Fix per-port peer authentication command (#6682)

* Fix command

* Correct commands for mtls migration tasks

* Lint

* Lint
Diem Vu 2020-03-02 14:43:03 -08:00 committed by GitHub
parent c81e19b745
commit dde9ed9258
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 6 deletions


@ -286,7 +286,7 @@ Note that you've already created a namespace-wide policy that enables mutual TLS
`sleep.legacy` to `httpbin.foo` are failing (see above). `sleep.legacy` to `httpbin.foo` are failing (see above).
{{< text bash >}} {{< text bash >}}
$ cat <<EOF | kubectl apply -n bar -f - $ cat <<EOF | kubectl apply -n foo -f -
apiVersion: "security.istio.io/v1beta1" apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication" kind: "PeerAuthentication"
metadata: metadata:
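
Review bot: the `-n foo` correction on the `kubectl apply` line only holds if the manifest below it does not set its own namespace, and the context stops at `metadata:`, so that cannot be confirmed from this hunk. If the policy body still carries `namespace: bar`, kubectl will refuse the apply because the object's namespace and the `-n` value disagree. Please check the rest of the manifest and either drop the `namespace` field or set it to `foo`, so the per-port policy lands next to the `httpbin.foo` workload the preceding sentence refers to.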


@ -27,7 +27,7 @@ them down once the migration is done.
* Read the [authentication policy task](/docs/tasks/security/authentication/authn-policy) to * Read the [authentication policy task](/docs/tasks/security/authentication/authn-policy) to
learn how to configure authentication policy. learn how to configure authentication policy.
* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (e.g use the demo configuration profile as described in [installation steps](/docs/setup/getting-started). * Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (e.g use the demo configuration profile as described in [installation steps](/docs/setup/getting-started)).
In this task, you can try out the migration process by creating sample workloads and modifying In this task, you can try out the migration process by creating sample workloads and modifying
the policies to enforce STRICT mutual TLS between the workloads. the policies to enforce STRICT mutual TLS between the workloads.
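
Review bot: on the prerequisite line being touched for the closing parenthesis, `(e.g use the demo configuration profile` is still missing punctuation after `e.g`. Since the line is already changing, make it `e.g., use` or `for example, use` in the same edit.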
@ -82,7 +82,7 @@ After migrating all clients to Istio and injecting the Envoy sidecar, you can lo
to only accept mutual TLS traffic. to only accept mutual TLS traffic.
{{< text bash >}} {{< text bash >}}
$ kubectl apply -n foo -f - << EOF $ kubectl apply -n foo -f - <<EOF
apiVersion: "security.istio.io/v1beta1" apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication" kind: "PeerAuthentication"
metadata: metadata:
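
Review bot: the heredoc form is still inconsistent between the two changed files: this command is `kubectl apply -n foo -f - <<EOF`, while the per-port example uses `cat <<EOF | kubectl apply -n foo -f -`. The shell treats `<< EOF` and `<<EOF` the same, so this edit is cosmetic. Settling on one form for all the PeerAuthentication examples would make them easier to copy and compare.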
@ -113,7 +113,7 @@ We recommend you use [Istio Authorization](/docs/tasks/security/authorization/au
## Lock down mutual TLS for the entire mesh ## Lock down mutual TLS for the entire mesh
{{< text bash >}} {{< text bash >}}
$ kubectl apply -n istio-system -f - << EOF $ kubectl apply -n istio-system -f - <<EOF
apiVersion: "security.istio.io/v1beta1" apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication" kind: "PeerAuthentication"
metadata: metadata:
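
Review bot: in the visible context the `## Lock down mutual TLS for the entire mesh` heading runs straight into the command, with no sentence saying why the policy is applied with `-n istio-system`. Since this block is being edited, consider adding one line before it stating that a PeerAuthentication applied in this namespace is what gives the policy mesh-wide scope, so readers do not mistake it for a policy limited to `istio-system` workloads.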
@ -133,10 +133,15 @@ $ for from in "foo" "bar" "legacy"; do for to in "foo" "bar"; do kubectl exec $(
## Clean up the example ## Clean up the example
To remove all resources created in this task: 1. To remove all authentication policies
{{< text bash >}}
$ kubectl delete peerauthentication --all-namespaces --all
{{< /text >}}
1. If you are not planning to explore any follow-on tasks, you can remove all test namespaces.
{{< text bash >}} {{< text bash >}}
$ kubectl delete ns foo bar legacy $ kubectl delete ns foo bar legacy
Namespaces foo bar legacy deleted. Namespaces foo bar legacy deleted.
$ kubectl delete peerauthentication --all-namespaces --all
{{< /text >}} {{< /text >}}
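
Review bot: step 1 of the new clean-up list runs `kubectl delete peerauthentication --all-namespaces --all`, which removes every PeerAuthentication policy in the cluster, not only the ones this task created. The sentence it replaces spoke of "resources created in this task", and the new wording "To remove all authentication policies" does not warn that pre-existing policies go too. Either delete the task's policies by name and namespace, or say explicitly that the command clears all peer authentication policies cluster-wide. Minor: the step 1 text is a fragment leading into a code block and should end with a colon.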