istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v0.8/docs/tasks/security/authn-policy/index.html

8122 lines
133 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE html>
<html lang="en" itemscope itemtype="https://schema.org/WebPage">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="theme-color" content="#466BB0"/>
<meta name="title" content="Basic Authentication Policy">
<meta name="description" content="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication.">
<meta name="og:title" content="Basic Authentication Policy">
<meta name="og:description" content="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication.">
<meta name="og:url" content="/v0.8/docs/tasks/security/authn-policy/">
<meta name="og.site_name" content="Istio">
<title>Istioldie 0.8 / Basic Authentication Policy</title>
<script>
window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
ga('create', 'UA-98480406-2', 'auto');
ga('send', 'pageview');
</script>
<script async src='https://www.google-analytics.com/analytics.js'></script>
<script>
var branchName = "release-0.8";
</script>
<link rel="alternate" type="application/rss+xml" title="Istio Blog" href="/v0.8/feed.xml">
<link rel="shortcut icon" href="/v0.8/favicons/favicon.ico" >
<link rel="apple-touch-icon" href="/v0.8/favicons/apple-touch-icon-180x180.png" sizes="180x180">
<link rel="icon" type="image/png" href="/v0.8/favicons/favicon-16x16.png" sizes="16x16">
<link rel="icon" type="image/png" href="/v0.8/favicons/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-36x36.png" sizes="36x36">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-48x48.png" sizes="48x48">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-72x72.png" sizes="72x72">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-96x196.png" sizes="96x196">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-144x144.png" sizes="144x144">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-192x192.png" sizes="192x192">
<link rel="manifest" href="/v0.8/manifest.json">
<meta name="apple-mobile-web-app-title" content="Istio">
<meta name="application-name" content="Istio">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.6/css/all.css">
<link rel="stylesheet" href="/v0.8/css/light_theme_archive.css" title="light">
<link rel="alternate stylesheet" href="/v0.8/css/dark_theme_archive.css" title="dark">
<script src="/v0.8/js/styleSwitcher.min.js"></script>
</head>
<body class="language-unknown">
<header>
<nav class="navbar navbar-expand-md navbar-dark fixed-top bg-dark justify-content-between">
<a class="navbar-brand" href="/v0.8/">
<span class="logo"><svg viewBox="0 0 300 300">
<circle cx="150" cy="150" r="150" stroke-width="2" />
<polygon points="65,240 225,240 125,270"/>
<polygon points="65,230 125,220 125,110"/>
<polygon points="135,220 225,230 135,30"/>
</svg>
</span>
<span class="brand-name">Istioldie 0.8</span>
</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse justify-content-end" id="navbarCollapse">
<ul id="navbar-links" class="navbar-nav active">
<li class="nav-item">
<a class="nav-link active" href="/v0.8/docs/">Docs</a>
</li>
<li class="nav-item">
<a class="nav-link " href="/v0.8/blog/2018/egress-monitoring-access-control/">Blog</a>
</li>
<li class="nav-item">
<a class="nav-link " href="/v0.8/help/">Help</a>
</li>
<li class="nav-item">
<a class="nav-link " href="/v0.8/community/">Community</a>
</li>
<li class="nav-item">
<a class="nav-link " href="/v0.8/about/">About</a>
</li>
<li class="nav-item dropdown" id="gearDropdown" style="white-space: nowrap">
<a href="" class="nav-link" data-toggle="dropdown" aria-label="Tools" aria-haspopup="true" aria-expanded="false">
<i style="width: 1em" class='fa fa-lg fa-cog'></i>
</a>
<div class="dropdown-menu dropdown-menu-right" aria-labelledby="gearDropdown">
<a class="dropdown-item" id="light-theme-item" href="" onclick="setActiveStyleSheet('light');return false;">Light Theme</a>
<a class="dropdown-item" id="dark-theme-item" href="" onclick="setActiveStyleSheet('dark');return false;">Dark Theme</a>
<div class="dropdown-divider"></div>
<h6 class="dropdown-header">Other versions of this site</h6>
<a href="https://istio.io" class="dropdown-item">Current Release</a>
<a href="https://preliminary.istio.io" class="dropdown-item">Next Release</a>
<a href="https://archive.istio.io" class="dropdown-item">Older Releases</a>
</div>
</li>
<li class="nav-item">
<a id="search_show" class="nav-link" href="" aria-label="Search"><i style="width: 1em" class="fa fa-lg fa-search"></i></a>
</li>
</ul>
<form name="cse" id="search_form" class="form-inline mr-sm-2" role="search">
<input type="hidden" name="cx" value="013699703217164175118:iwwf17ikgf4" />
<input type="hidden" name="ie" value="utf-8" />
<input type="hidden" name="hl" value="en" />
<input type="hidden" id="search_page_url" value="/v0.8/search.html" />
<input id="search_textbox" class="form-control" name="q" type="text" aria-label="Search this site"/>
<button id="search_close" type="reset" aria-label="Cancel Search"><i class="far fa-lg fa-times-circle"></i></button>
</form>
</div>
</nav>
</header>
<div class="container-fluid">
<div class="row row-offcanvas">
<div class="col-0 col-md-3 col-xl-2 sidebar-offcanvas">
<nav class="sidebar d-print-none">
<div class="spacer"></div>
<div class="directory" role="tablist">
<div class="card">
<div class="card-header" role="tab" id="header7">
<a data-toggle="collapse" href="#collapse7" title="Concepts help you learn about the different parts of the Istio system and the abstractions it uses." role="button" aria-controls="collapse7">
<div>
Concepts
</div>
</a>
</div>
<div id="collapse7" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header7">
<div class="card-body">
<ul class="tree">
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="A broad overview of the Istio system." href="/v0.8/docs/concepts/what-is-istio/">What is Istio? </a>
</label>
<ul class="tree collapse">
<li>
<a title="Provides a conceptual introduction to Istio, including the problems it solves and its high-level architecture." href="/v0.8/docs/concepts/what-is-istio/overview/">Overview</a>
</li>
<li>
<a title="Describes the core principles that Istio&#39;s design adheres to." href="/v0.8/docs/concepts/what-is-istio/goals/">Design Goals</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Describes the various Istio features focused on traffic routing and control." href="/v0.8/docs/concepts/traffic-management/">Traffic Management </a>
</label>
<ul class="tree collapse">
<li>
<a title="Provides a conceptual overview of traffic management in Istio and the features it enables." href="/v0.8/docs/concepts/traffic-management/overview/">Overview</a>
</li>
<li>
<a title="Introduces Pilot, the component responsible for managing a distributed deployment of Envoy proxies in the service mesh." href="/v0.8/docs/concepts/traffic-management/pilot/">Pilot</a>
</li>
<li>
<a title="Describes how requests are routed between services in an Istio service mesh." href="/v0.8/docs/concepts/traffic-management/request-routing/">Request Routing</a>
</li>
<li>
<a title="Describes how traffic is load balanced across instances of a service in the mesh." href="/v0.8/docs/concepts/traffic-management/load-balancing/">Discovery &amp; Load Balancing</a>
</li>
<li>
<a title="An overview of failure recovery capabilities in Envoy that can be leveraged by unmodified applications to improve robustness and prevent cascading failures." href="/v0.8/docs/concepts/traffic-management/handling-failures/">Handling Failures</a>
</li>
<li>
<a title="Introduces the idea of systematic fault injection that can be used to uncover conflicting failure recovery policies across services." href="/v0.8/docs/concepts/traffic-management/fault-injection/">Fault Injection</a>
</li>
<li>
<a title="Provides a high-level overview of the configuration model used by Istio to configure traffic management rules in the service mesh." href="/v0.8/docs/concepts/traffic-management/rules-configuration/">Rules Configuration</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Describes Istio&#39;s authorization and authentication functionality." href="/v0.8/docs/concepts/security/">Security </a>
</label>
<ul class="tree collapse">
<li>
<a title="Describes Istio&#39;s authentication policy" href="/v0.8/docs/concepts/security/authn-policy/">Authentication Policy</a>
</li>
<li>
<a title="Describes Istio&#39;s mutual TLS authentication architecture which provides a strong service identity and secure communication channels between services." href="/v0.8/docs/concepts/security/mutual-tls/">Mutual TLS Authentication</a>
</li>
<li>
<a title="Describes Istio RBAC which provides access control for services in Istio Mesh." href="/v0.8/docs/concepts/security/rbac/">Istio Role-Based Access Control (RBAC)</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Introduces the policy control snd telemetry collection mechanisms." href="/v0.8/docs/concepts/policies-and-telemetry/">Policies and Telemetry </a>
</label>
<ul class="tree collapse">
<li>
<a title="Describes the design of the policy and telemetry mechanisms." href="/v0.8/docs/concepts/policies-and-telemetry/overview/">Overview</a>
</li>
<li>
<a title="An overview of the key concepts used to configure Istio&#39;s policy enforcement and telemetry collection features." href="/v0.8/docs/concepts/policies-and-telemetry/config/">Configuration</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</div>
<div class="card">
<div class="card-header" role="tab" id="header22">
<a data-toggle="collapse" href="#collapse22" title="Setup contains instructions for installing the Istio control plane in various environments (e.g., Kubernetes, Consul, etc.), as well as instructions for installing the sidecar in the application deployment." role="button" aria-controls="collapse22">
<div>
Setup
</div>
</a>
</div>
<div id="collapse22" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header22">
<div class="card-body">
<ul class="tree">
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Instructions for installing the Istio control plane on Kubernetes and adding VMs into the mesh." href="/v0.8/docs/setup/kubernetes/">Kubernetes </a>
</label>
<ul class="tree collapse">
<li>
<a title="Quick start instructions to setup the Istio service mesh in a Kubernetes cluster." href="/v0.8/docs/setup/kubernetes/quick-start/">Quick Start</a>
</li>
<li>
<a title="Quick Start instructions to setup the Istio service using Google Kubernetes Engine (GKE)" href="/v0.8/docs/setup/kubernetes/quick-start-gke-dm/">Quick Start with Google Kubernetes Engine</a>
</li>
<li>
<a title="Install Istio with the included Helm chart." href="/v0.8/docs/setup/kubernetes/helm-install/">Installation with Helm</a>
</li>
<li>
<a title="Install Istio with the included Ansible playbook." href="/v0.8/docs/setup/kubernetes/ansible-install/">Installation with Ansible</a>
</li>
<li>
<a title="Instructions for installing the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href="/v0.8/docs/setup/kubernetes/sidecar-injection/">Installing the Istio Sidecar</a>
</li>
<li>
<a title="Instructions for integrating VMs and bare metal hosts into an Istio mesh deployed on Kubernetes." href="/v0.8/docs/setup/kubernetes/mesh-expansion/">Mesh Expansion</a>
</li>
<li>
<a title="Install Istio with multicluster support." href="/v0.8/docs/setup/kubernetes/multicluster-install/">Istio Multicluster</a>
</li>
<li>
<a title="This guide demonstrates how to upgrade the Istio control plane and data plane independently." href="/v0.8/docs/setup/kubernetes/upgrading-istio/">Upgrading Istio</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Instructions for installing the Istio control plane in a Consul based environment, with or without Nomad." href="/v0.8/docs/setup/consul/">Nomad &amp; Consul </a>
</label>
<ul class="tree collapse">
<li>
<a title="Quick Start instructions to setup the Istio service mesh with Docker Compose." href="/v0.8/docs/setup/consul/quick-start/">Quick Start on Docker</a>
</li>
<li>
<a title="Instructions for installing the Istio control plane in a Consul based environment, with or without Nomad." href="/v0.8/docs/setup/consul/install/">Installation</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Instructions for installing the Istio control plane in a Eureka based environment." href="/v0.8/docs/setup/eureka/">Eureka </a>
</label>
<ul class="tree collapse">
<li>
<a title="Quick Start instructions to setup the Istio service mesh with Docker Compose." href="/v0.8/docs/setup/eureka/quick-start/">Quick Start on Docker</a>
</li>
<li>
<a title="Instructions for installing the Istio control plane in an Eureka based environment." href="/v0.8/docs/setup/eureka/install/">Installation</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</div>
<div class="card">
<div class="card-header" role="tab" id="header37">
<a data-toggle="collapse" href="#collapse37" title="Tasks show you how to do a single specific targeted activity with the Istio system." role="button" aria-controls="collapse37">
<div>
Tasks
</div>
</a>
</div>
<div id="collapse37" class="collapse show" data-parent="#sidebar" role="tabpanel" aria-labelledby="header37">
<div class="card-body">
<ul class="tree">
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Describes tasks that demonstrate traffic routing features of Istio service mesh." href="/v0.8/docs/tasks/traffic-management/">Traffic Management </a>
</label>
<ul class="tree collapse">
<li>
<a title="This task shows you how to configure dynamic request routing based on weights and HTTP headers." href="/v0.8/docs/tasks/traffic-management/request-routing/">Configuring Request Routing</a>
</li>
<li>
<a title="This task shows how to inject delays and test the resiliency of your application." href="/v0.8/docs/tasks/traffic-management/fault-injection/">Fault Injection</a>
</li>
<li>
<a title="Shows you how to migrate traffic from an old to new version of a service." href="/v0.8/docs/tasks/traffic-management/traffic-shifting/">Traffic Shifting</a>
</li>
<li>
<a title="This task shows you how to setup request timeouts in Envoy using Istio." href="/v0.8/docs/tasks/traffic-management/request-timeouts/">Setting Request Timeouts</a>
</li>
<li>
<a title="Describes how to configure Istio to expose a service outside of the service mesh." href="/v0.8/docs/tasks/traffic-management/ingress/">Control Ingress Traffic</a>
</li>
<li>
<a title="Describes how to configure Istio to expose a service outside of the service mesh, over TLS or Mutual TLS." href="/v0.8/docs/tasks/traffic-management/secure-ingress/">Securing Gateways with HTTPS</a>
</li>
<li>
<a title="Describes how to configure Istio to route traffic from services in the mesh to external services." href="/v0.8/docs/tasks/traffic-management/egress/">Control Egress Traffic</a>
</li>
<li>
<a title="Describes how to configure Istio to perform TLS origination for traffic to external services" href="/v0.8/docs/tasks/traffic-management/egress-tls-origination/">TLS Origination for Egress Traffic</a>
</li>
<li>
<a title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway service" href="/v0.8/docs/tasks/traffic-management/egress-gateway/">Configure an Egress Gateway</a>
</li>
<li>
<a title="This task demonstrates the circuit-breaking capability for resilient applications" href="/v0.8/docs/tasks/traffic-management/circuit-breaking/">Circuit Breaking</a>
</li>
<li>
<a title="This task demonstrates the traffic shadowing/mirroring capabilities of Istio" href="/v0.8/docs/tasks/traffic-management/mirroring/">Mirroring</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-down'></i>
<a title="Demonstrates how to secure the mesh." href="/v0.8/docs/tasks/security/">Security </a>
</label>
<ul class="tree">
<li>
<span class="current" title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication.">Basic Authentication Policy</span>
</li>
<li>
<a title="Shows you how to verify and test Istio&#39;s automatic mutual TLS authentication." href="/v0.8/docs/tasks/security/mutual-tls/">Testing Mutual TLS</a>
</li>
<li>
<a title="Shows how to control access to a service using the Kubernetes labels." href="/v0.8/docs/tasks/security/basic-access-control/">Basic Access Control</a>
</li>
<li>
<a title="Shows how to securely control access to a service using service accounts." href="/v0.8/docs/tasks/security/secure-access-control/">Secure Access Control</a>
</li>
<li>
<a title="Shows how to set up role-based access control for services in Istio mesh." href="/v0.8/docs/tasks/security/role-based-access-control/">Role-Based Access Control</a>
</li>
<li>
<a title="Shows how operators can configure Citadel with existing root certificate, signing certificate and key." href="/v0.8/docs/tasks/security/plugin-ca-cert/">Plugging in external CA key and certificate</a>
</li>
<li>
<a title="Shows how to enable Citadel health checking with Kubernetes." href="/v0.8/docs/tasks/security/health-check/">Citadel health checking</a>
</li>
<li>
<a title="Shows how to enable mutual TLS on HTTPS services." href="/v0.8/docs/tasks/security/https-overlay/">Mutual TLS over HTTPS</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Demonstrates policy enforcement features." href="/v0.8/docs/tasks/policy-enforcement/">Policies </a>
</label>
<ul class="tree collapse">
<li>
<a title="This task shows you how to use Istio to dynamically limit the traffic to a service." href="/v0.8/docs/tasks/policy-enforcement/rate-limiting/">Enabling Rate Limits</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Demonstrates how to collect telemetry information from the mesh." href="/v0.8/docs/tasks/telemetry/">Telemetry </a>
</label>
<ul class="tree collapse">
<li>
<a title="How to configure the proxies to send tracing requests to Zipkin or Jaeger" href="/v0.8/docs/tasks/telemetry/distributed-tracing/">Distributed Tracing</a>
</li>
<li>
<a title="This task shows you how to configure Istio to collect metrics and logs." href="/v0.8/docs/tasks/telemetry/metrics-logs/">Collecting Metrics and Logs</a>
</li>
<li>
<a title="This task shows you how to configure Istio to collect metrics for TCP services." href="/v0.8/docs/tasks/telemetry/tcp-metrics/">Collecting Metrics for TCP services</a>
</li>
<li>
<a title="This task shows you how to query for Istio Metrics using Prometheus." href="/v0.8/docs/tasks/telemetry/querying-metrics/">Querying Metrics from Prometheus</a>
</li>
<li>
<a title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href="/v0.8/docs/tasks/telemetry/using-istio-dashboard/">Visualizing Metrics with Grafana</a>
</li>
<li>
<a title="This task shows you how to generate a graph of services within an Istio mesh." href="/v0.8/docs/tasks/telemetry/servicegraph/">Generating a Service Graph</a>
</li>
<li>
<a title="This task shows you how to configure Istio to log to a Fluentd daemon" href="/v0.8/docs/tasks/telemetry/fluentd/">Logging with Fluentd</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</div>
<div class="card">
<div class="card-header" role="tab" id="header48">
<a data-toggle="collapse" href="#collapse48" title="Guides include a variety of fully working example uses for Istio that you can experiment with." role="button" aria-controls="collapse48">
<div>
Guides
</div>
</a>
</div>
<div id="collapse48" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header48">
<div class="card-body">
<ul class="tree">
<li>
<a title="This guide deploys a sample application composed of four separate microservices which will be used to demonstrate various features of the Istio service mesh." href="/v0.8/docs/guides/bookinfo/">Bookinfo Sample Application</a>
</li>
<li>
<a title="This guide demonstrates how to use various traffic management capabilities of an Istio service mesh." href="/v0.8/docs/guides/intelligent-routing/">Intelligent Routing</a>
</li>
<li>
<a title="This sample demonstrates how to obtain uniform metrics, logs, traces across different services using Istio Mixer and Istio sidecar." href="/v0.8/docs/guides/telemetry/">In-Depth Telemetry</a>
</li>
<li>
<a title="Explains how to manually integrate Google Cloud Endpoints services with Istio." href="/v0.8/docs/guides/endpoints/">Install Istio for Google Cloud Endpoints Services</a>
</li>
<li>
<a title="This sample deploys the Bookinfo services across Kubernetes and a set of virtual machines, and illustrates how to use the Istio service mesh to control this infrastructure as a single mesh." href="/v0.8/docs/guides/integrating-vms/">Integrating Virtual Machines</a>
</li>
</ul>
</div>
</div>
</div>
<div class="card">
<div class="card-header" role="tab" id="header77">
<a data-toggle="collapse" href="#collapse77" title="Introduces Performance and Scalability methodology, results and best practices for Istio components." role="button" aria-controls="collapse77">
<div>
Performance and Scalability
</div>
</a>
</div>
<div id="collapse77" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header77">
<div class="card-body">
<ul class="tree">
<li>
<a title="Provides a conceptual introduction to Istio&#39;s Performance and Scalability" href="/v0.8/docs/performance-and-scalability/overview/">Overview</a>
</li>
<li>
<a title="Performance measurement through code level micro-benchmarks." href="/v0.8/docs/performance-and-scalability/microbenchmarks/">Micro Benchmarks</a>
</li>
<li>
<a title="The different scenarios we are tracking for performance and scalability." href="/v0.8/docs/performance-and-scalability/scenarios/">Testing scenarios</a>
</li>
<li>
<a title="Fortio is our simple synthetic http and grpc benchmarking tool." href="/v0.8/docs/performance-and-scalability/synthetic-benchmarks/">Synthetic End to End benchmarks</a>
</li>
<li>
<a title="Performance measurement through realistic micro service application tests." href="/v0.8/docs/performance-and-scalability/realistic-app-benchmark/">Realistic Application Benchmark</a>
</li>
<li>
<a title="How we ensure performance is tracked and improves or does not regress across releases." href="/v0.8/docs/performance-and-scalability/performance-testing-automation/">Automation</a>
</li>
<li>
<a title="Setup of Istio components to scale horizontally. High availability. Sizing guide." href="/v0.8/docs/performance-and-scalability/scalability/">Scalability and Sizing Guide</a>
</li>
</ul>
</div>
</div>
</div>
<div class="card">
<div class="card-header" role="tab" id="header85">
<a data-toggle="collapse" href="#collapse85" title="The Reference section contains detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." role="button" aria-controls="collapse85">
<div>
Reference
</div>
</a>
</div>
<div id="collapse85" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header85">
<div class="card-body">
<ul class="tree">
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Detailed information on configuration options." href="/v0.8/docs/reference/config/">Configuration </a>
</label>
<ul class="tree collapse">
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Describes how to configure Istio&#39;s policy and telemetry features." href="/v0.8/docs/reference/config/policy-and-telemetry/">Policies and Telemetry </a>
</label>
<ul class="tree collapse">
<li>
<a title="Describes the base attribute vocabulary used for policy and control." href="/v0.8/docs/reference/config/policy-and-telemetry/attribute-vocabulary/">Attribute Vocabulary</a>
</li>
<li>
<a title="Mixer config expression language reference." href="/v0.8/docs/reference/config/policy-and-telemetry/expression-language/">Expression Language</a>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Mixer adapters allow Istio to interface to a variety of infrastructure backends for such things as metrics and logs." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/">Adapters </a>
</label>
<ul class="tree collapse">
<li>
<a title="Adapter for circonus.com&#39;s monitoring solution." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/circonus/">Circonus</a>
</li>
<li>
<a title="Adapter for cloudwatch metrics." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/">CloudWatch</a>
</li>
<li>
<a title="Adapter to deliver metrics to a dogstatsd agent for delivery to DataDog" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/datadog/">Datadog</a>
</li>
<li>
<a title="Adapter that always returns a precondition denial." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/denier/">Denier</a>
</li>
<li>
<a title="Adapter that delivers logs to a fluentd daemon." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/fluentd/">Fluentd</a>
</li>
<li>
<a title="Adapter that extracts information from a Kubernetes environment." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/kubernetesenv/">Kubernetes Env</a>
</li>
<li>
<a title="Adapter that performs whitelist or blacklist checks" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/list/">List</a>
</li>
<li>
<a title="Adapter for a simple in-memory quota management system." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/memquota/">Memory quota</a>
</li>
<li>
<a title="Adapter that implements an Open Policy Agent engine" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/opa/">OPA</a>
</li>
<li>
<a title="Adapter that exposes Istio metrics for ingestion by a Prometheus harvester." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/prometheus/">Prometheus</a>
</li>
<li>
<a title="Adapter that exposes Istio&#39;s Role-Based Access Control model." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/rbac/">RBAC</a>
</li>
<li>
<a title="Adapter for a Redis-based quota management system." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/redisquota/">Redis Quota</a>
</li>
<li>
<a title="Adapter that delivers logs and metrics to Google Service Control" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/servicecontrol/">Service Control</a>
</li>
<li>
<a title="Adapter to deliver logs and metrics to Papertrail and AppOptics backends" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/solarwinds/">SolarWinds</a>
</li>
<li>
<a title="Adapter to deliver logs and metrics to Stackdriver" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/stackdriver/">Stackdriver</a>
</li>
<li>
<a title="Adapter to deliver metrics to a StatsD backend" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/statsd/">StatsD</a>
</li>
<li>
<a title="Adapter for outputting logs and metrics locally." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/stdio/">Stdio</a>
</li>
</ul>
</li>
<li>
<a title="Default Metrics exported from Istio through Mixer." href="/v0.8/docs/reference/config/policy-and-telemetry/metrics/">Default Metrics</a>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Mixer templates are used to send data to individual adapters." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/">Templates </a>
</label>
<ul class="tree collapse">
<li>
<a title="A template that represents a single API key." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/apikey/">API Key</a>
</li>
<li>
<a title="A template used to represent an access control query." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/authorization/">Authorization</a>
</li>
<li>
<a title="A template that carries no data, useful for testing." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/checknothing/">Check Nothing</a>
</li>
<li>
<a title="A template that is used to control the production of Kubernetes-specific attributes." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/kubernetes/">Kubernetes</a>
</li>
<li>
<a title="A template designed to let you perform list checking operations." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/listentry/">List Entry</a>
</li>
<li>
<a title="A template that represents a single runtime log entry." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/logentry/">Log Entry</a>
</li>
<li>
<a title="A template that represents a single runtime metric." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/metric/">Metric</a>
</li>
<li>
<a title="A template that represents a quota allocation request" href="/v0.8/docs/reference/config/policy-and-telemetry/templates/quota/">Quota</a>
</li>
<li>
<a title="A template that carries no data, useful for testing." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/reportnothing/">Report Nothing</a>
</li>
<li>
<a title="A template used by the Google Service Control adapter." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/servicecontrolreport/">Service Control Report</a>
</li>
</ul>
</li>
<li>
<a title="Describes the rules used to configure Mixer&#39;s policy and telemetry features." href="/v0.8/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/">Rules</a>
</li>
</ul>
</li>
<li>
<a title="Configuration for Role Based Access Control" href="/v0.8/docs/reference/config/istio.rbac.v1alpha1/">RBAC</a>
</li>
<li>
<a title="Configuration affecting traffic routing" href="/v0.8/docs/reference/config/istio.routing.v1alpha1/">Route Rules v1alpha1 (deprecated)</a>
</li>
<li>
<a title="Configuration affecting traffic routing" href="/v0.8/docs/reference/config/istio.networking.v1alpha3/">Route Rules v1alpha3</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Describes usage and options of the Istio commands and utilities." href="/v0.8/docs/reference/commands/">Commands </a>
</label>
<ul class="tree collapse">
<li>
<a title="Istio Certificate Authority (CA)" href="/v0.8/docs/reference/commands/istio_ca/">istio_ca</a>
</li>
<li>
<a title="Istio control interface" href="/v0.8/docs/reference/commands/istioctl/">istioctl</a>
</li>
<li>
<a title="Utility to trigger direct calls to Mixer&amp;#39;s API." href="/v0.8/docs/reference/commands/mixc/">mixc</a>
</li>
<li>
<a title="Mixer is Istio&amp;#39;s abstraction on top of infrastructure backends." href="/v0.8/docs/reference/commands/mixs/">mixs</a>
</li>
<li>
<a title="Istio security per-node agent" href="/v0.8/docs/reference/commands/node_agent/">node_agent</a>
</li>
<li>
<a title="Istio Pilot agent" href="/v0.8/docs/reference/commands/pilot-agent/">pilot-agent</a>
</li>
<li>
<a title="Istio Pilot" href="/v0.8/docs/reference/commands/pilot-discovery/">pilot-discovery</a>
</li>
<li>
<a title="Kubernetes webhook for automatic Istio sidecar injection" href="/v0.8/docs/reference/commands/sidecar-injector/">sidecar-injector</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</div>
</div>
</nav>
</div>
<div class="col-12 col-md-9 col-xl-8">
<p class="d-md-none">
<label class="sidebar-toggler" data-toggle="offcanvas">
<i class="fa fa-sign-out-alt"></i>
</label>
</p>
<main aria-labelledby="title">
<h1 id="title">Basic Authentication Policy</h1>
<nav class="toc-inlined d-xl-none d-print-none" >
<div class="directory" role="directory">
<nav id="InlinedTableOfContents">
<ul>
<li><a href="#before-you-begin">Before you begin</a></li>
<li><a href="#enable-mutual-tls-for-all-services-in-a-namespace">Enable mutual TLS for all services in a namespace</a></li>
<li><a href="#enable-mutual-tls-for-single-service-httpbinbar">Enable mutual TLS for single service httpbin.bar</a></li>
<li><a href="#having-both-namespace-level-and-service-level-policies">Having both namespace-level and service-level policies</a></li>
<li><a href="#setup-end-user-authentication">Setup end-user authentication</a></li>
<li><a href="#cleanup">Cleanup</a></li>
<li><a href="#whats-next">What's next</a></li>
</ul>
</nav>
</div>
</nav>
<p>Through this task, you will learn how to:</p>
<ul>
<li>
<p>Use authentication policy to setup mutual TLS.</p>
</li>
<li>
<p>Use authentication policy to do end-user authentication.</p>
</li>
</ul>
<h2 id="before-you-begin">Before you begin</h2>
<ul>
<li>
<p>Understand Istio <a href="/v0.8/docs/concepts/security/authn-policy/">authentication policy</a> and related <a href="/v0.8/docs/concepts/security/mutual-tls/">mutual TLS authentication</a> concepts.</p>
</li>
<li>
<p>Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (e.g use <code>install/kubernetes/istio-demo.yaml</code> as described in <a href="/v0.8/docs/setup/kubernetes/quick-start/#installation-steps">installation steps</a>, or set <code>global.mtls.enabled</code> to false using <a href="/v0.8/docs/setup/kubernetes/helm-install/">Helm</a>).</p>
</li>
<li>
<p>For demo, create two namespaces <code>foo</code> and <code>bar</code>, and deploy <a href="https://github.com/istio/istio/blob/release-0.8/samples/httpbin">httpbin</a> and <a href="https://github.com/istio/istio/tree/master/samples/sleep">sleep</a> with sidecar on both of them. Also, run another sleep app without sidecar (to keep it separate, run it in <code>legacy</code> namespace)</p>
<pre><code class="language-command" data-lang="command">$ kubectl create ns foo
$ kubectl apply -f &lt;(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n foo
$ kubectl apply -f &lt;(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n foo
$ kubectl create ns bar
$ kubectl apply -f &lt;(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n bar
$ kubectl apply -f &lt;(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n bar
$ kubectl create ns legacy
$ kubectl apply -f @samples/sleep/sleep.yaml@ -n legacy
</code></pre></li>
<li>
<p>Verifying setup by sending an http request (using curl command) from any sleep pod (among those in namespace <code>foo</code>, <code>bar</code> or <code>legacy</code>) to either <code>httpbin.foo</code> or <code>httpbin.bar</code>. All requests should success with HTTP code 200.</p>
<p>For example, here is a command to check <code>sleep.bar</code> to <code>httpbin.foo</code> reachability:</p>
<pre><code class="language-command" data-lang="command">$ kubectl exec $(kubectl get pod -l app=sleep -n bar -o jsonpath={.items..metadata.name}) -c sleep -n bar -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w &quot;%{http_code}\n&quot;
200
</code></pre><p>Conveniently, this one-liner command iterates through all combinations:</p>
<pre><code class="language-command" data-lang="command">$ for from in &quot;foo&quot; &quot;bar&quot; &quot;legacy&quot;; do for to in &quot;foo&quot; &quot;bar&quot;; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl http://httpbin.${to}:8000/ip -s -o /dev/null -w &quot;sleep.${from} to httpbin.${to}: %{http_code}\n&quot;; done; done
sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 200
sleep.bar to httpbin.foo: 200
sleep.bar to httpbin.bar: 200
sleep.legacy to httpbin.foo: 200
sleep.legacy to httpbin.bar: 200
</code></pre></li>
<li>
<p>Also verify that there are no authentication policy in the system</p>
<pre><code class="language-command" data-lang="command">$ kubectl get policies.authentication.istio.io --all-namespaces
No resources found.
</code></pre></li>
</ul>
<h2 id="enable-mutual-tls-for-all-services-in-a-namespace">Enable mutual TLS for all services in a namespace</h2>
<p>Run this command to set namespace-level policy for namespace <code>foo</code>.</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">cat <span style="color:#e6db74">&lt;&lt;EOF | istioctl create -f -
</span><span style="color:#e6db74">apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
</span><span style="color:#e6db74">kind: &#34;Policy&#34;
</span><span style="color:#e6db74">metadata:
</span><span style="color:#e6db74"> name: &#34;example-1&#34;
</span><span style="color:#e6db74"> namespace: &#34;foo&#34;
</span><span style="color:#e6db74">spec:
</span><span style="color:#e6db74"> peers:
</span><span style="color:#e6db74"> - mtls:
</span><span style="color:#e6db74">EOF</span>
</code></pre></div><p>And verify the policy was added:</p>
<pre><code class="language-command" data-lang="command">$ kubectl get policies.authentication.istio.io -n foo
NAME AGE
example-1 1m
</code></pre><p>Add this destination rule to configure client side to use mutual TLS:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">cat <span style="color:#e6db74">&lt;&lt;EOF | istioctl create -f -
</span><span style="color:#e6db74">apiVersion: &#34;networking.istio.io/v1alpha3&#34;
</span><span style="color:#e6db74">kind: &#34;DestinationRule&#34;
</span><span style="color:#e6db74">metadata:
</span><span style="color:#e6db74"> name: &#34;example-1&#34;
</span><span style="color:#e6db74"> namespace: &#34;foo&#34;
</span><span style="color:#e6db74">spec:
</span><span style="color:#e6db74"> host: &#34;*.foo.svc.cluster.local&#34;
</span><span style="color:#e6db74"> trafficPolicy:
</span><span style="color:#e6db74"> tls:
</span><span style="color:#e6db74"> mode: ISTIO_MUTUAL
</span><span style="color:#e6db74">EOF</span>
</code></pre></div><blockquote>
<p>Note:</p>
</blockquote>
<ul>
<li>This rule is based on the assumption that there is no other destination rule in the system. If it's not the case, you need to modify traffic policy in existing rules accordingly.</li>
<li><code>*.foo.svc.cluster.local</code> matches all services in namespace <code>foo</code>.</li>
<li>With <code>ISTIO_MUTUAL</code> TLS mode, Istio will set the path for key and certificates (e.g <code>clientCertificate</code>, <code>privateKey</code> and <code>caCertificates</code>) according to its internal implementation.</li>
</ul>
<p>Run the same testing command as above. You should see requests from <code>sleep.legacy</code> to <code>httpbin.foo</code> start to fail, as the result of enabling mutual TLS for <code>httpbin.foo</code> but <code>sleep.legacy</code> doesn't have a sidecar to support it. On the other hand, for clients with sidecar (<code>sleep.foo</code> and <code>sleep.bar</code>), Istio automatically configures them to using mutual TLS where talking to <code>http.foo</code>, so they continue to work. Also, requests to <code>httpbin.bar</code> are not affected as the policy is only effective on the <code>foo</code> namespace.</p>
<pre><code class="language-command" data-lang="command">$ for from in &quot;foo&quot; &quot;bar&quot; &quot;legacy&quot;; do for to in &quot;foo&quot; &quot;bar&quot;; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl http://httpbin.${to}:8000/ip -s -o /dev/null -w &quot;sleep.${from} to httpbin.${to}: %{http_code}\n&quot;; done; done
sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 200
sleep.bar to httpbin.foo: 200
sleep.bar to httpbin.bar: 200
sleep.legacy to httpbin.foo: 000
command terminated with exit code 56
sleep.legacy to httpbin.bar: 200
</code></pre><blockquote>
<p>If destination rule above is not created, all requests to <code>httpbin.foo</code> will fail as client side are not configured correctly to switch to use mutual TLS.</p>
</blockquote>
<h2 id="enable-mutual-tls-for-single-service-httpbinbar">Enable mutual TLS for single service <code>httpbin.bar</code></h2>
<p>Run this command to set another policy only for <code>httpbin.bar</code> service. Note in this example, we do <strong>not</strong> specify namespace in metadata but put it in the command line (<code>-n bar</code>). They should work the same.</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">cat <span style="color:#e6db74">&lt;&lt;EOF | istioctl create -n bar -f -
</span><span style="color:#e6db74">apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
</span><span style="color:#e6db74">kind: &#34;Policy&#34;
</span><span style="color:#e6db74">metadata:
</span><span style="color:#e6db74"> name: &#34;example-2&#34;
</span><span style="color:#e6db74">spec:
</span><span style="color:#e6db74"> targets:
</span><span style="color:#e6db74"> - name: httpbin
</span><span style="color:#e6db74"> peers:
</span><span style="color:#e6db74"> - mtls:
</span><span style="color:#e6db74">EOF</span>
</code></pre></div><p>And a destination rule:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">cat <span style="color:#e6db74">&lt;&lt;EOF | istioctl create -n bar -f -
</span><span style="color:#e6db74">apiVersion: &#34;networking.istio.io/v1alpha3&#34;
</span><span style="color:#e6db74">kind: &#34;DestinationRule&#34;
</span><span style="color:#e6db74">metadata:
</span><span style="color:#e6db74"> name: &#34;example-2&#34;
</span><span style="color:#e6db74">spec:
</span><span style="color:#e6db74"> host: &#34;httpbin.bar.svc.cluster.local&#34;
</span><span style="color:#e6db74"> trafficPolicy:
</span><span style="color:#e6db74"> tls:
</span><span style="color:#e6db74"> mode: ISTIO_MUTUAL
</span><span style="color:#e6db74">EOF</span>
</code></pre></div><p>Again, run the probing command. As expected, request from <code>sleep.legacy</code> to <code>httpbin.bar</code> starts failing with the same reasons.</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-plain" data-lang="plain">...
sleep.legacy to httpbin.bar: 000
command terminated with exit code 56
</code></pre></div><p>If we have more services in namespace <code>bar</code>, we should see traffic to them won't be affected. Instead of adding more services to demonstrate this behavior, we edit the policy slightly:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">cat <span style="color:#e6db74">&lt;&lt;EOF | istioctl replace -n bar -f -
</span><span style="color:#e6db74">apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
</span><span style="color:#e6db74">kind: &#34;Policy&#34;
</span><span style="color:#e6db74">metadata:
</span><span style="color:#e6db74"> name: &#34;example-2&#34;
</span><span style="color:#e6db74">spec:
</span><span style="color:#e6db74"> targets:
</span><span style="color:#e6db74"> - name: httpbin
</span><span style="color:#e6db74"> ports:
</span><span style="color:#e6db74"> - number: 1234
</span><span style="color:#e6db74"> peers:
</span><span style="color:#e6db74"> - mtls:
</span><span style="color:#e6db74">EOF</span>
</code></pre></div><p>And a corresponding change to the destination rule:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">cat <span style="color:#e6db74">&lt;&lt;EOF | istioctl replace -n bar -f -
</span><span style="color:#e6db74">apiVersion: &#34;networking.istio.io/v1alpha3&#34;
</span><span style="color:#e6db74">kind: &#34;DestinationRule&#34;
</span><span style="color:#e6db74">metadata:
</span><span style="color:#e6db74"> name: &#34;example-2&#34;
</span><span style="color:#e6db74">spec:
</span><span style="color:#e6db74"> host: httpbin.bar.svc.cluster.local
</span><span style="color:#e6db74"> trafficPolicy:
</span><span style="color:#e6db74"> tls:
</span><span style="color:#e6db74"> mode: DISABLE
</span><span style="color:#e6db74"> portLevelSettings:
</span><span style="color:#e6db74"> - port:
</span><span style="color:#e6db74"> number: 1234
</span><span style="color:#e6db74"> tls:
</span><span style="color:#e6db74"> mode: ISTIO_MUTUAL
</span><span style="color:#e6db74">EOF</span>
</code></pre></div><p>This new policy will apply only to the <code>httpbin</code> service on port <code>1234</code>. As a result, mutual TLS is disabled (again) on port <code>8000</code> and requests from <code>sleep.legacy</code> will resume working.</p>
<pre><code class="language-command" data-lang="command">$ kubectl exec $(kubectl get pod -l app=sleep -n legacy -o jsonpath={.items..metadata.name}) -c sleep -n legacy -- curl http://httpbin.bar:8000/ip -s -o /dev/null -w &quot;%{http_code}\n&quot;
200
</code></pre><h2 id="having-both-namespace-level-and-service-level-policies">Having both namespace-level and service-level policies</h2>
<p>Assuming we already added the namespace-level policy that enables mutual TLS for all services in namespace <code>foo</code> and observe that request from <code>sleep.legacy</code> to <code>httpbin.foo</code> are failing (see above). Now add another policy that disables mutual TLS (peers section is empty) specifically for the <code>httpbin</code> service:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">cat <span style="color:#e6db74">&lt;&lt;EOF | istioctl create -n foo -f -
</span><span style="color:#e6db74">apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
</span><span style="color:#e6db74">kind: &#34;Policy&#34;
</span><span style="color:#e6db74">metadata:
</span><span style="color:#e6db74"> name: &#34;example-3&#34;
</span><span style="color:#e6db74">spec:
</span><span style="color:#e6db74"> targets:
</span><span style="color:#e6db74"> - name: httpbin
</span><span style="color:#e6db74">EOF</span>
</code></pre></div><p>and destination rule:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">cat <span style="color:#e6db74">&lt;&lt;EOF | istioctl create -n foo -f -
</span><span style="color:#e6db74">apiVersion: &#34;networking.istio.io/v1alpha3&#34;
</span><span style="color:#e6db74">kind: &#34;DestinationRule&#34;
</span><span style="color:#e6db74">metadata:
</span><span style="color:#e6db74"> name: &#34;example-3&#34;
</span><span style="color:#e6db74">spec:
</span><span style="color:#e6db74"> host: httpbin.foo.svc.cluster.local
</span><span style="color:#e6db74"> trafficPolicy:
</span><span style="color:#e6db74"> tls:
</span><span style="color:#e6db74"> mode: DISABLE
</span><span style="color:#e6db74">EOF</span>
</code></pre></div><p>Re-run the request from <code>sleep.legacy</code>, we should see a success return code again (200), confirming service-level policy overrules the namespace-level policy.</p>
<pre><code class="language-command" data-lang="command">$ kubectl exec $(kubectl get pod -l app=sleep -n legacy -o jsonpath={.items..metadata.name}) -c sleep -n legacy -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w &quot;%{http_code}\n&quot;
200
</code></pre><h2 id="setup-end-user-authentication">Setup end-user authentication</h2>
<p>You will need a valid JWT (corresponding to the JWKS endpoint you want to use for the demo). Please follow the instructions <a href="https://github.com/istio/istio/blob/release-0.8/security/tools/jwt">here</a> to create one. You can also use your own JWT/JWKS endpoint for the demo. Once you have that, export to some environment variables.</p>
<pre><code class="language-command" data-lang="command">$ export SVC_ACCOUNT=&quot;example@my-project.iam.gserviceaccount.com&quot;
$ export JWKS=https://www.googleapis.com/service_accounts/v1/jwk/${SVC_ACCOUNT}
$ export TOKEN=&lt;YOUR-TOKEN&gt;
</code></pre><p>Also, for convenience, expose <code>httpbin.foo</code> via ingress (for more details, see <a href="/v0.8/docs/tasks/traffic-management/ingress/">ingress task</a>).</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">cat <span style="color:#e6db74">&lt;&lt;EOF | kubectl apply -f -
</span><span style="color:#e6db74">apiVersion: extensions/v1beta1
</span><span style="color:#e6db74">kind: Ingress
</span><span style="color:#e6db74">metadata:
</span><span style="color:#e6db74"> name: httpbin-ingress
</span><span style="color:#e6db74"> namespace: foo
</span><span style="color:#e6db74"> annotations:
</span><span style="color:#e6db74"> kubernetes.io/ingress.class: istio
</span><span style="color:#e6db74">spec:
</span><span style="color:#e6db74"> rules:
</span><span style="color:#e6db74"> - http:
</span><span style="color:#e6db74"> paths:
</span><span style="color:#e6db74"> - path: /headers
</span><span style="color:#e6db74"> backend:
</span><span style="color:#e6db74"> serviceName: httpbin
</span><span style="color:#e6db74"> servicePort: 8000
</span><span style="color:#e6db74">EOF</span>
</code></pre></div><p>Get ingress IP</p>
<pre><code class="language-command" data-lang="command">export INGRESS_HOST=$(kubectl get ing -n foo -o=jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')
</code></pre><p>And run a test query</p>
<pre><code class="language-command" data-lang="command">$ curl $INGRESS_HOST/headers -s -o /dev/null -w &quot;%{http_code}\n&quot;
200
</code></pre><p>Now, let's add a policy that requires end-user JWT for <code>httpbin.foo</code>. The next command assumes policy with name &ldquo;httpbin&rdquo; already exists (which should be if you follow previous sections). You can run <code>kubectl get policies.authentication.istio.io -n foo</code> to confirm, and use <code>istio create</code> (instead of <code>istio replace</code>) if resource is not found. Also note in this policy, peer authentication (mutual TLS) is also set, though it can be removed without affecting origin authentication settings.</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">cat <span style="color:#e6db74">&lt;&lt;EOF | istioctl replace -n foo -f -
</span><span style="color:#e6db74">apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
</span><span style="color:#e6db74">kind: &#34;Policy&#34;
</span><span style="color:#e6db74">metadata:
</span><span style="color:#e6db74"> name: &#34;example-3&#34;
</span><span style="color:#e6db74">spec:
</span><span style="color:#e6db74"> targets:
</span><span style="color:#e6db74"> - name: httpbin
</span><span style="color:#e6db74"> peers:
</span><span style="color:#e6db74"> - mtls:
</span><span style="color:#e6db74"> origins:
</span><span style="color:#e6db74"> - jwt:
</span><span style="color:#e6db74"> issuer: $SVC_ACCOUNT
</span><span style="color:#e6db74"> jwksUri: $JWKS
</span><span style="color:#e6db74"> principalBinding: USE_ORIGIN
</span><span style="color:#e6db74">EOF</span>
</code></pre></div><p>The same curl command from before will return with 401 error code, as a result of server is expecting JWT but none was provided:</p>
<pre><code class="language-command" data-lang="command">$ curl $INGRESS_HOST/headers -s -o /dev/null -w &quot;%{http_code}\n&quot;
401
</code></pre><p>Attaching the valid token generated above returns success:</p>
<pre><code class="language-command" data-lang="command">$ curl --header &quot;Authorization: Bearer $TOKEN&quot; $INGRESS_HOST/headers -s -o /dev/null -w &quot;%{http_code}\n&quot;
200
</code></pre><p>You may want to try to modify token or policy (e.g change issuer, audiences, expiry date etc) to observe other aspects of JWT validation.</p>
<h2 id="cleanup">Cleanup</h2>
<p>Remove all resources.</p>
<pre><code class="language-command" data-lang="command">$ kubectl delete ns foo bar legacy
</code></pre><h2 id="whats-next">What's next</h2>
<ul>
<li>Learn more about verifying mutual TLS setup <a href="/v0.8/docs/tasks/security/mutual-tls/">testing Istio mutual TLS authentication</a></li>
</ul>
</main>
<div class="container-fluid d-print-none">
<br/><hr/><br/>
<div class="row">
<div class="col-6">
</div>
<div class="col-6" style="text-align: right">
<a title="Shows you how to verify and test Istio&#39;s automatic mutual TLS authentication." href="/v0.8/docs/tasks/security/mutual-tls/">Testing Mutual TLS <i class="fa fa-arrow-right"></i></a>
</div>
</div>
</div>
<div class="d-none d-print-block" aria-hidden="true">
<h2>Links</h2>
<ol id="endnotes"></ol>
</div>
</div>
<div class="col-12 col-md-2 d-none d-xl-block d-print-none">
<nav class="toc">
<div class="spacer"></div>
<div id="toc" class="directory" role="directory">
<nav id="TableOfContents">
<ul>
<li><a href="#before-you-begin">Before you begin</a></li>
<li><a href="#enable-mutual-tls-for-all-services-in-a-namespace">Enable mutual TLS for all services in a namespace</a></li>
<li><a href="#enable-mutual-tls-for-single-service-httpbinbar">Enable mutual TLS for single service httpbin.bar</a></li>
<li><a href="#having-both-namespace-level-and-service-level-policies">Having both namespace-level and service-level policies</a></li>
<li><a href="#setup-end-user-authentication">Setup end-user authentication</a></li>
<li><a href="#cleanup">Cleanup</a></li>
<li><a href="#whats-next">What's next</a></li>
</ul>
</nav>
</div>
</nav>
</div>
</div>
</div>
<footer class="d-print-none container-fluid">
<div class="row">
<div class="col-6 col-lg-4" role="navigation">
<div class="container-fluid">
<div class="row">
<div class="icon">
<span>istio-users@</span>
<a title="Join the istio-users@ mailing list to participate in discussions and get help troubleshooting problems"
href="https://groups.google.com/forum/#!forum/istio-users" aria-label="istio-users mailing list">
<svg viewBox="0 0 490 490">
<path d="M480,410.248H10c-5.523,0-10-4.477-10-10V89.752c0-5.523,4.477-10,10-10h470c5.522,0,10,4.477,10,10v310.495
C490,405.771,485.522,410.248,480,410.248z M20,390.248h450V99.752H20V390.248z"/>
<path d="M245,286.131c-2.083,0-4.167-0.649-5.931-1.948L48.64,143.929c-4.446-3.275-5.396-9.535-2.121-13.982
c3.275-4.447,9.535-5.396,13.982-2.121L245,263.712l184.5-135.886c4.447-3.274,10.709-2.326,13.982,2.121
c3.275,4.447,2.325,10.707-2.121,13.982L250.931,284.183C249.167,285.482,247.083,286.131,245,286.131z"/>
</svg>
</a>
</div>
<div class="icon">
<span>twitter</span>
<a title="Follow us on Twitter to get the latest news"
href="https://twitter.com/IstioMesh" aria-label="Twitter">
<svg viewBox="0 0 310 310">
<path d="M302.973,57.388c-4.87,2.16-9.877,3.983-14.993,5.463c6.057-6.85,10.675-14.91,13.494-23.73
c0.632-1.977-0.023-4.141-1.648-5.434c-1.623-1.294-3.878-1.449-5.665-0.39c-10.865,6.444-22.587,11.075-34.878,13.783
c-12.381-12.098-29.197-18.983-46.581-18.983c-36.695,0-66.549,29.853-66.549,66.547c0,2.89,0.183,5.764,0.545,8.598
C101.163,99.244,58.83,76.863,29.76,41.204c-1.036-1.271-2.632-1.956-4.266-1.825c-1.635,0.128-3.104,1.05-3.93,2.467
c-5.896,10.117-9.013,21.688-9.013,33.461c0,16.035,5.725,31.249,15.838,43.137c-3.075-1.065-6.059-2.396-8.907-3.977
c-1.529-0.851-3.395-0.838-4.914,0.033c-1.52,0.871-2.473,2.473-2.513,4.224c-0.007,0.295-0.007,0.59-0.007,0.889
c0,23.935,12.882,45.484,32.577,57.229c-1.692-0.169-3.383-0.414-5.063-0.735c-1.732-0.331-3.513,0.276-4.681,1.597
c-1.17,1.32-1.557,3.16-1.018,4.84c7.29,22.76,26.059,39.501,48.749,44.605c-18.819,11.787-40.34,17.961-62.932,17.961
c-4.714,0-9.455-0.277-14.095-0.826c-2.305-0.274-4.509,1.087-5.294,3.279c-0.785,2.193,0.047,4.638,2.008,5.895
c29.023,18.609,62.582,28.445,97.047,28.445c67.754,0,110.139-31.95,133.764-58.753c29.46-33.421,46.356-77.658,46.356-121.367
c0-1.826-0.028-3.67-0.084-5.508c11.623-8.757,21.63-19.355,29.773-31.536c1.237-1.85,1.103-4.295-0.33-5.998
C307.394,57.037,305.009,56.486,302.973,57.388z"/>
</svg>
</a>
</div>
<div class="icon">
<span>stack overflow</span>
<a title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio"
href="https://stackoverflow.com/questions/tagged/istio" aria-label="Stack Overflow">
<svg viewBox="0 0 120 120">
<polygon points="84.4,93.8 84.4,70.6 92.1,70.6 92.1,101.5 22.6,101.5 22.6,70.6 30.3,70.6 30.3,93.8 "/>
<path d="M38.8,68.4l37.8,7.9l1.6-7.6l-37.8-7.9L38.8,68.4z M43.8,50.4l35,16.3l3.2-7l-35-16.4L43.8,50.4z M53.5,33.2
l29.7,24.7l4.9-5.9L58.4,27.3L53.5,33.2z M72.7,14.9l-6.2,4.6l23,31l6.2-4.6L72.7,14.9z M38,86h38.6v-7.7H38V86z"/>
</svg>
</a>
</div>
<div class="icon">
<span>rocket chat</span>
<a title="Interactively chat with members of the Istio community."
href="https://istio.rocket.chat" aria-label="Rocket Chat">
<svg viewBox="0 0 512 512">
<path d="M496.293,255.338c0-24.103-7.21-47.215-21.437-68.699c-12.771-19.288-30.666-36.362-53.184-50.745
c-43.474-27.771-100.612-43.065-160.885-43.065c-20.131,0-39.974,1.702-59.222,5.072c-11.942-11.176-25.919-21.233-40.712-29.187
c-79.026-38.298-144.561-0.9-144.561-0.9s60.931,50.053,51.023,93.93c-27.259,27.041-42.033,59.646-42.033,93.594
c0,0.108,0.005,0.216,0.006,0.324c-0.001,0.108-0.006,0.216-0.006,0.324c0,33.949,14.774,66.554,42.033,93.595
c9.907,43.874-51.023,93.93-51.023,93.93s65.535,37.397,144.561-0.901c14.792-7.953,28.77-18.01,40.712-29.188
c19.249,3.372,39.091,5.072,59.222,5.072c60.272,0,117.411-15.294,160.885-43.064c22.518-14.383,40.412-31.457,53.184-50.742
c14.227-21.487,21.437-44.599,21.437-68.702c0-0.107-0.006-0.216-0.006-0.324C496.287,255.554,496.293,255.446,496.293,255.338z
M260.882,387.763c-25.367,0-49.66-2.932-72.107-8.282c-22.81,27.443-72.993,65.596-121.742,53.26
c15.857-17.031,39.352-45.81,34.32-93.207c-29.218-22.738-46.759-51.832-46.759-83.541c0-72.776,92.36-131.769,206.288-131.769
c113.928,0,206.288,58.993,206.288,131.769C467.17,328.765,374.81,387.763,260.882,387.763z M288.283,255.991
c0,15.133-12.27,27.403-27.4,27.403c-15.134,0-27.402-12.271-27.402-27.403s12.268-27.401,27.402-27.401
C276.014,228.59,288.283,240.858,288.283,255.991z M356.163,228.59c-15.133,0-27.4,12.268-27.4,27.401s12.268,27.403,27.4,27.403
c15.134,0,27.399-12.271,27.399-27.403S371.297,228.59,356.163,228.59z M165.601,228.59c-15.133,0-27.4,12.268-27.4,27.401
s12.268,27.403,27.4,27.403c15.134,0,27.401-12.271,27.401-27.403S180.735,228.59,165.601,228.59z"/>
</svg>
</a>
</div>
</div>
<div class="tag row d-none d-lg-flex">
for users
</div>
</div>
</div>
<div class="col-6 col-lg-4">
<p class="text-center copyright" role="contentinfo">
Istio
Archive
0.8<br>&copy; 2018 Istio Authors, <a href="https://policies.google.com/privacy">Privacy Policy</a><br>
Archived on July 31, 2018
</p>
</div>
<div class="col-6 col-lg-4 d-none d-lg-flex" role="navigation">
<div class="container-fluid">
<div class="row justify-content-end">
<div class="icon">
<span>istio-dev@</span>
<a title="Join the istio-dev@ mailing list to discuss development issues around the Istio project"
href="https://groups.google.com/forum/#!forum/istio-dev" aria-label="istio-dev mailing list">
<svg viewBox="0 0 490 490">
<path d="M480,410.248H10c-5.523,0-10-4.477-10-10V89.752c0-5.523,4.477-10,10-10h470c5.522,0,10,4.477,10,10v310.495
C490,405.771,485.522,410.248,480,410.248z M20,390.248h450V99.752H20V390.248z"/>
<path d="M245,286.131c-2.083,0-4.167-0.649-5.931-1.948L48.64,143.929c-4.446-3.275-5.396-9.535-2.121-13.982
c3.275-4.447,9.535-5.396,13.982-2.121L245,263.712l184.5-135.886c4.447-3.274,10.709-2.326,13.982,2.121
c3.275,4.447,2.325,10.707-2.121,13.982L250.931,284.183C249.167,285.482,247.083,286.131,245,286.131z"/>
</svg>
</a>
</div>
<div class="icon">
<span>github</span>
<a title="GitHub is where development takes place on Istio code"
href="https://github.com/istio/community" aria-label="GitHub">
<svg viewBox="0 0 478.165 478.165">
<path d="M349.22,55.768c6.136,14.046,10.241,37.556,4.224,54.69
c24.426,20.999,33.073,71.904,21.079,113.704c35.006,2.73,76.666-1.235,103.642,9.484c-25.183-3.248-59.651-9.563-91.987-7.431
c-6.136,0.458-15.361-0.239-14.903,8.408c37.735,3.008,75.092,6.117,105.894,15.779c-30.702-4.981-67.74-12.552-105.894-13.668
c-15.54,30.921-47.239,46.262-90.991,49.49c4.682,10.261,13.847,14.066,15.879,30.702c3.267,24.406-4.881,60.328,3.208,76.686
c4.064,7.89,10.579,8.009,14.863,14.604c-10.699,12.871-37.257-1.395-40.186-14.604c-5.14-22.852,7.89-58.256-6.415-73.737
c0.996,24.865-5.718,59.85,0.996,82.145c2.789,8.806,10.659,12.113,8.647,20.063c-49.809,5.08-28.989-64.373-37.177-105.356
c-7.471,0.697-4.204,11.197-4.224,15.76c-0.199,40.106,8.189,94.836-34.846,89.556c-1.315-8.348,5.838-11.217,8.467-19.007
c7.91-22.434-1.454-56.045,2.112-83.161c-16.417,12.512,1.793,55.666-8.428,77.961c-5.838,12.671-24.785,18.27-39.19,12.651
c1.873-9.464,11.695-7.989,15.879-16.875c5.818-12.452,0.02-30.244,2.092-48.494c-30.423,6.097-53.993-0.877-65.608-20.023
c-5.12-8.507-6.356-18.708-12.632-26.219c-6.117-7.551-16.098-8.507-19.087-18.808c37.755-9.185,39.17,38.771,73.06,39.807
c10.44,0.418,15.799-2.909,25.402-5.16c2.749-12.113,8.428-21.039,16.875-27.494c-42.078-5.658-76.865-18.788-93.023-50.466
c-38.293,1.893-73.339,7.013-105.894,14.843c29.547-10.679,65.807-14.604,104.778-15.819c-2.351-13.807-22.434-10.022-34.866-9.543
C47.677,227.17,18.449,230.138,0,233.645c26.817-9.543,64.233-8.348,100.454-8.428c-11.038-34.767-7.232-90.014,17.015-110.615
c-6.854-17.254-4.722-45.346,4.184-58.834c27.036,1.175,43.374,12.891,60.388,24.247c21.019-6.017,43.035-9.045,71.904-7.451
c12.133,0.677,24.705,6.097,33.731,5.32c8.906-0.877,18.728-10.898,27.534-14.843C326.507,58.099,336.17,56.206,349.22,55.768z"/>
</svg>
</a>
</div>
<div class="icon">
<span>drive</span>
<a title="Access our team drive if you'd like to take a look at the Istio technical design documents"
href="https://groups.google.com/forum/#!forum/istio-team-drive-access" aria-label="team drive">
<svg viewBox="0 0 207.027 207.027">
<path d="M69.866,15.557L0,138.919l28.732,52.552l143.288-0.029l35.008-59.588L136.39,15.735L69.866,15.557z M17.166,139.046
L74.268,38.205L91.21,67.783L33.24,168.447L17.166,139.046z M99.841,82.851l23.805,41.558l-47.732-0.006L99.841,82.851z
M163.434,176.443l-117.332,0.024l21.53-37.065l64.606,0.008l0.067,0.119l52.865-0.085L163.434,176.443z M140.932,124.411
L90.157,35.767l-2.966-5.178l40.751,0.121l57.003,93.706L140.932,124.411z"/>
</svg>
</a>
</div>
<div class="icon">
<span>working groups</span>
<a title="If you'd like to contribute to the Istio project, consider participating in our working groups"
href="https://github.com/istio/community/blob/master/WORKING-GROUPS.md" aria-label="working groups">
<svg viewBox="0 -45 439.833 439.833">
<polygon points="246.048,195.833 299.966,235.085 319.497,227.296 276.278,195.833"/>
<polygon points="193.786,195.833 163.556,195.833 120.33,227.3 139.862,235.089"/>
<path d="M219.927,11.558c-23.854,0-37.057,12.362-36.814,36.182c0.348,32.623,14.211,52.414,36.814,52.068
c0,0,36.802,1.492,36.802-52.068C256.729,23.918,244.294,11.558,219.927,11.558z"/>
<path d="M285.017,124.567l-36.77-14.659l-8.608-7.256c-2.274-1.922-5.636-1.78-7.741,0.317l-11.973,11.904l-12.008-11.907
c-2.109-2.094-5.465-2.229-7.736-0.313l-8.611,7.256l-36.77,14.661c-11.842,4.715-11.83,46.647-12.848,50.497h155.93
C296.866,171.228,296.862,129.28,285.017,124.567z"/>
<path d="M77.976,228.568c0,0,36.801,1.492,36.801-52.068c0-23.82-12.434-36.182-36.801-36.182
c-23.854,0-37.057,12.362-36.814,36.182C41.509,209.124,55.372,228.915,77.976,228.568z"/>
<path d="M143.065,253.329l-36.77-14.658l-8.609-7.256c-2.275-1.923-5.635-1.781-7.742,0.315l-11.971,11.904l-12.008-11.908
c-2.109-2.094-5.465-2.229-7.736-0.312l-8.611,7.256l-36.77,14.66C1.006,258.045,1.018,299.977,0,303.827h155.93
C154.915,299.988,154.911,258.042,143.065,253.329z"/>
<path d="M361.878,228.568c0,0,36.801,1.492,36.801-52.068c0-23.82-12.434-36.182-36.801-36.182
c-23.854,0-37.057,12.362-36.812,36.182C325.411,209.124,339.274,228.915,361.878,228.568z"/>
<path d="M426.968,253.329l-36.77-14.658l-8.609-7.256c-2.273-1.923-5.635-1.781-7.742,0.315l-11.971,11.904l-12.008-11.908
c-2.109-2.094-5.465-2.229-7.736-0.312l-8.61,7.256l-36.771,14.66c-11.842,4.715-11.83,46.646-12.848,50.497h155.93
C438.817,299.988,438.812,258.042,426.968,253.329z"/>
</svg>
</a>
</div>
<div class="icon">
<span>slack</span>
<a title="Interactively discuss development issues with the Istio community on Slack (invitation-only)"
href="https://istio.slack.com" aria-label="slack">
<svg viewBox="0 0 31.444 31.443">
<path d="M31.202,16.369c-0.62-1.388-2.249-2.011-3.637-1.391l-1.325,0.594l-3.396-7.591l1.325-0.592
c1.388-0.622,2.01-2.25,1.389-3.637c-0.62-1.389-2.248-2.012-3.637-1.39l-1.324,0.593l-0.593-1.326
c-0.621-1.388-2.249-2.009-3.637-1.388c-1.388,0.62-2.009,2.247-1.389,3.637l0.593,1.325L7.98,8.598L7.388,7.273
c-0.621-1.39-2.249-2.009-3.637-1.39C2.363,6.504,1.742,8.132,2.362,9.52l0.592,1.324L1.63,11.438
c-1.388,0.621-2.01,2.247-1.389,3.636c0.62,1.388,2.249,2.01,3.637,1.39l1.325-0.594l3.394,7.592l-1.325,0.592
c-1.388,0.621-2.009,2.25-1.389,3.637c0.621,1.389,2.249,2.011,3.637,1.391l1.324-0.593l0.593,1.325
c0.621,1.389,2.249,2.01,3.637,1.389c1.387-0.62,2.009-2.248,1.388-3.636l-0.591-1.326l7.591-3.394l0.592,1.321
c0.621,1.391,2.248,2.013,3.637,1.392c1.388-0.619,2.01-2.248,1.389-3.637l-0.592-1.324l1.323-0.594
C31.201,19.384,31.823,17.757,31.202,16.369z M13.623,21.215l-3.395-7.593l7.591-3.394l3.395,7.591L13.623,21.215z"/>
</svg>
</a>
</div>
</div>
<div class="tag row justify-content-end text-right">
for developers
</div>
</div>
</div>
</div>
</footer>
<div class="d-xl-none d-print-none">
<button id="scroll-to-top" aria-hidden="true" onclick="scrollToTop()" title="Back to top"><i class="fa fa-lg fa-arrow-up"></i></button>
</div>
<script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/1.7.1/clipboard.min.js"></script>
<script src="https://www.google.com/cse/brand?form=search_form"></script>
<script src="/v0.8/js/all.min.js" data-manual></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink