* Document preference to using an NLB with gateways
Gateways multicluster runs best with NLBs. Share this arcane bit of
information in the documentation.
* Address linting
* Address reviewer comments.
* Address reviewer comments
* add the second part of the series about secure egress traffic control in Istio (#4196)
* requirements for your system -> requirements for a system for egress traffic control
* add links from part 1 to part 2
* add istio-identity to .spelling
* add gateway and tls as keywords
Co-Authored-By: Rigs Caballero <grca@google.com>
* This is -> Welcome to, a new series -> our new series
Co-Authored-By: Rigs Caballero <grca@google.com>
* an egress traffic control system -> a secure control system for egress traffic
Co-Authored-By: Rigs Caballero <grca@google.com>
* for controlling egress traffic securely -> to securely control the egress traffic, prevents the -> can help you prevent such
Co-Authored-By: Rigs Caballero <grca@google.com>
* Egress traffic control by Istio -> Secure control of egress traffic in Istio
Co-Authored-By: Rigs Caballero <grca@google.com>
* add bullets regarding security measures for Istio control plane
Co-Authored-By: Rigs Caballero <grca@google.com>
* you can securely monitor the traffic and define security policies on it -> you can securely monitor and define security policies for the traffic
Co-Authored-By: Rigs Caballero <grca@google.com>
* Possible attacks and their prevention -> Preventing possible attacks
Co-Authored-By: Rigs Caballero <grca@google.com>
* e.g. -> like, add a comma, split a sentence
Co-Authored-By: Rigs Caballero <grca@google.com>
* the -> said
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove "for TLS traffic"
it is clear that it is TLS traffic from TLS origination
Co-Authored-By: Rigs Caballero <grca@google.com>
* monitor SNI and the service account of the source pod -> monitor SNI and the service account of the source pod's TLS traffic
Co-Authored-By: Rigs Caballero <grca@google.com>
* L3 firewall -> an L3 firewall, remove parentheses, provided -> should be provided
* The L3 firewall can have -> you can configure the L3 firewall
Co-Authored-By: Rigs Caballero <grca@google.com>
* from pods only -> only allow. Remove "Note that"
Co-Authored-By: Rigs Caballero <grca@google.com>
* move the diagram right after its introduction
* remove parentheses
Co-Authored-By: Rigs Caballero <grca@google.com>
* emphasize the label (A, B)
Co-Authored-By: Rigs Caballero <grca@google.com>
* policy with regard -> policies as they regard
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about a compromised pod
Co-Authored-By: Rigs Caballero <grca@google.com>
* traffic must be monitored -> traffic is monitored
Co-Authored-By: Rigs Caballero <grca@google.com>
* Note that application A is allowed -> since application A is allowed
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about monitoring access of the compromised version of the application
Co-Authored-By: Rigs Caballero <grca@google.com>
* split the sentence about detecting suspicious traffic
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about thwarting the second goal of the attackers
Co-Authored-By: Rigs Caballero <grca@google.com>
* Istio must enforce -> enforces, forbids access of application A -> forbids application A from accessing
Co-Authored-By: Rigs Caballero <grca@google.com>
* Rewrite the sentence "let's see which attacks"
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence "I hope that"
Co-Authored-By: Rigs Caballero <grca@google.com>
* in the next blog post -> in the next part
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove mentioning wildcard domains
* rewrite the "Secure control of egress traffic in Istio" section
* remove a leftover from suggested changes
* as they regard to egress traffic -> for egress traffic
* convert security policies into bullets
* make the labels (A,B) bold
* remove the sentences about thwarting the second goal
* rewrite the paragraph about which goals of the attackers can be thwarted
* remove a leftover from the previous changes
* such attacks -> the attacks
* rewrite the section about preventing the attacks
* secure egress traffic control -> secure control of egress traffic
* sending HTTP traffic -> sending unencrypted HTTP traffic
* define security policies -> enforce security policies
* change the publish date to July 9
* formatting
Co-Authored-By: Rigs Caballero <grca@google.com>
* Kubernetes Network Policies -> Kubernetes network policies
Co-Authored-By: Rigs Caballero <grca@google.com>
* [an example for Kubernetes Network Policies configuration] -> an example of the [Kubernetes Network Policies configuration]
Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 1
Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 2
Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 3
Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 4
Co-Authored-By: Rigs Caballero <grca@google.com>
* check -> verify, access the destination, mongo1, access mongo1
Co-Authored-By: Rigs Caballero <grca@google.com>
* You can thwart the third goal -> to stop attackers from
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove mentioning anomaly detection
Co-Authored-By: Rigs Caballero <grca@google.com>
* Provide context instead of "after all"
Co-Authored-By: Rigs Caballero <grca@google.com>
* split a long line
Co-Authored-By: Rigs Caballero <grca@google.com>
* connect two sentences
Co-Authored-By: Rigs Caballero <grca@google.com>
* First -> Next
Co-Authored-By: Rigs Caballero <grca@google.com>
* use - instead of * for bulleted lists
* make the first attacker's goal a bullet
Co-Authored-By: Rigs Caballero <grca@google.com>
* make the first attacker's goal a bullet
the previous commit was related to the third goal
Co-Authored-By: Rigs Caballero <grca@google.com>
* make the second attacker's goal a bullet
Co-Authored-By: Rigs Caballero <grca@google.com>
* fix indentation
Co-Authored-By: Rigs Caballero <grca@google.com>
* make the reference to prevention of the first goal a bullet
Co-Authored-By: Rigs Caballero <grca@google.com>
* make the reference to prevention of the second goal a bullet
Co-Authored-By: Rigs Caballero <grca@google.com>
* rephrase the sentence about applying additional security measures
Co-Authored-By: Rigs Caballero <grca@google.com>
* remove leftover from a previous change
Co-Authored-By: Rigs Caballero <grca@google.com>
* that will enforce -> to enforce
Co-Authored-By: Rigs Caballero <grca@google.com>
* split long lines
* rewrite the part about increasing security of the control plane pods
* fix indentation
* fix indentation and remove a leftover from a previous change
* extend the bold font from a single word to a phrase
* rewrite the prevention of the straightforward access and the attacks
* add conclusion after the attacks part
* control planes pods -> control plane pods
* control plane -> Istio control plane
* is able to access it indistinguishable -> is indistinguishable
Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence "The choice would mainly depend on"
Co-Authored-By: Rigs Caballero <grca@google.com>
* insure -> ensure
Co-Authored-By: Rigs Caballero <grca@google.com>
* update the publish date to 10th of July
* adds blog post
* Linter revisions
* Fix links
* Remove link to github file line number
* Provides clarity on Mixer v2
* list authors alphabetically
* Resolve comments
* Typo fix
* Apply suggestions from code review
Co-Authored-By: Rigs Caballero <grca@google.com>
* Linter update
* linter fix
* Update all github permalinks
* Add RBAC link
* list latencies in increasing order
* update name listing
* remove Note next to warning icon
* Clarify no mixer settings
* update summary punctuation
* Show the URL for the Mixer self-monitoring endpoint
So that the user does not have to guess.
* Update content/docs/ops/telemetry/missing-metrics/index.md
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
the old jsonpath selector doesn't work because it produces an incorrect pod name value
update it to the right jsonpath selector that produces the right pod name
(cherry picked from commit 0ad4e0a687)
* Add clarification on behaviour in absence of policy
* Content fixes for clarity
* Remove example manifest in favor of explanation
The example manifest was confusing because it wasn't technically valid
if applied to a cluster. This removes it in favor of just spelling out
that both origin and transport auth are disabled.
* Add clarity to transport auth section, inc new mode param
Arguably the wording here before was incorrect, because the mtls
parameter does have an argument, the mode parameter. This documents
STRICT and PERMISSIVE modes, as well as discussing the equivalence
between STRICT mode and omission of the mode key. It also adds clarity
as to what happens when the section is omitted.
* Fix typos
* Reword omission of tls mode for clarity
* Link to reference docs with equivalence tip
* Remove speculative paragraph
* Link directly to mtls modes reference
* Unbreak line to fix html
* Remove list inside tip
This seems to cause issues with html generation from Hugo
* Updated with instructions for LightStep Tracing vs. LightStep [x]pm (#4203)
* Remove [x]PM unless necessary (#4405)
These instructions are now for both LightStep [x]PM and LightStep Tracing.
* Clarify auth variant
This makes it clear that sds-auth is already the 'auth' variant. It
also tries to be more specific about what it does, rather than just
saying 'auth by default'
* Add incompatibility between SDS and control plane auth
* Remove unneeded aside
* Clarify status of control plane security with SDS
No technical issues apparently, just timeline. Also moved to before the
table for clarity.
* Simplify additional security feature table
This improves the clarity of this table by:
* Removing default and minimal, since -auth doesn't add any security
features
* Labeling the first column as security feature
* Changing the names of the profiles to reflect the final profile name
including the -auth, instead of without
* Patch the ingress-gateway deployment instead of recreating it
Patching it by just adding what is missing - a volume - is better in the
sense that it doesn't matter how the user created it - the template used,
the options used when creating it, etc.
* Apply suggestions from code review
Co-Authored-By: Rigs Caballero <grca@google.com>
* Replace oc with kubectl
* Remove a trailing space
* fix(telemetry docs): replace p&t concept doc with observability doc
* Fixed broken links
* Fixed one internal and one external link
* Added links and fixed two typos
* Title and links changes
* Added Policies conceptual section
* Fixed broken links in commands reference and traffic management