Update reference docs. (#5526)

Martin Taillefer 2019-11-08 15:53:54 -08:00 committed by GitHub
parent 2b21256025
commit 5effeb4c3c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 308 additions and 595 deletions

@ -4,7 +4,7 @@ source_repo: https://github.com/istio/istio
title: istioctl
description: Istio control interface.
generator: pkg-collateral-docs
number_of_entries: 76
number_of_entries: 75
max_toc_level: 2
remove_toc_prefix: 'istioctl '
---
@ -47,46 +47,6 @@ debug and diagnose their Istio mesh.
</tr>
</tbody>
</table>
<h2 id="istioctl-auth">istioctl auth</h2>
<p>(auth is experimental. Use `istioctl experimental auth`)</p>
<pre class="language-bash"><code>istioctl auth [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
</tr>
<tr>
<td><code>--istioNamespace &lt;string&gt;</code></td>
<td><code>-i</code></td>
<td>Istio system namespace (default `istio-system`)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
</tbody>
</table>
<h2 id="istioctl-authn">istioctl authn</h2>
<p>
A group of commands used to interact with Istio authentication policies.
@ -185,6 +145,46 @@ service &#34;bar&#34; :
istioctl authn tls-check foo-656bd7df7c-5zp4s.default bar
</code></pre>
<h2 id="istioctl-authz">istioctl authz</h2>
<p>(authz is experimental. Use `istioctl experimental authz`)</p>
<pre class="language-bash"><code>istioctl authz [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
</tr>
<tr>
<td><code>--istioNamespace &lt;string&gt;</code></td>
<td><code>-i</code></td>
<td>Istio system namespace (default `istio-system`)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
</tbody>
</table>
<h2 id="istioctl-convert-ingress">istioctl convert-ingress</h2>
<p>Converts Ingresses into VirtualService configuration on a best effort basis. The output should be considered a starting point for your Istio configuration and probably require some minor modification. Warnings will be generated where configs cannot be converted perfectly. The input must be a Kubernetes Ingress. The conversion of v1alpha1 Istio rules has been removed from istioctl.</p>
<pre class="language-bash"><code>istioctl convert-ingress [flags]
@ -878,6 +878,11 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
<td>&#39;true&#39; to enable service discovery, &#39;false&#39; to disable it. Defaults to true if --use-kube is set, false otherwise. Analyzers requiring resources made available by enabling service discovery will be skipped. (default ``)</td>
</tr>
<tr>
<td><code>--failure-threshold &lt;Level&gt;</code></td>
<td></td>
<td>The severity level of analysis at which to set a non-zero exit code. Valid values: [Info Warn Error] (default `Warn`)</td>
</tr>
<tr>
<td><code>--istioNamespace &lt;string&gt;</code></td>
<td><code>-i</code></td>
<td>Istio system namespace (default `istio-system`)</td>
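Review bot: The `--failure-threshold` description does not say whether the threshold is inclusive or which exit code is returned when it is reached. With a default of `Warn`, scripts and CI jobs that call `istioctl experimental analyze` need to know exactly when the command fails. Suggest wording along the lines of "messages at or above this level cause a non-zero exit code" (if that is the behaviour) and naming the exit code, so pipeline authors can gate on it deliberately.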
@ -898,6 +903,11 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--output-threshold &lt;Level&gt;</code></td>
<td></td>
<td>The severity level of analysis at which to display messages. Valid values: [Info Warn Error] (default `Info`)</td>
</tr>
<tr>
<td><code>--use-kube</code></td>
<td><code>-k</code></td>
<td>Use live Kubernetes cluster for analysis </td>
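Review bot: The `--output-threshold` description does not say how it interacts with `--failure-threshold`. With the documented defaults (`Info` for output, `Warn` for failure) every failing message is displayed, but a user who sets `--output-threshold Error` and leaves the failure threshold at `Warn` could get a non-zero exit with nothing printed. Suggest documenting whether the failure check is evaluated over all messages or only over the displayed ones.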
@ -927,11 +937,10 @@ istioctl experimental analyze -d true a.yaml b.yaml services.yaml
istioctl experimental analyze -k -d false
</code></pre>
<h2 id="istioctl-experimental-auth">istioctl experimental auth</h2>
<p>Commands to inspect and interact with the authentication (TLS, JWT) and authorization (RBAC) policies in the mesh
check - check the TLS/JWT/RBAC settings based on the Envoy config
<h2 id="istioctl-experimental-authz">istioctl experimental authz</h2>
<p>Commands to inspect and interact with the authorization policies
check - check Envoy config dump for authorization configuration
convert - convert v1alpha1 RBAC policies to v1beta1 authorization policies
validate - check for potential incorrect usage in authorization policy files.
</p>
<table class="command-flags">
<thead>
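Review bot: The `istioctl experimental authz` summary still lists `validate - check for potential incorrect usage in authorization policy files.`, but this commit removes the `istioctl experimental auth validate` section further down and adds no `authz validate` section in its place. Since the page is generated, either the command's long description in istio/istio should drop `validate`, or the missing subcommand section should be generated, so readers are not pointed at a command with no reference entry.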
@ -969,29 +978,23 @@ istioctl experimental analyze -k -d false
</tr>
</tbody>
</table>
<h3 id="istioctl-experimental-auth Examples">Examples</h3>
<pre class="language-bash"><code> # Check the TLS/JWT/RBAC settings for pod httpbin-88ddbcfdd-nt5jb:
istioctl experimental auth check httpbin-88ddbcfdd-nt5jb
<h3 id="istioctl-experimental-authz Examples">Examples</h3>
<pre class="language-bash"><code> # Check Envoy authorization configuration for pod httpbin-88ddbcfdd-nt5jb:
istioctl x authz check httpbin-88ddbcfdd-nt5jb
# Convert the v1alpha1 RBAC policies currently applied in the cluster to v1beta1 authorization policies:
istioctl experimental auth convert &gt; v1beta1-authz.yaml
# Convert the v1alpha1 RBAC policies in the current cluster to v1beta1 authorization policies:
istioctl x authz convert &gt; v1beta1-authz.yaml
</code></pre>
<h2 id="istioctl-experimental-auth-check">istioctl experimental auth check</h2>
<p>Check analyzes the TLS/JWT/RBAC settings directly based on the Envoy config. The Envoy config could
be provided either by pod name or from a config dump file (the whole output of http://localhost:15000/config_dump
of an Envoy instance).</p>
<p>Currently only the listeners with node IP and clusters on outbound direction are analyzed:
- listeners with node IP generally tell how should other pods talk to the Envoy instance which include
the server side TLS/JWT/RBAC settings.</p>
<p>- clusters on outbound direction generally tell how should the Envoy instance talk to other pods which
include the client side TLS settings.</p>
<p>To check the TLS setting, you could run &#39;check&#39; on both of the client and server pods and compare
the cluster results of the client pod and the listener results of the server pod.</p>
<p>To check the JWT/RBAC setting, you could run &#39;check&#39; only on your server pods and check the listener results.</p>
<h2 id="istioctl-experimental-authz-check">istioctl experimental authz check</h2>
<p>Check reads the Envoy config dump and checks the filter configuration
related to authorization. For example, it shows whether or not the Envoy is configured
with authorization and the rules used in the authorization.</p>
<p>The Envoy config dump could be provided either by pod name or from a config dump file
(the whole output of http://localhost:15000/config_dump of an Envoy instance).</p>
<p>THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
</p>
<pre class="language-bash"><code>istioctl experimental auth check &lt;pod-name&gt;[.&lt;pod-namespace&gt;] [flags]
<pre class="language-bash"><code>istioctl experimental authz check &lt;pod-name&gt;[.&lt;pod-namespace&gt;] [flags]
</code></pre>
<table class="command-flags">
<thead>
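Review bot: The rewritten `authz check` description narrows the command to authorization filters and drops all of the old guidance on checking TLS and JWT settings, without saying where that check now lives. Suggest a one-line pointer, for example to `istioctl authn tls-check`, which is documented earlier on this page, so operators verifying mutual TLS still have a documented path. The phrase "whether or not the Envoy is configured with authorization" would also read better as "whether the Envoy proxy has authorization configured".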
@ -1015,7 +1018,7 @@ the cluster results of the client pod and the listener results of the server pod
<tr>
<td><code>--file &lt;string&gt;</code></td>
<td><code>-f</code></td>
<td>Check the TLS/JWT/RBAC setting from the config dump file (default ``)</td>
<td>Check the Envoy config dump from a file (default ``)</td>
</tr>
<tr>
<td><code>--istioNamespace &lt;string&gt;</code></td>
@ -1039,17 +1042,17 @@ the cluster results of the client pod and the listener results of the server pod
</tr>
</tbody>
</table>
<h3 id="istioctl-experimental-auth-check Examples">Examples</h3>
<pre class="language-bash"><code> # Check the TLS/JWT/RBAC policy status for pod httpbin-88ddbcfdd-nt5jb in namespace foo:
istioctl experimental auth check httpbin-88ddbcfdd-nt5jb.foo
<h3 id="istioctl-experimental-authz-check Examples">Examples</h3>
<pre class="language-bash"><code> # Check Envoy authorization configuration for pod httpbin-88ddbcfdd-nt5jb:
istioctl x authz check httpbin-88ddbcfdd-nt5jb
# Check the TLS/JWT/RBAC policy status from a config dump file:
istioctl experimental auth check -f httpbin_config_dump.txt
# Check Envoy authorization configuration from a config dump file:
istioctl x authz check -f httpbin_config_dump.json
</code></pre>
<h2 id="istioctl-experimental-auth-convert">istioctl experimental auth convert</h2>
<p>Convert converts Istio v1alpha1 RBAC policy to v1beta1 authorization policy. The command talks to Kubernetes
API server to get all the information needed to complete the conversion, including the currently applied v1alpha1
RBAC policies, the Istio config-map for root namespace configuration and the k8s Service translating the
<h2 id="istioctl-experimental-authz-convert">istioctl experimental authz convert</h2>
<p>Convert Istio v1alpha1 RBAC policy to v1beta1 authorization policy. The command talks to Kubernetes
API server to get all the information needed to complete the conversion, including the v1alpha1 RBAC policies in the current
cluster, the Istio config-map for root namespace configuration and the k8s Service translating the
service name to workload selector.</p>
<p>The tool can also be used in offline mode without talking to the Kubernetes API server. In this mode,
all needed information is provided through the command line.</p>
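Review bot: The `authz check` examples lose the namespace-qualified form: the old first example used `httpbin-88ddbcfdd-nt5jb.foo`, while the new one, `istioctl x authz check httpbin-88ddbcfdd-nt5jb`, is identical to the example under the parent `authz` command. The usage line still documents `<pod-name>[.<pod-namespace>]`, so keep one example with a namespace suffix. The examples also use the `x` alias while the usage line spells out `experimental`; pick one form or mention the alias in the description.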
@ -1061,7 +1064,7 @@ to workload selector).</p>
<p>Please always review the converted policies before applying them.</p>
<p>THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
</p>
<pre class="language-bash"><code>istioctl experimental auth convert [flags]
<pre class="language-bash"><code>istioctl experimental authz convert [flags]
</code></pre>
<table class="command-flags">
<thead>
@ -1119,66 +1122,14 @@ to workload selector).</p>
</tr>
</tbody>
</table>
<h3 id="istioctl-experimental-auth-convert Examples">Examples</h3>
<pre class="language-bash"><code> # Convert the v1alpha1 RBAC policy currently applied in the cluster:
istioctl experimental auth convert &gt; v1beta1-authz.yaml
<h3 id="istioctl-experimental-authz-convert Examples">Examples</h3>
<pre class="language-bash"><code> # Convert the v1alpha1 RBAC policy in the current cluster:
istioctl x authz convert &gt; v1beta1-authz.yaml
# Convert the v1alpha1 RBAC policy provided through command line:
istioctl experimental auth convert -f v1alpha1-policy-1.yaml,v1alpha1-policy-2.yaml
istioctl x authz convert -f v1alpha1-policy-1.yaml,v1alpha1-policy-2.yaml
--service services.yaml --meshConfigFile meshConfig.yaml &gt; v1beta1-authz.yaml
</code></pre>
<h2 id="istioctl-experimental-auth-validate">istioctl experimental auth validate</h2>
<p>This command goes through all authorization policy files and finds potential issues such as:
* ServiceRoleBinding refers to a non existing ServiceRole.
* ServiceRole not used.
It does not require access to the cluster as the validation is against local files.
</p>
<pre class="language-bash"><code>istioctl experimental auth validate &lt;policy-file1,policy-file2,...&gt; [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
</tr>
<tr>
<td><code>--file &lt;stringSlice&gt;</code></td>
<td><code>-f</code></td>
<td>Authorization policy file (default `[]`)</td>
</tr>
<tr>
<td><code>--istioNamespace &lt;string&gt;</code></td>
<td><code>-i</code></td>
<td>Istio system namespace (default `istio-system`)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
</tbody>
</table>
<h3 id="istioctl-experimental-auth-validate Examples">Examples</h3>
<pre class="language-bash"><code>istioctl experimental auth validate -f policy1.yaml,policy2.yaml
</code></pre>
<h2 id="istioctl-experimental-convert-ingress">istioctl experimental convert-ingress</h2>
<p>(convert-ingress has graduated. Use `istioctl convert-ingress`)</p>
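Review bot: In the `authz convert` examples, the offline command is split across two lines with no continuation character: `istioctl x authz convert -f v1alpha1-policy-1.yaml,v1alpha1-policy-2.yaml` is followed by `--service services.yaml --meshConfigFile meshConfig.yaml > v1beta1-authz.yaml` on a line of its own. Pasted as shown, a shell treats these as two separate commands, so the convert runs without `--service` and `--meshConfigFile`. Since the first line is being changed anyway, end it with a trailing backslash in the source example.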
@ -1276,7 +1227,7 @@ to workload selector).</p>
<tr>
<td><code>--service-account &lt;string&gt;</code></td>
<td></td>
<td>create a secret with this service account&#39;s credentials. (default `istio-pilot-service-account`)</td>
<td>create a secret with this service account&#39;s credentials. (default `istio-reader-service-account`)</td>
</tr>
</tbody>
</table>
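Review bot: The `--service-account` default changes from `istio-pilot-service-account` to `istio-reader-service-account`, but the description still only says "create a secret with this service account's credentials." Anyone relying on the default will now get a secret carrying a different account's credentials, so the description should say what access that account is expected to have, and the change deserves a release-note entry. Minor: the description starts in lower case, unlike the other flag descriptions on this page.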

@ -29,6 +29,36 @@ Istio supports to control its behavior.
<tr>
<td><code>install.operator.istio.io/chart-owner</code></td>
<td>[Any]</td>
<td>Represents the name of the chart used to create this resource.</td>
</tr>
<tr>
<td><code>install.operator.istio.io/owner-generation</code></td>
<td>[Any]</td>
<td>Represents the generation to which the resource was last reconciled.</td>
</tr>
<tr>
<td><code>install.operator.istio.io/version</code></td>
<td>[Any]</td>
<td>Represents the Istio version associated with the resource</td>
</tr>
<tr>
<td><code>kubernetes.io/ingress.class</code></td>

@ -6,7 +6,7 @@ description: Configuration for Istio control plane installation through the Oper
location: https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb.html
layout: protoc-gen-docs
generator: protoc-gen-docs
number_of_entries: 56
number_of_entries: 59
---
<p>IstioControlPlane is a schema for both defining and customizing Istio control plane installations.
Running the operator with an empty user defined InstallSpec results in an control plane with default values, using the
@ -271,7 +271,7 @@ No
<td><code>enabled</code></td>
<td><code><a href="#TypeBoolValueForPB">TypeBoolValueForPB</a></code></td>
<td>
<p>Selects whether gateway feature is installed. Must be set for any sub-component to be installed.</p>
<p>Selects whether CNI feature is installed. Must be set for any sub-component to be installed.</p>
</td>
<td>
@ -485,6 +485,122 @@ No
</tbody>
</table>
</section>
<h2 id="CoreDNSComponentSpec">CoreDNSComponentSpec</h2>
<section>
<p>Configuration options for CoreDNS component.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="CoreDNSComponentSpec-enabled">
<td><code>enabled</code></td>
<td><code><a href="#TypeBoolValueForPB">TypeBoolValueForPB</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
<tr id="CoreDNSComponentSpec-namespace">
<td><code>namespace</code></td>
<td><code>string</code></td>
<td>
</td>
<td>
No
</td>
</tr>
<tr id="CoreDNSComponentSpec-k8s">
<td><code>k8s</code></td>
<td><code><a href="#KubernetesResourcesSpec">KubernetesResourcesSpec</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="CoreDNSFeatureSpec">CoreDNSFeatureSpec</h2>
<section>
<p>Configuration options for CoreDNS feature.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="CoreDNSFeatureSpec-enabled">
<td><code>enabled</code></td>
<td><code><a href="#TypeBoolValueForPB">TypeBoolValueForPB</a></code></td>
<td>
<p>Selects whether CoreDNS feature is installed. Must be set for any sub-component to be installed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="CoreDNSFeatureSpec-components">
<td><code>components</code></td>
<td><code><a href="#CoreDNSFeatureSpec-Components">Components</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="CoreDNSFeatureSpec-Components">CoreDNSFeatureSpec.Components</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="CoreDNSFeatureSpec-Components-namespace">
<td><code>namespace</code></td>
<td><code>string</code></td>
<td>
<p>Namespace that CoreDNS components are installed into.</p>
</td>
<td>
No
</td>
</tr>
<tr id="CoreDNSFeatureSpec-Components-coreDNS">
<td><code>coreDNS</code></td>
<td><code><a href="#CoreDNSComponentSpec">CoreDNSComponentSpec</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="DeploymentStrategy">DeploymentStrategy</h2>
<section>
<p>Mirrors k8s.io.api.apps.v1.DeploymentStrategy for unmarshaling.</p>
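Review bot: Most of the new CoreDNS fields are generated with empty descriptions: `enabled`, `namespace` and `k8s` in `CoreDNSComponentSpec`, `components` in `CoreDNSFeatureSpec`, and `coreDNS` in `CoreDNSFeatureSpec.Components` all have an empty description cell, and the `CoreDNSFeatureSpec.Components` section has no summary paragraph. Because the page is produced by protoc-gen-docs, the fix is to add comments to these fields in the source proto so the reference says what each one controls and into which namespace the component is installed by default.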
@ -1145,6 +1261,15 @@ No
No
</td>
</tr>
<tr id="IstioControlPlaneSpec-coreDNS">
<td><code>coreDNS</code></td>
<td><code><a href="#CoreDNSFeatureSpec">CoreDNSFeatureSpec</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
<tr id="IstioControlPlaneSpec-values">
<td><code>values</code></td>
<td><code><a href="#TypeMapStringInterface">TypeMapStringInterface</a></code></td>

@ -1,271 +0,0 @@
---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO
source_repo: https://github.com/istio/istio
title: SignalFx
description: Adapter that sends metrics to SignalFx.
location: https://istio.io/docs/reference/config/policy-and-telemetry/adapters/signalfx.html
layout: protoc-gen-docs
generator: protoc-gen-docs
supported_templates: metric,tracespan
number_of_entries: 3
---
<p>The <code>signalfx</code> adapter collects Istio metrics and trace spans and sends them
to <a href="https://signalfx.com">SignalFx</a>.</p>
<p>This adapter supports the <a href="/docs/reference/config/policy-and-telemetry/templates/metric/">metric template</a>
and the <a href="/docs/reference/config/policy-and-telemetry/templates/tracespan/">tracespan template</a>.</p>
<p>If sending trace spans, this adapter can make use of certain conventions in
the tracespan format that is configured to send to this adapter. Here is an
example tracespan spec that will work well:</p>
<pre><code class="language-yaml">apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
name: signalfx
spec:
compiledTemplate: tracespan
params:
traceId: request.headers[&quot;x-b3-traceid&quot;] | &quot;&quot;
spanId: request.headers[&quot;x-b3-spanid&quot;] | &quot;&quot;
parentSpanId: request.headers[&quot;x-b3-parentspanid&quot;] | &quot;&quot;
# If the path contains query parameters, they will be split off and put into
# tags such that the span name sent to SignalFx will consist only of the path
# itself.
spanName: request.path | &quot;/&quot;
startTime: request.time
endTime: response.time
# If this is &gt;=500, the span will get an 'error' tag
httpStatusCode: response.code | 0
clientSpan: context.reporter.kind == &quot;outbound&quot;
# Span tags below that do not have comments are useful but optional and will
# be passed to SignalFx unmodified. The tags that have comments are interpreted
# in a special manner, but are still optional.
spanTags:
# This is used to determine whether the span pertains to the client or
# server side of the request.
context.reporter.local: context.reporter.local
# This gets put into the remoteEndpoint.ipv4 field
destination.ip: destination.ip | ip(&quot;0.0.0.0&quot;)
# This gets flattened out to individual tags of the form
# 'destination.labels.&lt;key&gt;: &lt;value&gt;'.
destination.labels: destination.labels
# This gets put into the remoteEndpoint.name field
destination.name: destination.name | &quot;unknown&quot;
destination.namespace: destination.namespace | &quot;unknown&quot;
request.host: request.host | &quot;&quot;
request.method: request.method | &quot;&quot;
request.path: request.path | &quot;&quot;
request.size: request.size | 0
request.useragent: request.useragent | &quot;&quot;
response.size: response.size | 0
# This gets put into the localEndpoint.name field
source.name: source.name | &quot;unknown&quot;
# This gets put into the localEndpoint.ipv4 field
source.ip: source.ip | ip(&quot;0.0.0.0&quot;)
source.namespace: source.namespace | &quot;unknown&quot;
# This gets flattened out to individual tags of the form
# 'source.labels.&lt;key&gt;: &lt;value&gt;'.
source.labels: source.labels
source.version: source.labels[&quot;version&quot;] | &quot;unknown&quot;
</code></pre>
<h2 id="Params">Params</h2>
<section>
<p>Configuration format for the <code>signalfx</code> adapter.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Params-metrics">
<td><code>metrics</code></td>
<td><code><a href="#Params-MetricConfig">MetricConfig[]</a></code></td>
<td>
<p>Required. The set of metrics to send to SignalFx. If an Istio metric is
configured to be sent to this adapter, it must have a corresponding
description here.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Params-ingest_url">
<td><code>ingestUrl</code></td>
<td><code>string</code></td>
<td>
<p>Optional. The URL of the SignalFx ingest server to use. Will default to
the global ingest server if not specified.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Params-access_token">
<td><code>accessToken</code></td>
<td><code>string</code></td>
<td>
<p>Required. The access token for the SignalFx organization that should
receive the metrics.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Params-datapoint_interval">
<td><code>datapointInterval</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
<p>Optional. Specifies how frequently to send metrics to SignalFx. Metrics
reported to this adapter are collected and reported as a timeseries.
This will be rounded to the nearest second and rounded values less than
one second are not valid. Defaults to 10 seconds if not specified.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Params-enable_metrics">
<td><code>enableMetrics</code></td>
<td><code>bool</code></td>
<td>
<p>Optional. If set to false, metrics won&rsquo;t be sent (but trace spans will
be sent, unless otherwise disabled).</p>
</td>
<td>
No
</td>
</tr>
<tr id="Params-enable_tracing">
<td><code>enableTracing</code></td>
<td><code>bool</code></td>
<td>
<p>Optional. If set to false, trace spans won&rsquo;t be sent (but metrics will
be sent, unless otherwise disabled).</p>
</td>
<td>
No
</td>
</tr>
<tr id="Params-tracing_buffer_size">
<td><code>tracingBufferSize</code></td>
<td><code>uint32</code></td>
<td>
<p>Optional. The number of trace spans that the adapter will buffer before
dropping them. This defaults to 1000 spans but can be configured higher
if needed. An error message will be logged if spans are dropped.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Params-tracing_sample_probability">
<td><code>tracingSampleProbability</code></td>
<td><code>double</code></td>
<td>
<p>Optional. The uniform probability ([0.0, 1.0]) that a given span gets
sampled if its parent was not already sampled. Child spans will always
be sampled if their parent is. If not provided, defaults to sending all
spans.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Params-MetricConfig">Params.MetricConfig</h2>
<section>
<p>Describes what metrics should be sent to SignalFx and in what form.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Params-MetricConfig-name">
<td><code>name</code></td>
<td><code>string</code></td>
<td>
<p>Required. The name of the metric as it is sent to the adapter. In
Kubernetes this is of the form <code>&lt;name&gt;.metric.&lt;namespace&gt;</code> where
<code>&lt;name&gt;</code> is the name field of the metric resource, and <code>&lt;namespace&gt;</code>
is the namespace of the metric resource.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Params-MetricConfig-type">
<td><code>type</code></td>
<td><code><a href="#Params-MetricConfig-Type">Type</a></code></td>
<td>
<p>The metric type of the metric</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Params-MetricConfig-Type">Params.MetricConfig.Type</h2>
<section>
<p>Describes what kind of metric this is.</p>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Params-MetricConfig-Type-NONE">
<td><code>NONE</code></td>
<td>
<p>None is the default and is invalid</p>
</td>
</tr>
<tr id="Params-MetricConfig-Type-COUNTER">
<td><code>COUNTER</code></td>
<td>
<p>Values with the same set of dimensions will be added together
as a continuously incrementing value.</p>
</td>
</tr>
<tr id="Params-MetricConfig-Type-HISTOGRAM">
<td><code>HISTOGRAM</code></td>
<td>
<p>A histogram distribution. This will result in several metrics
emitted for each unique set of dimensions.</p>
</td>
</tr>
</tbody>
</table>
</section>
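Review bot: The published URL in the deleted front matter, `https://istio.io/docs/reference/config/policy-and-telemetry/adapters/signalfx.html`, will stop resolving once this file is removed, and the commit message ("Update reference docs.") gives no reason for dropping the `signalfx` adapter page. Suggest adding a redirect or alias for that location and stating in the commit message why the page is removed.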

@ -99,7 +99,7 @@ in addition to the server-side telemetry.
#### Adapters
- **SignalFX**. There is a new [`signalfx`](/docs/reference/config/policy-and-telemetry/adapters/signalfx/) adapter.
- **SignalFX**. There is a new `signalfx` adapter.
- **Stackdriver**. The [`stackdriver`](/docs/reference/config/policy-and-telemetry/adapters/stackdriver/) adapter has been substantially enhanced in this
release to add new features and improve performance.
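Review bot: With the link removed, the bullet "There is a new `signalfx` adapter." points nowhere, while the Stackdriver bullet below it still links to its reference page. If the adapter reference is gone for good, consider linking to an archived copy of the page instead of leaving a bare mention. The bullet label also spells the name **SignalFX**, where the removed page's title uses SignalFx.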

@ -99,7 +99,7 @@ in addition to the server-side telemetry.
#### Adapters
- **SignalFX**. There is a new [`signalfx`](/docs/reference/config/policy-and-telemetry/adapters/signalfx/) adapter.
- **SignalFX**. There is a new `signalfx` adapter.
- **Stackdriver**. The [`stackdriver`](/docs/reference/config/policy-and-telemetry/adapters/stackdriver/) adapter has been substantially enhanced in this
release to add new features and improve performance.

@ -113,3 +113,38 @@ messages:
type: string
- name: host
type: string
- name: "ConflictingSidecarWorkloadSelectors"
code: IST0110
level: Error
description: "A Sidecar resource selects the same workloads as another Sidecar resource"
template: "The Sidecars %v in namespace %q select the same workload pod %q, which can lead to undefined behavior."
args:
- name: conflitingSidecars
type: "[]string"
- name: namespace
type: string
- name: workloadPod
type: string
- name: "MultipleSidecarsWithoutWorkloadSelectors"
code: IST0111
level: Error
description: "More than one sidecar resource in a namespace has no workload selector"
template: "The Sidecars %v in namespace %q have no workload selector, which can lead to undefined behavior."
args:
- name: conflitingSidecars
type: "[]string"
- name: namespace
type: string
- name: "VirtualServiceDestinationPortSelectorRequired"
code: IST0112
level: Error
description: "A VirtualService routes to a service with more than one port exposed, but does not specify which to use."
template: "This VirtualService routes to a service %q that exposes multiple ports %v. Specifying a port in the destination is required to disambiguate."
args:
- name: destHost
type: string
- name: destPorts
type: "[]int"
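Review bot: The argument name `conflitingSidecars` is misspelled in both `ConflictingSidecarWorkloadSelectors` (IST0110) and `MultipleSidecarsWithoutWorkloadSelectors` (IST0111); it should be `conflictingSidecars`. If these names feed generated code, fixing the spelling now avoids a rename later. The descriptions are also inconsistent in style: IST0110 and IST0111 have no trailing period and IST0111 writes "sidecar" in lower case, while IST0112 ends with a period.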

@ -14,11 +14,11 @@ $endsnippet
$snippet verify_service.sh_output.txt syntax="text"
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
details ClusterIP 10.101.120.116 <none> 9080/TCP 1s
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 8m48s
productpage ClusterIP 10.109.229.155 <none> 9080/TCP 0s
ratings ClusterIP 10.105.61.20 <none> 9080/TCP 1s
reviews ClusterIP 10.104.30.214 <none> 9080/TCP 0s
details ClusterIP 10.104.210.169 <none> 9080/TCP 1s
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 9m27s
productpage ClusterIP 10.104.178.50 <none> 9080/TCP 0s
ratings ClusterIP 10.97.49.198 <none> 9080/TCP 0s
reviews ClusterIP 10.103.202.170 <none> 9080/TCP 0s
$endsnippet
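Review bot: The only differences in this `verify_service.sh_output.txt` snippet are cluster IPs and ages (for example `10.101.120.116` becoming `10.104.210.169` for `details`), values that change on every test run. Checking them in verbatim means each regeneration produces a diff with no documentation value; consider normalising IPs, ages and pod-name suffixes in the generated snippets, or regenerating them only when the command or its output format changes.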
@ -28,12 +28,12 @@ $endsnippet
$snippet verify_pods.sh_output.txt syntax="text"
NAME READY STATUS RESTARTS AGE
details-v1-74f858558f-sp2zc 2/2 Running 0 39s
productpage-v1-76589d9fdc-krrxc 2/2 Running 0 38s
ratings-v1-7855f5bcb9-c6vjp 2/2 Running 0 39s
reviews-v1-64bc5454b9-qsfww 2/2 Running 0 39s
reviews-v2-76c64d4bdf-95h6m 2/2 Running 0 39s
reviews-v3-5545c7c78f-9ptfw 2/2 Running 0 39s
details-v1-74f858558f-fxjvw 2/2 Running 0 41s
productpage-v1-76589d9fdc-bmbrs 2/2 Running 0 41s
ratings-v1-7855f5bcb9-tc8d7 2/2 Running 0 40s
reviews-v1-64bc5454b9-mbrgq 2/2 Running 0 40s
reviews-v2-76c64d4bdf-5rrkj 2/2 Running 0 41s
reviews-v3-5545c7c78f-fwjs6 2/2 Running 0 41s
$endsnippet

@ -1,157 +0,0 @@
# Created by TestAuthorizationForHTTPServices. DO NOT EDIT THIS FILE MANUALLY!
$snippet enabling_istio_authorization.sh syntax="bash"
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml@
$endsnippet
$snippet enforcing_namespace_level_access_control_apply.sh syntax="bash"
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/namespace-policy.yaml@
$endsnippet
$snippet enforcing_namespace_level_access_control_apply.sh_output.txt syntax="text"
servicerole.rbac.istio.io/service-viewer created
servicerolebinding.rbac.istio.io/bind-service-viewer created
$endsnippet
$snippet enforcing_namespace_level_access_control_delete.sh syntax="bash"
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/namespace-policy.yaml@
$endsnippet
$snippet enforcing_service_level_access_control_step1_apply.sh syntax="bash"
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
$endsnippet
$snippet enforcing_service_level_access_control_step2_apply.sh syntax="bash"
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml@
$endsnippet
$snippet enforcing_service_level_access_control_step3_apply.sh syntax="bash"
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/ratings-policy.yaml@
$endsnippet
$snippet remove_istio_authorization_policy.sh syntax="bash"
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/ratings-policy.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
$endsnippet
$snippet remove_istio_authorization_policy_alternative.sh syntax="bash"
$ kubectl delete servicerole --all
$ kubectl delete servicerolebinding --all
$endsnippet
$snippet disabling_istio_authorization.sh syntax="bash"
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml@
$endsnippet
$snippet enforcing_namespace_level_access_control_service-viewer.yaml syntax="yaml"
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
name: service-viewer
namespace: default
spec:
rules:
- services: ["*"]
methods: ["GET"]
constraints:
- key: "destination.labels[app]"
values: ["productpage", "details", "reviews", "ratings"]
$endsnippet
$snippet enforcing_namespace_level_access_control_bind-service-viewer.yaml syntax="yaml"
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
name: bind-service-viewer
namespace: default
spec:
subjects:
- properties:
source.namespace: "istio-system"
- properties:
source.namespace: "default"
roleRef:
kind: ServiceRole
name: "service-viewer"
$endsnippet
$snippet enforcing_service_level_access_control_step1_productpage-viewer.yaml syntax="yaml"
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
name: productpage-viewer
namespace: default
spec:
rules:
- services: ["productpage.default.svc.cluster.local"]
methods: ["GET"]
$endsnippet
$snippet enforcing_service_level_access_control_step1_bind-productpage-viewer.yaml syntax="yaml"
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
name: bind-productpage-viewer
namespace: default
spec:
subjects:
- user: "*"
roleRef:
kind: ServiceRole
name: "productpage-viewer"
$endsnippet
$snippet enforcing_service_level_access_control_step2_details-reviews-viewer.yaml syntax="yaml"
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
name: details-reviews-viewer
namespace: default
spec:
rules:
- services: ["details.default.svc.cluster.local", "reviews.default.svc.cluster.local"]
methods: ["GET"]
$endsnippet
$snippet enforcing_service_level_access_control_step2_bind-details-reviews.yaml syntax="yaml"
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
name: bind-details-reviews
namespace: default
spec:
subjects:
- user: "cluster.local/ns/default/sa/bookinfo-productpage"
roleRef:
kind: ServiceRole
name: "details-reviews-viewer"
$endsnippet
$snippet enforcing_service_level_access_control_step3_ratings-viewer.yaml syntax="yaml"
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
name: ratings-viewer
namespace: default
spec:
rules:
- services: ["ratings.default.svc.cluster.local"]
methods: ["GET"]
$endsnippet
$snippet enforcing_service_level_access_control_step3_bind-ratings.yaml syntax="yaml"
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
name: bind-ratings
namespace: default
spec:
subjects:
- user: "cluster.local/ns/default/sa/bookinfo-reviews"
roleRef:
kind: ServiceRole
name: "ratings-viewer"
$endsnippet
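Review bot: The commit message ("Update reference docs.") does not explain why the whole snippet file generated by TestAuthorizationForHTTPServices is deleted here (@ -1,157 +0,0 @). Please say in the message whether the test was removed or renamed, and confirm that no page still includes these snippets, for example enabling_istio_authorization.sh or the ServiceRole and ServiceRoleBinding YAML, since a dangling include would leave the authorization task without its commands and policies.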

View File

@ -21,7 +21,7 @@ $endsnippet
$snippet verify_initial_policies.sh syntax="bash" outputis="text"
$ kubectl get policies.authentication.istio.io --all-namespaces
NAMESPACE NAME AGE
istio-system grafana-ports-mtls-disabled 3m22s
istio-system grafana-ports-mtls-disabled 89s
$endsnippet
$snippet configure_mtls_destinationrule.sh syntax="bash"

View File

@ -138,20 +138,20 @@ $endsnippet
$snippet check_logs_v1_1.sh syntax="bash" outputis="text"
$ export V1_POD=$(kubectl -n istio-io-mirror get pod -l app=httpbin,version=v1 -o jsonpath={.items..metadata.name})
$ kubectl -n istio-io-mirror logs ${V1_POD} -c httpbin
[2019-11-05 18:48:27 +0000] [1] [INFO] Starting gunicorn 19.9.0
[2019-11-05 18:48:27 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
[2019-11-05 18:48:27 +0000] [1] [INFO] Using worker: sync
[2019-11-05 18:48:27 +0000] [8] [INFO] Booting worker with pid: 8
127.0.0.1 - - [05/Nov/2019:18:48:45 +0000] "GET /ISTIO_IO_MIRROR_TEST_1 HTTP/1.1" 404 233 "-" "curl/7.35.0"
[2019-11-08 20:42:04 +0000] [1] [INFO] Starting gunicorn 19.9.0
[2019-11-08 20:42:04 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
[2019-11-08 20:42:04 +0000] [1] [INFO] Using worker: sync
[2019-11-08 20:42:04 +0000] [8] [INFO] Booting worker with pid: 8
127.0.0.1 - - [08/Nov/2019:20:42:31 +0000] "GET /ISTIO_IO_MIRROR_TEST_1 HTTP/1.1" 404 233 "-" "curl/7.35.0"
$endsnippet
$snippet check_logs_v2_1.sh syntax="bash" outputis="text"
$ export V2_POD=$(kubectl -n istio-io-mirror get pod -l app=httpbin,version=v2 -o jsonpath={.items..metadata.name})
$ kubectl -n istio-io-mirror logs ${V2_POD} -c httpbin
[2019-11-05 18:48:28 +0000] [1] [INFO] Starting gunicorn 19.9.0
[2019-11-05 18:48:28 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
[2019-11-05 18:48:28 +0000] [1] [INFO] Using worker: sync
[2019-11-05 18:48:28 +0000] [9] [INFO] Booting worker with pid: 9
[2019-11-08 20:42:04 +0000] [1] [INFO] Starting gunicorn 19.9.0
[2019-11-08 20:42:04 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
[2019-11-08 20:42:04 +0000] [1] [INFO] Using worker: sync
[2019-11-08 20:42:04 +0000] [8] [INFO] Booting worker with pid: 8
$endsnippet
$snippet mirror_vs.sh syntax="bash"
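Review bot: In check_logs_v1_1.sh and check_logs_v2_1.sh the only output the mirroring check depends on is the access-log entry for /ISTIO_IO_MIRROR_TEST_1 (present for v1, absent for v2), yet what changes in this hunk is the gunicorn startup timestamps and the v2 worker pid (9 became 8). Consider filtering the captured output to the request lines, or normalizing the timestamps, so the snippet changes only when the mirroring behaviour does.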
@ -184,22 +184,22 @@ $endsnippet
$snippet check_logs_v1_2.sh syntax="bash" outputis="text"
$ export V1_POD=$(kubectl -n istio-io-mirror get pod -l app=httpbin,version=v1 -o jsonpath={.items..metadata.name})
$ kubectl -n istio-io-mirror logs ${V1_POD} -c httpbin
[2019-11-05 18:48:27 +0000] [1] [INFO] Starting gunicorn 19.9.0
[2019-11-05 18:48:27 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
[2019-11-05 18:48:27 +0000] [1] [INFO] Using worker: sync
[2019-11-05 18:48:27 +0000] [8] [INFO] Booting worker with pid: 8
127.0.0.1 - - [05/Nov/2019:18:48:45 +0000] "GET /ISTIO_IO_MIRROR_TEST_1 HTTP/1.1" 404 233 "-" "curl/7.35.0"
127.0.0.1 - - [05/Nov/2019:18:48:56 +0000] "GET /ISTIO_IO_MIRROR_TEST_2 HTTP/1.1" 404 233 "-" "curl/7.35.0"
[2019-11-08 20:42:04 +0000] [1] [INFO] Starting gunicorn 19.9.0
[2019-11-08 20:42:04 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
[2019-11-08 20:42:04 +0000] [1] [INFO] Using worker: sync
[2019-11-08 20:42:04 +0000] [8] [INFO] Booting worker with pid: 8
127.0.0.1 - - [08/Nov/2019:20:42:31 +0000] "GET /ISTIO_IO_MIRROR_TEST_1 HTTP/1.1" 404 233 "-" "curl/7.35.0"
127.0.0.1 - - [08/Nov/2019:20:42:42 +0000] "GET /ISTIO_IO_MIRROR_TEST_2 HTTP/1.1" 404 233 "-" "curl/7.35.0"
$endsnippet
$snippet check_logs_v2_2.sh syntax="bash" outputis="text"
$ export V2_POD=$(kubectl -n istio-io-mirror get pod -l app=httpbin,version=v2 -o jsonpath={.items..metadata.name})
$ kubectl -n istio-io-mirror logs ${V2_POD} -c httpbin
[2019-11-05 18:48:28 +0000] [1] [INFO] Starting gunicorn 19.9.0
[2019-11-05 18:48:28 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
[2019-11-05 18:48:28 +0000] [1] [INFO] Using worker: sync
[2019-11-05 18:48:28 +0000] [9] [INFO] Booting worker with pid: 9
127.0.0.1 - - [05/Nov/2019:18:48:56 +0000] "GET /ISTIO_IO_MIRROR_TEST_2 HTTP/1.1" 404 233 "-" "curl/7.35.0"
[2019-11-08 20:42:04 +0000] [1] [INFO] Starting gunicorn 19.9.0
[2019-11-08 20:42:04 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
[2019-11-08 20:42:04 +0000] [1] [INFO] Using worker: sync
[2019-11-08 20:42:04 +0000] [8] [INFO] Booting worker with pid: 8
127.0.0.1 - - [08/Nov/2019:20:42:42 +0000] "GET /ISTIO_IO_MIRROR_TEST_2 HTTP/1.1" 404 233 "-" "curl/7.35.0"
$endsnippet
$snippet remove_rules.sh syntax="bash"
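Review bot: In the unchanged context lines of check_logs_v1_2.sh and check_logs_v2_2.sh, the jsonpath argument {.items..metadata.name} and the ${V1_POD} / ${V2_POD} expansions are unquoted, so if the label selector ever matches more than one pod the variable holds several names and kubectl logs receives extra arguments. Quoting the jsonpath expression and selecting .items[0].metadata.name would make the documented command behave the same regardless of replica count.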