,17 @@ _verify_same snip_namespacewide_policy_2 "$snip_namespacewide_policy_2_out"
|
|||
snip_enable_mutual_tls_per_workload_1
|
||||
snip_enable_mutual_tls_per_workload_2
|
||||
_wait_for_istio peerauthentication bar httpbin
|
||||
_wait_for_istio destinationrule bar httpbin
|
||||
|
||||
_verify_same snip_enable_mutual_tls_per_workload_3 "$snip_enable_mutual_tls_per_workload_3_out"
|
||||
|
||||
# Ignore snip_enable_mutual_tls_per_workload_4()--it's just text.
|
||||
|
||||
snip_enable_mutual_tls_per_workload_5
|
||||
snip_enable_mutual_tls_per_workload_6
|
||||
snip_enable_mutual_tls_per_workload_4
|
||||
_wait_for_istio peerauthentication bar httpbin
|
||||
_wait_for_istio destinationrule bar httpbin
|
||||
|
||||
_verify_same snip_enable_mutual_tls_per_workload_7 "$snip_enable_mutual_tls_per_workload_7_out"
|
||||
_verify_same snip_enable_mutual_tls_per_workload_5 "$snip_enable_mutual_tls_per_workload_5_out"
|
||||
|
||||
snip_policy_precedence_1
|
||||
snip_policy_precedence_2
|
||||
_wait_for_istio peerauthentication foo overwrite-example
|
||||
_wait_for_istio destinationrule foo overwrite-example
|
||||
|
||||
_verify_same snip_policy_precedence_3 "$snip_policy_precedence_3_out"
|
||||
|
||||
snip_cleanup_part_2_1
|
||||
|
||||
|
|
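Review bot: The new sequence drops both probes that confirm enforcement: after `snip_enable_mutual_tls_per_workload_1` and `_wait_for_istio peerauthentication bar httpbin`, the old `_verify_same snip_enable_mutual_tls_per_workload_3 "$snip_enable_mutual_tls_per_workload_3_out"` is removed without a renumbered replacement, and the same happens to `_verify_same snip_policy_precedence_3 "$snip_policy_precedence_3_out"`, so the test no longer checks that `sleep.legacy` to `httpbin.bar` returns 000 under the STRICT workload policy, nor that the port-level `DISABLE` override restores 200 — the two behaviors the document claims. Judging from the hunk counts (25 old lines, 17 new) these are deletions rather than renames; if so, re-add them as `_verify_same snip_enable_mutual_tls_per_workload_2 "$snip_enable_mutual_tls_per_workload_2_out"` and `_verify_same snip_policy_precedence_2 "$snip_policy_precedence_2_out"`, matching the `_2_out` variables defined in the regenerated snips.sh. The surviving comment `# Ignore snip_enable_mutual_tls_per_workload_4()--it's just text.` is also stale: in the regenerated snips the text-only snippet is `snip_enable_mutual_tls_per_workload_3`, while `_4` is now the PeerAuthentication apply function invoked on the following line, so it should read `# Ignore snip_enable_mutual_tls_per_workload_3()--it's just text.`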