* istio api evolution blog post
* changed list elements to use dashes
* whitespace fixes for presubmit
* fixes for whitespace, spelling, and relative links
* reformatted list of k8s objects to inline, using backticks
* removed unnecessary terms
* mTLS -> mutual TLS
* Fixed the linting errors I was able to.
* Add 1.1.13 and 1.2.4 release notes.
And fix some linter errors in oaktowner's blog post.
* Minor fixes
* code review fixes.
* If istio terminates any http since it will autodetect and use http/2 if
supplied.
* Apply suggestions from code review
Applying geeknoid's suggestions
Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com>
* It's queuing not queueing.
* Rename cve announcement path to istio-security path.
* Add note that these are minimal patches that fix only the security bugs.
* Add CVE for regex vulnerabilities in the mixer filter.
* a skeleton version
* add full content
* fix internal links to previous egress examples
* make the structure flat
decrease the indentation level of two subsections
* replace subtitle and description with content relevant for part 3
* add referencing the third part from the first and the second parts
* secure egress traffic control -> secure control of egress traffic
* Update content/blog/2019/egress-traffic-control-in-istio-part-3/index.md
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove "new from
Co-Authored-By: Rigs Caballero <grca@google.com>
* such as Kubernetes Network Policies -> such as using Kubernetes Network Policies
Co-Authored-By: Rigs Caballero <grca@google.com>
* proxies/firewalls -> proxies and firewalls
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence of reminding the requirements
Co-Authored-By: Rigs Caballero <grca@google.com>
* support for -> support of
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove by Istio, support for -> support of
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about the two alternative solutions
Co-Authored-By: Rigs Caballero <grca@google.com>
* cannot satisfy -> the requirements they can't satisfy
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove the dot from subtitle
since Hugo complains about it
* add mentioning the alternative solutions before presenting them
* The most natural solution -> Kubernetes provides a native solution
* rewrite the sentence about cluster operators and network policies
Co-Authored-By: Rigs Caballero <grca@google.com>
* can be identified -> cluster operators can identify
Co-Authored-By: Rigs Caballero <grca@google.com>
* stress the relation between IP ranges and not being DNS-aware
* the requirement is satisfied -> network policies satisfy the requirement
* rewrite the sentence about K8s network policies and requirements 3 and 4
* remove passive voice in the sentence about the fifth requirement and k8s network policies
Co-Authored-By: Rigs Caballero <grca@google.com>
* and to interfere -> and interfere, the node - the said node
Co-Authored-By: Rigs Caballero <grca@google.com>
* Add "lastly", remove passive voice from the k8s network policies and the sixth requirement
Co-Authored-By: Rigs Caballero <grca@google.com>
* add "in summary" to the last sentence about k8s network policies
Co-Authored-By: Rigs Caballero <grca@google.com>
* another approach -> the second alternative, add the to Kubernetes network policies, add "Using ... lets you"
Co-Authored-By: Rigs Caballero <grca@google.com>
* are configured -> configure
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove passive voice, use operators as subjects
Co-Authored-By: Rigs Caballero <grca@google.com>
* not known to proxies -> proxies do not know about them
Co-Authored-By: Rigs Caballero <grca@google.com>
* they -> egress proxies, source specified by -> Kubernetes artifacts specifies the source
Co-Authored-By: Rigs Caballero <grca@google.com>
* add "in summary" to the last sentence about egress proxies
Co-Authored-By: Rigs Caballero <grca@google.com>
* but not -> but can't satisfy
Co-Authored-By: Rigs Caballero <grca@google.com>
* connect two sentences about not specifying the requirements and why they do not specify the requirements
Co-Authored-By: Rigs Caballero <grca@google.com>
* fix the subtitle and description that were mistakenly reverted
* use lower case for network policies
* remove redundant white space
* remove a redundant empty line
* remove a leftover and fix lines arrangement
* hop with two proxies, the egress gateway -> hop with one or two proxies in the egress gateway
* pay attention to performance overhead and measure it
* remove "because they are DNS-aware" since they are by definition DNS-aware
* requirements 3 and 4 -> the third and the fourth requirements
* proxy/firewall -> proxy or firewall
* have to -> must
* for authentication only without encrypting -> for authentication only, without encrypting
* remove comma in "in the egress gateway, should not have a large impact"
* remove "so I hope the overhead of egress traffic control in Istio will be reduced in the future"
since it is implied for the fact that we are working to reduce it
* use colon instead of "namely"
Co-Authored-By: Rigs Caballero <grca@google.com>
* split a long sentence
Co-Authored-By: Rigs Caballero <grca@google.com>
* do not -> don't, remove "to" after "or"
Co-Authored-By: Rigs Caballero <grca@google.com>
* tamper-proof -> resilient to tampering
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about Istio's additional features
Co-Authored-By: Rigs Caballero <grca@google.com>
* it allows defining -> define
Co-Authored-By: Rigs Caballero <grca@google.com>
* Is intergrated out of the box -> Out-of-the-box integration
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about writing the adapters to external monitoring once
Co-Authored-By: Rigs Caballero <grca@google.com>
* You can apply -> Use
Co-Authored-By: Rigs Caballero <grca@google.com>
* We call a system that has the advantages above -> We refer to a system with the advantages above as
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the "Let me summarize" sentence
Co-Authored-By: Rigs Caballero <grca@google.com>
* put Istio the first in the features table
* rewrite the sentence about the price of egress control
Co-Authored-By: Rigs Caballero <grca@google.com>
* increase of CPU usage by the cluster pods -> increased CPU usage by the cluster's pods
Co-Authored-By: Rigs Caballero <grca@google.com>
* Rewrite the sentence about traffic passing through two proxies
Co-Authored-By: Rigs Caballero <grca@google.com>
* complete the previous commit
Co-Authored-By: Rigs Caballero <grca@google.com>
* In the case of -> if you use
Co-Authored-By: Rigs Caballero <grca@google.com>
* making the count of proxies three -> adding a third proxy.
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about the traffic between proxies on the local host
Co-Authored-By: Rigs Caballero <grca@google.com>
* different configurations of Istio -> different Istio configurations set to control
Co-Authored-By: Rigs Caballero <grca@google.com>
* to measure carefully -> to carefully measure, for your applications -> with your applications
Co-Authored-By: Rigs Caballero <grca@google.com>
* measure and decide -> measure before you decide
Co-Authored-By: Rigs Caballero <grca@google.com>
* , and also compare with -> and compare
Co-Authored-By: Rigs Caballero <grca@google.com>
* provide our take -> share my thoughts
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about high latency of access to external services, part 1
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about high latency of access to external services, part 2
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about microservice architecture
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about the additional hop
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence "we are working to reduce performance"
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about possible optimizations, part 1
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about possible optimizations, part 2
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about possible optimizations, part 3
Co-Authored-By: Rigs Caballero <grca@google.com>
* I also hope -> hopefully, can serve as -> is, for controlling -> to control
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about the first Istio use case
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove leftover from the previous commit
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove the last sentence about the performance overhead
* add links to Istio features
* with Istio sidecar injected -> in the mesh
* then apply the adapters -> apply them
* add a comma
* rewrite the sentence about Istio being already beneficial
Co-Authored-By: Rigs Caballero <grca@google.com>
* replace * bullets by -
* remove double and
* The network policies -> Network policies
* remove "adding a third proxy"
* split a long line
* add a sentence about "Istio is the only solution"
* encourage users to install Istio, check Istio tasks and use discuss.istio.io
* fix a typo
* rewrite Istio is the only solution as bullets
Co-Authored-By: Rigs Caballero <grca@google.com>
* complete the previous commit
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence "if you had not a chance to work with Istio yet"
Co-Authored-By: Rigs Caballero <grca@google.com>
* chec egress traffic control -> check egress traffic control task
Co-Authored-By: Rigs Caballero <grca@google.com>
* Tell us what you think -> we also want to hear from you
Co-Authored-By: Rigs Caballero <grca@google.com>
* specify a traffic source -> specify the traffic source
* egress control task -> egress control tasks
* remove the final dot from the third bullet
* use a relative url for istio.io
* change the published date to today
(cherry picked from commit b1b48a39eb)
* Cross-namespace config
* clarifications
* Fix spelling
* tweaks
* improvements
* more details
* Reference the problem from egress gateway task
* tweak
* review comments and remove broken link
* broken link
(cherry picked from commit 622020ba69)
* add the second part of the series about secure egress traffic control in Istio (#4196)
* requirements for your system -> requirements for a system for egress traffic control
* add links from part 1 to part 2
* add istio-identity to .spelling
* add gateway and tls as keywords
Co-Authored-By: Rigs Caballero <grca@google.com>
* This is -> Welcome to, a new series -> our new series
Co-Authored-By: Rigs Caballero <grca@google.com>
* an egress traffic control system -> a secure control system for egress traffic
Co-Authored-By: Rigs Caballero <grca@google.com>
* for controlling egress traffic securely ->to securely control the egress traffic, prevents the -> can help you prevent such
Co-Authored-By: Rigs Caballero <grca@google.com>
* Egress traffic control by Istio -> Secure control of egress traffic in Istio
Co-Authored-By: Rigs Caballero <grca@google.com>
* add bullets regarding security measures for Istio control plane
Co-Authored-By: Rigs Caballero <grca@google.com>
* you can securely monitor the traffic and define security policies on it -> you can securely monitor and define security policies for the traffic
Co-Authored-By: Rigs Caballero <grca@google.com>
* Possible attacks and their prevention -> Preventing possible attacks
Co-Authored-By: Rigs Caballero <grca@google.com>
* e.g. -> like, add a comma, split a sentence
Co-Authored-By: Rigs Caballero <grca@google.com>
* the -> said
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove "for TLS traffic"
it is clear that it is TLS Traffic from TLS origination
Co-Authored-By: Rigs Caballero <grca@google.com>
* monitor SNI and the service account of the source pod -> monitor SNI and the service account of the source pod's TLS traffic
Co-Authored-By: Rigs Caballero <grca@google.com>
* L3 firewall -> an L3 firewall, remove parentheses, provided -> should be provided
* The L3 firewall can have -> you can configure the L3 firewall
Co-Authored-By: Rigs Caballero <grca@google.com>
* from pods only -> only allow. Remove "Note that"
Co-Authored-By: Rigs Caballero <grca@google.com>
* move the diagram right after its introduction
* remove parentheses
Co-Authored-By: Rigs Caballero <grca@google.com>
* emphasize the label (A, B)
Co-Authored-By: Rigs Caballero <grca@google.com>
* policy with regard -> policies as they regard
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about a compromised pod
Co-Authored-By: Rigs Caballero <grca@google.com>
* traffic must be monitored -> traffic is monitored
Co-Authored-By: Rigs Caballero <grca@google.com>
* Note that application A is allowed -> since application A is allowed
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about monitoring access of the compromised version of the application
Co-Authored-By: Rigs Caballero <grca@google.com>
* split the sentence about detecting suspicious traffic
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about thwarting the second goal of the attackers
Co-Authored-By: Rigs Caballero <grca@google.com>
* Istio must enforce -> enforces, forbids access of application A -> forbids application A from accessing
Co-Authored-By: Rigs Caballero <grca@google.com>
* Rewrite the sentence "let's see which attacks"
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence "I hope that"
Co-Authored-By: Rigs Caballero <grca@google.com>
* in the next blog post -> in the next part
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove mentioning wildcard domains
* rewrite the "Secure control of egress traffic in Istio" section
* remove a leftover from suggested changes
* as they regard to egress traffic -> for egress traffic
* convert security policies into bullets
* make the labels (A,B) bold
* remove the sentences about thwarting the second goal
* rewrite the paragraph about which goals of the attackers can be thwarted
* remove a leftover from the previous changes
* such attacks -> the attacks
* rewrite the section about preventing the attacks
* secure egress traffic control -> secure control of egress traffic
* sending HTTP traffic -> sending unencrypted HTTP traffic
* define security policies -> enforce security policies
* change the publish date to July 9
* formatting
Co-Authored-By: Rigs Caballero <grca@google.com>
* Kubernetes Network Policies -> Kubernetes network policies
Co-Authored-By: Rigs Caballero <grca@google.com>
* [an example for Kubernetes Network Policies configuration] -> an example of the [Kubernetes Network Policies configuration]
Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 1
Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 2
Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 3
Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 4
Co-Authored-By: Rigs Caballero <grca@google.com>
* check -> verify, access the destination, mongo1, access mongo1
Co-Authored-By: Rigs Caballero <grca@google.com>
* You can thwart the third goal -> to stop attackers from
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove mentioning anomaly detection
Co-Authored-By: Rigs Caballero <grca@google.com>
* Provide context instead of "after all"
Co-Authored-By: Rigs Caballero <grca@google.com>
* split a long line
Co-Authored-By: Rigs Caballero <grca@google.com>
* connect two sentences
Co-Authored-By: Rigs Caballero <grca@google.com>
* First -> Next
Co-Authored-By: Rigs Caballero <grca@google.com>
* use - instead of * for bulleted lists
* make the first attacker's goal a bullet
Co-Authored-By: Rigs Caballero <grca@google.com>
* make the first attacker's goal a bullet
the previous commit was related to the third goal
Co-Authored-By: Rigs Caballero <grca@google.com>
* make the second attacker's goal a bullet
Co-Authored-By: Rigs Caballero <grca@google.com>
* fix indentation
Co-Authored-By: Rigs Caballero <grca@google.com>
* make the reference to prevention of the first goal a bullet
Co-Authored-By: Rigs Caballero <grca@google.com>
* make the reference to prevention of the second goal a bullet
Co-Authored-By: Rigs Caballero <grca@google.com>
* rephrase the sentence about applying additional security measures
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove leftover from a previous change
Co-Authored-By: Rigs Caballero <grca@google.com>
* that will enforce -> to enforce
Co-Authored-By: Rigs Caballero <grca@google.com>
* split long lines
* rewrite the part about increasing security of the control plane pods
* fix indentation
* fix indentation and remove a leftover from a previous change
* extend the bold font from a single word to a phrase
* rewrite the prevention of the straightforward access and the attacks
* add conclusion after the attacks part
* control planes pods -> control plane pods
* control plane -> Istio control plane
* is able to access it indistinguishable -> is indistinguishable
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence "The choice would mainly depend on"
Co-Authored-By: Rigs Caballero <grca@google.com>
* insure -> ensure
Co-Authored-By: Rigs Caballero <grca@google.com>
* update the publish date to 10th of July
(cherry picked from commit 24f9ca7046)
* adds blog post
* Linter revisions
* Fix links
* Remove link to github file line number
* Provides clarity on Mixer v2
* list authors alphabetically
* Resolve comments
* Typo fix
* Apply suggestions from code review
Co-Authored-By: Rigs Caballero <grca@google.com>
* Linter update
* linter fix
* Update all github permalinks
* Add RBAC link
* list latencies in increasing order
* update name listing
* remove Note next to warning icon
* Clarify no mixer settings
* update summary punctuation
(cherry picked from commit 5cb1d42de3)
* Show the URL for the Mixer self-monitoring endpoint
So that the user does not have to guess.
* Update content/docs/ops/telemetry/missing-metrics/index.md
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
(cherry picked from commit 98f93f40ae)
the old jsonpath selector doesn't work because it produces an incorrect pod name value
update it to the right jsonpath selector that produces the right pod name
* Add clarity to transport auth section, inc new mode param
Arguably the wording here before was incorrect, because the mtls
parameter does have an argument, the mode parameter. This documents
STRICT and PERMISSIVE modes, as well as discussing the equivalence
between STRICT mode and omission of the mode key. It also adds clarity
as to what happens when the section is omitted.
* Fix typos
* Reword omission of tls mode for clarity
* Link to reference docs with equivalence tip
* Remove speculative paragraph
* Link directly to mtls modes reference
* Unbreak line to fix html
* Remove list inside tip
This seems to cause issues with html generation from Hugo
(cherry picked from commit 942c6e9d86)
* Add clarification on behaviour in absence of policy
* Content fixes for clarity
* Remove example manifest in favor of explanation
The example manifest was confusing because it wasn't technically valid
if applied to a cluster. This removes it in favor of just spelling out
that both origin and transport auth are disabled.
(cherry picked from commit bb8af722b2)