* istio api evolution blog post
* changed list elements to use dashes
* whitespace fixes for presubmit
* fixes for whitespace, spelling, and relative links
* reformatted list of k8s objects to inline, using backticks
* removed unnecessary terms
* mTLS -> mutual TLS
* Fixed the linting errors I was able to.
* Add 1.1.13 and 1.2.4 release notes.
And fix some linter errors in oaktowner's blog post.
* Minor fixes
* code review fixes.
* If istio terminates any http since it will autodetect and use http/2 if
supplied.
* Apply suggestions from code review
Applying geeknoid's suggestions
Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com>
* It's queuing not queueing.
* Rename cve announcement path to istio-security path.
* Add note that these are minimal patches that fix only the security bugs.
* Add CVE for regex vulnerabilities in the mixer filter.
* a skeleton version
* add full content
* fix internal links to previous egress examples
* make the structure flat
decrease the indentation level of two subsections
* replace subtitle and description with content relevant for part 3
* add referencing the third part from the first and the second parts
* secure egress traffic control -> secure control of egress traffic
* Update content/blog/2019/egress-traffic-control-in-istio-part-3/index.md
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove "new from
Co-Authored-By: Rigs Caballero <grca@google.com>
* such as Kubernetes Network Policies -> such as using Kubernetes Network Policies
Co-Authored-By: Rigs Caballero <grca@google.com>
* proxies/firewalls -> proxies and firewalls
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence of reminding the requirements
Co-Authored-By: Rigs Caballero <grca@google.com>
* support for -> support of
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove by Istio, support for -> support of
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about the two alternative solutions
Co-Authored-By: Rigs Caballero <grca@google.com>
* cannot satisfy -> the requirements they can't satisfy
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove the dot from subtitle
since Hugo complains about it
* add mentioning the alternative solutions before presenting them
* The most natural solution -> Kubernetes provides a native solution
* rewrite the sentence about cluster operators and network policies
Co-Authored-By: Rigs Caballero <grca@google.com>
* can be identified -> cluster operators can identify
Co-Authored-By: Rigs Caballero <grca@google.com>
* stress the relation between IP ranges and not being DNS-aware
* the requirement is satisfied -> network policies satisfy the requirement
* rewrite the sentence about K8s network policies and requirements 3 and 4
* remove passive voice in the sentence about the fifth requirement and k8s network policies
Co-Authored-By: Rigs Caballero <grca@google.com>
* and to interfere -> and interfere, the node - the said node
Co-Authored-By: Rigs Caballero <grca@google.com>
* Add "lastly", remove passive voice from the k8s network policies and the sixth requirement
Co-Authored-By: Rigs Caballero <grca@google.com>
* add "in summary" to the last sentence about k8s network policies
Co-Authored-By: Rigs Caballero <grca@google.com>
* another approach -> the second alternative, add the to Kubernetes network policies, add "Using ... lets you"
Co-Authored-By: Rigs Caballero <grca@google.com>
* are configured -> configure
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove passive voice, use operators as subjects
Co-Authored-By: Rigs Caballero <grca@google.com>
* not known to proxies -> proxies do not know about them
Co-Authored-By: Rigs Caballero <grca@google.com>
* they -> egress proxies, source specified by -> Kubernetes artifacts specifies the source
Co-Authored-By: Rigs Caballero <grca@google.com>
* add "in summary" to the last sentence about egress proxies
Co-Authored-By: Rigs Caballero <grca@google.com>
* but not -> but can't satisfy
Co-Authored-By: Rigs Caballero <grca@google.com>
* connect two sentences about not specifying the requirements and why they do not specify the requirements
Co-Authored-By: Rigs Caballero <grca@google.com>
* fix the subtitle and description that were mistakenly reverted
* use lower case for network policies
* remove redundant white space
* remove a redundant empty line
* remove a leftover and fix lines arrangement
* hop with two proxies, the egress gateway -> hop with one or two proxies in the egress gateway
* pay attention to performance overhead and measure it
* remove "because they are DNS-aware" since they are by definition DNS-aware
* requirements 3 and 4 -> the third and the fourth requirements
* proxy/firewall -> proxy or firewall
* have to -> must
* for authentication only without encrypting -> for authentication only, without encrypting
* remove comma in "in the egress gateway, should not have a large impact"
* remove "so I hope the overhead of egress traffic control in Istio will be reduced in the future"
since it is implied for the fact that we are working to reduce it
* use colon instead of "namely"
Co-Authored-By: Rigs Caballero <grca@google.com>
* split a long sentence
Co-Authored-By: Rigs Caballero <grca@google.com>
* do not -> don't, remove "to" after "or"
Co-Authored-By: Rigs Caballero <grca@google.com>
* tamper-proof -> resilient to tampering
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about Istio's additional features
Co-Authored-By: Rigs Caballero <grca@google.com>
* it allows defining -> define
Co-Authored-By: Rigs Caballero <grca@google.com>
* Is intergrated out of the box -> Out-of-the-box integration
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about writing the adapters to external monitoring once
Co-Authored-By: Rigs Caballero <grca@google.com>
* You can apply -> Use
Co-Authored-By: Rigs Caballero <grca@google.com>
* We call a system that has the advantages above -> We refer to a system with the advantages above as
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the "Let me summarize" sentence
Co-Authored-By: Rigs Caballero <grca@google.com>
* put Istio the first in the features table
* rewrite the sentence about the price of egress control
Co-Authored-By: Rigs Caballero <grca@google.com>
* increase of CPU usage by the cluster pods -> increased CPU usage by the cluster's pods
Co-Authored-By: Rigs Caballero <grca@google.com>
* Rewrite the sentence about traffic passing through two proxies
Co-Authored-By: Rigs Caballero <grca@google.com>
* complete the previous commit
Co-Authored-By: Rigs Caballero <grca@google.com>
* In the case of -> if you use
Co-Authored-By: Rigs Caballero <grca@google.com>
* making the count of proxies three -> adding a third proxy.
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about the traffic between proxies on the local host
Co-Authored-By: Rigs Caballero <grca@google.com>
* different configurations of Istio -> different Istio configurations set to control
Co-Authored-By: Rigs Caballero <grca@google.com>
* to measure carefully -> to carefully measure, for your applications -> with your applications
Co-Authored-By: Rigs Caballero <grca@google.com>
* measure and decide -> measure before you decide
Co-Authored-By: Rigs Caballero <grca@google.com>
* , and also compare with -> and compare
Co-Authored-By: Rigs Caballero <grca@google.com>
* provide our take -> share my thoughts
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about high latency of access to external services, part 1
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about high latency of access to external services, part 2
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about microservice architecture
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about the additional hop
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence "we are working to reduce performance"
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about possible optimizations, part 1
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about possible optimizations, part 2
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about possible optimizations, part 3
Co-Authored-By: Rigs Caballero <grca@google.com>
* I also hope -> hopefully, can serve as -> is, for controlling -> to control
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about the first Istio use case
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove leftover from the previous commit
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove the last sentence about the performance overhead
* add links to Istio features
* with Istio sidecar injected -> in the mesh
* then apply the adapters -> apply them
* add a comma
* rewrite the sentence about Istio being already beneficial
Co-Authored-By: Rigs Caballero <grca@google.com>
* replace * bullets by -
* remove double and
* The network policies -> Network policies
* remove "adding a third proxy"
* split a long line
* add a sentence about "Istio is the only solution"
* encourage users to install Istio, check Istio tasks and use discuss.istio.io
* fix a typo
* rewrite Istio is the only solution as bullets
Co-Authored-By: Rigs Caballero <grca@google.com>
* complete the previous commit
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence "if you had not a chance to work with Istio yet"
Co-Authored-By: Rigs Caballero <grca@google.com>
* chec egress traffic control -> check egress traffic control task
Co-Authored-By: Rigs Caballero <grca@google.com>
* Tell us what you think -> we also want to hear from you
Co-Authored-By: Rigs Caballero <grca@google.com>
* specify a traffic source -> specify the traffic source
* egress control task -> egress control tasks
* remove the final dot from the third bullet
* use a relative url for istio.io
* change the published date to today
(cherry picked from commit b1b48a39eb)
* Cross-namespace config
* clarifications
* Fix spelling
* tweaks
* improvements
* more details
* Reference the problem from egress gateway task
* tweak
* review comments and remove broken link
* broken link
(cherry picked from commit 622020ba69)
* add the second part of the series about secure egress traffic control in Istio (#4196)
* requirements for your system -> requirements for a system for egress traffic control
* add links from part 1 to part 2
* add istio-identity to .spelling
* add gateway and tls as keywords
Co-Authored-By: Rigs Caballero <grca@google.com>
* This is -> Welcome to, a new series -> our new series
Co-Authored-By: Rigs Caballero <grca@google.com>
* an egress traffic control system -> a secure control system for egress traffic
Co-Authored-By: Rigs Caballero <grca@google.com>
* for controlling egress traffic securely -> to securely control the egress traffic, prevents the -> can help you prevent such
Co-Authored-By: Rigs Caballero <grca@google.com>
* Egress traffic control by Istio -> Secure control of egress traffic in Istio
Co-Authored-By: Rigs Caballero <grca@google.com>
* add bullets regarding security measures for Istio control plane
Co-Authored-By: Rigs Caballero <grca@google.com>
* you can securely monitor the traffic and define security policies on it -> you can securely monitor and define security policies for the traffic
Co-Authored-By: Rigs Caballero <grca@google.com>
* Possible attacks and their prevention -> Preventing possible attacks
Co-Authored-By: Rigs Caballero <grca@google.com>
* e.g. -> like, add a comma, split a sentence
Co-Authored-By: Rigs Caballero <grca@google.com>
* the -> said
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove "for TLS traffic"
it is clear that it is TLS Traffic from TLS origination
Co-Authored-By: Rigs Caballero <grca@google.com>
* monitor SNI and the service account of the source pod -> monitor SNI and the service account of the source pod's TLS traffic
Co-Authored-By: Rigs Caballero <grca@google.com>
* L3 firewall -> an L3 firewall, remove parentheses, provided -> should be provided
* The L3 firewall can have -> you can configure the L3 firewall
Co-Authored-By: Rigs Caballero <grca@google.com>
* from pods only -> only allow. Remove "Note that"
Co-Authored-By: Rigs Caballero <grca@google.com>
* move the diagram right after its introduction
* remove parentheses
Co-Authored-By: Rigs Caballero <grca@google.com>
* emphasize the label (A, B)
Co-Authored-By: Rigs Caballero <grca@google.com>
* policy with regard -> policies as they regard
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about a compromised pod
Co-Authored-By: Rigs Caballero <grca@google.com>
* traffic must be monitored -> traffic is monitored
Co-Authored-By: Rigs Caballero <grca@google.com>
* Note that application A is allowed -> since application A is allowed
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about monitoring access of the compromised version of the application
Co-Authored-By: Rigs Caballero <grca@google.com>
* split the sentence about detecting suspicious traffic
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about thwarting the second goal of the attackers
Co-Authored-By: Rigs Caballero <grca@google.com>
* Istio must enforce -> enforces, forbids access of application A -> forbids application A from accessing
Co-Authored-By: Rigs Caballero <grca@google.com>
* Rewrite the sentence "let's see which attacks"
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence "I hope that"
Co-Authored-By: Rigs Caballero <grca@google.com>
* in the next blog post -> in the next part
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove mentioning wildcard domains
* rewrite the "Secure control of egress traffic in Istio" section
* remove a leftover from suggested changes
* as they regard to egress traffic -> for egress traffic
* convert security policies into bullets
* make the labels (A,B) bold
* remove the sentences about thwarting the second goal
* rewrite the paragraph about which goals of the attackers can be thwarted
* remove a leftover from the previous changes
* such attacks -> the attacks
* rewrite the section about preventing the attacks
* secure egress traffic control -> secure control of egress traffic
* sending HTTP traffic -> sending unencrypted HTTP traffic
* define security policies -> enforce security policies
* change the publish date to July 9
* formatting
Co-Authored-By: Rigs Caballero <grca@google.com>
* Kubernetes Network Policies -> Kubernetes network policies
Co-Authored-By: Rigs Caballero <grca@google.com>
* [an example for Kubernetes Network Policies configuration] -> an example of the [Kubernetes Network Policies configuration]
Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 1
Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 2
Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 3
Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 4
Co-Authored-By: Rigs Caballero <grca@google.com>
* check -> verify, access the destination, mongo1, access mongo1
Co-Authored-By: Rigs Caballero <grca@google.com>
* You can thwart the third goal -> to stop attackers from
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove mentioning anomaly detection
Co-Authored-By: Rigs Caballero <grca@google.com>
* Provide context instead of "after all"
Co-Authored-By: Rigs Caballero <grca@google.com>
* split a long line
Co-Authored-By: Rigs Caballero <grca@google.com>
* connect two sentences
Co-Authored-By: Rigs Caballero <grca@google.com>
* First -> Next
Co-Authored-By: Rigs Caballero <grca@google.com>
* use - instead of * for bulleted lists
* make the first attacker's goal a bullet
Co-Authored-By: Rigs Caballero <grca@google.com>
* make the first attacker's goal a bullet
the previous commit was related to the third goal
Co-Authored-By: Rigs Caballero <grca@google.com>
* make the second attacker's goal a bullet
Co-Authored-By: Rigs Caballero <grca@google.com>
* fix indentation
Co-Authored-By: Rigs Caballero <grca@google.com>
* make the reference to prevention of the first goal a bullet
Co-Authored-By: Rigs Caballero <grca@google.com>
* make the reference to prevention of the second goal a bullet
Co-Authored-By: Rigs Caballero <grca@google.com>
* rephrase the sentence about applying additional security measures
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove leftover from a previous change
Co-Authored-By: Rigs Caballero <grca@google.com>
* that will enforce -> to enforce
Co-Authored-By: Rigs Caballero <grca@google.com>
* split long lines
* rewrite the part about increasing security of the control plane pods
* fix indentation
* fix indentation and remove a leftover from a previous change
* extend the bold font from a single word to a phrase
* rewrite the prevention of the straightforward access and the attacks
* add conclusion after the attacks part
* control planes pods -> control plane pods
* control plane -> Istio control plane
* is able to access it indistinguishable -> is indistinguishable
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence "The choice would mainly depend on"
Co-Authored-By: Rigs Caballero <grca@google.com>
* insure -> ensure
Co-Authored-By: Rigs Caballero <grca@google.com>
* update the publish date to 10-th of July
(cherry picked from commit 24f9ca7046)