Commit Graph

5 Commits

Author SHA1 Message Date
Martin Taillefer 10ac66359e Fix capitalization of blog titles. (#5590) 2019-11-11 08:13:53 -08:00
Martin Taillefer bbd4452d89 Remove links to istio-ecosystem. (#5223)
* Remove links to istio-ecosystem.

* Apply suggestions from code review

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
2019-10-22 14:10:09 -07:00
Martin Taillefer 612d10c921 Automatically a warning to older blog posts about them being potentially out of date. (#5134) 2019-10-15 10:02:20 -07:00
Rigs Caballero 4492b89b4f Ensure consistent use of 'multicluster'. (#5108) 2019-10-08 20:55:42 -07:00
Vadim Eisenberg dbb23e1fdb Blog post about using Istio multi-mesh for isolation and boundary protection (#4776)
* initial version

* add structure and certificate generation

* remove redundant article

* create the reviews service and later delete it

required for pods to start

* kubernetes -> kubectl

* complete creating the egress gateway section

* add deployment of an ingress gateway

* use LoadBalancer type for the private ingress gateway

* expand the cleanup section

* add "Expose reviews v2" section

* use hostnames in CN so it can be verified by curl

* use a single slash in HTTPRewrite uri field

* fix the virtual service and the curl call

* add a troubleshooting section

* use port 80 in the egress gateway's deployment

* implement the consume section for reviews v2

* expand the troubleshooting section

* split a virtual service, use port 443

* unite two virtual services for reviews

* add namespace to the gateway reference

* complete the cleaning instructions

* fix prefix match and rewrite in consuming reviews v2

* rename the gateway, destination rule, rewrite authority in ingress cluster2

* split the virtual service in cluster1 into two parts

* set access log format to print both the path and the rewritten path

* extend the cleanup section

* add load balancing between the local and remote versions of reviews

* remove usi

* change consume/expose details to ratings

* add diagrams

* canary release the remote version

* fix the subtitle and the publish date

* add subset v1 to the routing to the local version

* use local name (reviews) for a virtual service in the default namespace

* add the 'Deploy reviews v2 locally and retire reviews v1' section

* a Gateway -> an ingress Gateway

* virtualservice myreviews-bookinfo-v2 -> virtualservice privately-exposed-services

* add the "Expose ratings and reviews v3" section

* add printing response code to curl commands

* add a step to delete the consumption of the remote service from `cluster2`

* add a section "Consume ratings and reviews v3"

* add a section about Istio RBAC

* rewrite certificate creation - add spiffe SAN

* add a section about RBAC on ingress gateway

* remove redundant quote

* add extended key usage and critical to subjectAltName

* add generation of certificate and key for cluster3

* rewrite ingress RBAC in cluster2 to use EnvoyFilter for RBAC

Istio RBAC currently does not support getting principal for
MUTUAL TLS, only for ISTIO_MUTUAL

* fix MeshFederation5, the local version of reviews must be v2

* fix a typo

* add the "Cancel exposure of ratings" section

* add checking Istio configuration artifacts

* rewrite the introduction, add requirements and the proposed implementation section

* to base implementation -> to base the implementation

* split a long line

* web page -> webpage

* fix indentation

* of deploying -> after deploying

* add an explanation about openssl

* extend the explanation about `cluster3`

* add an explanation about deploying gateways

* create the certificates -> create the certificates and keys

* remove "the" from "to generate the certificates and the keys"

* minor changes in gateway deployment

* mount volumes from secrets -> mount secrets as data volumes

* add explanation about private gateways

* cluster1 and cluster2 -> both clusters

* add an explanation about exposure/consumption

* add an explanation about c1,c2,c3.example.com hostnames

* real URL -> existing hostname

* port 80 -> port 443 (the egress gateway)

* remove the non-mTLS options

* VirtualService -> virtual service

* fix indentation

* remove back ticks from reviews v1 and v2

* in remote cluster -> is in remote cluster

* add explanation about expose-nothing behavior by default

* add a separating empty line

* port 80 -> port 443

* VirtualService -> virtual service, part 2

* your Kubernetes cluster -> your second cluster

* add "in case you have a load balancer"

* add "in case you have a load balancer... otherwise..."

* fix the pod of reviews-v2 in the first cluster

mention the new pod

* web page -> webpage

* cluster1 -> the first cluster

* make multiple tests a sublist

* rewrite the sentence "Let's change the RBAC policy"

remove let's
remove passive voice

* rewrite the series of the tests to check RBAC

* issues requests -> sends requests

* Let's consider -> consider

* split a long line

* add "locally" to has access to ratings

* the ratings -> ratings

* use first/second cluster instead of cluster1/cluster2 in headings

* add a subsection to remove certificate and key files

* extend the sentence about role binding

* extend the sentence about enabling Istio RBAC on bookinfo

* rewrite the sentence about accessing the webpage of the bookinfo app

* add an explanation about the EnvoyFilter

* other 50% -> the other 50%

* 50% of time -> 50% of the time

* at cluster -> in cluster

* rewrite the sentence about cleaning Istio RBAC

* add summary

* in the subtitle: traffic control -> strict access control

* for the many different reasons -> for different reasons

* special certificates -> dedicated certificates, add dots

* add a sentence about defense in depth and PCI compliance

* fix typos

* through their gateways -> through corresponding gateways

* _v1_ -> `v1`

* ad-hoc -> ad hoc

* put EnvoyFilter and the name of the Envoy's filter in backticks

* instructions for NodePort Ingress -> instructions for using node port for ingress

* add "hoc" to .spelling, for "ad hoc" expression

* fix a link

* remove unneeded single bullet

* fix a link for Defense-in-depth

* rewrite the list of reasons for split applications between multiple clusters

* add a clause about boundary protection

* expand on non-uniform naming

* rewrite the bullet about boundary protection

* expand on the lack of common trust

* fix division into paragraphs in the introduction

* different as -> different than

* in different namespaces in a cluster -> in the clusters

* to the ratings -> to the ratings service

* rewrite the explanation about DNS and routing

* add a comma after "destined to ratings"

* split a long line

* replace PCI DSS with boundary protection

* remove an unneeded empty line

* split long lines in the summary

* simplify the sentence in the summary about explicit exposure of the clusters

* put "paired" in italics

* split a long line

* change the publish date to 12-th of August

* split a long line

* add the "Isolation of system components and boundary protection" subsection

* rephrase a sentence to remove passive voice

* add cyber and subnetworks to .spelling

used by NIST Special Publication 800-53, Revision 4, Security and Privacy
Controls for Federal Information Systems and Organizations:

This type of enhanced protection limits the potential harm from cyber attacks...

... routers, gateways, and firewalls separating system components into physically separate networks or
subnetworks

* rephrase and reformat the section about boundary protection and isolation

* rewrite the section about isolation and boundary protection

* Kubernetes community -> the Kubernetes community

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* three patterns -> three documented patterns

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* three patterns differ -> the differences between the patterns

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* add "where none of the multi cluster patterns apply" to "there are cases when you want to"

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* didn't establish -> have not established

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* rewrite the sentence about the best solution and the goal

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* Payment Card Industry Data Security Standard -> the ..

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* move "in my opinion" to the beginning of the sentence

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* move "in my opinion" to the beginning of the sentence, part 2

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* Add "the" to PCI DSS

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* add "approach" after "the proposed mesh federation"

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* add "the" before NIST

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* uniform identical naming -> uniform naming

* common indentity and common trust -> common identity and trust

* mesh-federation -> isolated-clusters

* rewrite the blog post, removing mesh federation and multicluster mesh mentioning

* add the "Testing the certificates in the chain of calls" section

* Revert "add the "Testing the certificates in the chain of calls" section"

This reverts commit 6ada5903e5.

* remove redundant parenthesis around the first link to PCI DSS

* fix a typo (though -> through)

* remove the last '/' which seems to confuse lint

* remove namespace qualifier for gateways in virtual services

since the virtual services are in the same namespace

* extend the explanation about RBAC

* try another link for gdpr

* add `&nbsp;` to try to make lint happy

* Revert "add `&nbsp;` to try to make lint happy"

This reverts commit 552806883f.

* rewrite the list of standards as a table, add links to the paragraph below

* put full service name in backticks

* fix a typo (localtion -> location)

* fix the level of the first section

* rename the ca-example-com-certs secrets into c1/c2-trusted-certs secrets

to enable running commands in a single cluster

* use kubectl apply to create a namespace in case it already exists

for the single cluster scenario

* add deleting of the ratings service in the first cluster

during the initial setting

* change the error in case ratings is not found

* remove istio-private-gateways from the list of RBAC-included namespaces

* add '--ignore-not-found=true' to the kubectl delete commands

to support the case of a single cluster

* credit card -> payment card

* add running the blog post in a single cluster

* add unsetting environment variables to the cleanup section

* fix internal links

* The approach I propose - The approach I use

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* features of the proposed approach -> features of the approach

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* I propose -> I use

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* I propose to base connecting clusters on -> I connect clusters based on

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* add "some of the process could clearly benefit from automation..."

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* similar the pattern -> similar to the pattern

* the proposed implementation -> the implementation pattern

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* added a comment that my approach is different from multicluster meshes

* fix a link

* add a multi-mesh section to examples

* move the blog post about cluster isolation to examples

* rewrite the blog post as example

* add a missing period in the description

* Revert "add a missing period in the description"

This reverts commit 14f656280f.

* Revert "rewrite the blog post as example"

This reverts commit 875a4f55f0.

* Revert "move the blog post about cluster isolation to examples"

This reverts commit 17b20a1cb5.

* Revert "add a multi-mesh section to examples"

This reverts commit 9d9365eee7.

* rewrite the blog post to not contain the same service (reviews) in two meshes

per comments of Sven Mawson
using ratings and httpbin to show exposure of two services

* fix the link to Envoy's RBAC filter

* fix an internal link

* fix spelling

* remove redundant empty line

* remove "no common trust" from the single cluster

* initial version after moving the example to istio-ecosystem

* fix list formatting

* additional touches

replace cluster with mesh everywhere
add monitoring at the boundary

* describe -> outline, report

* put all mesh-federation and multi-mesh instances into the glossary markup

* update the publish date

* call "service location transparency" an optional feature

* rewrote "Service location transparency is important" to "Service location transparency is useful in the cases when you want"

* the istio-ecosystem repository -> Istio ecosystem

* rewrite subtitle

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* Rewrite the title

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* rewrite the sentence about isolation

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* rewrite the sentence about separate service meshes on separate networks

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* Remove "Istio to connect applications in the meshes with different compliance requirements"

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* remove the glossary item from mesh federation and add "support and automation work under way"

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* remove glossary reference

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* remove glossary reference, 2

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* add comparison with multi-cluster (single mesh)

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* remove glossary reference, 3

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* remove glossary reference, 4

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* remove glossary reference, 5

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* remove glossary reference, 5

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* remove glossary reference, 6

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

* remove glossary reference, 7

* report -> touch on

* update the date of the blog
2019-10-02 06:40:25 -07:00