istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

use Istio Operator to control the policy of accessing external services (#7786) 

set spec.meshConfig.outboundTrafficPolicy.mode to ALLOW_ANY or REGISTRY_ONLY

the previous approach does not work
This commit is contained in:
Vadim Eisenberg 2020-07-24 22:31:05 +03:00 committed by GitHub
parent 8e91ba9cf8
commit 8e51aad4fa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
content/en/docs/tasks/traffic-management/egress/egress-control/index.md
View File

@ -63,25 +63,25 @@ service entry defined within the mesh.
without controlling access to external services. without controlling access to external services.
You can then decide to [configure access to external services](#controlled-access-to-external-services) later. You can then decide to [configure access to external services](#controlled-access-to-external-services) later.
1. To see this approach in action you need to ensure that your Istio installation is configured 1. To see this approach in action you need to ensure that your Istio installation is configured
with the `meshConfig.outboundTrafficPolicy.mode` option set to `ALLOW_ANY`. Unless you explicitly with the `meshConfig.outboundTrafficPolicy.mode` option set to `ALLOW_ANY`. Unless you explicitly
set it to `REGISTRY_ONLY` mode when you installed Istio, it is probably enabled by default. set it to `REGISTRY_ONLY` mode when you installed Istio, it is probably enabled by default.
Run the following command to confirm it is configured correctly: Run the following command to verify that `meshConfig.outboundTrafficPolicy.mode` option is set to `ALLOW_ANY`
or is omitted:
{{< text bash >}} {{< text bash >}}
$ kubectl get configmap istio -n istio-system -o yaml | grep -o "mode: ALLOW_ANY" | uniq $ kubectl get istiooperator installed-state -n istio-system -o jsonpath={.spec.meshConfig.outboundTrafficPolicy.mode}
mode: ALLOW_ANY ALLOW_ANY
{{< /text >}} {{< /text >}}
The string `mode: ALLOW_ANY` should appear in the output if it is enabled. You should either see `ALLOW_ANY` or empty output.
{{< tip >}} {{< tip >}}
If you have explicitly configured `REGISTRY_ONLY` mode, you can run the following command to change it: If you have explicitly configured `REGISTRY_ONLY` mode, you can run the following command to change it:
{{< text bash >}} {{< text bash >}}
$ kubectl get configmap istio -n istio-system -o yaml | sed 's/mode: REGISTRY_ONLY/mode: ALLOW_ANY/g' | kubectl replace -n istio-system -f - $ kubectl patch istiooperator installed-state -n istio-system --type='json' -p='[{"op": "replace", "path": "/spec/meshConfig/outboundTrafficPolicy/mode", "value": "ALLOW_ANY"}]'
configmap "istio" replaced
{{< /text >}} {{< /text >}}
{{< /tip >}} {{< /tip >}}
@ -123,8 +123,7 @@ any other unintentional accesses.
1. Run the following command to change the `meshConfig.outboundTrafficPolicy.mode` option to `REGISTRY_ONLY`: 1. Run the following command to change the `meshConfig.outboundTrafficPolicy.mode` option to `REGISTRY_ONLY`:
{{< text bash >}} {{< text bash >}}
$ kubectl get configmap istio -n istio-system -o yaml | sed 's/mode: ALLOW_ANY/mode: REGISTRY_ONLY/g' | kubectl replace -n istio-system -f - $ kubectl patch istiooperator installed-state -n istio-system --type='json' -p='[{"op": "replace", "path": "/spec/meshConfig/outboundTrafficPolicy/mode", "value": "REGISTRY_ONLY"}]'
configmap "istio" replaced
{{< /text >}} {{< /text >}}
1. Make a couple of requests to external HTTPS services from `SOURCE_POD` to verify that they are now blocked: 1. Make a couple of requests to external HTTPS services from `SOURCE_POD` to verify that they are now blocked: