add specific policies to ambient getting started guide (#16091)

* add specific policies to ambient getting started guide * review feedback
2024-12-17 00:49:15 +13:00 · 2024-12-17 00:49:15 +13:00 · 224ca15b96
parent ceccef9048
commit 224ca15b96
9 changed files with 77 additions and 32 deletions
--- a/content/en/docs/ambient/getting-started/cleanup/index.md
+++ b/content/en/docs/ambient/getting-started/cleanup/index.md
@ -34,10 +34,10 @@ To delete the Bookinfo sample application and the `curl` deployment, run the fol
 {{< text bash >}}
 $ kubectl delete httproute reviews
 $ kubectl delete authorizationpolicy productpage-viewer
-$ kubectl delete -f samples/curl/curl.yaml
-$ kubectl delete -f samples/bookinfo/platform/kube/bookinfo.yaml
-$ kubectl delete -f samples/bookinfo/platform/kube/bookinfo-versions.yaml
-$ kubectl delete -f samples/bookinfo/gateway-api/bookinfo-gateway.yaml
+$ kubectl delete -f @samples/curl/curl.yaml@
+$ kubectl delete -f @samples/bookinfo/platform/kube/bookinfo.yaml@
+$ kubectl delete -f @samples/bookinfo/platform/kube/bookinfo-versions.yaml@
+$ kubectl delete -f @samples/bookinfo/gateway-api/bookinfo-gateway.yaml@

 {{< /text >}}

--- a/content/en/docs/ambient/getting-started/deploy-sample-app/index.md
+++ b/content/en/docs/ambient/getting-started/deploy-sample-app/index.md
@ -17,8 +17,8 @@ As part of this guide, you'll deploy the Bookinfo application and expose the `pr
 Start by deploying the application:

 {{< text bash >}}
-$ kubectl apply -f {{< github_file >}}/samples/bookinfo/platform/kube/bookinfo.yaml
-$ kubectl apply -f {{< github_file >}}/samples/bookinfo/platform/kube/bookinfo-versions.yaml
+$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo.yaml@
+$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-versions.yaml@
 {{< /text >}}

 To verify that the application is running, check the status of the pods:
@ -41,7 +41,7 @@ To access the `productpage` service from outside the cluster, you need to config
 You will use the Kubernetes Gateway API to deploy a gateway called `bookinfo-gateway`:

 {{< text syntax=bash snip_id=deploy_bookinfo_gateway >}}
-$ kubectl apply -f {{< github_file >}}/samples/bookinfo/gateway-api/bookinfo-gateway.yaml
+$ kubectl apply -f @samples/bookinfo/gateway-api/bookinfo-gateway.yaml@
 {{< /text >}}

 By default, Istio creates a `LoadBalancer` service for a gateway. As you will access this gateway by a tunnel, you don't need a load balancer. Change the service type to `ClusterIP` by annotating the gateway:
--- a/content/en/docs/ambient/getting-started/deploy-sample-app/snips.sh
+++ b/content/en/docs/ambient/getting-started/deploy-sample-app/snips.sh
@ -21,12 +21,12 @@
 ####################################################################################################

 snip_deploy_the_bookinfo_application_1() {
-kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml
-kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo-versions.yaml
+kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
+kubectl apply -f samples/bookinfo/platform/kube/bookinfo-versions.yaml
 }

 snip_deploy_bookinfo_gateway() {
-kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/gateway-api/bookinfo-gateway.yaml
+kubectl apply -f samples/bookinfo/gateway-api/bookinfo-gateway.yaml
 }

 snip_annotate_bookinfo_gateway() {
--- a/content/en/docs/ambient/getting-started/enforce-auth-policies/index.md
+++ b/content/en/docs/ambient/getting-started/enforce-auth-policies/index.md
@ -20,7 +20,7 @@ $ kubectl apply -f - <<EOF
 apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
-  name: productpage-viewer
+  name: productpage-ztunnel
  namespace: default
 spec:
  selector:
@ -40,7 +40,7 @@ If you open the Bookinfo application in your browser (`http://localhost:8080/pro
 Let's try accessing Bookinfo application from a different client in the cluster:

 {{< text syntax=bash snip_id=deploy_curl >}}
-$ kubectl apply -f samples/curl/curl.yaml
+$ kubectl apply -f @samples/curl/curl.yaml@
 {{< /text >}}

 Since the `curl` pod is using a different service account, it will not have access the `productpage` service:
@ -75,7 +75,7 @@ $ kubectl apply -f - <<EOF
 apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
-  name: productpage-viewer
+  name: productpage-waypoint
  namespace: default
 spec:
  targetRefs:
@ -96,8 +96,31 @@ EOF

 Note the `targetRefs` field is used to specify the target service for the authorization policy of a waypoint proxy. The rules section is similar as before, but this time you added the `to` section to specify the operation that is allowed.

+Remember that our L4 policy instructed the ztunnel to only allow connections from the gateway? We now need to update it to also allow connections from the waypoint.
+
+{{< text syntax=bash snip_id=update_l4_policy >}}
+$ kubectl apply -f - <<EOF
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: productpage-ztunnel
+  namespace: default
+spec:
+  selector:
+    matchLabels:
+      app: productpage
+  action: ALLOW
+  rules:
+  - from:
+    - source:
+        principals:
+        - cluster.local/ns/default/sa/bookinfo-gateway-istio
+        - cluster.local/ns/default/sa/waypoint
+EOF
+{{< /text >}}
+
 {{< tip >}}
-To learn about how to enable more Istio's features, read the [Use Layer 7 features user guide](/docs/ambient/usage/l7-features/).
+To learn about how to enable more of Istio's features, read the [Layer 7 features user guide](/docs/ambient/usage/l7-features/).
 {{< /tip >}}

 Confirm the new waypoint proxy is enforcing the updated authorization policy:
--- a/content/en/docs/ambient/getting-started/enforce-auth-policies/snips.sh
+++ b/content/en/docs/ambient/getting-started/enforce-auth-policies/snips.sh
@ -25,7 +25,7 @@ kubectl apply -f - <<EOF
 apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
-  name: productpage-viewer
+  name: productpage-ztunnel
  namespace: default
 spec:
  selector:
@ -75,7 +75,7 @@ kubectl apply -f - <<EOF
 apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
-  name: productpage-viewer
+  name: productpage-waypoint
  namespace: default
 spec:
  targetRefs:
@ -94,18 +94,30 @@ spec:
 EOF
 }

-snip_enforce_layer_7_authorization_policy_4() {
-# This fails with an RBAC error because you're not using a GET operation
-kubectl exec deploy/curl -- curl -s "http://productpage:9080/productpage" -X DELETE
+snip_update_l4_policy() {
+kubectl apply -f - <<EOF
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: productpage-ztunnel
+  namespace: default
+spec:
+  selector:
+    matchLabels:
+      app: productpage
+  action: ALLOW
+  rules:
+  - from:
+    - source:
+        principals:
+        - cluster.local/ns/default/sa/bookinfo-gateway-istio
+        - cluster.local/ns/default/sa/waypoint
+EOF
 }

-! IFS=$'\n' read -r -d '' snip_enforce_layer_7_authorization_policy_4_out <<\ENDSNIP
-RBAC: access denied
-ENDSNIP
-
 snip_enforce_layer_7_authorization_policy_5() {
-# This fails with an RBAC error because the identity of the reviews-v1 service is not allowed
-kubectl exec deploy/reviews-v1 -- curl -s http://productpage:9080/productpage
+# This fails with an RBAC error because you're not using a GET operation
+kubectl exec deploy/curl -- curl -s "http://productpage:9080/productpage" -X DELETE
 }

 ! IFS=$'\n' read -r -d '' snip_enforce_layer_7_authorization_policy_5_out <<\ENDSNIP
@ -113,10 +125,19 @@ RBAC: access denied
 ENDSNIP

 snip_enforce_layer_7_authorization_policy_6() {
+# This fails with an RBAC error because the identity of the reviews-v1 service is not allowed
+kubectl exec deploy/reviews-v1 -- curl -s http://productpage:9080/productpage
+}
+
+! IFS=$'\n' read -r -d '' snip_enforce_layer_7_authorization_policy_6_out <<\ENDSNIP
+RBAC: access denied
+ENDSNIP
+
+snip_enforce_layer_7_authorization_policy_7() {
 # This works as you're explicitly allowing GET requests from the curl pod
 kubectl exec deploy/curl -- curl -s http://productpage:9080/productpage | grep -o "<title>.*</title>"
 }

-! IFS=$'\n' read -r -d '' snip_enforce_layer_7_authorization_policy_6_out <<\ENDSNIP
+! IFS=$'\n' read -r -d '' snip_enforce_layer_7_authorization_policy_7_out <<\ENDSNIP
 <title>Simple Bookstore App</title>
 ENDSNIP
--- a/content/en/docs/ambient/getting-started/secure-and-visualize/index.md
+++ b/content/en/docs/ambient/getting-started/secure-and-visualize/index.md
@ -30,8 +30,8 @@ You now have mTLS encryption between all your pods — without even restarting o
 Using Istio's dashboard, Kiali, and the Prometheus metrics engine, you can visualize the Bookinfo application. Deploy them both:

 {{< text syntax=bash snip_id=none >}}
-$ kubectl apply -f {{< github_file >}}/samples/addons/prometheus.yaml
-$ kubectl apply -f {{< github_file >}}/samples/addons/kiali.yaml
+$ kubectl apply -f @samples/addons/prometheus.yaml@
+$ kubectl apply -f @samples/addons/kiali.yaml@
 {{< /text >}}

 You can access the Kiali dashboard by running the following command:
--- a/content/en/docs/ambient/getting-started/test.sh
+++ b/content/en/docs/ambient/getting-started/test.sh
@ -48,10 +48,11 @@ _verify_contains snip_deploy_waypoint "$snip_deploy_waypoint_out"
 _verify_like snip_enforce_layer_7_authorization_policy_2 "$snip_enforce_layer_7_authorization_policy_2_out"

 snip_deploy_l7_policy
+snip_update_l4_policy

-_verify_contains snip_enforce_layer_7_authorization_policy_4 "$snip_enforce_layer_7_authorization_policy_4_out"
 _verify_contains snip_enforce_layer_7_authorization_policy_5 "$snip_enforce_layer_7_authorization_policy_5_out"
 _verify_contains snip_enforce_layer_7_authorization_policy_6 "$snip_enforce_layer_7_authorization_policy_6_out"
+_verify_contains snip_enforce_layer_7_authorization_policy_7 "$snip_enforce_layer_7_authorization_policy_7_out"

 snip_deploy_httproute
 snip_test_traffic_split
--- a/content/en/docs/setup/getting-started/index.md
+++ b/content/en/docs/setup/getting-started/index.md
@ -110,7 +110,7 @@ You have configured Istio to inject sidecar containers into any application you
 1.  Deploy the [`Bookinfo` sample application](/docs/examples/bookinfo/):

    {{< text bash >}}
-    $ kubectl apply -f {{< github_file >}}/samples/bookinfo/platform/kube/bookinfo.yaml
+    $ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo.yaml@
    service/details created
    serviceaccount/bookinfo-details created
    deployment.apps/details-v1 created
@ -217,7 +217,7 @@ Use the following instructions to deploy the [Kiali](/docs/ops/integrations/kial
 1.  Install [Kiali and the other addons]({{< github_tree >}}/samples/addons) and wait for them to be deployed.

    {{< text bash >}}
-    $ kubectl apply -f samples/addons
+    $ kubectl apply -f @samples/addons@
    $ kubectl rollout status deployment/kiali -n istio-system
    Waiting for deployment "kiali" rollout to finish: 0 of 1 updated replicas are available...
    deployment "kiali" successfully rolled out
--- a/content/en/docs/setup/getting-started/snips.sh
+++ b/content/en/docs/setup/getting-started/snips.sh
@ -54,7 +54,7 @@ kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
 }

 snip_deploy_the_sample_application_1() {
-kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml
+kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
 }

 ! IFS=$'\n' read -r -d '' snip_deploy_the_sample_application_1_out <<\ENDSNIP