
<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Multi-Mesh Deployments for Isolation and Boundary Protection"><meta name=description content="Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation."><meta name=author content="Vadim Eisenberg (IBM)"><meta name=keywords content="microservices,services,mesh,traffic-management,multicluster,security,gateway,tls"><meta property="og:title" content="Multi-Mesh Deployments for Isolation and Boundary Protection"><meta property="og:type" content="website"><meta property="og:description" content="Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation."><meta property="og:url" content="/v1.12/blog/2019/isolated-clusters/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1024"><meta property="og:image:height" content="1024"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.12 / Multi-Mesh Deployments for Isolation and Boundary Protection</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.12/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.12/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.12/feed.xml><link rel="shortcut icon" href=/v1.12/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.12/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.12/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.12/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.12/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.12/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.12/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.12/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.12/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.12/favicons/android-192x192.png sizes=192x192><link rel=mask-icon href=/v1.12/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.12/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.12/css/all.css><link rel=preconnect href=https://fonts.gstatic.com><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.12/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.12";const docTitle="Multi-Mesh Deployments for Isolation and Boundary Protection";const 
iconFile="\/v1.12/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.12/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.12/><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 
01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371 7.869 7.869.0 013.066-4.178 9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger 
class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.12/img/icons.svg#menu-hamburger"/></svg></button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.12/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.12/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.12/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.12/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.12/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.12/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use 
xlink:href="/v1.12/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.12/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label="Search this site" placeholder=Search>
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon menu-close"><use xlink:href="/v1.12/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container><a href=/v1.12/news/releases/1.12.x/announcing-1.12.3/ class=banner data-title="Latest Release-2022-02-11 00:00:00 +0000 UTC" data-period-start=1644537600000 data-period-end=1645142400000 data-max-impressions=3 data-timeout><div class=content><p>Istio 1.12.3 is now available! Click here to learn more</p></div><div class=frame></div></a></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Multi-Mesh Deployments for Isolation and Boundary Protection</h1><p>Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation.</p></div><p class=post-author>Oct 2, 2019 <span>|</span> By Vadim Eisenberg - IBM</p><div><p>Various compliance standards require protection of sensitive data environments. Some of the important standards and the
types of sensitive data they protect appear in the following table:</p><table><thead><tr><th>Standard</th><th>Sensitive data</th></tr></thead><tbody><tr><td><a href=https://www.pcisecuritystandards.org/pci_security>PCI DSS</a></td><td>payment card data</td></tr><tr><td><a href=https://www.fedramp.gov>FedRAMP</a></td><td>federal information, data and metadata</td></tr><tr><td><a href="http://www.gpo.gov/fdsys/search/pagedetails.action?granuleId=CRPT-104hrpt736&packageId=CRPT-104hrpt736">HIPAA</a></td><td>personal health data</td></tr><tr><td><a href=https://gdpr-info.eu>GDPR</a></td><td>personal data</td></tr></tbody></table><p><a href=https://www.pcisecuritystandards.org/pci_security>PCI DSS</a>, for example, recommends putting the cardholder data
environment on a network separate from the rest of the system. It also requires using a <a href=https://en.wikipedia.org/wiki/DMZ_(computing)>DMZ</a>,
and setting firewalls between the public Internet and the DMZ, and between the DMZ and the internal network.</p><p>Isolation of sensitive data environments from other information systems can reduce the scope of the compliance checks
and improve the security of the sensitive data. Reducing the scope reduces the risks of failing a compliance check and
reduces the costs of compliance since there are fewer components to check and secure, according to compliance
requirements.</p><p>You can achieve isolation of sensitive data by separating the parts of the application that process that data
into a separate service mesh, preferably on a separate network, and then connect the meshes with different
compliance requirements together in a <span class=term data-title=Multi-Mesh data-body='<p>Multi-mesh is a deployment model that consists of two or more <a href="/docs/reference/glossary/#service-mesh">service meshes</a>.
Each mesh has independent administration for naming and identities but you can
expose services between meshes through <a href="/docs/reference/glossary/#mesh-federation">mesh federation</a>.
The resulting deployment is a multi-mesh deployment.</p>'>multi-mesh</span> deployment.
The process of connecting inter-mesh
applications is called <span class=term data-title="Mesh Federation" data-body='<p>Mesh federation is the act of exposing services between meshes and enabling
communication across mesh boundaries. Each mesh may expose a subset of its
services to enable one or more other meshes to consume the exposed services. You
can use mesh federation to enable communication between meshes in a
<a href="/docs/ops/deployment/deployment-models/#multiple-meshes">multi-mesh deployment</a>.</p>'>mesh federation</span>.</p><p>Note that using mesh federation to create a multi-mesh deployment is very different from creating a
<span class=term data-title=Multicluster data-body='<p>Multicluster is a deployment model that consists of a
<a href="/docs/reference/glossary/#service-mesh">mesh</a> with multiple
<a href="/docs/reference/glossary/#cluster">clusters</a>.</p>'>multicluster</span> deployment, which defines a single service mesh composed of services spanning more than one cluster. Unlike multi-mesh, a multicluster deployment is not suitable for
applications that require isolation and boundary protection: because all of its clusters belong to the same mesh, they do not have the independent administration of naming and identities that separate meshes have.</p><p>In this blog post I describe the requirements for isolation and boundary protection, and outline the principles of
multi-mesh deployments. Finally, I touch on the current state of mesh-federation support and automation work under way for
Istio.</p><h2 id=isolation-and-boundary-protection>Isolation and boundary protection</h2><p>Isolation and boundary protection mechanisms are explained in the
<a href=http://dx.doi.org/10.6028/NIST.SP.800-53r4>NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations</a>,
<em>Appendix F, Security Control Catalog, SC-7 Boundary Protection</em>.</p><p>In particular, the <em>Boundary protection, isolation of information system components</em> control enhancement:</p><div><aside class="callout quote"><div class=type><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-quote"/></svg></div><div class=content>Organizations can isolate information system components performing different missions and/or business functions.
Such isolation limits unauthorized information flows among system components and also provides the opportunity to deploy
greater levels of protection for selected components. Separating system components with boundary protection mechanisms
provides the capability for increased protection of individual components and to more effectively control information
flows between those components. This type of enhanced protection limits the potential harm from cyber attacks and
errors. The degree of separation provided varies depending upon the mechanisms chosen. Boundary protection mechanisms
include, for example, routers, gateways, and firewalls separating system components into physically separate networks or
subnetworks, cross-domain devices separating subnetworks, virtualization techniques, and encrypting information flows
among system components using distinct encryption keys.</div></aside></div><p>Various compliance standards recommend isolating environments that process sensitive data from the rest of the
organization.
The <a href=https://www.pcisecuritystandards.org/pci_security/>Payment Card Industry (PCI) Data Security Standard</a>
recommends implementing network isolation for the <em>cardholder data</em> environment and requires isolating this environment from
the <a href=https://en.wikipedia.org/wiki/DMZ_(computing)>DMZ</a>.
<a href=https://www.fedramp.gov/assets/resources/documents/CSP_A_FedRAMP_Authorization_Boundary_Guidance.pdf>FedRAMP Authorization Boundary Guidance</a>
describes the <em>authorization boundary</em> for federal information and data, while
<a href=https://doi.org/10.6028/NIST.SP.800-37r2>NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy</a>
recommends protecting such a boundary in <em>Appendix G, Authorization Boundary Considerations</em>:</p><div><aside class="callout quote"><div class=type><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-quote"/></svg></div><div class=content>Dividing a system into subsystems (i.e., divide and conquer) facilitates a targeted application of controls to achieve
adequate security, protection of individual privacy, and a cost-effective risk management process. Dividing complex
systems into subsystems also supports the important security concepts of domain separation and network segmentation,
which can be significant when dealing with high value assets. When systems are divided into subsystems, organizations
may choose to develop individual subsystem security and privacy plans or address the system and subsystems in the same
security and privacy plans.
Information security and privacy architectures play a key part in the process of dividing complex systems into
subsystems. This includes monitoring and controlling communications at internal boundaries among subsystems and
selecting, allocating, and implementing controls that meet or exceed the security and privacy requirements of the
constituent subsystems.</div></aside></div><p>Boundary protection, in particular, means:</p><ul><li>put an access control mechanism at the boundary (firewall, gateway, etc.)</li><li>monitor the incoming/outgoing traffic at the boundary</li><li>all the access control mechanisms must be <em>deny-all</em> by default</li><li>do not expose private IP addresses from the boundary</li><li>do not let components from outside the boundary impact security inside the boundary</li></ul><p>Multi-mesh deployments facilitate division of a system into subsystems with different
security and compliance requirements, and facilitate boundary protection.
You put each subsystem into a separate service mesh, preferably on a separate network.
You connect the Istio meshes using gateways. The gateways monitor and control cross-mesh traffic at the boundary of
each mesh.</p><h2 id=features-of-multi-mesh-deployments>Features of multi-mesh deployments</h2><ul><li><strong>non-uniform naming</strong>. The <code>withdraw</code> service in the <code>accounts</code> namespace in one mesh might have
different functionality and API than the <code>withdraw</code> services in the <code>accounts</code> namespace in other meshes.
Such a situation could happen in an organization where there is no uniform policy on naming of namespaces and services, or
when the meshes belong to different organizations.</li><li><strong>expose-nothing by default</strong>. None of the services in a mesh are exposed by default; the mesh owners must
explicitly specify which services are exposed.</li><li><strong>boundary protection</strong>. The access control of the traffic must be enforced at the ingress gateway, which stops
forbidden traffic from entering the mesh. This requirement implements the
<a href=https://en.wikipedia.org/wiki/Defense_in_depth_(computing)>defense-in-depth principle</a> and is part of some compliance
standards, such as the
<a href=https://www.pcisecuritystandards.org/pci_security/>Payment Card Industry (PCI) Data Security Standard</a>. Under defense in depth, enforcement at the gateway is one layer of control and does not replace access control applied inside the mesh.</li><li><strong>common trust may not exist</strong>. The Istio sidecars in one mesh may not trust the Citadel certificates in other
meshes, because of some security requirement or because the mesh owners did not initially plan to federate
the meshes.</li></ul><p>While <strong>expose-nothing by default</strong> and <strong>boundary protection</strong> are required to facilitate compliance and improve
security, <strong>non-uniform naming</strong> and <strong>common trust may not exist</strong> are required when connecting
meshes of different organizations, or of an organization that cannot enforce uniform naming or cannot or may not
establish common trust between the meshes.</p><p>An optional feature that you may want to use is <strong>service location transparency</strong>: consuming services send requests
to the exposed services in remote meshes using local service names. The consuming services are oblivious to the fact
that some of the destinations are in remote meshes and some are local services. The access is uniform, using the local
service names, for example, in Kubernetes, <code>reviews.default.svc.cluster.local</code>.
<strong>Service location transparency</strong> is useful in the cases when you want to be able to change the location of the
consumed services, for example when some service is migrated from private cloud to public cloud, without changing the
code of your applications.</p><h2 id=the-current-mesh-federation-work>The current mesh-federation work</h2><p>While you can perform mesh federation using standard Istio configurations already today,
it requires writing a lot of boilerplate YAML files and is error-prone. There is an effort under way to automate
the mesh federation process. In the meantime, you can look at these
<a href=https://github.com/istio-ecosystem/multi-mesh-examples>multi-mesh deployment examples</a>
to get an idea of what a generated federation might include.</p><h2 id=summary>Summary</h2><p>In this blog post I described the requirements for isolation and boundary protection of sensitive data environments and how
Istio multi-mesh deployments can help meet them. I outlined the principles of Istio
multi-mesh deployments and reported the current work on
mesh federation in Istio.</p><p>I will be happy to hear your opinion about <span class=term data-title=Multi-Mesh data-body='<p>Multi-mesh is a deployment model that consists of two or more <a href="/docs/reference/glossary/#service-mesh">service meshes</a>.
Each mesh has independent administration for naming and identities but you can
expose services between meshes through <a href="/docs/reference/glossary/#mesh-federation">mesh federation</a>.
The resulting deployment is a multi-mesh deployment.</p>'>multi-mesh</span> and
<span class=term data-title=Multicluster data-body='<p>Multicluster is a deployment model that consists of a
<a href="/docs/reference/glossary/#service-mesh">mesh</a> with multiple
<a href="/docs/reference/glossary/#cluster">clusters</a>.</p>'>multicluster</span> at <a href=https://discuss.istio.io>discuss.istio.io</a>.</p></div><nav class=pagenav><div class=left><a title="Configure Istio ingress gateway to act as a proxy for external services." href=/v1.12/blog/2019/proxy/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.12/img/icons.svg#left-arrow"/></svg>Istio as a Proxy for External Services</a></div><div class=right><a title="How can you use Istio to monitor blocked and passthrough external traffic." href=/v1.12/blog/2019/monitoring-external-service-traffic/ class=next-link>Monitoring Blocked and Passthrough External Service Traffic<svg class="icon right-arrow"><use xlink:href="/v1.12/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.12/img/icons.svg#github"/></svg></a><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.12/img/icons.svg#drive"/></svg></a><a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.12/img/icons.svg#slack"/></svg></a><a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.12/img/icons.svg#stackoverflow"/></svg></a><a class=channel title="Follow us on Twitter to get the latest 
news" href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.12/img/icons.svg#twitter"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.12/><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 
00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371 7.869 7.869.0 013.066-4.178 9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.12/img/icons.svg#tick"/></svg>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh class=footer-languages-item>中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://policies.google.com/privacy>Privacy policy</a> |
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.12/content/en/blog/2019/isolated-clusters/index.md>Edit this Page on GitHub</a></li></ul><div class=footer-base><span class=footer-base-copyright>&copy; 2021 Istio Authors.</span>
<span class=footer-base-version>Version
Archive
1.12.3</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2019\/isolated-clusters\/');return false;">current release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2019\/isolated-clusters\/');return false;">next release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link role=menuitem href=https://istio.io/archive>older releases</a></li></ul></div></div></footer><script src=https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js defer></script><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon top"><use xlink:href="/v1.12/img/icons.svg#top"/></svg></button></div></body></html>