Add warning callout to securing Tiller installs (#3646)

* Add warning callout to securing Tiller installs

There are 3 other `helm init` redundant sections.  I am likely
to just C&P this warning to those sections.  As a team, we need
to seriously rethink how to document these options longer term.

* Add C&P warning to all `helm init` sections

Clearly the C&P is not ideal.  What would be better is to consolidate
all install instructions in these various documents into our main helm
install page as the helm init instructions are not doing anything special.

* Fix linter errors

* Boilerplate the helm security warning

* Workaround <{{ not parsable by hugo

use <pre></pre> to get hugo moving on the boilerplate.  This needs
to be resolved at some point, but I'm hopeful this workaround will
work for now.

* Better workaround to problem of parsing a boiler

* Address reviewer comments
Steven Dake 2019-03-12 10:41:36 -07:00 committed by istio-bot
parent 0a07eed302
commit 2849da674c
5 changed files with 14 additions and 0 deletions

@ -0,0 +1,6 @@
&nbsp;
{{< warning >}}
The instructions for using Helm with Tiller do not use secure defaults. See
the [Helm Security Guidelines](https://helm.sh/docs/using_helm/#securing-your-helm-installation)
for further steps to secure a Tiller-based installation.
{{< /warning >}}
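
Review bot: the leading `&nbsp;` on the first line of this boilerplate has no explanation in the file, so a later cleanup is likely to delete it and bring back the Hugo parsing problem the commit message describes. Put a short comment or an issue reference next to it. The warning text also says the instructions "do not use secure defaults" without naming which defaults; one clause naming them would serve readers who never follow the link.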

@ -166,6 +166,8 @@ This option allows Helm and
[Tiller](https://github.com/kubernetes/helm/blob/master/docs/architecture.md#components) [Tiller](https://github.com/kubernetes/helm/blob/master/docs/architecture.md#components)
to manage the lifecycle of Istio. to manage the lifecycle of Istio.
{{< boilerplate helm-security-warning >}}
1. If a service account has not already been installed for Tiller, install one: 1. If a service account has not already been installed for Tiller, install one:
{{< text bash >}} {{< text bash >}}

@ -104,6 +104,8 @@ cluster. You can install the component in one of two ways:
{{% tab name="Helm+Tiller" cookie-value="Helm+Tiller" %}} {{% tab name="Helm+Tiller" cookie-value="Helm+Tiller" %}}
{{< boilerplate helm-security-warning >}}
1. If you haven't installed a service account for Helm, install one with the 1. If you haven't installed a service account for Helm, install one with the
following command: following command:
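
Review bot: `{{< boilerplate helm-security-warning >}}` sits inside the `{{% tab name="Helm+Tiller" ... %}}` block, so an angle-bracket shortcode is nested in a percent-delimited one. Given the Hugo parsing trouble mentioned in the commit message, please confirm in a preview build that the warning renders inside the tab and that step 1 still starts the numbered list.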

@ -29,6 +29,8 @@ Kubernetes cluster quickly and easily in the `Container Service console`.
$ kubectl create namespace istio-system $ kubectl create namespace istio-system
{{< /text >}} {{< /text >}}
{{< boilerplate helm-security-warning >}}
- You installed a service account for Tiller. To install one if you haven't, - You installed a service account for Tiller. To install one if you haven't,
run the following command: run the following command:
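
Review bot: the shortcode lands between the closing `{{< /text >}}` of the namespace command and the bullet `- You installed a service account for Tiller`, which reads as the middle of a prerequisites list. If that is the case the callout splits the list; consider moving it above the list so the prerequisites stay together.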

@ -38,6 +38,8 @@ Make sure to use the `kubectl` CLI version that matches the Kubernetes version o
### Initialize Helm and Tiller ### Initialize Helm and Tiller
{{< boilerplate helm-security-warning >}}
1. Install the [Helm CLI](https://docs.helm.sh/using_helm/#installing-helm). 1. Install the [Helm CLI](https://docs.helm.sh/using_helm/#installing-helm).
1. If a service account has not already been installed for Tiller, install one: 1. If a service account has not already been installed for Tiller, install one:
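
Review bot: step 1 under this heading links to `https://docs.helm.sh/using_helm/#installing-helm`, while the boilerplate inserted just above it links to `https://helm.sh/docs/using_helm/#securing-your-helm-installation`. Use one host for the Helm documentation links so the install link and the security link do not drift apart if either host changes.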