* build an archive of v1.11 in master
* update data/versions.yml and archive index page
* advance master to release-1.13
* Another script update
* go get remaining istio repos to satisfy linter
* Temporarily fix link broken by istio/api #2148
* Temporarily disable istioctl analyze test.
* add authz limitation
* Apply suggestions from code review
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
* Update to latest istio/istio commit for istio.io tests
* Update to latest istio commit
* Additional istioctl analyze output
* Fix istioctl-analyze test
* Fix gateway doc
* Fix setting of INGRESS_HOST and more cleanup
* Fixes for unbound INGRESS_HOST
* lint fix
Co-authored-by: John Howard <howardjohn@google.com>
* Improve DestinationRule Security Best Practices
* Add instructions for improving security using subjectAltNames which is
not checked by default.
* Add instructions to turn on VERIFY_CERTIFICATE_AT_CLIENT to decrease
friction of checking certificates against a CA.
* Escalate certificate validation that is not being done to a warning to
increase visibility.
* Add Clarification to certificate validation.
* Add explanation of using system to enable OS CA certificate usage.
* Clarify subjectAltName usage and why it is important
* Fix linter error
* Clarify CA cert used and user need for an sni value
* build an archive of v1.10 in master
* update data/versions.yml and archive index page
* advance master to release-1.12
* Update istio test reference to pick up 1.12 in istioctl messages
* Fix lint and IMAGE_VERSION
* More changes for lint
* Use correct IMAGE_VERSION
* Skip virtual machines test - Release Blocker issue created
* add best practice to restart proxies after applying network policy
* Update content/en/docs/ops/best-practices/security/index.md
Co-authored-by: craigbox <craigbox@google.com>
Co-authored-by: craigbox <craigbox@google.com>
* Document rewriting of TCP based probes (see istio 33734)
https://github.com/istio/istio/pull/33734
Co-authored-by: Philipp Stehle <philipp.stehle@sap.com>
* run make gen
* make it obvious that the same rewrite action is done on both HTTP and TCP probes
Co-authored-by: craigbox <craigbox@google.com>
* fix typo
* apply more review comments
Co-authored-by: Philipp Stehle <philipp.stehle@sap.com>
Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>
Co-authored-by: craigbox <craigbox@google.com>
Co-authored-by: Johannes Dillmann <j.dillmann@sap.com>
Now that the Kiali addon has been upgraded to v1.36, there is no longer the monitoring dashboard CRD that we have to worry about. This is what caused that timing error (the CRD would fail to be established in time before the dashboards themselves started to get created).
Since this timing error won't happen, we can remove this warning in the docs.
* add normalization guideline in security best practice
* Apply suggestions from code review
Co-authored-by: Justin Pettit <jdpettit@google.com>
* add link
* Apply suggestions from code review
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
Co-authored-by: Justin Pettit <jdpettit@google.com>
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* add mitigation for unsupported normalization in security best practice
* address comments
* address comments
* Apply suggestions from code review
Co-authored-by: Justin Pettit <jdpettit@google.com>
* Apply suggestions from code review
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
* address comments
Co-authored-by: Justin Pettit <jdpettit@google.com>
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
* Flag experimental pages with dagger
* Use dagger symbol in title
* Dagger in navigation titles for experimental status
* Experimental asterisk note
* Asterisk with space
* Spacing between title and asterisk
* Flag experimental and alpha status
* add direct pod IP troubleshooting guide for multicluster
* wording
* fix text blocks
* you instead of we
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* close text block
* spelling
* lint
* wording
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* update the auto mtls troubleshooting guide.
* address first round cmd, eds, grep.
* update the limitation on peer authn wording.
* lint fix.
* address comments for EDS, clarification.
* upload content
* update to be brief.
* Update content/en/docs/ops/common-problems/security-issues/index.md
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
* build an archive of v1.9 in master
* update data/versions.yml and archive index page
* advance master to release-1.11
* Update the istio test reference to master
* Remove failing deny test
* Remove another test
* Remove a third test
* Add envoy test
* Add exception for SC2154 to support snippet variables following other tests
* Add proxyconfig
* Add exception for SC2154 to support snippet variables following other tests
* Add comments
* Add logging
* Limit the IFS
* Add envoy test
* Add exception for SC2154 to support snippet variables following other tests
* Add proxyconfig
* Add exception for SC2154 to support snippet variables following other tests
* Add comments
* Add logging
* Limit the IFS
* Add manual cleanup
* Manually create cluster
When trying to run the code I found that it failed. While debugging, I traced the issue to a bad revision being found (`null`); fixing this gets the revision and fixes the process. I still notice that Grafana dashboard 7642 still has issues compared to the other dashboards. I don't know why yet. Might look into that next, but for now this fixes all the others.