istio.io/archive/v0.5/help/faq.html

<!DOCTYPE html><html lang="en" itemscope itemtype="https://schema.org/WebPage"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><meta name="title" content="Frequently Asked Questions"><meta name="og:title" content="Frequently Asked Questions"><meta name="og:image" content="/v0.5/img/logo.png"/><meta name="theme-color" content="#466BB0"/><meta name="description" content="Frequently Asked Questions about Istio."><meta name="og:description" content="Frequently Asked Questions about Istio."><title>Istioldie 0.5 / Frequently Asked Questions</title><script> window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date; ga('create', 'UA-98480406-2', 'auto'); ga('send', 'pageview'); </script> <script async src='https://www.google-analytics.com/analytics.js'></script><link rel="alternate" type="application/rss+xml" title="Istio Blog RSS" href="/v0.5/feed.xml"><link rel="shortcut icon" href="/v0.5/favicons/favicon.ico" ><link rel="apple-touch-icon" href="/v0.5/favicons/apple-touch-icon-180x180.png" sizes="180x180"><link rel="icon" type="image/png" href="/v0.5/favicons/favicon-16x16.png" sizes="16x16"><link rel="icon" type="image/png" href="/v0.5/favicons/favicon-32x32.png" sizes="32x32"><link rel="icon" type="image/png" href="/v0.5/favicons/android-36x36.png" sizes="36x36"><link rel="icon" type="image/png" href="/v0.5/favicons/android-48x48.png" sizes="48x48"><link rel="icon" type="image/png" href="/v0.5/favicons/android-72x72.png" sizes="72x72"><link rel="icon" type="image/png" href="/v0.5/favicons/android-96x196.png" sizes="96x196"><link rel="icon" type="image/png" href="/v0.5/favicons/android-144x144.png" sizes="144x144"><link rel="icon" type="image/png" href="/v0.5/favicons/android-192x192.png" sizes="192x192"><link rel="manifest" href="/v0.5/manifest.json"><meta name="apple-mobile-web-app-title" content="Istio"><meta 
name="application-name" content="Istio"><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic"><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous"><link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.6/css/all.css"><link rel="stylesheet" href="/v0.5/css/light_theme.css" title="light"><link rel="alternate stylesheet" href="/v0.5/css/dark_theme.css" title="dark"> <script src="/v0.5/js/styleswitcher.js"></script></head><body class="language-unknown theme-unknown"><header role="banner"><nav class="navbar navbar-expand-sm navbar-dark fixed-top bg-dark"> <a class="navbar-brand d-flex w-50 mr-auto" href="/v0.5/" style="visibility: visible"> <img class="logo" src="/v0.5/img/istio-logo.svg" alt="Istio Logo"/> <span class="brand-name">Istioldie 0.5</span> </a> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation"> <span class="navbar-toggler-icon"></span> </button><div class="collapse navbar-collapse" id="navbarCollapse"><div class="navbar-nav justify-content-end"> <a class="nav-item nav-link " href="/v0.5/about/intro.html">About</a> <a class="nav-item nav-link " href="/v0.5/blog/2018/traffic-mirroring.html">Blog</a> <a class="nav-item nav-link " href="/v0.5/docs/">Docs</a> <a class="nav-item nav-link active" href="/v0.5/help">Help</a> <a class="nav-item nav-link " href="/v0.5/community">Community</a></div><div class="dropdown"> <a href="" class="nav-link nav-item dropdown-toggle" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <i class='fa fa-lg fa-cog'></i> </a><div class="dropdown-menu"><h6 class="dropdown-header">Other versions of this site</h6><li> <a 
href="https://istio.io">Current Release</a></li><li> <a href="https://preliminary.istio.io">Next Release</a></li><li> <a href="https://archive.istio.io">Older Releases</a></li><li class="dropdown-divider"></li><li> <i class='fa fa-check light'></i> <a href="" onclick="setActiveStyleSheet('light');return false;">Light Theme</a></li><li> <i class='fa fa-check dark'></i> <a href="" onclick="setActiveStyleSheet('dark');return false;">Dark Theme</a></li></div></div><form name="cse" id="searchbox" class="form-inline justify-content-end" role="search"> <input type="hidden" name="cx" value="013699703217164175118:iwwf17ikgf4" /> <input type="hidden" name="ie" value="utf-8" /> <input type="hidden" name="hl" value="en" /><div class="input-group"> <input name="q" class="form-control search-box" type="text" size="30" /> <button class="btn btn-search input-group-addon my-2 my-sm-0 fa fa-search" type="submit"></button></div></form></div></nav></header><div class="container-fluid"><div class="row row-offcanvas row-offcanvas-left"><div class="col-6 col-md-3 col-xl-2 sidebar-offcanvas"><nav class="sidebar"><div class="spacer"></div><div class="directory" role="tablist"><div class="card"><div class="card-header" role="tab" id="header0"><div title="A bunch of resources to help you deploy, configure and use Istio."> Help!</div></div><div id="collapse0" class="collapse show" data-parent="#sidebar" role="tabpanel" aria-labelledby="header0"><div class="card-body"><ul class="tree"><li> <span class="current" title="Frequently Asked Questions about Istio.">Frequently Asked Questions</span></li><li> <a title="A glossary of common Istio terms." 
href="/v0.5/help/glossary.html">Glossary</a></li><li> <a title="What to do about bugs" href="/v0.5/help/bugs.html">Reporting Bugs</a></li><li> <a title="Practical advice on practical problems with Istio" href="/v0.5/help/troubleshooting.html">Troubleshooting Guide</a></li></ul></div></div></div></div></nav></div><div class="col-12 col-md-9 col-xl-10"><p class="d-md-none"> <label class="sidebar-toggler" data-toggle="offcanvas"> <i class="fa fa-chevron-right"></i> </label></p><main role="main"><h1>Frequently Asked Questions</h1><p>Here are some frequently asked questions about Istio.</p><div class="container-fluid faq"><div class="row"><div class="col-12 col-md-3 col-xl-2"><div class="list-group" role="tablist"> <a class="list-group-item list-group-item-action active" data-toggle="list" role="tab" href="#tab1"> General </a> <a class="list-group-item list-group-item-action " data-toggle="list" role="tab" href="#tab2"> Setup </a> <a class="list-group-item list-group-item-action " data-toggle="list" role="tab" href="#tab3"> Security </a> <a class="list-group-item list-group-item-action " data-toggle="list" role="tab" href="#tab4"> Mixer </a> <a class="list-group-item list-group-item-action " data-toggle="list" role="tab" href="#tab5"> Traffic Management </a></div></div><div class="col-12 col-md-9 col-xl-10"><div class="tab-content"><div class="tab-pane active" id="tab1" role="tabpanel"><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#what-is-istio"><div> What is Istio?</div></a></div><div id="what-is-istio" class="collapse" data-parent="#tab1"><div class="card-body"><p>Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection.</p><p><em>Open</em>: Istio is being developed and maintained as open-source software. 
We encourage contributions and feedback from the community at-large.</p><p><em>Platform-independent</em>: Istio is not targeted at any specific deployment environment. During the initial stages of development, Istio will support Kubernetes-based deployments. However, Istio is being built to enable rapid and easy adaptation to other environments.</p><p><em>Service mesh</em>: Istio is designed to manage communications between microservices and applications. Without requiring changes to the underlying services, Istio provides automated baseline traffic resilience, service metrics collection, distributed tracing, traffic encryption, protocol upgrades, and advanced routing functionality for all service-to-service communication.</p><p>For more detail, please see: <a href="/v0.5/docs/concepts/what-is-istio/">What is Istio?</a></p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#why-use-istio"><div> Why would I want to use Istio?</div></a></div><div id="why-use-istio" class="collapse" data-parent="#tab1"><div class="card-body"><p>Traditionally, much of the logic handled by Istio has been built directly into applications. Across a fleet of services, managing updates to this communications logic can be a large burden. Istio provides an infrastructure-level solution to managing service communications.</p><p><em>Application developers</em>: With Istio managing how traffic flows across their services, developers can focus exclusively on business logic and iterate quickly on new features.</p><p><em>Service operators</em>: Istio enables policy enforcement and mesh monitoring from a single centralized control point, independent of application evolution. 
As a result, operators can ensure continuous policy compliance through a simplified management plane.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#how-do-i-get-started"><div> How do I get started using Istio?</div></a></div><div id="how-do-i-get-started" class="collapse" data-parent="#tab1"><div class="card-body"><p>We recommend starting with the <a href="/v0.5/docs/guides/">Guides</a>, which walk through different core Istio concepts in a tutorial style. The guides showcase intelligent routing, policy enforcement, security, telemetry, etc.</p><p>To start using Istio on your existing Kubernetes or Consul deployment, please refer to our <a href="/v0.5/docs/setup/">Installation</a> task guide.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#what-is-the-license"><div> What is the license?</div></a></div><div id="what-is-the-license" class="collapse" data-parent="#tab1"><div class="card-body"><p>Istio uses the <a href="https://www.apache.org/licenses/LICENSE-2.0.html">Apache License 2.0</a>.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#how-was-istio-started"><div> How was Istio started?</div></a></div><div id="how-was-istio-started" class="collapse" data-parent="#tab1"><div class="card-body"><p>The Istio project was started by teams from Google and IBM in partnership with the Envoy team from Lyft. It's been developed fully in the open on GitHub.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#what-deployment-environment"><div> What deployment environments are supported?</div></a></div><div id="what-deployment-environment" class="collapse" data-parent="#tab1"><div class="card-body"><p>Istio is designed and built to be platform-independent. 
For our 0.5 release, Istio supports environments running container orchestration platforms such as Kubernetes (v1.7.4 or greater) and Nomad (with Consul).</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#how-do-i-contribute"><div> How can I contribute?</div></a></div><div id="how-do-i-contribute" class="collapse" data-parent="#tab1"><div class="card-body"><p>Contributions are highly welcome. We look forward to community feedback, additions, and bug reports.</p><p>The code repositories are hosted on <a href="https://github.com/istio">GitHub</a>. Please see our <a href="https://github.com/istio/community/blob/master/CONTRIBUTING.md">Contribution Guidelines</a> to learn how to contribute.</p><p>In addition to the code, there are other ways to contribute to the Istio <a href="/v0.5/community">community</a>, including on <a href="https://stackoverflow.com/questions/tagged/istio">Stack Overflow</a>, and the <a href="https://groups.google.com/forum/#!forum/istio-users">mailing list</a>.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#istio-partners-and-vendors"><div> How can I discover more about Partner and Vendor opportunities?</div></a></div><div id="istio-partners-and-vendors" class="collapse" data-parent="#tab1"><div class="card-body"><p>If you'd like to speak to the Istio team about a potential integration and/or a partnership opportunity, please complete this <a href="https://goo.gl/forms/ax2SdpC6FpVh9Th02">form</a>.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#where-is-the-documentation"><div> Where is the documentation?</div></a></div><div id="where-is-the-documentation" class="collapse" data-parent="#tab1"><div class="card-body"><p>Check out the <a href="/v0.5/docs/">documentation</a> right here on istio.io. 
The docs include <a href="/v0.5/docs/concepts/">concept overviews</a>, <a href="/v0.5/docs/tasks/">task guides</a>, <a href="/v0.5/docs/guides/">guides</a>, and the <a href="/v0.5/docs/reference/">complete reference documentation</a>.</p><p>Detailed developer-level documentation is maintained for each component in GitHub, alongside the code. Please visit each repository for those docs:</p><ul><li><p><a href="https://envoyproxy.github.io/envoy/">Envoy</a></p></li><li><p><a href="https://github.com/istio/istio/tree/master/pilot/doc">Pilot</a></p></li><li><p><a href="https://github.com/istio/istio/tree/master/mixer/doc">Mixer</a></p></li></ul></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#istio-doesnt-work"><div> Istio doesn't work - what do I do?</div></a></div><div id="istio-doesnt-work" class="collapse" data-parent="#tab1"><div class="card-body"><p>Check out the <a href="/v0.5/troubleshooting">troubleshooting guide</a> for finding solutions and our <a href="/v0.5/bugs">bug reporting</a> page for filing bugs.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#roadmap"><div> What is Istio's roadmap?</div></a></div><div id="roadmap" class="collapse" data-parent="#tab1"><div class="card-body"><p>See our <a href="/v0.5/about/feature-stages.html">feature stages page</a> and <a href="/v0.5/about/notes">release notes</a> for more details.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#what-does-istio-mean"><div> What does the word 'Istio' mean?</div></a></div><div id="what-does-istio-mean" class="collapse" data-parent="#tab1"><div class="card-body"><p>It's the Greek word for sail.</p></div></div></div></div><div class="tab-pane " id="tab2" role="tabpanel"><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#k8s-checking-cluster-alpha-features"><div> Kubernetes - How do I check if my cluster has enabled the 
alpha features required for automatic sidecar injection?</div></a></div><div id="k8s-checking-cluster-alpha-features" class="collapse" data-parent="#tab2"><div class="card-body"><p>Automatic sidecar injection requires the <a href="https://kubernetes.io/docs/admin/extensible-admission-controllers/#enable-initializers-alpha-feature">initializer alpha feature</a>. Run the following command to check if the initializer has been enabled (empty output indicates that initializers are not enabled):</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl api-versions | <span class="nb">grep </span>admissionregistration
</code></pre></div></div><p>In addition, the Kubernetes API server must be started with the Initializer plugin <a href="https://kubernetes.io/docs/admin/extensible-admission-controllers/#enable-initializers-alpha-feature">enabled</a>. Failure to enable the <code class="highlighter-rouge">Initializer</code> plugin will result in the following error when trying to create the initializer deployment.</p><blockquote><p>The Deployment “istio-initializer” is invalid: metadata.initializers.pending: Invalid value: “null”: must be non-empty when result is not set</p></blockquote></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#k8s-sidecar-injection-not-working"><div> Kubernetes - How can I debug problems with automatic sidecar injection?</div></a></div><div id="k8s-sidecar-injection-not-working" class="collapse" data-parent="#tab2"><div class="card-body"><p>Ensure that your cluster has met the <a href="/v0.5/docs/setup/kubernetes/sidecar-injection.html#automatic-sidecar-injection">prerequisites</a> for automatic sidecar injection. If your microservice is deployed in the kube-system, kube-public or istio-system namespace, it is exempted from automatic sidecar injection. Please use a different namespace instead.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#k8s-migrating"><div> Kubernetes - Can I migrate an existing installation from Istio v0.1.x to v0.2.x?</div></a></div><div id="k8s-migrating" class="collapse" data-parent="#tab2"><div class="card-body"><p>Upgrading from Istio 0.1.x to 0.2.x is not supported. 
You must uninstall Istio v0.1, <em>including pods with Istio sidecars</em> and start with a fresh install of Istio v0.2.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#consul-app-not-working"><div> Consul - My application isn't working, where can I troubleshoot this?</div></a></div><div id="consul-app-not-working" class="collapse" data-parent="#tab2"><div class="card-body"><p>Please ensure all required containers are running: etcd, istio-apiserver, consul, registrator, pilot. If one of them is not running, you may find the {containerID} using <code class="highlighter-rouge">docker ps -a</code> and then use <code class="highlighter-rouge">docker logs {containerID}</code> to read the logs.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#consul-unset-context"><div> Consul - How do I unset the context changed by istioctl at the end?</div></a></div><div id="consul-unset-context" class="collapse" data-parent="#tab2"><div class="card-body"><p>Your <code class="highlighter-rouge">kubectl</code> is switched to use the istio context at the end of the <code class="highlighter-rouge">istio context-create</code> command. You can use <code class="highlighter-rouge">kubectl config get-contexts</code> to obtain the list of contexts and <code class="highlighter-rouge">kubectl config use-context {desired-context}</code> to switch to use your desired context.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#eureka-app-not-working"><div> Eureka - My application isn't working, where can I troubleshoot this?</div></a></div><div id="eureka-app-not-working" class="collapse" data-parent="#tab2"><div class="card-body"><p>Please ensure all required containers are running: etcd, istio-apiserver, consul, registrator, istio-pilot. 
If one of them is not running, you may find the {containerID} using <code class="highlighter-rouge">docker ps -a</code> and then use <code class="highlighter-rouge">docker logs {containerID}</code> to read the logs.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#eureka-unset-context"><div> Eureka - How do I unset the context changed by `istioctl` at the end?</div></a></div><div id="eureka-unset-context" class="collapse" data-parent="#tab2"><div class="card-body"><p>Your <code class="highlighter-rouge">kubectl</code> is switched to use the istio context at the end of the <code class="highlighter-rouge">istio context-create</code> command. You can use <code class="highlighter-rouge">kubectl config get-contexts</code> to obtain the list of contexts and <code class="highlighter-rouge">kubectl config use-context {desired-context}</code> to switch to use your desired context.</p></div></div></div></div><div class="tab-pane " id="tab3" role="tabpanel"><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#enabling-disabling-mtls"><div> How can I enable/disable mTLS encryption after I installed Istio?</div></a></div><div id="enabling-disabling-mtls" class="collapse" data-parent="#tab3"><div class="card-body"><p>The most straightforward way to enable/disable mTLS is by entirely uninstalling and re-installing Istio.</p><p>If you are an advanced user and understand the risks you can also do the following:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl edit configmap <span class="nt">-n</span> istio-system istio
</code></pre></div></div><p>Comment out or uncomment <code class="highlighter-rouge">authPolicy: MUTUAL_TLS</code> to toggle mTLS, and then run</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl delete pods <span class="nt">-n</span> istio-system <span class="nt">-l</span> <span class="nv">istio</span><span class="o">=</span>pilot
</code></pre></div></div><p>to restart Pilot. After a few seconds (depending on your <code class="highlighter-rouge">*RefreshDelay</code>), your Envoy proxies will have picked up the change from Pilot. During that time your services may be unavailable.</p><p>We are working on a smoother solution.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#istio-to-not-istio"><div> Can a service with Istio Auth enabled communicate with a service without Istio?</div></a></div><div id="istio-to-not-istio" class="collapse" data-parent="#tab3"><div class="card-body"><p>This is not supported currently, but will be in the near future.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#auth-mix-and-match"><div> Can I enable Istio Auth for some services while disabling it for others in the same cluster?</div></a></div><div id="auth-mix-and-match" class="collapse" data-parent="#tab3"><div class="card-body"><p>Starting with release 0.3, you can use service-level annotations to disable (or enable) Istio Auth for a particular service port. The annotation key should be <code class="highlighter-rouge">auth.istio.io/{port_number}</code>, and the value should be <code class="highlighter-rouge">NONE</code> (to disable), or <code class="highlighter-rouge">MUTUAL_TLS</code> (to enable).</p><p>Example: disable Istio Auth on port 9080 for service <code class="highlighter-rouge">details</code>.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span>
<span class="na">metadata</span><span class="pi">:</span>
  <span class="na">name</span><span class="pi">:</span> <span class="s">details</span>
  <span class="na">labels</span><span class="pi">:</span>
    <span class="na">app</span><span class="pi">:</span> <span class="s">details</span>
  <span class="na">annotations</span><span class="pi">:</span>
    <span class="s">auth.istio.io/9080</span><span class="pi">:</span> <span class="s">NONE</span>
</code></pre></div></div></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#k8s-health-checks"><div> How can I use Kubernetes liveness and readiness for service health check with Istio Auth enabled?</div></a></div><div id="k8s-health-checks" class="collapse" data-parent="#tab3"><div class="card-body"><p>If Istio Auth is enabled, HTTP and TCP health checks from the kubelet will not work, since the kubelet does not have Istio Auth issued certs. A workaround is to use a <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#define-a-liveness-command">liveness command</a> for the health check, e.g., one can install curl in the service pod and curl itself within the pod. The Istio team is actively working on a solution.</p><p>An example of a livenessProbe:</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">livenessProbe</span><span class="pi">:</span>
  <span class="na">exec</span><span class="pi">:</span>
    <span class="na">command</span><span class="pi">:</span>
    <span class="pi">-</span> <span class="s">curl</span>
    <span class="pi">-</span> <span class="s">-f</span>
    <span class="pi">-</span> <span class="s">http://localhost:8080/healthz</span> <span class="c1"># Replace port and URI by your actual health check</span>
  <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="s">10</span>
  <span class="na">periodSeconds</span><span class="pi">:</span> <span class="s">5</span>
</code></pre></div></div></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#k8s-api-server"><div> Can I access the Kubernetes API Server with Auth enabled?</div></a></div><div id="k8s-api-server" class="collapse" data-parent="#tab3"><div class="card-body"><p>The Kubernetes API server does not support mutual TLS authentication, so strictly speaking: no. However, if you use version 0.3 or later, see the next question to learn how to disable mTLS in the upstream config on the client side so that clients can access the API server.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#accessing-control-services"><div> How to disable Auth on clients to access the Kubernetes API Server (or any control services that don't have Istio sidecar)?</div></a></div><div id="accessing-control-services" class="collapse" data-parent="#tab3"><div class="card-body"><p>Starting with release 0.3, edit the <code class="highlighter-rouge">mtlsExcludedServices</code> list in the Istio config map to contain the fully-qualified name of the API server (and any other control services for that matter). The default value of <code class="highlighter-rouge">mtlsExcludedServices</code> already contains <code class="highlighter-rouge">kubernetes.default.svc.cluster.local</code>, which is the default service name of the Kubernetes API server.</p><p>For quick reference, here are the commands to edit the Istio configmap and to restart Pilot.</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl edit configmap <span class="nt">-n</span> istio-system istio
kubectl delete pods <span class="nt">-n</span> istio-system <span class="nt">-l</span> <span class="nv">istio</span><span class="o">=</span>pilot
</code></pre></div></div><blockquote><p>Note: DO NOT use this approach to disable mTLS for services that are managed by Istio (i.e. using the Istio sidecar). Instead, use service-level annotations to override the authentication policy (see above).</p></blockquote></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#does-istio-support-authorization"><div> Does Istio Auth support authorization?</div></a></div><div id="does-istio-support-authorization" class="collapse" data-parent="#tab3"><div class="card-body"><p>Yes. Starting with the Istio 0.5 release, we provide Role Based Access Control for services in the Istio mesh. <a href="/v0.5/docs/concepts/security/rbac.html">Learn more</a>.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#use-k8s-secrets"><div> Does Istio Auth use Kubernetes secrets?</div></a></div><div id="use-k8s-secrets" class="collapse" data-parent="#tab3"><div class="card-body"><p>Yes. The key and certificate distribution in Istio Auth is based on <a href="https://kubernetes.io/docs/concepts/configuration/secret/">Kubernetes secrets</a>.</p><p>Secrets have known <a href="https://kubernetes.io/docs/concepts/configuration/secret/#risks">security risks</a>. The Kubernetes team is working on <a href="https://docs.google.com/document/d/1T2y-9geg9EfHHtCDYTXptCa-F4kQ0RyiH-c_M1SyD0s">several features</a> to improve Kubernetes secret security, from secret encryption to node-level access control. 
And as of version 1.6, Kubernetes introduces <a href="https://kubernetes.io/docs/admin/authorization/rbac/">RBAC authorization</a>, which can provide fine-grained secrets management.</p></div></div></div></div><div class="tab-pane " id="tab4" role="tabpanel"><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#why-mixer"><div> Why does Istio need Mixer?</div></a></div><div id="why-mixer" class="collapse" data-parent="#tab4"><div class="card-body"><p>Mixer provides a rich intermediation layer between the Istio components as well as Istio-based services, and the infrastructure backends used to perform access control checks and telemetry capture. This layer enables operators to have rich insights and control over service behavior without requiring changes to service binaries.</p><p>Mixer is designed as a stand-alone component, distinct from Envoy. This has numerous benefits:</p><ul><li><p><em>Scalability</em>. The work that Mixer and Envoy do is very different in nature, leading to different scalability requirements. Keeping the components separate enables independent component-appropriate scaling.</p></li><li><p><em>Resource Usage</em>. Istio depends on being able to deploy many instances of its proxy, making it important to minimize the cost of each individual instance. Moving Mixer's complex logic into a distinct component makes it possible for Envoy to remain svelte and agile.</p></li><li><p><em>Reliability</em>. Mixer and its open-ended extensibility model represent the most complex parts of the data path processing pipeline. Hosting this functionality in Mixer rather than Envoy creates distinct failure domains, which enables Envoy to continue operating even if Mixer fails, preventing outages.</p></li><li><p><em>Isolation</em>. Mixer provides a level of insulation between Istio and the infrastructure backends. 
Each Envoy instance can be configured to have a very narrow scope of interaction, limiting the impact of potential attacks.</p></li><li><p><em>Extensibility</em>. It was imperative to design a simple extensibility model to allow Istio to interoperate with the widest breadth of backends possible. Due to its design and language choice, Mixer is inherently easier to extend than Envoy is. The separation of concerns also makes it possible to use Istio policy and telemetry processing with different proxies, such as a mix of Envoy and NGINX.</p></li></ul><p>Envoy implements sophisticated caching, batching, and prefetching, to largely mitigate the latency impact of needing to interact with Mixer on the request path.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#seeing-mixer-config"><div> How do I see all of the configuration for Mixer?</div></a></div><div id="seeing-mixer-config" class="collapse" data-parent="#tab4"><div class="card-body"><p>Configuration for <em>instances</em>, <em>handlers</em>, and <em>rules</em> is stored as Kubernetes <a href="https://kubernetes.io/docs/concepts/api-extension/custom-resources/">Custom Resources</a>. Configuration may be accessed by using <code class="highlighter-rouge">kubectl</code> to query the Kubernetes <a href="https://kubernetes.io/docs/admin/kube-apiserver/">API server</a> for the resources.</p><h4 id="rules">Rules</h4><p>To see the list of all rules, execute the following:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl get rules <span class="nt">--all-namespaces</span>
</code></pre></div></div><p>Output will be similar to:</p><div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>NAMESPACE      NAME        KIND
default        mongoprom   rule.v1alpha2.config.istio.io
istio-system   promhttp    rule.v1alpha2.config.istio.io
istio-system   promtcp     rule.v1alpha2.config.istio.io
istio-system   stdio       rule.v1alpha2.config.istio.io
</code></pre></div></div><p>To see an individual rule configuration, execute the following:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl <span class="nt">-n</span> &lt;namespace&gt; get rules &lt;name&gt; <span class="nt">-o</span> yaml
</code></pre></div></div><h4 id="handlers">Handlers</h4><p>Handlers are defined based on Kubernetes <a href="https://kubernetes.io/docs/concepts/api-extension/custom-resources/#customresourcedefinitions">Custom Resource Definitions</a> for adapters.</p><p>First, identify the list of adapter kinds:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl get crd <span class="nt">-listio</span><span class="o">=</span>mixer-adapter
</code></pre></div></div><p>The output will be similar to:</p><div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>NAME KIND
deniers.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io
listcheckers.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io
memquotas.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io
noops.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io
prometheuses.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io
stackdrivers.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io
statsds.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io
stdios.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io
svcctrls.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io
</code></pre></div></div><p>Then, for each adapter kind in that list, issue the following command:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl get &lt;adapter kind name&gt; <span class="nt">--all-namespaces</span>
</code></pre></div></div><p>Output for <code class="highlighter-rouge">stdios</code> will be similar to:</p><div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>NAMESPACE NAME KIND
istio-system handler stdio.v1alpha2.config.istio.io
</code></pre></div></div><p>To see an individual handler configuration, execute the following:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl <span class="nt">-n</span> &lt;namespace&gt; get &lt;adapter kind name&gt; &lt;name&gt; <span class="nt">-o</span> yaml
</code></pre></div></div><h4 id="instances">Instances</h4><p>Instances are defined according to Kubernetes <a href="https://kubernetes.io/docs/concepts/api-extension/custom-resources/#customresourcedefinitions">Custom Resource Definitions</a> for instances.</p><p>First, identify the list of instance kinds:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl get crd <span class="nt">-listio</span><span class="o">=</span>mixer-instance
</code></pre></div></div><p>The output will be similar to:</p><div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>NAME KIND
checknothings.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io
listentries.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io
logentries.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io
metrics.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io
quotas.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io
reportnothings.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io
</code></pre></div></div><p>Then, for each instance kind in that list, issue the following command:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl get &lt;instance kind name&gt; <span class="nt">--all-namespaces</span>
</code></pre></div></div><p>Output for <code class="highlighter-rouge">metrics</code> will be similar to:</p><div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>NAMESPACE NAME KIND
default mongoreceivedbytes metric.v1alpha2.config.istio.io
default mongosentbytes metric.v1alpha2.config.istio.io
istio-system requestcount metric.v1alpha2.config.istio.io
istio-system requestduration metric.v1alpha2.config.istio.io
istio-system requestsize metric.v1alpha2.config.istio.io
istio-system responsesize metric.v1alpha2.config.istio.io
istio-system tcpbytereceived metric.v1alpha2.config.istio.io
istio-system tcpbytesent metric.v1alpha2.config.istio.io
</code></pre></div></div><p>To see an individual instance configuration, execute the following:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl <span class="nt">-n</span> &lt;namespace&gt; get &lt;instance kind name&gt; &lt;name&gt; <span class="nt">-o</span> yaml
</code></pre></div></div></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#attribute-expressions"><div> What is the full set of attribute expressions Mixer supports?</div></a></div><div id="attribute-expressions" class="collapse" data-parent="#tab4"><div class="card-body"><p>Please see the <a href="/v0.5/docs/reference/config/mixer/expression-language.html">Expression Language Reference</a> for the full set of supported attribute expressions.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#mixer-self-monitoring"><div> Does Mixer provide any self-monitoring?</div></a></div><div id="mixer-self-monitoring" class="collapse" data-parent="#tab4"><div class="card-body"><p>Mixer exposes a monitoring endpoint (default port: <code class="highlighter-rouge">9093</code>). There are a few useful paths to investigate Mixer performance and audit function:</p><ul><li><code class="highlighter-rouge">/metrics</code> provides Prometheus metrics on the Mixer process as well as gRPC metrics related to API calls and metrics on adapter dispatch.</li><li><code class="highlighter-rouge">/debug/pprof</code> provides an endpoint for profiling data in <a href="https://golang.org/pkg/net/http/pprof/">pprof format</a>.</li><li><code class="highlighter-rouge">/debug/vars</code> provides an endpoint exposing server metrics in JSON format.</li></ul><p>Mixer logs can be accessed via a <code class="highlighter-rouge">kubectl logs</code> command, as follows:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl <span class="nt">-n</span> istio-system logs <span class="k">$(</span>kubectl <span class="nt">-n</span> istio-system get pods <span class="nt">-listio</span><span class="o">=</span>mixer <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.items[0].metadata.name}'</span><span class="k">)</span> mixer
</code></pre></div></div><p>Mixer trace generation is controlled by the command-line flag <code class="highlighter-rouge">traceOutput</code>. If the flag value is set to <code class="highlighter-rouge">STDOUT</code> or <code class="highlighter-rouge">STDERR</code>, trace data will be written directly to those locations. If a URL is provided, Mixer will post Zipkin-formatted data to that endpoint (example: <code class="highlighter-rouge">http://zipkin:9411/api/v1/spans</code>).</p><p>In the 0.2 release, Mixer only supports Zipkin tracing.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#writing-custom-adapters"><div> How can I write a custom adapter for Mixer?</div></a></div><div id="writing-custom-adapters" class="collapse" data-parent="#tab4"><div class="card-body"><p>Learn how to implement a new adapter for Mixer by consulting the <a href="https://github.com/istio/istio/blob/master/mixer/doc/adapters.md">Adapter Developers Guide</a>.</p></div></div></div></div><div class="tab-pane " id="tab5" role="tabpanel"><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#viewing-current-rules"><div> How can I view the current route rules I have configured with Istio?</div></a></div><div id="viewing-current-rules" class="collapse" data-parent="#tab5"><div class="card-body"><p>Rules can be viewed using <code class="highlighter-rouge">istioctl get routerules -o yaml</code> or <code class="highlighter-rouge">kubectl get routerules -o yaml</code>.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#weighted-rules-not-working"><div> Why is creating a weighted route rule to split traffic between two versions of a service not working as expected?</div></a></div><div id="weighted-rules-not-working" class="collapse" data-parent="#tab5"><div class="card-body"><p>For the current Envoy sidecar implementation, up to 100 requests may be required for the desired 
distribution to be observed.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#unreachable-services"><div> How come some of my services are unreachable after creating route rules?</div></a></div><div id="unreachable-services" class="collapse" data-parent="#tab5"><div class="card-body"><p>This is a known issue with the current Envoy sidecar implementation. Two seconds after the rule is created, services should become available.</p></div></div></div><div class="card"><div class="card-header"> <a data-toggle="collapse" href="#ingress-with-no-route-rules"><div> Can I use standard Ingress specification without any route rules?</div></a></div><div id="ingress-with-no-route-rules" class="collapse" data-parent="#tab5"><div class="card-body"><p>Simple ingress specifications, with host, TLS, and exact path-based matches, will work out of the box without the need for route rules. However, note that the path used in the ingress resource should not have any <code class="highlighter-rouge">.</code> characters.</p><p>For example, the following ingress resource matches requests for the example.com host, with /helloworld as the URL.</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> | kubectl create -f -
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: simple-ingress
  annotations:
    kubernetes.io/ingress.class: istio
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /helloworld
        backend:
          serviceName: myservice
          servicePort: grpc
</span><span class="no">EOF
</span></code></pre></div></div><p>However, the following rule will not work because it uses regular expressions in the path and <code class="highlighter-rouge">ingress.kubernetes.io</code> annotations:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> | kubectl create -f -
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: this-will-not-work
  annotations:
    kubernetes.io/ingress.class: istio
    # Ingress annotations other than ingress class will not be honored
    ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /hello(.*?)world/
        backend:
          serviceName: myservice
          servicePort: grpc
</span><span class="no">EOF
</span></code></pre></div></div></div></div></div></div></div></div></div></div></main></div></div></div><div class="footer"><footer><div class="container-fluid"><div class="row"><div class="col-12"><p class="description text-center" role="contentinfo"> Istio 0.5, Copyright &copy; 2018 Istio Authors<br> Archived on 14-Feb-2018</p></div></div></div></footer></div><script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js" integrity="sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q" crossorigin="anonymous"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/1.7.1/clipboard.min.js"></script> <script src="https://www.google.com/cse/brand?form=searchbox"></script> <script src="/v0.5/js/misc.js"></script></body></html>