rewrite the note about ingress gateway secret access (#2892)

* rewrite the note about ingress gateway secret access

* rewrite the sentence about deploying the ingress gateway in a separate namespace
This commit is contained in:
Vadim Eisenberg 2018-11-19 19:03:03 +02:00 committed by istio-bot
parent ab45df0472
commit ced6ee13d1
1 changed files with 3 additions and 4 deletions


@ -79,10 +79,9 @@ with a certificate and a private key. Then you create a `Gateway` definition tha
secret "istio-ingressgateway-certs" created
{{< /text >}}
Note that by default all the service accounts in the `istio-system` namespace can access this secret, so the private
key can be leaked. You can change the
[Role-Based Access Control (RBAC)](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) rules to protect
it.
Note that by default all the pods in the `istio-system` namespace can mount this secret and access the
private key. You may want to deploy the ingress gateway in a separate namespace and create the secret there, so that
only the ingress gateway pod will be able to mount it.
1. Define a `Gateway` with a `server` section for port 443.
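Review bot: The rewritten note ("Note that by default all the pods in the `istio-system` namespace can mount this secret and access the private key") drops the RBAC pointer that the removed lines carried, yet the separate-namespace advice only holds if access to that namespace is restricted too: any principal allowed to create pods in it, or to read secrets in it, can still obtain the key. Suggest keeping one clause from the removed text, e.g. "... so that only the ingress gateway pod can mount it, and restrict the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) rules of that namespace accordingly." Minor style point on the same added lines: "will be able to mount it" reads more naturally as "can mount it".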