From fbd2b162fb8292052904d3a89eb99daef2bfe524 Mon Sep 17 00:00:00 2001 From: Martin Taillefer Date: Mon, 11 Mar 2019 11:35:52 -0700 Subject: [PATCH] Prune a few things that shouldn't have been in the dictionary. (#3622) --- .spelling | 10 ++-------- content/docs/concepts/security/index.md | 2 +- content/docs/examples/multicluster/gateways/index.md | 2 +- .../additional-setup/sidecar-injection/index.md | 2 +- .../setup/kubernetes/install/kubernetes/index.md | 4 ++-- .../tasks/policy-enforcement/rate-limiting/index.md | 6 +++--- content/docs/tasks/security/plugin-ca-cert/index.md | 4 ++-- content/help/ops/setup/injection/index.md | 2 +- .../reference/commands/sidecar-injector/index.md | 6 +++--- .../additional-setup/sidecar-injection/index.md | 2 +- .../setup/kubernetes/install/kubernetes/index.md | 12 ++++++------ .../tasks/policy-enforcement/rate-limiting/index.md | 10 +++++----- 12 files changed, 28 insertions(+), 34 deletions(-) diff --git a/.spelling b/.spelling index 9871425612..d15dec68c0 100644 --- a/.spelling +++ b/.spelling @@ -81,7 +81,6 @@ base64 BigQuery bitpipe BluePerf -BluePerf boilerplates Bookinfo boolean @@ -206,7 +205,6 @@ HTTP2 http2 httpbin httpbin.org -httpReqTimeout https hyperkube Hystrix @@ -276,9 +274,7 @@ macOS Mandar Manolache memcached -memcached memcached-2's -memquota MeshPolicy Mesos mesos-dns @@ -293,14 +289,11 @@ misconfigured misordered MongoDB mongodb -MSG_PEEK Multicloud multicloud Multicluster multicluster -mutatingwebhookconfiguration mutual-tls -mTLS myapp MySQL mysql @@ -425,7 +418,8 @@ SLOs Snell-Feikema SNI SolarWinds -spiffe +SPIFFE +SPIFFE-compliant SREs Stackdriver Statsd diff --git a/content/docs/concepts/security/index.md b/content/docs/concepts/security/index.md index e84e0b7771..993f3a6d79 100644 --- a/content/docs/concepts/security/index.md +++ b/content/docs/concepts/security/index.md 
@@ -92,7 +92,7 @@ across heterogeneous environments. Istio and SPIFFE share the same identity document: [SVID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md) (SPIFFE Verifiable Identity Document). For example, in Kubernetes, the X.509 certificate has the URI field in the format of -"spiffe://\/ns/\/sa/\". +`spiffe://\/ns/\/sa/\`. This enables Istio services to establish and accept connections with other SPIFFE-compliant systems. Istio security and [SPIRE](https://spiffe.io/spire/), which is the implementation of SPIFFE, differ in the PKI implementation details. diff --git a/content/docs/examples/multicluster/gateways/index.md b/content/docs/examples/multicluster/gateways/index.md index 6ad59388d1..57c2a767ee 100644 --- a/content/docs/examples/multicluster/gateways/index.md +++ b/content/docs/examples/multicluster/gateways/index.md @@ -117,7 +117,7 @@ running in a second cluster. The configurations above will result in all traffic in `cluster1` for `httpbin.bar.global` on *any port* to be routed to the endpoint - `:15443` over an mTLS connection. + `:15443` over a mutual TLS connection. The gateway for port 15443 is a special SNI-aware Envoy preconfigured and installed as part of the multicluster Istio installation step diff --git a/content/docs/setup/kubernetes/additional-setup/sidecar-injection/index.md b/content/docs/setup/kubernetes/additional-setup/sidecar-injection/index.md index b2faddbc8a..ac463c053c 100644 --- a/content/docs/setup/kubernetes/additional-setup/sidecar-injection/index.md +++ b/content/docs/setup/kubernetes/additional-setup/sidecar-injection/index.md 
@@ -169,7 +169,7 @@ with `kubectl edit mutatingwebhookconfiguration istio-sidecar-injector`. {{< warning >}} -The sidecar injector pod(s) should be restarted after modifying the mutatingwebhookconfiguration. +The sidecar injector pod(s) should be restarted after modifying the `mutatingwebhookconfiguration`. {{< /warning >}} The `istio-sidecar-injector` ConfigMap in the `istio-system` namespace has the default diff --git a/content/docs/setup/kubernetes/install/kubernetes/index.md b/content/docs/setup/kubernetes/install/kubernetes/index.md index 3e7e00c863..4e24fabcc3 100644 --- a/content/docs/setup/kubernetes/install/kubernetes/index.md +++ b/content/docs/setup/kubernetes/install/kubernetes/index.md @@ -55,7 +55,7 @@ This permits customization of Istio to operator specific requirements. {{< tabset cookie-name="profile" >}} {{% tab name="permissive mTLS" cookie-value="permissive" %}} -When using the mTLS permissive mode, all services accept both plain text and +When using the permissive mutual TLS mode, all services accept both plain text and mutual TLS traffic. Clients send plain text traffic unless configured for [mutual migration](/docs/tasks/security/mtls-migration/#configure-clients-to-send-mutual-tls-traffic). Visit our [mutual TLS permissive mode page](/docs/concepts/security/#permissive-mode) @@ -188,7 +188,7 @@ The uninstall deletes the RBAC permissions, the `istio-system` namespace, and all resources hierarchically under it. It is safe to ignore errors for non-existent resources because they may have been deleted hierarchically. -* Uninstall the `demo profile` corresponding to the mTLS mode you enabled: +* Uninstall the `demo profile` corresponding to the mutual TLS mode you enabled: {{< tabset cookie-name="profile" >}} diff --git a/content/docs/tasks/policy-enforcement/rate-limiting/index.md b/content/docs/tasks/policy-enforcement/rate-limiting/index.md index 233963c192..e6d9211628 100644 --- a/content/docs/tasks/policy-enforcement/rate-limiting/index.md 
+++ b/content/docs/tasks/policy-enforcement/rate-limiting/index.md @@ -52,10 +52,10 @@ so the configuration to enable rate limiting on both adapters is the same. * `QuotaSpecBinding` conditionally associates `QuotaSpec` with one or more services. * Mixer Side * `quota instance` defines how quota is dimensioned by Mixer. - * `memquota adapter` defines memquota adapter configuration. - * `quota rule` defines when quota instance is dispatched to the memquota adapter. + * `memquota adapter` defines `memquota` adapter configuration. + * `quota rule` defines when quota instance is dispatched to the `memquota` adapter. - Run the following command to enable rate limits using memquota: + Run the following command to enable rate limits using `memquota`: {{< text bash >}} $ kubectl apply -f @samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml@ diff --git a/content/docs/tasks/security/plugin-ca-cert/index.md b/content/docs/tasks/security/plugin-ca-cert/index.md index b6be29619b..ad14329f91 100644 --- a/content/docs/tasks/security/plugin-ca-cert/index.md +++ b/content/docs/tasks/security/plugin-ca-cert/index.md 
@@ -16,14 +16,14 @@ operator-specified root certificate. This task demonstrates an example to plug c * Set up Istio by following the instructions in the [quick start](/docs/setup/kubernetes/install/kubernetes/) with global mutual TLS enabled: - Follow the [installation instructions](/docs/setup/kubernetes/install/kubernetes/#installation-steps) install Istio with the **strict mTLS mode** enabled. + Follow the [installation instructions](/docs/setup/kubernetes/install/kubernetes/#installation-steps) install Istio with the **strict mutual TLS mode** enabled. _**OR**_ Using [Helm](/docs/setup/kubernetes/install/helm/) with mutual TLS enabled. {{< tip >}} -Starting with Istio 0.7, you can use [authentication policy](/docs/concepts/security/#authentication-policies) to configure mutual TLS for all/selected services in a namespace (repeated for all namespaces to get global setting). See [authentication policy task](/docs/tasks/security/authn-policy/) +You can use [authentication policy](/docs/concepts/security/#authentication-policies) to configure mutual TLS for all/selected services in a namespace (repeated for all namespaces to get global setting). See [authentication policy task](/docs/tasks/security/authn-policy/) {{< /tip >}} ## Plugging in the existing certificate and key diff --git a/content/help/ops/setup/injection/index.md b/content/help/ops/setup/injection/index.md index d8a9d91667..c84454d8ad 100644 --- a/content/help/ops/setup/injection/index.md +++ b/content/help/ops/setup/injection/index.md @@ -167,7 +167,7 @@ Warning FailedCreate 3m (x17 over 8m) replicaset-controller Error creating: `x509: certificate signed by unknown authority` errors are typically caused by an empty `caBundle` in the webhook configuration. -Verify the `caBundle` in the mutatingwebhookconfiguration matches the +Verify the `caBundle` in the `mutatingwebhookconfiguration` matches the root certificate mounted in the `istio-sidecar-injector` pod. {{< text bash >}} 
diff --git a/content_zh/docs/reference/commands/sidecar-injector/index.md b/content_zh/docs/reference/commands/sidecar-injector/index.md index 866fbd61a9..87fd7a0ad8 100644 --- a/content_zh/docs/reference/commands/sidecar-injector/index.md +++ b/content_zh/docs/reference/commands/sidecar-injector/index.md @@ -32,7 +32,7 @@ $ sidecar-injector [选项] | `--port ` | Webhook 端口(默认为 `443`) | | `--tlsCertFile ` | HTTPS x509 证书文件(默认为 `/etc/istio/certs/cert-chain.pem`) | | `--tlsKeyFile ` | 和 `--tlsCertFile` 匹配的 x509 私钥文件(默认为 `/etc/istio/certs/key.pem`) | -| `--webhookConfigName ` | Kubernetes mutatingwebhookconfiguration 资源名(默认为 `istio-sidecar-injector`) | +| `--webhookConfigName ` | Kubernetes `mutatingwebhookconfiguration` 资源名(默认为 `istio-sidecar-injector`) | | `--webhookName ` | webhook 配置中 webhook 项名(默认为 `sidecar-injector.istio.io`) | ## sidecar-injector probe @@ -65,7 +65,7 @@ $ sidecar-injector probe [选项] | `--probe-path ` | 检查可用性的文件路径(默认为 `''`) | | `--tlsCertFile ` | HTTPS x509 证书文件(默认为 `/etc/istio/certs/cert-chain.pem`) | | `--tlsKeyFile ` | 和 `--tlsCertFile` 匹配的 x509 私钥文件(默认为 `/etc/istio/certs/key.pem`) | -| `--webhookConfigName ` | Kubernetes mutatingwebhookconfiguration 资源名(默认为 `istio-sidecar-injector`) | +| `--webhookConfigName ` | Kubernetes `mutatingwebhookconfiguration` 资源名(默认为 `istio-sidecar-injector`) | | `--webhookName ` | webhook 配置中 webhook 项名(默认为 `sidecar-injector.istio.io`) | ## sidecar-injector version @@ -97,5 +97,5 @@ $ sidecar-injector version [选项] | `--short` | `-s` | 显示版本信息的短格式 | | `--tlsCertFile ` | | HTTPS x509 证书文件(默认为 `/etc/istio/certs/cert-chain.pem`) | | `--tlsKeyFile ` | | 和 `--tlsCertFile` 匹配的 x509 私钥文件(默认为 `/etc/istio/certs/key.pem`) | -| `--webhookConfigName ` | | Kubernetes mutatingwebhookconfiguration 资源名(默认为 `istio-sidecar-injector`) | +| `--webhookConfigName ` | | Kubernetes `mutatingwebhookconfiguration` 资源名(默认为 `istio-sidecar-injector`) | | `--webhookName ` | | webhook 配置中,webhook 项的名字(默认为 `sidecar-injector.istio.io`) | 
diff --git a/content_zh/docs/setup/kubernetes/additional-setup/sidecar-injection/index.md b/content_zh/docs/setup/kubernetes/additional-setup/sidecar-injection/index.md index 35c2bf0a47..d83445d6ab 100644 --- a/content_zh/docs/setup/kubernetes/additional-setup/sidecar-injection/index.md +++ b/content_zh/docs/setup/kubernetes/additional-setup/sidecar-injection/index.md @@ -142,7 +142,7 @@ sleep-776b7bcdcd-gmvnr 1/1 Running 0 2s 被 Kubernetes 调用 Webhook 时,[admissionregistration.k8s.io/v1beta1#MutatingWebhookConfiguration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#mutatingwebhookconfiguration-v1beta1-admissionregistration-k8s-io) 会进行配置。Istio 提供的缺省配置,会在带有 `istio-injection=enabled` 标签的命名空间中选择 Pod。使用 `kubectl edit mutatingwebhookconfiguration istio-sidecar-injector` 命令可以编辑目标命名空间的范围。 {{< warning >}} -修改 mutatingwebhookconfiguration 之后,应该重新启动已经被注入 Sidecar 的 Pod。 +修改 `mutatingwebhookconfiguration` 之后,应该重新启动已经被注入 Sidecar 的 Pod。 {{< /warning >}} `istio-system` 命名空间中的 ConfigMap `istio-sidecar-injector` 中包含了缺省的注入策略以及 Sidecar 的注入模板。 diff --git a/content_zh/docs/setup/kubernetes/install/kubernetes/index.md b/content_zh/docs/setup/kubernetes/install/kubernetes/index.md index 4a8cbe1c46..57fcf75b7f 100644 --- a/content_zh/docs/setup/kubernetes/install/kubernetes/index.md +++ b/content_zh/docs/setup/kubernetes/install/kubernetes/index.md 
@@ -44,9 +44,9 @@ keywords: [kubernetes] {{< tabset cookie-name="profile" >}} -{{% tab name="宽容模式的 mTLS" cookie-value="permissive" %}} +{{% tab name="宽容模式的 mutual TLS" cookie-value="permissive" %}} -如果使用 mTLS 的宽容模式,所有的服务会同时允许明文和双向 TLS 的流量。在没有明确[配置客户端进行双向 TLS 通信](/zh/docs/tasks/security/mtls-migration/#配置客户端进行双向-tls-通信)的情况下,客户端会发送明文流量。可以进一步阅读了解[双向 TLS 中的宽容模式](/docs/concepts/security/#permissive-mode)的相关内容。 +如果使用 mutual TLS 的宽容模式,所有的服务会同时允许明文和双向 TLS 的流量。在没有明确[配置客户端进行双向 TLS 通信](/zh/docs/tasks/security/mtls-migration/#配置客户端进行双向-tls-通信)的情况下,客户端会发送明文流量。可以进一步阅读了解[双向 TLS 中的宽容模式](/docs/concepts/security/#permissive-mode)的相关内容。 这种方式的适用场景: @@ -64,7 +64,7 @@ $ kubectl apply -f install/kubernetes/istio-demo.yaml {{% /tab %}} -{{% tab name="严格模式的 mTLS" cookie-value="strict" %}} +{{% tab name="严格模式的 mutual TLS" cookie-value="strict" %}} 这种方案会在所有的客户端和服务器之间使用 [双向 TLS](/zh/docs/concepts/security/#双向-tls-认证)。 @@ -146,11 +146,11 @@ $ istioctl kube-inject -f .yaml | kubectl apply -f - 删除 RBAC 权限、`istio-system` 命名空间及其所有资源。因为有些资源会被级联删除,因此会出现一些无法找到资源的提示,可以忽略。 -* 根据启用的 mTLS 模式进行删除: +* 根据启用的 mutual TLS 模式进行删除: {{< tabset cookie-name="profile" >}} -{{% tab name="宽容模式的 mTLS" cookie-value="permissive" %}} +{{% tab name="宽容模式的 mutual TLS" cookie-value="permissive" %}} {{< text bash >}} $ kubectl delete -f install/kubernetes/istio-demo.yaml @@ -158,7 +158,7 @@ $ kubectl delete -f install/kubernetes/istio-demo.yaml {{% /tab %}} -{{% tab name="严格模式的 mTLS" cookie-value="strict" %}} +{{% tab name="严格模式的 mutual TLS" cookie-value="strict" %}} {{< text bash >}} $ kubectl delete -f install/kubernetes/istio-demo-auth.yaml diff --git a/content_zh/docs/tasks/policy-enforcement/rate-limiting/index.md b/content_zh/docs/tasks/policy-enforcement/rate-limiting/index.md index b40d5c7fdf..06777f2f43 100644 --- a/content_zh/docs/tasks/policy-enforcement/rate-limiting/index.md +++ b/content_zh/docs/tasks/policy-enforcement/rate-limiting/index.md 
@@ -31,7 +31,7 @@ keywords: [policies,quotas] 在此任务中,您将 Istio 配置为根据 IP 地址将流量限制到访问 `productpage` 的用户。您将使用 `X-Forwarded-For` 请求 http header 作为客户端 IP 地址。您还将使用免除登录用户的条件速率限制。 -为方便起见,您可以配置 [memquota](/zh/docs/reference/config/policy-and-telemetry/adapters/memquota/) 适配器启用速率限制。但是,在生产系统上,你需要 [`Redis`](http://redis.io/) ,然后配置 [`redisquota`](/zh/docs/reference/config/policy-and-telemetry/adapters/redisquota/) 适配器。 `memquota` 和 `redisquota` 适配器都支持 [quota template](/zh/docs/reference/config/policy-and-telemetry/templates/quota/),因此,在两个适配器上启用速率限制的配置是相同的。 +为方便起见,您可以配置 [`memquota`](/zh/docs/reference/config/policy-and-telemetry/adapters/memquota/) 适配器启用速率限制。但是,在生产系统上,你需要 [`Redis`](http://redis.io/) ,然后配置 [`redisquota`](/zh/docs/reference/config/policy-and-telemetry/adapters/redisquota/) 适配器。 `memquota` 和 `redisquota` 适配器都支持 [quota template](/zh/docs/reference/config/policy-and-telemetry/templates/quota/),因此,在两个适配器上启用速率限制的配置是相同的。 1. 速率限制配置分为两部分。 * 客户端 @@ -39,10 +39,10 @@ keywords: [policies,quotas] * `QuotaSpecBinding` 有条件地将 `QuotaSpec` 与一个或多个服务相关联。 * Mixer 端 * `quota instance` 定义了 Mixer 如何确定配额的大小。 - * `memquota adapter` 定义了 memquota 适配器配置。 - * `quota rule` 定义何时将配额实例分派给 memquota 适配器。 + * `memquota adapter` 定义了 `memquota` 适配器配置。 + * `quota rule` 定义何时将配额实例分派给 `memquota` 适配器。 - 运行以下命令以使用 memquota 启用速率限制: + 运行以下命令以使用 `memquota` 启用速率限制: {{< text bash >}} $ kubectl apply -f @samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml@ 
@@ -338,7 +338,7 @@ spec: `memquota` 适配器使用一个为亚秒级分辨率的滑动窗口来实现速率限制。 -适配器配置中的 `maxAmount` 设置了关联到 Quota 实例中的所有计数器的缺省限制。如果所有 `overrides` 条目都无法匹配到一个请求,就只能使用 `maxAmount` 限制了。Memquota 会选择适合请求的第一条 `override`。`override` 条目无需定义所有 quota dimension, 例如例子中的 `0.2 qps` 条目在 4 条 quota dimensions 中只选用了三条。 +适配器配置中的 `maxAmount` 设置了关联到 Quota 实例中的所有计数器的缺省限制。如果所有 `overrides` 条目都无法匹配到一个请求,就只能使用 `maxAmount` 限制了。`memquota` 会选择适合请求的第一条 `override`。`override` 条目无需定义所有 quota dimension, 例如例子中的 `0.2 qps` 条目在 4 条 quota dimensions 中只选用了三条。 如果要把上面的策略应用到某个命名空间而非整个 Istio 网格,可以把所有 `istio-system` 替换成为给定的命名空间。
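Review bot: dropping `mTLS`, `spiffe`, `memquota`, `mutatingwebhookconfiguration`, `httpReqTimeout` and `MSG_PEEK` from `.spelling` takes effect site-wide, while the replacements in this patch touch only the eleven content files listed in the diffstat, so please confirm the spelling lint passes on the full tree before merging: any remaining bare `mTLS` or `memquota` on a page not listed here will now be flagged. The removal of the duplicate `BluePerf` and `memcached` entries and replacing `spiffe` with `SPIFFE` / `SPIFFE-compliant` look right.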
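Review bot: in the `content/docs/concepts/security/index.md` hunk, moving the SPIFFE URI into a code span keeps the backslashes (`` `spiffe://\/ns/\/sa/\` ``). Markdown does not process backslash escapes inside backticks, so the `\` characters that were escaping the placeholders in the old quoted form will now render literally in the rendered page. Either drop the backslashes inside the code span or keep the quoted form with the escapes.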
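Review bot: the rewritten `+` line in `content/docs/tasks/security/plugin-ca-cert/index.md` still reads `Follow the [installation instructions](...) install Istio with the **strict mutual TLS mode** enabled.`, which is missing "to" before "install"; since the line is being touched anyway, change it to `... to install Istio with the **strict mutual TLS mode** enabled.` Dropping the "Starting with Istio 0.7" qualifier from the tip is fine.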
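Review bot: the Chinese warning in `content_zh/docs/setup/kubernetes/additional-setup/sidecar-injection/index.md` tells operators to restart the pods that already have a sidecar injected after modifying the `mutatingwebhookconfiguration` (`应该重新启动已经被注入 Sidecar 的 Pod`), whereas the English source in the same patch says the sidecar injector pod(s) should be restarted. Only the backticks change here, but the translation points at the wrong pods; it is worth aligning it with the English text in the same pass, since restarting injected workloads does nothing for a stale webhook configuration.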
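Review bot: in the `content_zh/docs/setup/kubernetes/install/kubernetes/index.md` hunks the tab labels change from `宽容模式的 mTLS` to `宽容模式的 mutual TLS` (and likewise `严格模式的 mutual TLS`), which drops an English phrase into a Chinese label while the body text in the same hunk already uses the established translation `双向 TLS` (`所有的服务会同时允许明文和双向 TLS 的流量`, `[双向 TLS](/zh/docs/concepts/security/#双向-tls-认证)`). For consistency use `双向 TLS` in the tab names and in `如果使用 mutual TLS 的宽容模式` and `根据启用的 mutual TLS 模式进行删除`; the `cookie-value` attributes (`permissive` / `strict`) are unaffected and can stay as they are.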