From fe33c33740b612f15e5c3d0c1d9e48ba63bfb88b Mon Sep 17 00:00:00 2001
From: Nik Skoufis
Date: Wed, 26 Jun 2019 23:39:47 +1000
Subject: [PATCH] Clarify sds install profile (#4489)

* Clarify auth variant

This makes it clear that sds-auth is already the 'auth' variant. It also tries to be more specific about what it does, rather than just saying 'auth by default'

* Add incompatibility between SDS and control plane auth

* Remove unneeded aside

* Clarify status of control plane security with SDS

No technical issues apparently, just timeline. Also moved to before the table for clarity.

* Simplify additional security feature table

This improves the clarity of this table by:
* Removing default and minimal, since -auth doesn't add any security features
* Labeling the first column as security feature
* Changing the names of the profiles to reflect the final profile name including the -auth, instead of without
---
 .../additional-setup/config-profiles/index.md | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/content/docs/setup/kubernetes/additional-setup/config-profiles/index.md b/content/docs/setup/kubernetes/additional-setup/config-profiles/index.md
index 2f01bf5c02..c829b981a6 100644
--- a/content/docs/setup/kubernetes/additional-setup/config-profiles/index.md
+++ b/content/docs/setup/kubernetes/additional-setup/config-profiles/index.md
@@ -26,8 +26,8 @@ your specific needs. The following built-in configuration profiles are currently 1. **minimal**: the minimal set of components necessary to use Istio's [traffic management](/docs/tasks/traffic-management/) features. -1. **sds**: similar to the **default** profile, but also enables Istio's [SDS (secret discovery service)](/docs/tasks/security/auth-sds). - This profile comes only with authentication enabled. +1. **sds-auth**: similar to the **default** profile, but also enables Istio's [SDS (secret discovery service)](/docs/tasks/security/auth-sds). + This profile comes with additional authentication features enabled by default. The components marked as **X** are installed within each profile: @@ -53,11 +53,15 @@ The components marked as **X** are installed within each profile: Some profiles have an authentication variant, with `-auth` appended to the name, which adds the following security features to the profile: -| | default | demo | minimal | sds | -| --- | --- | --- | --- | --- | -| Control Plane Security | | X | | | -| Strict Mutual TLS | | X | | X | -| SDS | | | | X | +{{< tip >}} +Control plane security with SDS is planned for an upcoming release. +{{< /tip >}} + +| Security feature | demo-auth | sds-auth | +| --- | --- | --- | +| Control Plane Security | X | | +| Strict Mutual TLS | X | X | +| SDS | | X | To further customize Istio and install addons, you can add one or more `--set =` options in the `helm template` or `helm install` command that you use when installing Istio. The [Installation Options](/docs/reference/config/installation-options/) lists the complete set of supported installation key and value pairs.
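Review bot: In the first hunk (@@ -26,8 +26,8 @@), the replacement sentence "This profile comes with additional authentication features enabled by default." still does not name the features, although the commit message sets out to be more specific than 'auth by default'. The table in the second hunk marks Strict Mutual TLS and SDS for sds-auth, so naming those two in the list entry would make it self-contained. The list now also mixes unsuffixed profile names (default, minimal) with one that already carries the -auth suffix; a short remark that sds-auth is already the auth variant would keep the entry consistent with the later sentence "Some profiles have an authentication variant, with `-auth` appended to the name".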
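Review bot: In the second hunk (@@ -53,11 +53,15 @@), the new tip lands between the lead-in sentence ending "which adds the following security features to the profile:" and the table it introduces, so the colon now points at the tip instead of the table. Consider placing the tip above that sentence or directly below the table. The tip says only that control plane security with SDS "is planned for an upcoming release"; stating outright that sds-auth does not currently enable Control Plane Security would match the empty cell in the new table and the "Add incompatibility between SDS and control plane auth" item in the commit message. With the default and minimal columns removed, a one-line statement that those profiles get none of these features would keep readers from assuming strict mutual TLS is enabled there.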