
#!/bin/bash
# shellcheck disable=SC2034,SC2153,SC2155,SC2164
# Copyright Istio Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
####################################################################################################
# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
# docs/tasks/security/authorization/authz-ingress/index.md
####################################################################################################
snip_before_you_begin_1() {
  # Deploy httpbin and its Gateway into a dedicated namespace. The manifests
  # are passed through istioctl kube-inject so the task does not depend on
  # the namespace carrying an injection label.
  local ns=foo
  kubectl create ns "$ns"
  local manifest
  for manifest in samples/httpbin/httpbin.yaml samples/httpbin/httpbin-gateway.yaml; do
    kubectl apply -f <(istioctl kube-inject -f "$manifest") -n "$ns"
  done
}
snip_before_you_begin_2() {
  # Raise the RBAC logger of every ingress gateway proxy to debug so each
  # authorization decision (and the addresses it was evaluated against) is
  # written to the pod log, where the later snippets read it back.
  local pod
  while read -r pod; do
    istioctl proxy-config log "$pod" -n istio-system --level rbac:debug
  done < <(kubectl get pods -n istio-system -o name -l istio=ingressgateway | sed 's|pod/||')
}
snip_before_you_begin_3() {
  # Probe the gateway over plain HTTP and print only the status code; the
  # response body is discarded. INGRESS_HOST/INGRESS_PORT come from the
  # environment set up earlier in the task.
  local url="$INGRESS_HOST:$INGRESS_PORT/headers"
  curl -s -o /dev/null -w '%{http_code}\n' "$url"
}
# Expected status of snip_before_you_begin_3 before any AuthorizationPolicy
# selects the gateway: the request is let through.
snip_before_you_begin_3_out='200'
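# EnvoyFilter that makes the ingress gateway listeners parse the PROXY
# protocol header sent by the load balancer, so the address carried in that
# header (the original client) is what the gateway sees as the peer; the
# tls_inspector filter is kept so SNI/ALPN sniffing still happens after the
# header is consumed.
# NOTE(review): the proxy_protocol listener filter accepts the header from
# ANY peer. The gateway must therefore only be reachable through the
# PROXY-speaking LB (security groups / loadBalancerSourceRanges); a client
# that can connect directly can send its own header and choose the "client
# IP" the allow/deny lists below are evaluated against.
! read -r -d '' snip_source_ip_address_of_the_original_client_1 <<\ENDSNIP
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: proxy-protocol
  namespace: istio-system
spec:
  configPatches:
  - applyTo: LISTENER
    patch:
      operation: MERGE
      value:
        listener_filters:
        - name: envoy.listener.proxy_protocol
        - name: envoy.listener.tls_inspector
  workloadSelector:
    labels:
      istio: ingressgateway
ENDSNIP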
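# IstioOperator overlay for an AWS classic ELB: JSON access logs on stdout,
# ELB access logs shipped to S3, a 5..10 replica gateway spread across zones,
# and PROXY protocol enabled on the ELB
# ("aws-load-balancer-proxy-protocol: *").
# NOTE(review): PROXY protocol has to be switched on at both ends — this
# annotation on the LB and the EnvoyFilter on the gateway. Enabling only one
# side breaks every connection, and enabling the gateway side while the
# gateway is reachable around the LB lets a direct peer forge the client
# address (see the note on the EnvoyFilter snippet).
! read -r -d '' snip_source_ip_address_of_the_original_client_2 <<\ENDSNIP
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    accessLogEncoding: JSON
    accessLogFile: /dev/stdout
  components:
    ingressGateways:
    - enabled: true
      k8s:
        hpaSpec:
          maxReplicas: 10
          minReplicas: 5
        serviceAnnotations:
          service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval: "5"
          service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true"
          service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: elb-logs
          service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix: k8sELBIngressGW
          service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
        affinity:
          podAntiAffinity:
            preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    istio: ingressgateway
                topologyKey: failure-domain.beta.kubernetes.io/zone
              weight: 1
      name: istio-ingressgateway
ENDSNIP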
snip_source_ip_address_of_the_original_client_3() {
  # Switch the gateway Service to externalTrafficPolicy: Local so traffic is
  # only delivered to nodes that run a gateway pod and the client source
  # address is preserved instead of being rewritten on a second hop.
  local patch='{"spec":{"externalTrafficPolicy":"Local"}}'
  kubectl patch svc istio-ingressgateway -n istio-system -p "$patch"
}
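# Trust exactly one proxy hop in front of the gateway: remoteIpBlocks (and
# the remoteIP shown in the RBAC debug log) are taken from the
# X-Forwarded-For entry added by that hop.
# NOTE(review): numTrustedProxies must equal the real number of trusted L7
# proxies that append X-Forwarded-For, and the gateway must not be reachable
# around them. With a value that is too high, or a directly exposed gateway,
# a client can set X-Forwarded-For itself and pick the address the
# allow/deny lists see.
! read -r -d '' snip_source_ip_address_of_the_original_client_4 <<\ENDSNIP
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    accessLogEncoding: JSON
    accessLogFile: /dev/stdout
    defaultConfig:
      gatewayTopology:
        numTrustedProxies: 1
ENDSNIP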
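# IstioOperator overlay for an AWS NLB with JSON access logs on stdout and a
# 5..10 replica gateway. An NLB hands the client connection through without
# PROXY protocol, so combined with externalTrafficPolicy: Local the gateway
# sees the original client address and ipBlocks can be used directly.
! read -r -d '' snip_source_ip_address_of_the_original_client_5 <<\ENDSNIP
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    accessLogEncoding: JSON
    accessLogFile: /dev/stdout
  components:
    ingressGateways:
    - enabled: true
      k8s:
        hpaSpec:
          maxReplicas: 10
          minReplicas: 5
        serviceAnnotations:
          service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
ENDSNIP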
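snip_ipbased_allow_list_and_deny_list_1() {
  # ALLOW policy on the ingress gateway keyed on ipBlocks, i.e. the address
  # of the TCP peer that connected to the gateway. Once an ALLOW policy
  # selects a workload every request matching none of its rules is rejected
  # with 403, so this turns the gateway into an allow-list for the two
  # example ranges (the following curl is expected to get 403).
  # NOTE(review): ipBlocks only sees the real client if the load balancer
  # preserves it (externalTrafficPolicy: Local, NLB, or PROXY protocol as
  # set up above); behind a non-preserving LB it is the LB/node address.
  # The delimiter is quoted: nothing in this manifest should be expanded.
  kubectl apply -f - <<'EOF'
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks: ["1.2.3.4", "5.6.7.0/24"]
EOF
}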
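snip_ipbased_allow_list_and_deny_list_2() {
  # Same allow-list as the ipBlocks variant, but keyed on remoteIpBlocks: the
  # client address recovered from X-Forwarded-For (honouring
  # numTrustedProxies) or from the PROXY protocol header, for gateways that
  # sit behind an L7 proxy. Requests from other addresses get 403.
  # NOTE(review): this address is only as trustworthy as the proxies that
  # set it; with numTrustedProxies too high, or a gateway reachable directly,
  # a client can put any IP into X-Forwarded-For and match this list.
  # The delimiter is quoted: nothing in this manifest should be expanded.
  kubectl apply -f - <<'EOF'
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        remoteIpBlocks: ["1.2.3.4", "5.6.7.0/24"]
EOF
}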
snip_ipbased_allow_list_and_deny_list_3() {
  # Re-probe the gateway after the allow-list was applied; only the HTTP
  # status is printed (403 is expected, since our address is not listed).
  curl -s -o /dev/null -w '%{http_code}\n' "${INGRESS_HOST}:${INGRESS_PORT}/headers"
}
# Expected status of snip_ipbased_allow_list_and_deny_list_3: the ALLOW
# policy lists only the two example ranges, so the test client is rejected.
snip_ipbased_allow_list_and_deny_list_3_out='403'
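# Print the IPv4 address that follows "<label>: " on the last matching RBAC
# debug line read from stdin, with the ":port" suffix removed. Matching is by
# field name rather than by comma position, so a change in field order does
# not silently pick a different address. Prints nothing and returns 1 when
# no line carries the label or the value is not a dotted quad — the result
# is interpolated into policy YAML later, so nothing else may get through.
rbac_log_client_ip() {
  local label=$1 addr
  addr=$(grep -- "[ ,]${label}: " | tail -1 \
    | sed -e "s/.*[ ,]${label}: \([^,]*\).*/\1/" -e 's/:[0-9]*$//')
  [[ $addr =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  printf '%s\n' "$addr"
}

snip_ipbased_allow_list_and_deny_list_4() {
  # Collect the logs of every ingress gateway pod and take the directRemoteIP
  # (the TCP peer the gateway saw, which is what ipBlocks is matched against)
  # from the most recent RBAC decision. CLIENT_IP is deliberately global: the
  # following snippets interpolate it into the AuthorizationPolicy. Fails
  # (and leaves CLIENT_IP empty) instead of echoing junk when no valid
  # address is found.
  CLIENT_IP=$(kubectl get pods -n istio-system -o name -l istio=ingressgateway | sed 's|pod/||' \
    | while read -r pod; do kubectl logs "$pod" -n istio-system; done \
    | rbac_log_client_ip directRemoteIP) && echo "$CLIENT_IP"
}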
# Example output of snip_ipbased_allow_list_and_deny_list_4: the client
# address as seen by the gateway (yours will differ).
snip_ipbased_allow_list_and_deny_list_4_out='192.168.10.15'
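snip_ipbased_allow_list_and_deny_list_5() {
  # Re-apply the ipBlocks allow-list with the client's own address added, so
  # the next probe is expected to succeed (200). CLIENT_IP is interpolated
  # into the manifest, hence the unquoted heredoc delimiter; refuse to run
  # with an empty value, which would otherwise produce an invalid "" entry
  # and a confusing webhook rejection.
  if [[ -z ${CLIENT_IP:-} ]]; then
    echo "CLIENT_IP is empty; run snip_ipbased_allow_list_and_deny_list_4 first" >&2
    return 1
  fi
  kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks: ["1.2.3.4", "5.6.7.0/24", "$CLIENT_IP"]
EOF
}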
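# Print the IPv4 address that follows "<label>: " on the last matching RBAC
# debug line read from stdin, with the ":port" suffix removed. Matching is by
# field name rather than by comma position, so a change in field order does
# not silently pick a different address. Prints nothing and returns 1 when
# no line carries the label or the value is not a dotted quad — the result
# is interpolated into policy YAML later, so nothing else may get through.
rbac_log_client_ip() {
  local label=$1 addr
  addr=$(grep -- "[ ,]${label}: " | tail -1 \
    | sed -e "s/.*[ ,]${label}: \([^,]*\).*/\1/" -e 's/:[0-9]*$//')
  [[ $addr =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  printf '%s\n' "$addr"
}

snip_ipbased_allow_list_and_deny_list_6() {
  # Collect the logs of every ingress gateway pod and take the remoteIP (the
  # address recovered from X-Forwarded-For / PROXY protocol, which is what
  # remoteIpBlocks is matched against) from the most recent RBAC decision.
  # CLIENT_IP is deliberately global: the following snippets interpolate it
  # into the AuthorizationPolicy. Fails (and leaves CLIENT_IP empty) instead
  # of echoing junk when no valid address is found.
  CLIENT_IP=$(kubectl get pods -n istio-system -o name -l istio=ingressgateway | sed 's|pod/||' \
    | while read -r pod; do kubectl logs "$pod" -n istio-system; done \
    | rbac_log_client_ip remoteIP) && echo "$CLIENT_IP"
}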
# Example output of snip_ipbased_allow_list_and_deny_list_6: the client
# address recovered from the proxy chain (yours will differ).
snip_ipbased_allow_list_and_deny_list_6_out='192.168.10.15'
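snip_ipbased_allow_list_and_deny_list_7() {
  # Re-apply the remoteIpBlocks allow-list with the client's own address
  # added, so the next probe is expected to succeed (200). CLIENT_IP is
  # interpolated into the manifest, hence the unquoted heredoc delimiter;
  # refuse to run with an empty value, which would otherwise produce an
  # invalid "" entry and a confusing webhook rejection.
  if [[ -z ${CLIENT_IP:-} ]]; then
    echo "CLIENT_IP is empty; run snip_ipbased_allow_list_and_deny_list_6 first" >&2
    return 1
  fi
  kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        remoteIpBlocks: ["1.2.3.4", "5.6.7.0/24", "$CLIENT_IP"]
EOF
}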
snip_ipbased_allow_list_and_deny_list_8() {
  # Probe the gateway again now that our address is on the allow-list; only
  # the HTTP status is printed (200 expected).
  local -a args=(-s -o /dev/null -w '%{http_code}\n')
  curl "${args[@]}" "$INGRESS_HOST:$INGRESS_PORT/headers"
}
# Expected status of snip_ipbased_allow_list_and_deny_list_8: the client
# address is now part of the ALLOW list, so the request goes through.
snip_ipbased_allow_list_and_deny_list_8_out='200'
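snip_ipbased_allow_list_and_deny_list_9() {
  # Replace the allow-list with a DENY policy that blocks the client's own
  # address (matched on ipBlocks, the TCP peer address). Istio evaluates DENY
  # policies before ALLOW ones, so the listed address is rejected with 403
  # regardless of any allow rule. Refuse to run with an empty CLIENT_IP: a
  # DENY with an invalid "" block would be rejected by the webhook rather
  # than deny anything.
  if [[ -z ${CLIENT_IP:-} ]]; then
    echo "CLIENT_IP is empty; run snip_ipbased_allow_list_and_deny_list_4 first" >&2
    return 1
  fi
  kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        ipBlocks: ["$CLIENT_IP"]
EOF
}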
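snip_ipbased_allow_list_and_deny_list_10() {
  # Replace the allow-list with a DENY policy that blocks the client's own
  # address as recovered from X-Forwarded-For / PROXY protocol
  # (remoteIpBlocks). Istio evaluates DENY policies before ALLOW ones, so
  # the listed address is rejected with 403 regardless of any allow rule.
  # NOTE(review): because remoteIpBlocks is header-derived, a client that can
  # influence X-Forwarded-For (gateway reachable around the trusted proxies,
  # or numTrustedProxies too high) can also evade a deny-list built on it.
  # Refuse to run with an empty CLIENT_IP: a DENY with an invalid "" block
  # would be rejected by the webhook rather than deny anything.
  if [[ -z ${CLIENT_IP:-} ]]; then
    echo "CLIENT_IP is empty; run snip_ipbased_allow_list_and_deny_list_6 first" >&2
    return 1
  fi
  kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        remoteIpBlocks: ["$CLIENT_IP"]
EOF
}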
snip_ipbased_allow_list_and_deny_list_11() {
  # Probe the gateway once more with the DENY policy in place; only the
  # HTTP status is printed (403 expected for the denied client address).
  local target="$INGRESS_HOST:$INGRESS_PORT"
  curl -s -o /dev/null -w '%{http_code}\n' "$target/headers"
}
# Expected status of snip_ipbased_allow_list_and_deny_list_11: the client
# address is on the DENY list, so the request is rejected.
snip_ipbased_allow_list_and_deny_list_11_out='403'
snip_ipbased_allow_list_and_deny_list_12() {
  # Dump the complete log of every ingress gateway pod. With rbac:debug
  # enabled this shows each authorization decision together with the
  # addresses it was evaluated on, which is how to verify which of the
  # source/direct/remote addresses a policy actually matched.
  local pod
  while read -r pod; do
    kubectl logs "$pod" -n istio-system
  done < <(kubectl get pods -n istio-system -o name -l istio=ingressgateway | sed 's|pod/||')
}
snip_clean_up_1() {
  # Tear down httpbin, its Gateway and everything else in the task namespace.
  local ns=foo
  kubectl delete namespace "$ns"
}
snip_clean_up_2() {
  # Remove the gateway AuthorizationPolicy so the ingress is open again; if
  # it is left behind the allow/deny list keeps being enforced for all
  # traffic entering through the gateway.
  local policy=ingress-policy
  kubectl delete authorizationpolicy "$policy" -n istio-system
}