mirror of https://github.com/istio/istio.io.git
Update lint checker configuration. (#12602)
* Update lint checker configuration. * Uses mdl.rb in the root * Fix trailing lines * Reset mdl.rb * Fix for adding an empty line
This commit is contained in:
Eric Van Norman
GitHub
parent
297056e6f4
commit
510f278525
|
|
@ -119,4 +119,3 @@ In terms of CPU consumption per transaction, Istio has used significantly more C
|
|||
## Conclusion
|
||||
|
||||
In this investigation, we tried different options to access an external TLS-enabled MongoDB to compare their performance. The introduction of the Egress Gateway did not have a significant impact on the performance nor meaningful additional CPU consumption. Only when enabling mutual TLS between sidecars and egress gateway or using an additional SNI proxy for wildcarded domains we could observe some degradation.
|
||||
|
||||
|
|
|
|||
|
|
@ -489,5 +489,3 @@ support the full `v1alpha1` semantics as of the date of this blog post.
|
|||
|
||||
The command to support the full `v1alpha1` semantics is expected in a patch
|
||||
release following Istio 1.4.
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -19,4 +19,3 @@ There are two different approaches to doing this. The supported way for Gloo OSS
|
|||
See a quick demo of integrating open-source Gloo with Istio 1.5:
|
||||
|
||||
<iframe width="560" height="315" src="https://www.youtube.com/embed/zhUR3HgeFSg" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
|
||||
|
||||
|
|
|
|||
|
|
@ -45,4 +45,3 @@ Do you want to put your product or service in front of the most discerning Cloud
|
|||
For those of you who can't make it, keep your eyes peeled for announcements of IstioCon 2023 and Istio Day North America later this year.
|
||||
|
||||
Stay tuned to hear more about the event, and we hope you can join us at Istio Day Europe!
|
||||
|
||||
|
|
|
|||
|
|
@ -29,4 +29,3 @@ Based on this, here is the complete list of Istio Steering Committee members, in
|
|||
- [Zhonghu Xu](https://github.com/hzxuzhonghu) (Huawei)
|
||||
|
||||
Our sincerest thanks to Louis Ryan, Srihari Angaluri, Kebe Liu and Jason McGee, all long-time contributors to the Istio project, whose terms have come to an end.
|
||||
|
||||
|
|
|
|||
|
|
@ -65,4 +65,3 @@ The following checks were performed on each of these signatures:
|
|||
|
||||
[{"critical":{"identity":{"docker-reference":"gcr.io/istio-release/pilot"},"image":{"docker-manifest-digest":"sha256:c37fd83f6435ca0966d653dc6ac42c9fe5ac11d0d5d719dfe97de84acbf7a32d"},"type":"cosign container image signature"},"optional":null}]
|
||||
{{< /text >}}
|
||||
|
||||
|
|
|
|||
|
|
@ -319,5 +319,3 @@ To make sure services will have zero down-time when configuring routes with subs
|
|||
1. Wait a few seconds for the `VirtualService` configuration to propagate to the Envoy sidecars.
|
||||
|
||||
1. Update the `DestinationRule` to remove the unused subsets.
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -234,4 +234,3 @@ spec:
|
|||
The client IP is retrieved from the PROXY protocol by the gateway and set (or appended) in the `X-Forwarded-For` and `X-Envoy-External-Address` header. Note that the PROXY protocol is mutually exclusive with L7 headers like `X-Forwarded-For` and `X-Envoy-External-Address`. When PROXY protocol is used in conjunction with the `gatewayTopology` configuration, the `numTrustedProxies` and the received `X-Forwarded-For` header takes precedence in determining the trusted client addresses, and PROXY protocol client information will be ignored.
|
||||
|
||||
Note that the above example only configures the Gateway to accept incoming PROXY protocol TCP traffic - See the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency#proxy-protocol) for examples of how to configure Envoy itself to communicate with upstream services using PROXY protocol.
|
||||
|
||||
|
|
|
|||
|
|
@ -61,4 +61,3 @@ In this example, the port `svc-8080` does follow the syntax: `name: <http|https|
|
|||
## How to resolve
|
||||
|
||||
- JWT authentication is only supported over http, https or http2. Rename the Service port name to conform with `<http|https|http2>[-<suffix>]`
|
||||
|
||||
|
|
|
|||
|
|
@ -38,4 +38,3 @@ In this example, the port name `tcp` follows the syntax: `name: <protocol>`. How
|
|||
|
||||
- If you have an ExternalName service type, and the protocol is TCP, rename the port to `<protocol>[-<suffix>]` or `<protocol>` where protocol is `https` or `tls`. To learn more, review
|
||||
docs on [explicit protocol selection](/docs/ops/configuration/traffic-management/protocol-selection/#explicit-protocol-selection).
|
||||
|
||||
|
|
|
|||
|
|
@ -172,4 +172,3 @@ spec:
|
|||
5000)
|
||||
end
|
||||
{{< /text >}}
|
||||
|
||||
|
|
|
|||
|
|
@ -125,4 +125,3 @@ For TCP traffic, Istio generates the following metrics:
|
|||
|
||||
* **gRPC Response Status**: This identifies the response status of the gRPC. This
|
||||
label is present only on gRPC metrics.
|
||||
|
||||
|
|
|
|||
|
|
@ -39,4 +39,3 @@ Istio supports the following service identities on different platforms:
|
|||
name, Istio service account, or GCP service account. The custom service
|
||||
account refers to the existing service account just like the identities that
|
||||
the customer’s Identity Directory manages.
|
||||
|
||||
|
|
|
|||
|
|
@ -5,4 +5,3 @@ test: n/a
|
|||
|
||||
Micro-segmentation is a security technique that creates secure zones in cloud deployments and allows organizations to
|
||||
isolate workloads from one another and secure them individually.
|
||||
|
||||
|
|
|
|||
|
|
@ -155,5 +155,3 @@ For further detailed information about the concepts and techniques described in
|
|||
1. [IstioOperator - Customize Installation](/docs/setup/additional-setup/customize-installation)
|
||||
1. [Advanced Helm Techniques](https://helm.sh/docs/topics/advanced/)
|
||||
1. [Kustomize](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/)
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -120,4 +120,3 @@ Follow these instructions to set up Dashboard for kind.
|
|||
{{< warning >}}
|
||||
You have to save your token somewhere, otherwise you have to run step number 4 everytime you need a token to login to your Dashboard.
|
||||
{{< /warning >}}
|
||||
|
||||
|
|
|
|||
|
|
@ -328,4 +328,3 @@ Delete the `sleep` service and deployment:
|
|||
$ kubectl delete service sleep
|
||||
$ kubectl delete deployment sleep
|
||||
{{< /text >}}
|
||||
|
||||
|
|
|
|||
|
|
@ -17,4 +17,3 @@ We're pleased to announce the availability of Istio 1.1.17. This will be the la
|
|||
## Bug fixes
|
||||
|
||||
- Fix a bug introduced by [our October 8th security release](/news/security/istio-security-2019-005) which incorrectly calculated HTTP header and body sizes ([Issue 17735](https://github.com/istio/istio/issues/17735).
|
||||
|
||||
|
|
|
|||
|
|
@ -20,4 +20,3 @@ This release contains bug fixes to improve robustness. This release note describ
|
|||
- **Fixed** a bug where setting the `retryRemoteLocalities` on a `VirtualService` would produce configuration that Envoy would reject. ([Issue #33737](https://github.com/istio/istio/issues/33737))
|
||||
|
||||
- **Improved** the `meshConfig.defaultConfig.proxyMetadata` field to do a deep merge when overridden rather than replacing all values.
|
||||
|
||||
|
|
|
|||
|
|
@ -33,4 +33,3 @@ This release fixes the security vulnerabilities described in our August 24th pos
|
|||
Note: this vulnerability does not impact downstream client connections.
|
||||
|
||||
- [CVE-2021-32781](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32781) (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability that affects Envoy's decompressor, json-transcoder or grpc-web extensions or proprietary extensions that modify and increase the size of request or response bodies. Modifying and increasing the size of the body in an Envoy’s extension beyond internal buffer size may lead to Envoy accessing deallocated memory and terminating abnormally.
|
||||
|
||||
|
|
|
|||
|
|
@ -34,4 +34,3 @@ This release contains bug fixes to improve robustness. This release note describ
|
|||
|
||||
- **Fixed** `DestinationRule` updates not triggering an update for `AUTO_PASSTHROUGH` listeners on gateways.
|
||||
([Issue #34944](https://github.com/istio/istio/issues/34944))
|
||||
|
||||
|
|
|
|||
|
|
@ -23,4 +23,3 @@ This release contains bug fixes to improve robustness. This release note describ
|
|||
|
||||
- **Fixed** an issue in webhook analysis which would make helm reconciler complain about overlapping webhooks.
|
||||
([Issue #36114](https://github.com/istio/istio/issues/36114))
|
||||
|
||||
|
|
|
|||
|
|
@ -16,4 +16,3 @@ This release contains bug fixes to improve robustness. This release note describ
|
|||
- **Fixed** building routes order where a catch-all route no longer short circuits other routes declared after it. ([Issue #39188](https://github.com/istio/istio/issues/39188))
|
||||
|
||||
- **Fixed** a bug where the previous cluster was not stopping when updating a multicluster secret. The previous cluster did not stop even when the secret was deleted. ([Issue #39366](https://github.com/istio/istio/issues/39366))
|
||||
|
||||
|
|
|
|||
|
|
@ -23,4 +23,3 @@ When installing a new Istio control plane revision the previous resource validat
|
|||
unintended effects on the existing, stable revision. Once prepared to migrate over to the new control plane revision,
|
||||
cluster operators should switch the default revision. This can be done through `istioctl tag set default --revision <new revision>`,
|
||||
or if using a Helm-based flow, `helm upgrade istio-base manifests/charts/base -n istio-system --set defaultRevision=<new revision>`.
|
||||
|
||||
|
|
|
|||
|
|
@ -6,4 +6,3 @@ list_by_publishdate: true
|
|||
layout: release-grid
|
||||
decoration: dot
|
||||
---
|
||||
|
||||
|
|
|
|||
|
|
@ -24,4 +24,3 @@ __ISTIO-SECURITY-2019-005__: A DoS vulnerability has been discovered by the Env
|
|||
## Bug fix
|
||||
|
||||
- Fix a bug where `nodeagent` was failing to start when using citadel ([Issue 15876](https://github.com/istio/istio/issues/17108))
|
||||
|
||||
|
|
|
|||
|
|
@ -20,4 +20,3 @@ This release note describes what's different between Istio 1.5.5 and Istio 1.5.4
|
|||
- **ISTIO-SECURITY-2020-006** Excessive CPU usage when processing HTTP/2 SETTINGS frames with too many parameters, potentially leading to a denial of service.
|
||||
|
||||
__[CVE-2020-11080](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11080)__: By sending a specially crafted packet, an attacker could cause the CPU to spike at 100%. This could be sent to the ingress gateway or a sidecar.
|
||||
|
||||
|
|
|
|||
|
|
@ -20,4 +20,3 @@ This release contains bug fixes to improve robustness. This release note describ
|
|||
|
||||
- **Fixed** Pilot agent app probe connection leak.
|
||||
([Issue #27726](https://github.com/istio/istio/issues/27726))
|
||||
|
||||
|
|
|
|||
|
|
@ -18,4 +18,3 @@ This release fixes the security vulnerability described in [our September 29 pos
|
|||
- __[CVE-2020-25017](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25017)__:
|
||||
In some cases, Envoy only considers the first value when multiple headers are present. Also, Envoy does not replace all existing occurrences of a non-inline header.
|
||||
- __CVSS Score__: 8.3 [AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L&version=3.1)
|
||||
|
||||
|
|
|
|||
|
|
@ -86,4 +86,3 @@ accurate.
|
|||
|
||||
- **Added** visual indication if an istio.io page has been tested by istio.io automated tests.
|
||||
([Issue #7672](https://github.com/istio/istio.io/issues/7672))
|
||||
|
||||
|
|
|
|||
|
|
@ -10,4 +10,3 @@ According to Istio's [support policy](/docs/releases/supported-releases#supporte
|
|||
At that point we will stop back-porting fixes for security issues and critical bugs to 1.13, so we encourage you to upgrade to the latest version of Istio ({{<istio_release_name>}}). If you don't do this you may put yourself in the position of having to do a major upgrade on a short timeframe to pick up a critical fix.
|
||||
|
||||
We care about you and your clusters, so please be kind to yourself and upgrade.
|
||||
|
||||
|
|
|
|||
|
|
@ -12,4 +12,3 @@ Istio is [expanding](/blog/2021/extended-support/) the support window of the 1.9
|
|||
At that point we will stop back-porting fixes for security issues and critical bugs to 1.9, so we encourage you to upgrade to the latest version of Istio (1.11.1). If you don’t do this you may put yourself in the position of having to do a major upgrade on a short timeframe to pick up a critical fix.
|
||||
|
||||
We care about you and your clusters, so please be kind to yourself and upgrade.
|
||||
|
||||
|
|
|
|||
|
|
@ -14,4 +14,3 @@ weight: 30
|
|||
|
||||
如果您仅看到与出口代理相关联的跟踪数据,但没有看到与入口代理相关联的,那么它可能仍与 Istio [端口命名规范](/zh/faq/traffic-management/#naming-port-convention)相关。
|
||||
请先了解 [Istio 1.3](/zh/news/releases/1.3.x/announcing-1.3/#intelligent-protocol-detection-experimental) 中自动检测**出口**流量的协议相关部分。
|
||||
|
||||
|
|
|
|||
|
|
@ -35,4 +35,3 @@ weight: 80
|
|||
# 列出所有的 virtual services
|
||||
$ kubectl get virtualservices
|
||||
{{< /text >}}
|
||||
|
||||
|
|
|
|||
|
|
@ -164,4 +164,3 @@ spec:
|
|||
Admiral 提供了新的全局流量路由和唯一服务命名功能,致力于解决由[具有控制平面副本集的多集群部署](/zh/docs/setup/install/multicluster/gateways/#deploy-the-Istio-control-plane-in-each-cluster)带来的挑战。它消除了集群之间手动配置同步的需求,并为每个集群生成上下文配置。这样或许就可以操作由许多 Kubernetes 集群组成的服务网格了。
|
||||
|
||||
我们认为 Istio/Service Mesh 社区将从这种方法中受益,因此我们开源了 [Admiral](https://github.com/istio-ecosystem/admiral),我们很高兴收到您的反馈和支持!
|
||||
|
||||
|
|
|
|||
|
|
@ -18,4 +18,3 @@ keywords: [community,meetup]
|
|||
| [《服务网络安全-理解`IstioCNI`》张之晗-Tetrate](./IstioMeetupChina-服务网格安全-理解IstioCNI.pdf) |
|
||||
|
||||
感谢来自中国的 Istio 社区成员的工作举办这次活动,感谢来自 Istio 社区的 Maria Cruz 和 Craig Box 的大力支持!
|
||||
|
||||
|
|
|
|||
|
|
@ -257,4 +257,3 @@ $ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-versions.yaml@
|
|||
{{< text bash >}}
|
||||
$ @samples/bookinfo/platform/kube/cleanup.sh@
|
||||
{{< /text >}}
|
||||
|
||||
|
|
|
|||
|
|
@ -45,4 +45,3 @@ test: no
|
|||
恭喜,您已配置完毕本地计算机!
|
||||
|
||||
接下来[在本地运行微服务](/zh/docs/examples/microservices-istio/single/)。
|
||||
|
||||
|
|
|
|||
|
|
@ -57,4 +57,3 @@ gcr.io/istio-release/pilot:1.12.0 的验证——对这些签名中的每一个
|
|||
|
||||
[{"critical":{"identity":{"docker-reference":"gcr.io/istio-release/pilot"},"image":{"docker-manifest-digest":"sha256:c37fd83f6435ca0966d653dc6ac42c9fe5ac11d0d5d719dfe97de84acbf7a32d"},"type":"cosign container image signature"},"optional":null}]
|
||||
{{< /text >}}
|
||||
|
||||
|
|
|
|||
|
|
@ -253,5 +253,3 @@ metadata:
|
|||
1. 等待几秒钟,使 `VirtualService` 配置传播到 Envoy sidecar。
|
||||
|
||||
1. 更新 `DestinationRule` 以删除未使用的子集。
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -218,4 +218,3 @@ spec:
|
|||
请注意,上面的示例仅将 Gateway 配置为接受传入的 PROXY 协议 TCP 流量。
|
||||
有关如何配置 Envoy 本身以使用 PROXY 协议与上游服务通信的示例,请参见
|
||||
[Envoy 文档](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency#proxy-protocol)。
|
||||
|
||||
|
|
|
|||
|
|
@ -38,4 +38,3 @@ spec:
|
|||
|
||||
- 如果您有一个服务类型为 ExternalName 并且服务协议为 TCP ,那么将端口重命名为 `<protocol>[-<suffix>]` 或者 `<protocol>` ,其中协议指的是 `https` 或者 `tls` 。想学得更多相关知识,
|
||||
请查看[显式协议选择](/zh/docs/ops/configuration/traffic-management/protocol-selection/#explicit-protocol-selection)文档。
|
||||
|
||||
|
|
|
|||
|
|
@ -172,4 +172,3 @@ spec:
|
|||
5000)
|
||||
end
|
||||
{{< /text >}}
|
||||
|
||||
|
|
|
|||
|
|
@ -155,5 +155,3 @@ spec:
|
|||
1. [IstioOperator - 自定义安装](/zh/docs/setup/additional-setup/customize-installation)
|
||||
1. [高级 Helm 技术](https://helm.sh/docs/topics/advanced/)
|
||||
1. [自定义](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/)
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -61,4 +61,3 @@ $ istioctl dashboard jaeger
|
|||
{{< /text >}}
|
||||
|
||||
1. 如果您没有计划探索任何接下来的任务,请参考 [Bookinfo 清理](/zh/docs/examples/bookinfo/#cleanup)中的说明,关闭整个应用程序。
|
||||
|
||||
|
|
|
|||
|
|
@ -188,4 +188,3 @@ Istio 公开了所有标准 [Envoy 属性](https://www.envoyproxy.io/docs/envoy/
|
|||
`upstream_peer.labels['app'].value`。
|
||||
|
||||
有关详细信息请参阅[配置参考](/zh/docs/reference/config/proxy_extensions/stats/)。
|
||||
|
||||
|
|
|
|||
|
|
@ -411,4 +411,3 @@ EOF
|
|||
{{< text bash >}}
|
||||
$ kubectl delete authorizationpolicy ingress-policy -n istio-system
|
||||
{{< /text >}}
|
||||
|
||||
|
|
|
|||
|
|
@ -250,4 +250,3 @@ $ kubectl delete service my-wikipedia
|
|||
{{< text bash >}}
|
||||
$ unset SOURCE_POD SOURCE_POD_WITHOUT_ISTIO
|
||||
{{< /text >}}
|
||||
|
||||
|
|
|
|||
|
|
@ -228,4 +228,3 @@ $ kubectl delete -f @samples/sleep/sleep.yaml@
|
|||
{{< text bash >}}
|
||||
$ istioctl uninstall --purge -y
|
||||
{{< /text >}}
|
||||
|
||||
|
|
|
|||
|
|
@ -20,4 +20,3 @@ aliases:
|
|||
- **修复** 修复了在 `VirtualService` 上设置 `retryRemoteLocalities` 时会产生 Envoy 拒绝的配置的问题。 ([Issue #33737](https://github.com/istio/istio/issues/33737))
|
||||
|
||||
- **改进** 改进了在对 `meshConfig.defaultConfig.proxyMetadata` 字段重写时执行深度合并,而不是替换所有值。
|
||||
|
||||
|
|
|
|||
|
|
@ -34,4 +34,3 @@ aliases:
|
|||
|
||||
- **Fixed** 修复了 `DestinationRule` 更新不会触发 `AUTO_PASSTHROUGH` 网关上侦听器更新的问题。
|
||||
([Issue #34944](https://github.com/istio/istio/issues/34944))
|
||||
|
||||
|
|
|
|||
|
|
@ -23,4 +23,3 @@ aliases:
|
|||
|
||||
- **修复** 修复了 webhook 分析中的一个问题,该问题会使 helm 调节器警告 webhook 的重复的问题。
|
||||
([Issue #36114](https://github.com/istio/istio/issues/36114))
|
||||
|
||||
|
|
|
|||
|
|
@ -16,4 +16,3 @@ release: 1.12.9
|
|||
- **修复** 修复了构建路由的顺序,即一条总括性的路由不再与在它之后宣布的其他路由形成短路。([Issue #39188](https://github.com/istio/istio/issues/39188))
|
||||
|
||||
- **修复** 修复了在更新多集群秘钥时,会更新所有注册表并停止所有的控制器。但是由控制器启动的通知器并没有停止,它们将继续在后台运行的错误。([Issue #39366](https://github.com/istio/istio/issues/39366))
|
||||
|
||||
|
|
|
|||
|
|
@ -23,4 +23,3 @@ weight: 20
|
|||
一旦准备好迁移到新的控制平面版本,集群 Operators 就应该切换默认版本。
|
||||
这可以通过 `istioctl tag set default --revision <new revision>` 来实现,
|
||||
或者如果使用基于 Helm 的流程,则可以使用 `helm upgrade istio-base manifests/charts/base -n istio-system --set defaultRevision=<new revision>` 来完成。
|
||||
|
||||
|
|
|
|||
|
|
@ -6,4 +6,3 @@ list_by_publishdate: true
|
|||
layout: release-grid
|
||||
decoration: dot
|
||||
---
|
||||
|
||||
|
|
|
|||
|
|
@ -18,4 +18,3 @@ aliases:
|
|||
- __[CVE-2020-25017](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25017)__:
|
||||
在某些情况下,当存在多个头(Header)时,Envoy 只考虑第一个值。另外,Envoy 不会替换所有已存在的非内联头。
|
||||
- __CVSS Score__: 8.3 [AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L&version=3.1)
|
||||
|
||||
|
|
|
|||
|
|
@ -81,4 +81,3 @@ weight: 10
|
|||
|
||||
- **新增** 如果一个 istio.io 页面已经被 istio.io 自动测试所测试,还会出现提示。
|
||||
([Issue #7672](https://github.com/istio/istio.io/issues/7672))
|
||||
|
||||
|
|
|
|||
|
|
@ -8,4 +8,3 @@ publishdate: 2022-01-07
|
|||
正如[先前所宣布](/zh/news/support/announcing-1.10-eol/),对 Istio 1.10 的支持正式结束。
|
||||
|
||||
此时,我们将不再将安全问题和严重错误的修复移植到 1.10,因此如果您还没有升级的话,我们衷心建议您升级到最新版本的 Istio ({{<istio_release_name>}})。
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue