From 052f5fbc7e628575a1a45f8051e14eca3faacbdc Mon Sep 17 00:00:00 2001 From: Arka Bhattacharya <21124287+find-arka@users.noreply.github.com> Date: Mon, 6 Mar 2023 11:58:45 -0500 Subject: [PATCH] TCP Traffic page edit (#12819) * Edits formatting of the long commands to improve readability * Adds snips by make gen * Adds back the connection rejected output Co-authored-by: Frank Budinsky * re-ran make gen to edit the snip --------- Co-authored-by: Frank Budinsky --- .../security/authorization/authz-tcp/index.md | 50 ++++++++++++++----- .../security/authorization/authz-tcp/snips.sh | 48 +++++++++++++----- 2 files changed, 73 insertions(+), 25 deletions(-) diff --git a/content/en/docs/tasks/security/authorization/authz-tcp/index.md b/content/en/docs/tasks/security/authorization/authz-tcp/index.md index f5e05db7fa..df0b3cf6a3 100644 --- a/content/en/docs/tasks/security/authorization/authz-tcp/index.md +++ b/content/en/docs/tasks/security/authorization/authz-tcp/index.md 
@@ -33,17 +33,21 @@ Deploy the example namespace and workloads using the following command: $ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n foo {{< /text >}} -* Verify that `sleep` successfully communicates with `tcp-echo`on ports 9000 and 9001 +* Verify that `sleep` successfully communicates with `tcp-echo` on ports 9000 and 9001 using the following command: {{< text bash >}} - $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' hello port 9000 connection succeeded {{< /text >}} {{< text bash >}} - $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' hello port 9001 connection succeeded {{< /text >}} 
@@ -55,7 +59,9 @@ Get the pod IP address and send the request with the following command: {{< text bash >}} $ TCP_ECHO_IP=$(kubectl get pod "$(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name})" -n foo -o jsonpath="{.status.podIP}") - $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' hello port 9002 connection succeeded {{< /text >}} @@ -91,7 +97,9 @@ Run the following command to apply the policy to allow requests to port 9000 and 1. Verify that requests to port 9000 are allowed using the following command: {{< text bash >}} - $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' hello port 9000 connection succeeded {{< /text >}} 
@@ -99,7 +107,9 @@ Run the following command to apply the policy to allow requests to port 9000 and 1. Verify that requests to port 9001 are allowed using the following command: {{< text bash >}} - $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' hello port 9001 connection succeeded {{< /text >}} @@ -109,7 +119,9 @@ policy which also applies to the pass through filter chain, even if the port is explicitly in the `tcp-echo` Kubernetes service object. Run the following command and verify the output: {{< text bash >}} - $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' connection rejected {{< /text >}} 
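Review bot: The port 9002 check in the second hunk here prints `connection rejected` on any failure, not only on a policy denial, because `grep "hello" && echo 'connection succeeded' || echo 'connection rejected'` cannot tell a denied connection from an empty `$TCP_ECHO_IP`, a failed pod lookup or a `kubectl exec` error. `$TCP_ECHO_IP` is assigned only in the earlier "Before you begin" step, so a reader in a fresh shell gets the expected output without the policy having been exercised. The generated `snip_configure_allow_authorization_policy_for_a_tcp_workload_4` in snips.sh presumably has the same exposure if the variable is not carried over. I would add a guard line before the command, `: "${TCP_ECHO_IP:?TCP_ECHO_IP is not set, re-run the earlier step}"`, and say in the text that an unset variable also yields `connection rejected`. The other steps in both files whose expected output is `connection rejected` share the broader ambiguity, so a rejection only counts as evidence once the same command has been seen to succeed before the policy was applied.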
@@ -141,7 +153,9 @@ The final result is that the request is rejected, because it does not match any Run the following command and verify the output: {{< text bash >}} - $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' connection rejected {{< /text >}} @@ -149,7 +163,9 @@ Run the following command and verify the output: ALLOW rules. Run the following command and verify the output: {{< text bash >}} - $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' connection rejected {{< /text >}} 
@@ -180,14 +196,18 @@ ALLOW rules. Run the following command and verify the output: HTTP-only fields while creating a DENY rule for tcp port and due to it's restrictive nature it denies all the traffic to the tcp ports: {{< text bash >}} - $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' connection rejected {{< /text >}} 1. Verify that the requests to port 9001 are denied. Same reason as above. {{< text bash >}} - $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' connection rejected {{< /text >}} 
@@ -216,7 +236,9 @@ HTTP-only fields while creating a DENY rule for tcp port and due to it's restric 1. Verify that requests to port 9000 is denied. This occurs because the request matches the `ports` in the above-mentioned deny policy. {{< text bash >}} - $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' connection rejected {{< /text >}} @@ -224,7 +246,9 @@ HTTP-only fields while creating a DENY rule for tcp port and due to it's restric the `ports` in the DENY policy: {{< text bash >}} - $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' hello port 9001 connection succeeded {{< /text >}} diff --git a/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh b/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh index 9688fa349b..bbf1903e1b 100644 --- a/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh +++ b/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh 
@@ -27,7 +27,9 @@ kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml) -n foo } snip_before_you_begin_2() { -kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' } ! read -r -d '' snip_before_you_begin_2_out <<\ENDSNIP @@ -36,7 +38,9 @@ connection succeeded ENDSNIP snip_before_you_begin_3() { -kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' } ! read -r -d '' snip_before_you_begin_3_out <<\ENDSNIP @@ -46,7 +50,9 @@ ENDSNIP snip_before_you_begin_4() { TCP_ECHO_IP=$(kubectl get pod "$(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name})" -n foo -o jsonpath="{.status.podIP}") -kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' } ! read -r -d '' snip_before_you_begin_4_out <<\ENDSNIP 
@@ -74,7 +80,9 @@ EOF } snip_configure_allow_authorization_policy_for_a_tcp_workload_2() { -kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' } ! read -r -d '' snip_configure_allow_authorization_policy_for_a_tcp_workload_2_out <<\ENDSNIP @@ -83,7 +91,9 @@ connection succeeded ENDSNIP snip_configure_allow_authorization_policy_for_a_tcp_workload_3() { -kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' } ! read -r -d '' snip_configure_allow_authorization_policy_for_a_tcp_workload_3_out <<\ENDSNIP 
@@ -92,7 +102,9 @@ connection succeeded ENDSNIP snip_configure_allow_authorization_policy_for_a_tcp_workload_4() { -kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' } ! read -r -d '' snip_configure_allow_authorization_policy_for_a_tcp_workload_4_out <<\ENDSNIP @@ -120,7 +132,9 @@ EOF } snip_configure_allow_authorization_policy_for_a_tcp_workload_6() { -kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' } ! read -r -d '' snip_configure_allow_authorization_policy_for_a_tcp_workload_6_out <<\ENDSNIP 
@@ -128,7 +142,9 @@ connection rejected ENDSNIP snip_configure_allow_authorization_policy_for_a_tcp_workload_7() { -kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' } ! read -r -d '' snip_configure_allow_authorization_policy_for_a_tcp_workload_7_out <<\ENDSNIP @@ -155,7 +171,9 @@ EOF } snip_configure_deny_authorization_policy_for_a_tcp_workload_2() { -kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' } ! read -r -d '' snip_configure_deny_authorization_policy_for_a_tcp_workload_2_out <<\ENDSNIP 
@@ -163,7 +181,9 @@ connection rejected ENDSNIP snip_configure_deny_authorization_policy_for_a_tcp_workload_3() { -kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' } ! read -r -d '' snip_configure_deny_authorization_policy_for_a_tcp_workload_3_out <<\ENDSNIP @@ -191,7 +211,9 @@ EOF } snip_configure_deny_authorization_policy_for_a_tcp_workload_5() { -kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' } ! read -r -d '' snip_configure_deny_authorization_policy_for_a_tcp_workload_5_out <<\ENDSNIP 
@@ -199,7 +221,9 @@ connection rejected ENDSNIP snip_configure_deny_authorization_policy_for_a_tcp_workload_6() { -kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" \ + -c sleep -n foo -- sh -c \ + 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' } ! read -r -d '' snip_configure_deny_authorization_policy_for_a_tcp_workload_6_out <<\ENDSNIP