istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.9/blog/2021/migrate-alpha-policy/index.html

232 lines
51 KiB
HTML
Raw Permalink Blame History

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Migrate pre-Istio 1.4 Alpha security policy to the current APIs"><meta name=description content="A tutorial to help customers migrate from the deprecated v1alpha1 security policy to the supported v1beta1 version."><meta name=author content="Yangmin Zhu (Google), Craig Box (Google)"><meta name=keywords content="microservices,services,mesh,security,policy,migrate,alpha,beta,deprecate,peer,jwt,authorization"><meta property="og:title" content="Migrate pre-Istio 1.4 Alpha security policy to the current APIs"><meta property="og:type" content="website"><meta property="og:description" content="A tutorial to help customers migrate from the deprecated v1alpha1 security policy to the supported v1beta1 version."><meta property="og:url" content="/v1.9/blog/2021/migrate-alpha-policy/"><meta property="og:image" content="/v1.9/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="112"><meta property="og:image:height" content="150"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.9 / Migrate pre-Istio 1.4 Alpha security policy to the current APIs</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.9/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.9/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.9/feed.xml><link rel="shortcut icon" href=/v1.9/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.9/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.9/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.9/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.9/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.9/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.9/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.9/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.9/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.9/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.9/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.9/css/all.css><script src=/v1.9/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.9";const docTitle="Migrate pre-Istio 1.4 Alpha security policy to the current APIs";const iconFile="\/v1.9/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.9/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.9/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2"/><polygon points="65 240 225 240 125 270"/><polygon points="65 230 125 220 125 110"/><polygon points="135 220 225 230 135 30"/></svg></span><span class=name>Istioldie 1.9</span></a><div id=hamburger><svg class="icon hamburger"><use xlink:href="/v1.9/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.9/docs/>Docs</a>
<a class=current title="Posts about using Istio." href=/v1.9/blog/2021/>Blog<i class=dot data-prefix=/blog></i></a>
<a title="Timely news about the Istio project." href=/v1.9/news/>News<i class=dot data-prefix=/news></i></a>
<a title="Frequently Asked Questions about Istio." href=/v1.9/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.9/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon gear"><use xlink:href="/v1.9/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2021\/migrate-alpha-policy\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2021\/migrate-alpha-policy\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://istio.io/archive>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.9/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.9/search>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon cancel-x"><use xlink:href="/v1.9/img/icons.svg#cancel-x"/></svg></button></form></nav></header><div class=banner-container></div><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card0 title="Blog posts for 2021." aria-controls=card0-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2021 Posts</button><div class="body default" aria-labelledby=card0 role=region id=card0-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card0><li role=none><a role=treeitem title="The Product Security working group announces Patch Tuesdays, how 0-days and embargoes are handled, updates to the security best practices page and the notification of the early disclosure list (May 11, 2021)" href=/v1.9/blog/2021/patch-tuesdays/>Updates to how Istio security releases are handled: Patch Tuesday, embargoes, and 0-days</a></li><li role=none><a role=treeitem title="Learn how to use discovery selectors and how they intersect with Sidecar resources (April 30, 2021)" href=/v1.9/blog/2021/discovery-selectors/>Use discovery selectors to configure namespaces for your Istio service mesh</a></li><li role=none><a role=treeitem title="Understanding the upcoming changes to Istio networking, how they may impact your cluster, and what action to take (April 15, 2021)" href=/v1.9/blog/2021/upcoming-networking-changes/>Upcoming networking changes in Istio 1.10</a></li><li role=none><a role=treeitem title="An update on Envoy and Istio's WebAssembly-based extensibility effort (March 5, 2021)" href=/v1.9/blog/2021/wasm-progress/>Istio and Envoy WebAssembly Extensibility, One Year On</a></li><li role=none><span role=treeitem class=current title="A tutorial to help customers migrate from the deprecated v1alpha1 security policy to the supported v1beta1 version (March 3, 2021)">Migrate pre-Istio 1.4 Alpha security policy to the current APIs</span></li><li role=none><a role=treeitem title="Understanding the benefits Istio brings, even when no configuration is used (February 25, 2021)" href=/v1.9/blog/2021/zero-config-istio/>Zero Configuration Istio</a></li><li role=none><a role=treeitem title="Learn about sessions, panels, workshops and more on the IstioCon website (February 16, 2021)" href=/v1.9/blog/2021/istiocon-2021-program/>IstioCon 2021: Schedule Is Live!</a></li><li role=none><a role=treeitem title="AuthorizationPolicy now supports CUSTOM action to delegate the authorization to external system (February 9, 2021)" href=/v1.9/blog/2021/better-external-authz/>Better External Authorization</a></li></ul></div></div><div class=card><button class="header dynamic" id=card1 title="Blog posts for 2020." aria-controls=card1-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2020 Posts</button><div class=body aria-labelledby=card1 role=region id=card1-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card1><li role=none><a role=treeitem title="Deploy multiple Istio egress gateways independently to have fine-grained control of egress communication from the mesh (December 16, 2020)" href=/v1.9/blog/2020/proxying-legacy-services-using-egress-gateways/>Proxying legacy services using Istio egress gateways</a></li><li role=none><a role=treeitem title="How to enable proxy protocol on AWS NLB and Istio ingress gateway (December 11, 2020)" href=/v1.9/blog/2020/show-source-ip/>Proxy protocol on AWS NLB and Istio ingress gateway</a></li><li role=none><a role=treeitem title="The inaugural conference for Istio will take place at the end of February (December 8, 2020)" href=/v1.9/blog/2020/istiocon-2021/>Join us for the first IstioCon in 2021!</a></li><li role=none><a role=treeitem title="How to ensure your clusters are not impacted by Docker Hub rate limiting (December 7, 2020)" href=/v1.9/blog/2020/docker-rate-limit/>Handling Docker Hub rate limiting</a></li><li role=none><a role=treeitem title="Workload Local DNS resolution to simplify VM integration, multicluster, and more (November 12, 2020)" href=/v1.9/blog/2020/dns-proxy/>Expanding into New Frontiers - Smart DNS Proxying in Istio</a></li><li role=none><a role=treeitem title="Announcing the four newest Istio Steering Committee members (September 29, 2020)" href=/v1.9/blog/2020/steering-election-results/>2020 Steering Committee Election Results</a></li><li role=none><a role=treeitem title="The effect of security policies on latency of requests (September 15, 2020)" href=/v1.9/blog/2020/large-scale-security-policy-performance-tests/>Large Scale Security Policy Performance Tests</a></li><li role=none><a role=treeitem title="A new deployment model for Istio (August 27, 2020)" href=/v1.9/blog/2020/new-deployment-model/>Deploying Istio Control Planes Outside the Mesh</a></li><li role=none><a role=treeitem title="The Istio Steering Committee is now in part proportionally allocated to companies based on contribution, and in part elected by community members (August 24, 2020)" href=/v1.9/blog/2020/steering-changes/>Introducing the new Istio steering committee</a></li><li role=none><a role=treeitem title="An alternative sidecar proxy for Istio (July 28, 2020)" href=/v1.9/blog/2020/mosn-proxy/>Using MOSN with Istio: an alternative data plane</a></li><li role=none><a role=treeitem title="An update on trademarks and project governance (July 8, 2020)" href=/v1.9/blog/2020/open-usage/>Open and neutral: transferring our trademarks to the Open Usage Commons</a></li><li role=none><a role=treeitem title="A new way to manage installation of telemetry addons (June 4, 2020)" href=/v1.9/blog/2020/addon-rework/>Reworking our Addon Integrations</a></li><li role=none><a role=treeitem title="Describing the new functionality of Workload Entries (May 21, 2020)" href=/v1.9/blog/2020/workload-entry/>Introducing Workload Entries</a></li><li role=none><a role=treeitem title="Simplifying Istio upgrades by offering safe canary deployments of the control plane (May 19, 2020)" href=/v1.9/blog/2020/multiple-control-planes/>Safely Upgrade Istio using a Canary Control Plane Deployment</a></li><li role=none><a role=treeitem title="Configure the IBM Cloud Kubernetes Service Application Load Balancer to direct traffic to the Istio Ingress gateway with mutual TLS (May 15, 2020)" href=/v1.9/blog/2020/alb-ingress-gateway-iks/>Direct encrypted traffic from IBM Cloud Kubernetes Service Ingress to Istio Ingress Gateway</a></li><li role=none><a role=treeitem title="Community partner tooling of Wasm for Istio by Solo.io (March 25, 2020)" href=/v1.9/blog/2020/wasmhub-istio/>Extended and Improved WebAssemblyHub to Bring the Power of WebAssembly to Envoy and Istio</a></li><li role=none><a role=treeitem title="A mechanism to acquire and share an application certificate and key through mounted files (March 25, 2020)" href=/v1.9/blog/2020/proxy-cert/>Provision a certificate and key for an application without sidecars</a></li><li role=none><a role=treeitem title="Istiod consolidates the Istio control plane components into a single binary (March 19, 2020)" href=/v1.9/blog/2020/istiod/>Introducing istiod: simplifying the control plane</a></li><li role=none><a role=treeitem title="Configuring Wasm extensions for Envoy and Istio declaratively (March 16, 2020)" href=/v1.9/blog/2020/deploy-wasm-declarative/>Declarative WebAssembly deployment for Istio</a></li><li role=none><a role=treeitem title="The future of Istio extensibility using WASM (March 5, 2020)" href=/v1.9/blog/2020/wasm-announce/>Redefining extensibility in proxies - introducing WebAssembly to Envoy and Istio</a></li><li role=none><a role=treeitem title="A vision statement and roadmap for Istio in 2020 (March 3, 2020)" href=/v1.9/blog/2020/tradewinds-2020/>Istio in 2020 - Following the Trade Winds</a></li><li role=none><a role=treeitem title="A more secure way to manage secrets (February 20, 2020)" href=/v1.9/blog/2020/istio-agent/>Remove cross-pod unix domain sockets</a></li><li role=none><a role=treeitem title="Automating Istio configuration for Istio deployments (clusters) that work as a single mesh (January 5, 2020)" href=/v1.9/blog/2020/multi-cluster-mesh-automation/>Multicluster Istio configuration and service discovery using Admiral</a></li></ul></div></div><div class=card><button class="header dynamic" id=card2 title="Blog posts for 2019." aria-controls=card2-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2019 Posts</button><div class=body aria-labelledby=card2 role=region id=card2-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card2><li role=none><a role=treeitem title="Provision and manage DNS certificates in Istio (November 14, 2019)" href=/v1.9/blog/2019/dns-cert/>DNS Certificate Management</a></li><li role=none><a role=treeitem title="Analyze your Istio configuration to detect potential issues and get general insights (November 14, 2019)" href=/v1.9/blog/2019/introducing-istioctl-analyze/>Introducing istioctl analyze</a></li><li role=none><a role=treeitem title="Introduction to Istio's new operator-based installation and control plane management feature (November 14, 2019)" href=/v1.9/blog/2019/introducing-istio-operator/>Introducing the Istio Operator</a></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy (November 14, 2019)" href=/v1.9/blog/2019/v1beta1-authorization-policy/>Introducing the Istio v1beta1 Authorization Policy</a></li><li role=none><a role=treeitem title="Getting programmatic access to Istio resources (November 14, 2019)" href=/v1.9/blog/2019/announcing-istio-client-go/>Announcing Istio client-go</a></li><li role=none><a role=treeitem title="A more secure way to manage Istio webhooks (November 14, 2019)" href=/v1.9/blog/2019/webhook/>Secure Webhook Management</a></li><li role=none><a role=treeitem title="Configure Istio ingress gateway to act as a proxy for external services (October 15, 2019)" href=/v1.9/blog/2019/proxy/>Istio as a Proxy for External Services</a></li><li role=none><a role=treeitem title="Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation (October 2, 2019)" href=/v1.9/blog/2019/isolated-clusters/>Multi-Mesh Deployments for Isolation and Boundary Protection</a></li><li role=none><a role=treeitem title="How can you use Istio to monitor blocked and passthrough external traffic (September 28, 2019)" href=/v1.9/blog/2019/monitoring-external-service-traffic/>Monitoring Blocked and Passthrough External Service Traffic</a></li><li role=none><a role=treeitem title="Using Istio to secure multi-cloud Kubernetes applications with zero code changes (September 18, 2019)" href=/v1.9/blog/2019/app-identity-and-access-adapter/>App Identity and Access Adapter</a></li><li role=none><a role=treeitem title="Demonstrates a Mixer out-of-process adapter which implements the Knative scale-from-zero logic (September 18, 2019)" href=/v1.9/blog/2019/knative-activator-adapter/>Mixer Adapter for Knative</a></li><li role=none><a role=treeitem title="Taking advantage of Kubernetes trustworthy JWTs to issue certificates for workload instances more securely (September 10, 2019)" href=/v1.9/blog/2019/trustworthy-jwt-sds/>Change in Secret Discovery Service in Istio 1.3</a></li><li role=none><a role=treeitem title="The design principles behind Istio's APIs and how those APIs are evolving (August 5, 2019)" href=/v1.9/blog/2019/evolving-istios-apis/>The Evolution of Istio's APIs</a></li><li role=none><a role=treeitem title="Comparison of alternative solutions to control egress traffic including performance considerations (July 22, 2019)" href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></li><li role=none><a role=treeitem title="Use Istio Egress Traffic Control to prevent attacks involving egress traffic (July 10, 2019)" href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></li><li role=none><a role=treeitem title="Tools and guidance for evaluating Istio's data plane performance (July 9, 2019)" href=/v1.9/blog/2019/performance-best-practices/>Best Practices: Benchmarking Service Mesh Performance</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of Istio self-signed root certificate (June 7, 2019)" href=/v1.9/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></li><li role=none><a role=treeitem title="Attacks involving egress traffic and requirements for egress traffic control (May 22, 2019)" href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-1/>Secure Control of Egress Traffic in Istio, part 1</a></li><li role=none><a role=treeitem title="An overview of Istio 1.1 performance (March 19, 2019)" href=/v1.9/blog/2019/istio1.1_perf/>Architecting Istio 1.1 for Performance</a></li><li role=none><a role=treeitem title="Configuring Istio route rules in a multicluster service mesh (February 7, 2019)" href=/v1.9/blog/2019/multicluster-version-routing/>Version Routing in a Multicluster Service Mesh</a></li><li role=none><a role=treeitem title="Announces the new Istio blog policy (February 5, 2019)" href=/v1.9/blog/2019/sail-the-blog/>Sail the Blog!</a></li><li role=none><a role=treeitem title="De-mystify how Istio manages to plugin its data-plane components into an existing deployment (January 31, 2019)" href=/v1.9/blog/2019/data-plane-setup/>Demystifying Istio's Sidecar Injection Model</a></li><li role=none><a role=treeitem title="Verifies the performance impact of adding an egress gateway (January 31, 2019)" href=/v1.9/blog/2019/egress-performance/>Egress Gateway Performance Investigation</a></li><li role=none><a role=treeitem title="Addressing application startup ordering and startup latency using AppSwitch (January 14, 2019)" href=/v1.9/blog/2019/appswitch/>Sidestepping Dependency Ordering with AppSwitch</a></li><li role=none><a role=treeitem title="Describes how to deploy a custom ingress gateway using cert-manager manually (January 10, 2019)" href=/v1.9/blog/2019/custom-ingress-gateway/>Deploy a Custom Ingress Gateway Using Cert-Manager</a></li><li role=none><a role=treeitem title="Istio has a new discussion board (January 10, 2019)" href=/v1.9/blog/2019/announcing-discuss.istio.io/>Announcing discuss.istio.io</a></li></ul></div></div><div class=card><button class="header dynamic" id=card3 title="Blog posts for 2018." aria-controls=card3-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2018 Posts</button><div class=body aria-labelledby=card3 role=region id=card3-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card3><li role=none><a role=treeitem title="How to use Istio for traffic management without deploying sidecar proxies (November 21, 2018)" href=/v1.9/blog/2018/incremental-traffic-management/>Incremental Istio Part 1, Traffic Management</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (November 16, 2018)" href=/v1.9/blog/2018/egress-mongo/>Consuming External MongoDB Services</a></li><li role=none><a role=treeitem title="Istio hosting an all day Twitch stream to celebrate the 1.0 release (August 3, 2018)" href=/v1.9/blog/2018/istio-twitch-stream/>All Day Istio Twitch Stream</a></li><li role=none><a role=treeitem title="How HP is building its next-generation footwear personalization platform on Istio (July 31, 2018)" href=/v1.9/blog/2018/hp/>Istio a Game Changer for HP's FitStation Platform</a></li><li role=none><a role=treeitem title="Automatic application onboarding and latency optimizations using AppSwitch (July 30, 2018)" href=/v1.9/blog/2018/delayering-istio/>Delayering Istio with AppSwitch</a></li><li role=none><a role=treeitem title="Describe Istio's authorization feature and how to use it in various use cases (July 20, 2018)" href=/v1.9/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></li><li role=none><a role=treeitem title="How to export Istio Access Logs to different sinks like BigQuery, GCS, Pub/Sub through Stackdriver (July 9, 2018)" href=/v1.9/blog/2018/export-logs-through-stackdriver/>Exporting Logs to BigQuery, GCS, Pub/Sub through Stackdriver</a></li><li role=none><a role=treeitem title="Describes how to configure Istio for monitoring and access policies of HTTP egress traffic (June 22, 2018)" href=/v1.9/blog/2018/egress-monitoring-access-control/>Monitoring and Access Policies for HTTP Egress Traffic</a></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1alpha3 routing API (April 25, 2018)" href=/v1.9/blog/2018/v1alpha3-routing/>Introducing the Istio v1alpha3 routing API</a></li><li role=none><a role=treeitem title="Describes how to configure Istio ingress with a network load balancer on AWS (April 20, 2018)" href=/v1.9/blog/2018/aws-nlb/>Configuring Istio Ingress with AWS NLB</a></li><li role=none><a role=treeitem title="Using Kubernetes namespaces and RBAC to create an Istio soft multi-tenancy environment (April 19, 2018)" href=/v1.9/blog/2018/soft-multitenancy/>Istio Soft Multi-Tenancy Support</a></li><li role=none><a role=treeitem title="An introduction to safer, lower-risk deployments and release to production (February 8, 2018)" href=/v1.9/blog/2018/traffic-mirroring/>Traffic Mirroring with Istio for Testing in Production</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (February 6, 2018)" href=/v1.9/blog/2018/egress-tcp/>Consuming External TCP Services</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (January 31, 2018)" href=/v1.9/blog/2018/egress-https/>Consuming External Web Services</a></li></ul></div></div><div class=card><button class="header dynamic" id=card4 title="Blog posts for 2017." aria-controls=card4-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2017 Posts</button><div class=body aria-labelledby=card4 role=region id=card4-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card4><li role=none><a role=treeitem title="Improving availability and reducing latency (December 7, 2017)" href=/v1.9/blog/2017/mixer-spof-myth/>Mixer and the SPOF Myth</a></li><li role=none><a role=treeitem title="Provides an overview of Mixer's plug-in architecture (November 3, 2017)" href=/v1.9/blog/2017/adapter-model/>Mixer Adapter Model</a></li><li role=none><a role=treeitem title="How Kubernetes Network Policy relates to Istio policy (August 10, 2017)" href=/v1.9/blog/2017/0.1-using-network-policy/>Using Network Policy with Istio</a></li><li role=none><a role=treeitem title="Using Istio to create autoscaled canary deployments (June 14, 2017)" href=/v1.9/blog/2017/0.1-canary/>Canary Deployments using Istio</a></li><li role=none><a role=treeitem title="Istio Authentication 0.1 announcement (May 25, 2017)" href=/v1.9/blog/2017/0.1-auth/>Using Istio to Improve End-to-End Security</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon pull"><use xlink:href="/v1.9/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.9/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.9/blog/ title="Posts about using Istio.">Blog</a></li><li><a href=/v1.9/blog/2021/ title="Blog posts for 2021.">2021 Posts</a></li><li>Migrate pre-Istio 1.4 Alpha security policy to the current APIs</li></ol></nav><article aria-labelledby=title><div class=title-area><div style=width:100%><h1 id=title>Migrate pre-Istio 1.4 Alpha security policy to the current APIs</h1><p class=byline><span>By</span>
<span class=attribution>Yangmin Zhu (Google), Craig Box (Google)</span><span> | </span><span><svg class="icon calendar"><use xlink:href="/v1.9/img/icons.svg#calendar"/></svg><span>&nbsp;</span>March 3, 2021</span><span> | </span><span title="1779 words"><svg class="icon clock"><use xlink:href="/v1.9/img/icons.svg#clock"/></svg><span>&nbsp;</span>9 minute read</span>
<span>&nbsp;</span>
<span></span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label=Overview><a href=#overview>Overview</a><li role=none aria-label="Major differences"><a href=#major-differences>Major differences</a><li role=none aria-label="Migration flow"><a href=#migration-flow>Migration flow</a><ol><li role=none aria-label="Step 1: Find related policies"><a href=#step-1-find-related-policies>Step 1: Find related policies</a><li role=none aria-label="Step 2: Convert service name to workload selector"><a href=#step-2-convert-service-name-to-workload-selector>Step 2: Convert service name to workload selector</a><li role=none aria-label="Step 3: Migrate authentication policy"><a href=#step-3-migrate-authentication-policy>Step 3: Migrate authentication policy</a><li role=none aria-label="Step 4: Migrate RBAC policy"><a href=#step-4-migrate-rbac-policy>Step 4: Migrate RBAC policy</a><li role=none aria-label="Step 5: Verify migrated policy"><a href=#step-5-verify-migrated-policy>Step 5: Verify migrated policy</a></ol></li><li role=none aria-label=Example><a href=#example>Example</a><ol><li role=none aria-label="v1alpha1 policy"><a href=#v1alpha1-policy><code>v1alpha1</code> policy</a><li role=none aria-label="httpbin service"><a href=#httpbin-service><code>httpbin</code> service</a><li role=none aria-label="v1beta1 authentication policy"><a href=#v1beta1-authentication-policy><code>v1beta1</code> authentication policy</a><li role=none aria-label="v1beta1 authorization policy"><a href=#v1beta1-authorization-policy><code>v1beta1</code> authorization policy</a></ol></li><li role=none aria-label="Finish the upgrade"><a href=#finish-the-upgrade>Finish the upgrade</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>In versions of Istio prior to 1.4, security policy was configured using <code>v1alpha1</code> APIs (<code>MeshPolicy</code>, <code>Policy</code>, <code>ClusterRbacConfig</code>, <code>ServiceRole</code> and <code>ServiceRoleBinding</code>). After consulting with our early adopters, we made <a href=/v1.9/blog/2019/v1beta1-authorization-policy/>major improvements to the policy system</a> and released <code>v1beta1</code> APIs along with Istio 1.4. These refreshed APIs (<code>PeerAuthentication</code>, <code>RequestAuthentication</code> and <code>AuthorizationPolicy</code>) helped standardize how we define policy targets in Istio, helped users understand where policies were applied, and cut the number of configuration objects required.</p><p>The old APIs were deprecated in Istio 1.4. Two releases after the <code>v1beta1</code> APIs were introduced, Istio 1.6 removed support for the <code>v1alpha1</code> APIs.</p><p>If you are using a version of Istio prior to 1.6 and you want to upgrade, you will have to migrate your alpha security policy objects to the beta API. This tutorial will help you make that move.</p><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.9/img/icons.svg#callout-tip"/></svg></div><div class=content>If you adopted Istio after version 1.6, or you&rsquo;re not using <code>v1alpha1</code> security APIs, you can stop reading.</div></aside></div><h2 id=overview>Overview</h2><p>Your control plane must first be upgraded to a version that supports the <code>v1beta1</code> security policy.</p><p>It is recommended to first upgrade to Istio 1.5 as a transitive version, because it is the only version that supports both
<code>v1alpha1</code> and <code>v1beta1</code> security policies. You will complete the security policy migration in Istio 1.5, remove the
<code>v1alpha1</code> security policy, and then continue to upgrade to later Istio versions. For a given workload, the <code>v1beta1</code>
version will take precedence over the <code>v1alpha1</code> version.</p><p>Alternatively, if you want to do a skip-level upgrade directly from Istio 1.4 to 1.6 or later, you should use the
<a href=/v1.9/docs/setup/upgrade/canary/>canary upgrade</a> method to install a new Istio version as a separate control plane, and
gradually migrate your workloads to the new control plane completing the security policy migration at the same time.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.9/img/icons.svg#callout-warning"/></svg></div><div class=content>Skip-level upgrades are not supported by Istio and there might be other issues in this process. Istio 1.6 does not support
the <code>v1alpha1</code> security policy, and if you do not migrate your old policies before the upgrade, you are essentially removing
all your security policies.</div></aside></div><p>In either case, it is recommended to migrate using namespace granularity: for each namespace, find all the
<code>v1alpha1</code> policies that have an effect on workloads in the namespace and migrate all the policies to <code>v1beta1</code>
at the same time. This allows a safer migration as you can make sure everything is working as expected,
and then move forward to the next namespace.</p><h2 id=major-differences>Major differences</h2><p>Before starting the migration, read through the <code>v1beta1</code> <a href=/v1.9/docs/concepts/security/#authentication>authentication</a>
and <a href=/v1.9/docs/concepts/security/#authorization>authorization</a> documentation to understand the <code>v1beta1</code> policy.</p><p>You should examine all of your existing <code>v1alpha1</code> security policies, find out what fields are used and which policies
need migration, compare the findings with the major differences listed below and confirm there are no blocking issues
(e.g., using an alpha feature that is no longer supported in beta):</p><table><thead><tr><th>Major Differences</th><th><code>v1alpha1</code></th><th><code>v1beta1</code></th></tr></thead><tbody><tr><td>API stability</td><td>not backward compatible</td><td>backward compatible</td></tr><tr><td>mTLS</td><td><code>MeshPolicy</code> and <code>Policy</code></td><td><code>PeerAuthentication</code></td></tr><tr><td>JWT</td><td><code>MeshPolicy</code> and <code>Policy</code></td><td><code>RequestAuthentication</code></td></tr><tr><td>Authorization</td><td><code>ClusterRbacConfig</code>, <code>ServiceRole</code> and <code>ServiceRoleBinding</code></td><td><code>AuthorizationPolicy</code></td></tr><tr><td>Policy target</td><td>service name based</td><td>workload selector based</td></tr><tr><td>Port number</td><td>service ports</td><td>workload ports</td></tr></tbody></table><p>Although <code>RequestAuthentication</code> in <code>v1beta1</code> security policy is similar to the <code>v1alpha1</code> JWT policy, there is a notable
semantics change. The <code>v1alpha1</code> JWT policy needs to be migrated to two <code>v1beta1</code> resources: <code>RequestAuthentication</code> and
<code>AuthorizationPolicy</code>. This will change the JWT deny message due to the use of <code>AuthorizationPolicy</code>. In the alpha version,
the HTTP code 401 is returned with the body <code>Origin authentication failed</code>. In the beta version, the HTTP code 403 is
returned with the body <code>RBAC: access denied</code>.</p><p>The <code>v1alpha1</code> JWT policy <a href=https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Jwt-TriggerRule><code>triggerRule</code> field</a>
is replaced by the <code>AuthorizationPolicy</code> with the exception that the <a href=https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#StringMatch><code>regex</code> field</a>
is no longer supported.</p><h2 id=migration-flow>Migration flow</h2><p>This section describes in detail how to migrate a <code>v1alpha1</code> security policy.</p><h3 id=step-1-find-related-policies>Step 1: Find related policies</h3><p>For each namespace, find all <code>v1alpha1</code> security policies that have an effect on workloads in the namespace. The result
could include:</p><ul><li>a single <code>MeshPolicy</code> that applies to all services in the mesh;</li><li>a single namespace-level <code>Policy</code> that applies to all workloads in the namespace;</li><li>multiple service-level <code>Policy</code> objects that apply to the selected services in the namespace;</li><li>a single <code>ClusterRbacConfig</code> that enables the RBAC on the whole namespace or some services in the namespace;</li><li>multiple namespace-level <code>ServiceRole</code> and <code>ServiceRoleBinding</code> objects that apply to all services in the namespace;</li><li>multiple service-level <code>ServiceRole</code> and <code>ServiceRoleBinding</code> objects that apply to the selected services in the namespace;</li></ul><h3 id=step-2-convert-service-name-to-workload-selector>Step 2: Convert service name to workload selector</h3><p>The <code>v1alpha1</code> policy selects targets using their service name. You should refer to the corresponding service definition to decide
the workload selector that should be used in the <code>v1beta1</code> policy.</p><p>A single <code>v1alpha1</code> policy may include multiple services. It will need to be migrated to multiple <code>v1beta1</code> policies
because the <code>v1beta1</code> policy currently only supports at most one workload selector per policy.</p><p>Also note the <code>v1alpha1</code> policy uses service port but the <code>v1beta1</code> policy uses the workload port. This means the port number might be
different in the migrated <code>v1beta1</code> policy.</p><h3 id=step-3-migrate-authentication-policy>Step 3: Migrate authentication policy</h3><p>For each <code>v1alpha1</code> authentication policy, migrate with the following rules:</p><ol><li><p>If the whole namespace is enabled with mTLS or JWT, create the <code>PeerAuthentication</code>, <code>RequestAuthentication</code> and
<code>AuthorizationPolicy</code> without a workload selector for the whole namespace. Fill out the policy based on the
semantics of the corresponding <code>MeshPolicy</code> or <code>Policy</code> for the namespace.</p></li><li><p>If a workload is enabled with mTLS or JWT, create the <code>PeerAuthentication</code>, <code>RequestAuthentication</code> and
<code>AuthorizationPolicy</code> with a corresponding workload selector for the workload. Fill out the policy based on the
semantics of the corresponding <code>MeshPolicy</code> or <code>Policy</code> for the workload.</p></li><li><p>For mTLS related configuration, use <code>STRICT</code> mode if the alpha policy is using <code>STRICT</code>, or use <code>PERMISSIVE</code> in all other cases.</p></li><li><p>For JWT related configuration, refer to the <a href=/v1.9/docs/tasks/security/authentication/authn-policy/#end-user-authentication><code>end-user authentication</code> documentation</a>
to learn how to migrate to <code>RequestAuthentication</code> and <code>AuthorizationPolicy</code>.</p></li></ol><p>A <a href=https://github.com/istio-ecosystem/security-policy-migrate>security policy migration tool</a> is provided to
automatically migrate authentication policy automatically. Please refer to the tool&rsquo;s README for its usage.</p><h3 id=step-4-migrate-rbac-policy>Step 4: Migrate RBAC policy</h3><p>For each <code>v1alpha1</code> RBAC policy, migrate with the following rules:</p><ol><li><p>If the whole namespace is enabled with RBAC, create an <code>AuthorizationPolicy</code> without a workload selector for the whole
namespace. Add an empty rule so that it will deny all requests to the namespace by default.</p></li><li><p>If a workload is enabled with RBAC, create an <code>AuthorizationPolicy</code> with a corresponding workload selector for the workload.
Add rules based on the semantics of the corresponding <code>ServiceRole</code> and <code>ServiceRoleBinding</code> for the workload.</p></li></ol><h3 id=step-5-verify-migrated-policy>Step 5: Verify migrated policy</h3><ol><li><p>Double check the migrated <code>v1beta1</code> policies: make sure there are no policies with duplicate names, the namespace
is specified correctly and all <code>v1alpha1</code> policies for the given namespace are migrated.</p></li><li><p>Dry-run the <code>v1beta1</code> policy with the command <code>kubectl apply --dry-run=server -f beta-policy.yaml</code> to make sure it
is valid.</p></li><li><p>Apply the <code>v1beta1</code> policy to the given namespace and closely monitor the effect. Make sure to test both allow and
deny scenarios if JWT or authorization are used.</p></li><li><p>Migrate the next namespace. Only remove the <code>v1alpha1</code> policy after completing migration for all namespaces successfully.</p></li></ol><h2 id=example>Example</h2><h3 id=v1alpha1-policy><code>v1alpha1</code> policy</h3><p>This section gives a full example showing the migration for namespace <code>foo</code>. Assume the namespace <code>foo</code> has the following
<code>v1alpha1</code> policies that affect the workloads in it:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio># A MeshPolicy that enables mTLS globally, including the whole foo namespace
apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;MeshPolicy&#34;
metadata:
name: &#34;default&#34;
spec:
peers:
- mtls: {}
---
# A Policy that enables mTLS permissive mode and enables JWT for the httpbin service on port 8000
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: httpbin
namespace: foo
spec:
targets:
- name: httpbin
ports:
- number: 8000
peers:
- mtls:
mode: PERMISSIVE
origins:
- jwt:
issuer: testing@example.com
jwksUri: https://www.example.com/jwks.json
triggerRules:
- includedPaths:
- prefix: /admin/
excludedPaths:
- exact: /admin/status
principalBinding: USE_ORIGIN
---
# A ClusterRbacConfig that enables RBAC globally, including the foo namespace
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ClusterRbacConfig
metadata:
name: default
spec:
mode: &#39;ON&#39;
---
# A ServiceRole that enables RBAC for the httpbin service
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRole
metadata:
name: httpbin
namespace: foo
spec:
rules:
- services: [&#34;httpbin.foo.svc.cluster.local&#34;]
methods: [&#34;GET&#34;]
---
# A ServiceRoleBinding for the above ServiceRole
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRoleBinding
metadata:
name: httpbin
namespace: foo
spec:
subjects:
- user: cluster.local/ns/foo/sa/sleep
roleRef:
kind: ServiceRole
name: httpbin
</code></pre><h3 id=httpbin-service><code>httpbin</code> service</h3><p>The <code>httpbin</code> service has the following definition:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: v1
kind: Service
metadata:
name: httpbin
namespace: foo
spec:
ports:
- name: http
port: 8000
targetPort: 80
selector:
app: httpbin
</code></pre><p>This means the service name <code>httpbin</code> should be replaced by the workload selector <code>app: httpbin</code>, and the service port 8000
should be replaced by the workload port 80.</p><h3 id=v1beta1-authentication-policy><code>v1beta1</code> authentication policy</h3><p>The migrated <code>v1beta1</code> policies for the <code>v1alpha1</code> authentication policies in <code>foo</code> namespace are listed below:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio># A PeerAuthentication that enables mTLS for the foo namespace, migrated from the MeshPolicy
# Alternatively the MeshPolicy could also be migrated to a PeerAuthentication at mesh level
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
mtls:
mode: STRICT
---
# A PeerAuthentication that enables mTLS for the httpbin workload, migrated from the Policy
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
# port level mtls set for the workload port 80 corresponding to the service port 8000
portLevelMtls:
80:
mode: PERMISSIVE
--
# A RequestAuthentication that enables JWT for the httpbin workload, migrated from the Policy
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
jwtRules:
- issuer: testing@example.com
jwksUri: https://www.example.com/jwks.json
---
# An AuthorizationPolicy that enforces to require JWT validation for the httpbin workload, migrated from the Policy
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin-jwt
namespace: foo
spec:
# Use DENY action to explicitly deny requests without JWT token
action: DENY
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
# This makes sure requests without JWT token will be denied
notRequestPrincipals: [&#34;*&#34;]
to:
- operation:
# This should be the workload port 80, not the service port 8000
ports: [&#34;80&#34;]
# The path and notPath is converted from the trigger rule in the Policy
paths: [&#34;/admin/*&#34;]
notPaths: [&#34;/admin/status&#34;]
</code></pre><h3 id=v1beta1-authorization-policy><code>v1beta1</code> authorization policy</h3><p>The migrated <code>v1beta1</code> policies for the <code>v1alpha1</code> RBAC policies in <code>foo</code> namespace are listed below:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio># An AuthorizationPolicy that denies by default, migrated from the ClusterRbacConfig
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default
namespace: foo
spec:
# An empty rule that allows nothing
{}
---
# An AuthorizationPolicy that enforces to authorization for the httpbin workload, migrated from the ServiceRole and ServiceRoleBinding
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
version: v1
action: ALLOW
rules:
- from:
- source:
principals: [&#34;cluster.local/ns/foo/sa/sleep&#34;]
to:
- operation:
methods: [&#34;GET&#34;]
</code></pre><h2 id=finish-the-upgrade>Finish the upgrade</h2><p>Congratulations; having reached this point, you should only have <code>v1beta1</code> policy objects, and you will be able to continue upgrading Istio to 1.6 and beyond.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/docs/tasks/security/authorization/authz-jwt/>JWT Token</a></p><p class=desc>Shows how to set up access control for JWT token.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/docs/concepts/security/>Security</a></p><p class=desc>Describes Istio's authorization and authentication functionality.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2019/v1beta1-authorization-policy/>Introducing the Istio v1beta1 Authorization Policy</a></p><p class=desc>Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2019/app-identity-and-access-adapter/>App Identity and Access Adapter</a></p><p class=desc>Using Istio to secure multi-cloud Kubernetes applications with zero code changes.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></p><p class=desc>Describe Istio's authorization feature and how to use it in various use cases.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/docs/tasks/security/authorization/authz-deny/>Explicit Deny</a></p><p class=desc>Shows how to set up access control to deny traffic explicitly.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="An update on Envoy and Istio's WebAssembly-based extensibility effort." href=/v1.9/blog/2021/wasm-progress/><svg class="icon left-arrow"><use xlink:href="/v1.9/img/icons.svg#left-arrow"/></svg>Istio and Envoy WebAssembly Extensibility, One Year On</a></div><div class=right><a title="Understanding the benefits Istio brings, even when no configuration is used." href=/v1.9/blog/2021/zero-config-istio/>Zero Configuration Istio<svg class="icon right-arrow"><use xlink:href="/v1.9/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=feedback><div id=feedback-initial>Was this information useful?<br><button class="btn feedback" onclick="sendFeedback('en',1)">Yes</button>
<button class="btn feedback" onclick="sendFeedback('en',0)">No</button></div><div id=feedback-comment>Do you have any suggestions for improvement?<br><br><input id=feedback-textbox type=text placeholder="Help us improve..." data-lang=en></div><div id=feedback-thankyou>Thanks for your feedback!</div></div><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label=Overview><a href=#overview>Overview</a><li role=none aria-label="Major differences"><a href=#major-differences>Major differences</a><li role=none aria-label="Migration flow"><a href=#migration-flow>Migration flow</a><ol><li role=none aria-label="Step 1: Find related policies"><a href=#step-1-find-related-policies>Step 1: Find related policies</a><li role=none aria-label="Step 2: Convert service name to workload selector"><a href=#step-2-convert-service-name-to-workload-selector>Step 2: Convert service name to workload selector</a><li role=none aria-label="Step 3: Migrate authentication policy"><a href=#step-3-migrate-authentication-policy>Step 3: Migrate authentication policy</a><li role=none aria-label="Step 4: Migrate RBAC policy"><a href=#step-4-migrate-rbac-policy>Step 4: Migrate RBAC policy</a><li role=none aria-label="Step 5: Verify migrated policy"><a href=#step-5-verify-migrated-policy>Step 5: Verify migrated policy</a></ol></li><li role=none aria-label=Example><a href=#example>Example</a><ol><li role=none aria-label="v1alpha1 policy"><a href=#v1alpha1-policy><code>v1alpha1</code> policy</a><li role=none aria-label="httpbin service"><a href=#httpbin-service><code>httpbin</code> service</a><li role=none aria-label="v1beta1 authentication policy"><a href=#v1beta1-authentication-policy><code>v1beta1</code> authentication policy</a><li role=none aria-label="v1beta1 authorization policy"><a href=#v1beta1-authorization-policy><code>v1beta1</code> authorization policy</a></ol></li><li role=none aria-label="Finish the upgrade"><a href=#finish-the-upgrade>Finish the upgrade</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.9.5 now" href=/v1.9/docs/setup/getting-started/#download aria-label="Download Istio"><span>download</span><svg class="icon download"><use xlink:href="/v1.9/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon discourse"><use xlink:href="/v1.9/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon stackoverflow"><use xlink:href="/v1.9/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://slack.istio.io aria-label=slack><span>slack</span><svg class="icon slack"><use xlink:href="/v1.9/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon twitter"><use xlink:href="/v1.9/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.9.5<br>&copy; 2020 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on May 18, 2021</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon github"><use xlink:href="/v1.9/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon drive"><use xlink:href="/v1.9/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon working-groups"><use xlink:href="/v1.9/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon top"><use xlink:href="/v1.9/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink