* Information about holdApplicationUntilProxyStarts
This is a very extended topic about networking issues with pods with the istio-proxy sidecar container and is not spread or well documented.
Many people are using solutions such as "curl -fsI http://localhost:15021/healthz/ready", or post start hooks, even changing logic in scripts etc.
Adding this in this related documentation can help people find this feature easily.
* Fix leftover d
Remove leftover d in added
* Apply suggestions from craigbox
Co-authored-by: craigbox <craigbox@google.com>
* Update index.md
Remove trailing space in line 245.
Co-authored-by: Adrian Rico <aseguirico@gmail.com>
Co-authored-by: craigbox <craigbox@google.com>
* Added a small section on common errors while accessing headless services
* Fixed lint errors
* Removed unnecessary config details
* Few corrections and restructuring
* Updated commands for easier copying
* build an archive of v1.11 in master
* update data/versions.yml and archive index page
* advance master to release-1.13
* Another script update
* go get remaining istio repos to satisfy linter
* Temporarily fix link broken by istio/api #2148
* Temporarily disable istioctl analyze test.
* add authz limitation
* Apply suggestions from code review
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
* Update to latest istio/istio commit for istio.io tests
* Update to latest istio commit
* Additional istioctl analyze output
* Fix istioctl-analyze test
* Fix gateway doc
* Fix setting of INGRESS_HOST and more cleanup
* Fixes for unbound INGRESS_HOST
* lint fix
Co-authored-by: John Howard <howardjohn@google.com>
* Improve DestinationRule Security Best Practices
* Add instructions for improving security using subjectAltNames which is
not checked by default.
* Add instructions to turn on VERIFY_CERTIFICATE_AT_CLIENT to decrease
friction of checking certificates against a CA.
* Escalate certificate validation that is not being done to a warning to
increase visibility.
* Add Clarification to certificate validation.
* Add explanation of using system to enable OS CA certificate usage.
* Clarify subjectAltName usage and why it is important
* Fix linter error
* Clarify CA cert used and user need for an sni value
* build an archive of v1.10 in master
* update data/versions.yml and archive index page
* advance master to release-1.12
* Update istio test reference to pick up 1.12 in istioctl messages
* Fix lint and IMAGE_VERSION
* More changes for lint
* Use correct IMAGE_VERSION
* Skip virtual machines test - Release Blocker issue created
* add best practice to restart proxies after applying network policy
* Update content/en/docs/ops/best-practices/security/index.md
Co-authored-by: craigbox <craigbox@google.com>
Co-authored-by: craigbox <craigbox@google.com>
* Document rewriting of TCP based probes (see istio 33734)
https://github.com/istio/istio/pull/33734
Co-authored-by: Philipp Stehle <philipp.stehle@sap.com>
* run make gen
* make it obvious that the same rewrite action is done on both HTTP and TCP probes
Co-authored-by: craigbox <craigbox@google.com>
* fix typo
* apply more review comments
Co-authored-by: Philipp Stehle <philipp.stehle@sap.com>
Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>
Co-authored-by: craigbox <craigbox@google.com>
Co-authored-by: Johannes Dillmann <j.dillmann@sap.com>
Now that the Kiali addon has been upgraded to v1.36, there is no longer the monitoring dashboard CRD that we have to worry about. This is what caused that timing error (the CRD would fail to be established in time before the dashboards themselves started to get created).
Since this timing error won't happen, we can remove this warning in the docs.
* add normalization guideline in security best practice
* Apply suggestions from code review
Co-authored-by: Justin Pettit <jdpettit@google.com>
* add link
* Apply suggestions from code review
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
Co-authored-by: Justin Pettit <jdpettit@google.com>
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* add mitigation for unsupported normalization in security best practice
* address comments
* address comments
* Apply suggestions from code review
Co-authored-by: Justin Pettit <jdpettit@google.com>
* Apply suggestions from code review
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
* address comments
Co-authored-by: Justin Pettit <jdpettit@google.com>
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
* Flag experimental pages with dagger
* Use dagger symbol in title
* Dagger in navigation titles for experimental status
* Experimental asterisk note
* Asterisk with space
* Spacing between title and asterisk
* Flag experimental and alpha status
* add direct pod IP troubleshooting guide for multicluster
* wording
* fix text blocks
* you instead of we
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* close text block
* spelling
* lint
* wording
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* update the auto mtls troubleshooting guide.
* address first round cmd, eds, grep.
* update the limitation on peer authn wording.
* lint fix.
* address comments for EDS, clarification.
* upload content
* update to be brief.
* Update content/en/docs/ops/common-problems/security-issues/index.md
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
* build an archive of v1.9 in master
* update data/versions.yml and archive index page
* advance master to release-1.11
* Update the istio test reference to master
* Remove failing deny test
* Remove another test
* Remove a third test