mirror of https://github.com/istio/istio.io.git
Add authz-tcp user guide test. (#7176)
Force merge because of netlify flake
This commit is contained in:
parent
affe99f97a
commit
e77f3e8e2d
|
@ -5,6 +5,7 @@ weight: 20
|
||||||
keywords: [security,access-control,rbac,tcp,authorization]
|
keywords: [security,access-control,rbac,tcp,authorization]
|
||||||
aliases:
|
aliases:
|
||||||
- /docs/tasks/security/authz-tcp/
|
- /docs/tasks/security/authz-tcp/
|
||||||
|
test: true
|
||||||
---
|
---
|
||||||
|
|
||||||
This task shows you how to set up Istio authorization for TCP traffic in an Istio mesh.
|
This task shows you how to set up Istio authorization for TCP traffic in an Istio mesh.
|
||||||
|
@ -35,13 +36,13 @@ Deploy the example namespace and workloads using the following command:
|
||||||
using the following command:
|
using the following command:
|
||||||
|
|
||||||
{{< text bash >}}
|
{{< text bash >}}
|
||||||
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
hello port 9000
|
hello port 9000
|
||||||
connection succeeded
|
connection succeeded
|
||||||
{{< /text >}}
|
{{< /text >}}
|
||||||
|
|
||||||
{{< text bash >}}
|
{{< text bash >}}
|
||||||
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
hello port 9001
|
hello port 9001
|
||||||
connection succeeded
|
connection succeeded
|
||||||
{{< /text >}}
|
{{< /text >}}
|
||||||
|
@ -52,8 +53,8 @@ defined in the Kubernetes service object of `tcp-echo`.
|
||||||
Get the pod IP address and send the request with the following command:
|
Get the pod IP address and send the request with the following command:
|
||||||
|
|
||||||
{{< text bash >}}
|
{{< text bash >}}
|
||||||
$ TCP_ECHO_IP=$(kubectl get pod $(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name}) -n foo -o jsonpath={.status.podIP})
|
$ TCP_ECHO_IP=$(kubectl get pod "$(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name})" -n foo -o jsonpath="{.status.podIP}")
|
||||||
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
hello port 9002
|
hello port 9002
|
||||||
connection succeeded
|
connection succeeded
|
||||||
{{< /text >}}
|
{{< /text >}}
|
||||||
|
@ -89,7 +90,7 @@ Run the following command to apply the policy to allow requests to port 9000 and
|
||||||
1. Verify that requests to port 9000 are allowed using the following command:
|
1. Verify that requests to port 9000 are allowed using the following command:
|
||||||
|
|
||||||
{{< text bash >}}
|
{{< text bash >}}
|
||||||
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
hello port 9000
|
hello port 9000
|
||||||
connection succeeded
|
connection succeeded
|
||||||
{{< /text >}}
|
{{< /text >}}
|
||||||
|
@ -97,7 +98,7 @@ Run the following command to apply the policy to allow requests to port 9000 and
|
||||||
1. Verify that requests to port 9001 are allowed using the following command:
|
1. Verify that requests to port 9001 are allowed using the following command:
|
||||||
|
|
||||||
{{< text bash >}}
|
{{< text bash >}}
|
||||||
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
hello port 9001
|
hello port 9001
|
||||||
connection succeeded
|
connection succeeded
|
||||||
{{< /text >}}
|
{{< /text >}}
|
||||||
|
@ -107,7 +108,7 @@ policy which also applies to the pass through filter chain, even if the port is
|
||||||
explicitly in the `tcp-echo` Kubernetes service object. Run the following command and verify the output:
|
explicitly in the `tcp-echo` Kubernetes service object. Run the following command and verify the output:
|
||||||
|
|
||||||
{{< text bash >}}
|
{{< text bash >}}
|
||||||
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
connection rejected
|
connection rejected
|
||||||
{{< /text >}}
|
{{< /text >}}
|
||||||
|
|
||||||
|
@ -139,7 +140,7 @@ The final result is that the request is rejected, because it does not match any
|
||||||
Run the following command and verify the output:
|
Run the following command and verify the output:
|
||||||
|
|
||||||
{{< text bash >}}
|
{{< text bash >}}
|
||||||
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
connection rejected
|
connection rejected
|
||||||
{{< /text >}}
|
{{< /text >}}
|
||||||
|
|
||||||
|
@ -147,7 +148,7 @@ Run the following command and verify the output:
|
||||||
ALLOW rules. Run the following command and verify the output:
|
ALLOW rules. Run the following command and verify the output:
|
||||||
|
|
||||||
{{< text bash >}}
|
{{< text bash >}}
|
||||||
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
connection rejected
|
connection rejected
|
||||||
{{< /text >}}
|
{{< /text >}}
|
||||||
|
|
||||||
|
@ -179,7 +180,7 @@ which causes Istio to ignore the entire rule. The final result is that only the
|
||||||
field is used by Istio and the requests are denied because they match with the `ports`:
|
field is used by Istio and the requests are denied because they match with the `ports`:
|
||||||
|
|
||||||
{{< text bash >}}
|
{{< text bash >}}
|
||||||
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
connection rejected
|
connection rejected
|
||||||
{{< /text >}}
|
{{< /text >}}
|
||||||
|
|
||||||
|
@ -187,7 +188,7 @@ field is used by Istio and the requests are denied because they match with the `
|
||||||
the `ports` in the DENY policy:
|
the `ports` in the DENY policy:
|
||||||
|
|
||||||
{{< text bash >}}
|
{{< text bash >}}
|
||||||
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
hello port 9001
|
hello port 9001
|
||||||
connection succeeded
|
connection succeeded
|
||||||
{{< /text >}}
|
{{< /text >}}
|
||||||
|
|
|
@ -0,0 +1,177 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# shellcheck disable=SC2034,SC2153,SC2155
|
||||||
|
|
||||||
|
# Copyright Istio Authors. All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
####################################################################################################
|
||||||
|
# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
|
||||||
|
# docs/tasks/security/authorization/authz-tcp/index.md
|
||||||
|
####################################################################################################
|
||||||
|
|
||||||
|
snip_before_you_begin_1() {
|
||||||
|
kubectl create ns foo
|
||||||
|
kubectl apply -f <(istioctl kube-inject -f samples/tcp-echo/tcp-echo.yaml) -n foo
|
||||||
|
kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml) -n foo
|
||||||
|
}
|
||||||
|
|
||||||
|
snip_before_you_begin_2() {
|
||||||
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
|
}
|
||||||
|
|
||||||
|
! read -r -d '' snip_before_you_begin_2_out <<\ENDSNIP
|
||||||
|
hello port 9000
|
||||||
|
connection succeeded
|
||||||
|
ENDSNIP
|
||||||
|
|
||||||
|
snip_before_you_begin_3() {
|
||||||
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
|
}
|
||||||
|
|
||||||
|
! read -r -d '' snip_before_you_begin_3_out <<\ENDSNIP
|
||||||
|
hello port 9001
|
||||||
|
connection succeeded
|
||||||
|
ENDSNIP
|
||||||
|
|
||||||
|
snip_before_you_begin_4() {
|
||||||
|
TCP_ECHO_IP=$(kubectl get pod "$(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name})" -n foo -o jsonpath="{.status.podIP}")
|
||||||
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
|
}
|
||||||
|
|
||||||
|
! read -r -d '' snip_before_you_begin_4_out <<\ENDSNIP
|
||||||
|
hello port 9002
|
||||||
|
connection succeeded
|
||||||
|
ENDSNIP
|
||||||
|
|
||||||
|
snip_configure_access_control_for_a_tcp_workload_1() {
|
||||||
|
kubectl apply -f - <<EOF
|
||||||
|
apiVersion: security.istio.io/v1beta1
|
||||||
|
kind: AuthorizationPolicy
|
||||||
|
metadata:
|
||||||
|
name: tcp-policy
|
||||||
|
namespace: foo
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: tcp-echo
|
||||||
|
action: ALLOW
|
||||||
|
rules:
|
||||||
|
- to:
|
||||||
|
- operation:
|
||||||
|
ports: ["9000", "9001"]
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
snip_configure_access_control_for_a_tcp_workload_2() {
|
||||||
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
|
}
|
||||||
|
|
||||||
|
! read -r -d '' snip_configure_access_control_for_a_tcp_workload_2_out <<\ENDSNIP
|
||||||
|
hello port 9000
|
||||||
|
connection succeeded
|
||||||
|
ENDSNIP
|
||||||
|
|
||||||
|
snip_configure_access_control_for_a_tcp_workload_3() {
|
||||||
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
|
}
|
||||||
|
|
||||||
|
! read -r -d '' snip_configure_access_control_for_a_tcp_workload_3_out <<\ENDSNIP
|
||||||
|
hello port 9001
|
||||||
|
connection succeeded
|
||||||
|
ENDSNIP
|
||||||
|
|
||||||
|
snip_configure_access_control_for_a_tcp_workload_4() {
|
||||||
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
|
}
|
||||||
|
|
||||||
|
! read -r -d '' snip_configure_access_control_for_a_tcp_workload_4_out <<\ENDSNIP
|
||||||
|
connection rejected
|
||||||
|
ENDSNIP
|
||||||
|
|
||||||
|
snip_configure_access_control_for_a_tcp_workload_5() {
|
||||||
|
kubectl apply -f - <<EOF
|
||||||
|
apiVersion: security.istio.io/v1beta1
|
||||||
|
kind: AuthorizationPolicy
|
||||||
|
metadata:
|
||||||
|
name: tcp-policy
|
||||||
|
namespace: foo
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: tcp-echo
|
||||||
|
action: ALLOW
|
||||||
|
rules:
|
||||||
|
- to:
|
||||||
|
- operation:
|
||||||
|
methods: ["GET"]
|
||||||
|
ports: ["9000"]
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
snip_configure_access_control_for_a_tcp_workload_6() {
|
||||||
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
|
}
|
||||||
|
|
||||||
|
! read -r -d '' snip_configure_access_control_for_a_tcp_workload_6_out <<\ENDSNIP
|
||||||
|
connection rejected
|
||||||
|
ENDSNIP
|
||||||
|
|
||||||
|
snip_configure_access_control_for_a_tcp_workload_7() {
|
||||||
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
|
}
|
||||||
|
|
||||||
|
! read -r -d '' snip_configure_access_control_for_a_tcp_workload_7_out <<\ENDSNIP
|
||||||
|
connection rejected
|
||||||
|
ENDSNIP
|
||||||
|
|
||||||
|
snip_configure_access_control_for_a_tcp_workload_8() {
|
||||||
|
kubectl apply -f - <<EOF
|
||||||
|
apiVersion: security.istio.io/v1beta1
|
||||||
|
kind: AuthorizationPolicy
|
||||||
|
metadata:
|
||||||
|
name: tcp-policy
|
||||||
|
namespace: foo
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: tcp-echo
|
||||||
|
action: DENY
|
||||||
|
rules:
|
||||||
|
- to:
|
||||||
|
- operation:
|
||||||
|
methods: ["GET"]
|
||||||
|
ports: ["9000"]
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
snip_configure_access_control_for_a_tcp_workload_9() {
|
||||||
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
|
}
|
||||||
|
|
||||||
|
! read -r -d '' snip_configure_access_control_for_a_tcp_workload_9_out <<\ENDSNIP
|
||||||
|
connection rejected
|
||||||
|
ENDSNIP
|
||||||
|
|
||||||
|
snip_configure_access_control_for_a_tcp_workload_10() {
|
||||||
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
|
||||||
|
}
|
||||||
|
|
||||||
|
! read -r -d '' snip_configure_access_control_for_a_tcp_workload_10_out <<\ENDSNIP
|
||||||
|
hello port 9001
|
||||||
|
connection succeeded
|
||||||
|
ENDSNIP
|
||||||
|
|
||||||
|
snip_clean_up_1() {
|
||||||
|
kubectl delete namespace foo
|
||||||
|
}
|
17
go.sum
17
go.sum
|
@ -1098,6 +1098,23 @@ istio.io/gogo-genproto v0.0.0-20200326154102-997c228eecef h1:jVlVwrFW1LIm9XyPnvt
|
||||||
istio.io/gogo-genproto v0.0.0-20200326154102-997c228eecef/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs=
|
istio.io/gogo-genproto v0.0.0-20200326154102-997c228eecef/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs=
|
||||||
istio.io/istio v0.0.0-20200426091446-f7c106d20f70 h1:vrX1MRemIyXXowr7I9ljgKQfYVUwr9/HZMZkODDwElo=
|
istio.io/istio v0.0.0-20200426091446-f7c106d20f70 h1:vrX1MRemIyXXowr7I9ljgKQfYVUwr9/HZMZkODDwElo=
|
||||||
istio.io/istio v0.0.0-20200426091446-f7c106d20f70/go.mod h1:6lzLEVtt9HdwJ2I65BXidYfVFnCy+nUdPn7EFVss94g=
|
istio.io/istio v0.0.0-20200426091446-f7c106d20f70/go.mod h1:6lzLEVtt9HdwJ2I65BXidYfVFnCy+nUdPn7EFVss94g=
|
||||||
|
istio.io/istio v0.0.0-20200211190130-fb23733979fe h1:GwjDnzgsOBM6y8fKuuoGYKyOhYOtwTA7ZbXloScPaKA=
|
||||||
|
istio.io/istio v0.0.0-20200211190130-fb23733979fe/go.mod h1:wKE9Xss4ktHDdf3U+IzDRoQjhJJyhnObuCxTyNxm1Xk=
|
||||||
|
istio.io/istio v0.0.0-20200219230945-34ee61d95048 h1:3tv6JUn3gVcF/XdRb0tKCL84mGTxou6NxhvH7BQ83KA=
|
||||||
|
istio.io/istio v0.0.0-20200219230945-34ee61d95048/go.mod h1:+l6TTXlWyn+jycoK5K1T3YO379mEZgd9307u0R8N+Nc=
|
||||||
|
istio.io/istio v0.0.0-20200304151407-a11761a19432 h1:uCuVbV8QSt50YugqJWhat82Bx6jUXUQEme1Xy+QfVDw=
|
||||||
|
istio.io/istio v0.0.0-20200304151407-a11761a19432/go.mod h1:x0U/KPVWuw52Yo91asmKduaZwAP6jJ8xQkyxBKnsVcM=
|
||||||
|
istio.io/istio v0.0.0-20200314140522-cbeb7a9d4e9f h1:S2hGCPQXyazSxhr++JJhjcs35E46wRnojIPVmJI/89U=
|
||||||
|
istio.io/istio v0.0.0-20200314140522-cbeb7a9d4e9f/go.mod h1:x/D9l78LqWTJZoXdroQ2bHAHKtBvJJkTVXUJfGdl2Xw=
|
||||||
|
istio.io/istio v0.0.0-20200328131501-9875a1e76d32 h1:GTLGb3lRaHxBHeH6DRBmDbhb+jjzsqb/RmdUW6wxenw=
|
||||||
|
istio.io/istio v0.0.0-20200328131501-9875a1e76d32/go.mod h1:fbwgWDgaH9l/skqVwZGDF3lKVdgPtGK94AJvieGErMI=
|
||||||
|
istio.io/istio v0.0.0-20200414023437-1d3b136325a5 h1:HmvGD1G71F97wwvzZGkcjk8C13IqddC91Et7mcoy36s=
|
||||||
|
istio.io/istio v0.0.0-20200414023437-1d3b136325a5/go.mod h1:d+q9YJfgZ+rooB9fE+ETY8GdRmNf6OaY5VP7J22MpYc=
|
||||||
|
istio.io/istio v0.0.0-20200427205204-768f5033f84f h1:fD3LKAsUKN6z0P2s6mq2MEqnkU63/MSbhmRAsdTMPmk=
|
||||||
|
istio.io/pkg v0.0.0-20200131182711-9ba13e0e34bb h1:ZEOEfPpz4ooW3lhX5qi+XA6dTO1Mb72EFaRniUb6Mvc=
|
||||||
|
istio.io/pkg v0.0.0-20200131182711-9ba13e0e34bb/go.mod h1:pwGaxLUDLobzL/WvWV94z72LvBbB1dr2UUUyPuasfIU=
|
||||||
|
istio.io/pkg v0.0.0-20200227125209-63966175aa01 h1:aiO57C3tGvBUWKMu1WrM5lUn3cC7ZIgR8YOUXaVPeoQ=
|
||||||
|
istio.io/pkg v0.0.0-20200227125209-63966175aa01/go.mod h1:pwGaxLUDLobzL/WvWV94z72LvBbB1dr2UUUyPuasfIU=
|
||||||
istio.io/pkg v0.0.0-20200327214633-ce134a9bd104 h1:8xwo9P7aXQrQnzE0km5A8iYElUY067ZUlwJZMnsRtCI=
|
istio.io/pkg v0.0.0-20200327214633-ce134a9bd104 h1:8xwo9P7aXQrQnzE0km5A8iYElUY067ZUlwJZMnsRtCI=
|
||||||
istio.io/pkg v0.0.0-20200327214633-ce134a9bd104/go.mod h1:pwGaxLUDLobzL/WvWV94z72LvBbB1dr2UUUyPuasfIU=
|
istio.io/pkg v0.0.0-20200327214633-ce134a9bd104/go.mod h1:pwGaxLUDLobzL/WvWV94z72LvBbB1dr2UUUyPuasfIU=
|
||||||
k8s.io/api v0.0.0-20190918155943-95b840bb6a1f/go.mod h1:uWuOHnjmNrtQomJrvEBg0c0HRNyQ+8KTEERVsK0PW48=
|
k8s.io/api v0.0.0-20190918155943-95b840bb6a1f/go.mod h1:uWuOHnjmNrtQomJrvEBg0c0HRNyQ+8KTEERVsK0PW48=
|
||||||
|
|
|
@ -0,0 +1,54 @@
|
||||||
|
// Copyright Istio Authors
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
package authztcp
|
||||||
|
|
||||||
|
import (
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"istio.io/istio/pkg/test/framework"
|
||||||
|
|
||||||
|
"istio.io/istio.io/pkg/test/istioio"
|
||||||
|
)
|
||||||
|
|
||||||
|
//https://istio.io/docs/tasks/security/authorization/authz-tcp/
|
||||||
|
//https://github.com/istio/istio.io/blob/release-1.5/content/en/docs/tasks/security/authorization/authz-tcp/index.md
|
||||||
|
func TestAuthzTCP(t *testing.T) {
|
||||||
|
framework.
|
||||||
|
NewTest(t).
|
||||||
|
Run(istioio.NewBuilder("tasks__security___authz_tcp").
|
||||||
|
Add(istioio.Script{
|
||||||
|
Input: istioio.Inline{
|
||||||
|
FileName: "create_ns_foo_with_tcpecho_sleep.sh",
|
||||||
|
Value: `
|
||||||
|
source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh
|
||||||
|
snip_before_you_begin_1`,
|
||||||
|
},
|
||||||
|
}).
|
||||||
|
Add(istioio.MultiPodWait("foo")).
|
||||||
|
Add(istioio.Script{
|
||||||
|
Input: istioio.Path("scripts/authz_tcp.txt"),
|
||||||
|
}).
|
||||||
|
|
||||||
|
// Cleanup.
|
||||||
|
Defer(istioio.Script{
|
||||||
|
Input: istioio.Inline{
|
||||||
|
FileName: "cleanup.sh",
|
||||||
|
Value: `
|
||||||
|
source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh
|
||||||
|
snip_clean_up_1`,
|
||||||
|
},
|
||||||
|
}).
|
||||||
|
Build())
|
||||||
|
}
|
|
@ -0,0 +1,34 @@
|
||||||
|
// Copyright Istio Authors
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
package authztcp
|
||||||
|
|
||||||
|
import (
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"istio.io/istio/pkg/test/framework"
|
||||||
|
"istio.io/istio/pkg/test/framework/components/istio"
|
||||||
|
"istio.io/istio/pkg/test/framework/resource/environment"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
ist istio.Instance
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestMain(m *testing.M) {
|
||||||
|
framework.NewSuite("authz_tcp", m).
|
||||||
|
SetupOnEnv(environment.Kube, istio.Setup(&ist, nil)).
|
||||||
|
RequireEnvironment(environment.Kube).
|
||||||
|
Run()
|
||||||
|
}
|
|
@ -0,0 +1,67 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
# Copyright Istio Authors
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
set -e
|
||||||
|
set -u
|
||||||
|
set -o pipefail
|
||||||
|
|
||||||
|
source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh
|
||||||
|
|
||||||
|
export TCP_ECHO_IP=$(kubectl get pod $(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name}) -n foo -o jsonpath={.status.podIP})
|
||||||
|
|
||||||
|
# When strict-mode mTLS is enabled, only ports defined as a service are
|
||||||
|
# protected by mTLS. As part of this test, we connect to port 9002, which was
|
||||||
|
# not configured as a service, so the connection fails and breaks the test.
|
||||||
|
#
|
||||||
|
# To make this test reliable, we remove any peer authentication that may have
|
||||||
|
# stuck around from a previous test.
|
||||||
|
kubectl delete peerauthentication --all-namespaces --all
|
||||||
|
|
||||||
|
out=$(snip_before_you_begin_2 2>&1)
|
||||||
|
_verify_same "$out" "$snip_before_you_begin_2_out" "snip_before_you_begin_2"
|
||||||
|
|
||||||
|
out=$(snip_before_you_begin_3 2>&1)
|
||||||
|
_verify_same "$out" "$snip_before_you_begin_3_out" "snip_before_you_begin_3"
|
||||||
|
|
||||||
|
out=$(snip_before_you_begin_4 2>&1)
|
||||||
|
_verify_same "$out" "$snip_before_you_begin_4_out" "snip_before_you_begin_4"
|
||||||
|
|
||||||
|
snip_configure_access_control_for_a_tcp_workload_1
|
||||||
|
|
||||||
|
out=$(snip_configure_access_control_for_a_tcp_workload_2 2>&1)
|
||||||
|
_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_2_out" "snip_configure_access_control_for_a_tcp_workload_2"
|
||||||
|
|
||||||
|
out=$(snip_configure_access_control_for_a_tcp_workload_3 2>&1)
|
||||||
|
_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_3_out" "snip_configure_access_control_for_a_tcp_workload_3"
|
||||||
|
|
||||||
|
out=$(snip_configure_access_control_for_a_tcp_workload_4 2>&1)
|
||||||
|
_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_4_out" "snip_configure_access_control_for_a_tcp_workload_4"
|
||||||
|
|
||||||
|
snip_configure_access_control_for_a_tcp_workload_5
|
||||||
|
|
||||||
|
out=$(snip_configure_access_control_for_a_tcp_workload_6 2>&1)
|
||||||
|
_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_6_out" "snip_configure_access_control_for_a_tcp_workload_6"
|
||||||
|
|
||||||
|
out=$(snip_configure_access_control_for_a_tcp_workload_7 2>&1)
|
||||||
|
_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_7_out" "snip_configure_access_control_for_a_tcp_workload_7"
|
||||||
|
|
||||||
|
snip_configure_access_control_for_a_tcp_workload_8
|
||||||
|
|
||||||
|
out=$(snip_configure_access_control_for_a_tcp_workload_9 2>&1)
|
||||||
|
_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_9_out" "snip_configure_access_control_for_a_tcp_workload_9"
|
||||||
|
|
||||||
|
out=$(snip_configure_access_control_for_a_tcp_workload_10 2>&1)
|
||||||
|
_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_10_out" "snip_configure_access_control_for_a_tcp_workload_10"
|
Loading…
Reference in New Issue