mirror of https://github.com/istio/istio.io.git
239 lines
70 KiB
HTML
239 lines
70 KiB
HTML
<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Provisioning Identity through SDS"><meta name=description content="Shows how to enable SDS (secret discovery service) for Istio identity provisioning."><meta name=keywords content=microservices,services,mesh,security,auth-sds><meta property=og:title content="Provisioning Identity through SDS"><meta property=og:type content=website><meta property=og:description content="Shows how to enable SDS (secret discovery service) for Istio identity provisioning."><meta property=og:url content=/v1.3/docs/tasks/security/auth-sds/><meta property=og:image content=/v1.3/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.3 / Provisioning Identity through SDS</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
|
|
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.3/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.3/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.3/feed.xml><link rel="shortcut icon" href=/v1.3/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.3/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.3/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.3/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.3/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.3/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.3/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.3/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.3/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.3/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.3/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.3/css/all.css><script src=/v1.3/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.3";const docTitle="Provisioning Identity through SDS";const iconFile="\/v1.3/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.3/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.3/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.3</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#hamburger"/></svg></div><div id=header-links><span title="Learn how to deploy, use, and operate Istio.">Docs</span>
|
|
<a title="Posts about using Istio." href=/v1.3/blog/2019/proxy/>Blog</a>
|
|
<a title="Timely news about the Istio project." href=/v1.3/news/2019/announcing-1.2-eol/>News</a>
|
|
<a title="Frequently Asked Questions about Istio." href=/v1.3/faq/>FAQ</a>
|
|
<a title="Get a bit more in-depth info about the Istio project." href=/v1.3/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
|
|
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/docs\/tasks\/security\/auth-sds\/');return false;">Current Release</a>
|
|
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/docs\/tasks\/security\/auth-sds\/');return false;">Next Release</a>
|
|
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
|
|
<input type=hidden name=ie value=utf-8>
|
|
<input type=hidden name=hl value=en>
|
|
<input type=hidden id=search-page-url value=/v1.3/search>
|
|
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
|
|
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card32 title="Learn about the different parts of the Istio system and the abstractions it uses." aria-controls=card32-body><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#concepts"/></svg>Concepts</button><div class=body aria-labelledby=card32 role=region id=card32-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card32><li role=none><a role=treeitem title="Introduces Istio, the problems it solves, its high-level architecture and design goals." href=/v1.3/docs/concepts/what-is-istio/>What is Istio?</a></li><li role=none><a role=treeitem title="Describes the various Istio features focused on traffic routing and control." href=/v1.3/docs/concepts/traffic-management/>Traffic Management</a></li><li role=none><a role=treeitem title="Describes Istio's authorization and authentication functionality." href=/v1.3/docs/concepts/security/>Policies and Security</a></li><li role=none><a role=treeitem title="Describes the telemetry and monitoring features provided by Istio." href=/v1.3/docs/concepts/observability/>Observability</a></li><li role=none><a role=treeitem title="Introduces performance and scalability for Istio." href=/v1.3/docs/concepts/performance-and-scalability/>Performance and Scalability</a></li><li role=none><a role=treeitem title="Describes the system models that impact your overall Istio depolyment." href=/v1.3/docs/concepts/deployment-models/>Deployment Models</a></li></ul></div></div><div class=card><button class="header dynamic" id=card49 title="Instructions for installing the Istio control plane on Kubernetes and adding virtual machines into the mesh." aria-controls=card49-body><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#setup"/></svg>Setup</button><div class=body aria-labelledby=card49 role=region id=card49-body><ul role=tree aria-expanded=true aria-labelledby=card49><li role=none><a role=treeitem title="Download, install, and try out Istio." href=/v1.3/docs/setup/getting-started/>Getting Started</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.3/docs/setup/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.3/docs/setup/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an Azure cluster for Istio." href=/v1.3/docs/setup/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to setup Docker Desktop for Istio." href=/v1.3/docs/setup/platform-setup/docker/>Docker Desktop</a></li><li role=none><a role=treeitem title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.3/docs/setup/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to setup an IBM Cloud cluster for Istio." href=/v1.3/docs/setup/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup a Gardener cluster for Istio." href=/v1.3/docs/setup/platform-setup/gardener/>Kubernetes Gardener</a></li><li role=none><a role=treeitem title="Instructions to setup MicroK8s for use with Istio." href=/v1.3/docs/setup/platform-setup/microk8s/>MicroK8s</a></li><li role=none><a role=treeitem title="Instructions to setup minikube for Istio." href=/v1.3/docs/setup/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to setup an OpenShift cluster for Istio." href=/v1.3/docs/setup/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to setup an OKE cluster for Istio." href=/v1.3/docs/setup/platform-setup/oci/>Oracle Cloud Infrastructure</a></li></ul></li><li role=treeitem aria-label=Install><button aria-hidden=true></button><a title="Choose the guide that best suits your needs and platform." href=/v1.3/docs/setup/install/>Install</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Instructions to install Istio in a Kubernetes cluster for evaluation." href=/v1.3/docs/setup/install/kubernetes/>Quick Start Evaluation Install</a></li><li role=none><a role=treeitem title="Install and configure Istio for in-depth evaluation or production use." href=/v1.3/docs/setup/install/helm/>Customizable Install with Helm</a></li><li role=none><a role=treeitem title="Install and configure Istio using the Istio Operator CLI." href=/v1.3/docs/setup/install/operator/>Operator CLI-based Installation [Experimental]</a></li><li role=treeitem aria-label="Multi-cluster Installation"><button aria-hidden=true></button><a title="Configure an Istio mesh spanning multiple Kubernetes clusters." href=/v1.3/docs/setup/install/multicluster/>Multi-cluster Installation</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with replicated control plane instances." href=/v1.3/docs/setup/install/multicluster/gateways/>Replicated control planes</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with a shared control plane and VPN connectivity between clusters." href=/v1.3/docs/setup/install/multicluster/shared-vpn/>Shared control plane (single-network)</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters using a shared control plane for disconnected cluster networks." href=/v1.3/docs/setup/install/multicluster/shared-gateways/>Shared control plane (multi-network)</a></li></ul></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true></button><a title="Information on upgrading Istio." href=/v1.3/docs/setup/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Important changes to consider when upgrading to Istio 1.3." href=/v1.3/docs/setup/upgrade/notice/>1.3 Upgrade Notice</a></li><li role=none><a role=treeitem title="Upgrade the Istio control plane and data plane independently." href=/v1.3/docs/setup/upgrade/steps/>Upgrade Steps</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true></button><a title="More information on additional setup tasks." href=/v1.3/docs/setup/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Prepare your Kubernetes pods and services to run in an Istio-enabled cluster." href=/v1.3/docs/setup/additional-setup/requirements/>Pods and Services</a></li><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." href=/v1.3/docs/setup/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.3/docs/setup/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege." href=/v1.3/docs/setup/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card72 title="How to do single specific targeted activities with the Istio system." aria-controls=card72-body><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#tasks"/></svg>Tasks</button><div class="body default" aria-labelledby=card72 role=region id=card72-body><ul role=tree aria-expanded=true aria-labelledby=card72><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.3/docs/tasks/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." href=/v1.3/docs/tasks/traffic-management/request-routing/>Request Routing</a></li><li role=none><a role=treeitem title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.3/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li role=none><a role=treeitem title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.3/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li role=none><a role=treeitem title="Shows you how to migrate TCP traffic from an old to new version of a TCP service." href=/v1.3/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP Traffic Shifting</a></li><li role=none><a role=treeitem title="This task shows you how to setup request timeouts in Envoy using Istio." href=/v1.3/docs/tasks/traffic-management/request-timeouts/>Request Timeouts</a></li><li role=none><a role=treeitem title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." href=/v1.3/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li role=none><a role=treeitem title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.3/docs/tasks/traffic-management/mirroring/>Mirroring</a></li><li role=treeitem aria-label=Ingress><button aria-hidden=true></button><a title="Controlling ingress traffic for an Istio service mesh." href=/v1.3/docs/tasks/traffic-management/ingress/>Ingress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure an Istio gateway to expose a service outside of the service mesh." href=/v1.3/docs/tasks/traffic-management/ingress/ingress-control/>Ingress Gateways</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS using file-mounted certificates." href=/v1.3/docs/tasks/traffic-management/ingress/secure-ingress-mount/>Secure Gateways (File Mount)</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS using the secret discovery service (SDS)." href=/v1.3/docs/tasks/traffic-management/ingress/secure-ingress-sds/>Secure Gateways (SDS)</a></li><li role=none><a role=treeitem title="Describes how to configure SNI passthrough for an ingress gateway." href=/v1.3/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/>Ingress Gateway without TLS Termination</a></li><li role=none><a role=treeitem title="Demonstrates how to obtain Let's Encrypt TLS certificates for Kubernetes Ingress automatically using Cert-Manager." href=/v1.3/docs/tasks/traffic-management/ingress/ingress-certmgr/>Kubernetes Ingress with Cert-Manager</a></li></ul></li><li role=treeitem aria-label=Egress><button aria-hidden=true></button><a title="Controlling egress traffic for an Istio service mesh." href=/v1.3/docs/tasks/traffic-management/egress/>Egress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.3/docs/tasks/traffic-management/egress/egress-control/>Accessing External Services</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.3/docs/tasks/traffic-management/egress/egress-tls-origination/>Egress TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." href=/v1.3/docs/tasks/traffic-management/egress/egress-gateway/>Egress Gateways</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services." href=/v1.3/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateways with TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately." href=/v1.3/docs/tasks/traffic-management/egress/wildcard-egress-hosts/>Egress using Wildcard Hosts</a></li><li role=none><a role=treeitem title="Describes how to configure SNI monitoring and apply policies on TLS egress traffic." href=/v1.3/docs/tasks/traffic-management/egress/egress_sni_monitoring_and_policies/>Monitoring and Policies for TLS Egress</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to let applications use an external HTTPS proxy." href=/v1.3/docs/tasks/traffic-management/egress/http-proxy/>Using an External HTTPS Proxy</a></li></ul></li></ul></li><li role=treeitem aria-label=Security><button class=show aria-hidden=true></button><a title="Demonstrates how to secure the mesh." href=/v1.3/docs/tasks/security/>Security</a><ul role=group aria-expanded=true class=leaf-section><li role=none><a role=treeitem title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href=/v1.3/docs/tasks/security/authn-policy/>Authentication Policy</a></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for HTTP services." href=/v1.3/docs/tasks/security/authz-http/>Authorization for HTTP Services</a></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for TCP services." href=/v1.3/docs/tasks/security/authz-tcp/>Authorization for TCP Services</a></li><li role=none><a role=treeitem title="Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio." href=/v1.3/docs/tasks/security/rbac-groups/>Authorization for groups and list claims</a></li><li role=none><a role=treeitem title="Shows how to use Authorization permissive mode." href=/v1.3/docs/tasks/security/authz-permissive/>Authorization permissive mode</a></li><li role=none><a role=treeitem title="Shows you how to verify and test Istio's automatic mutual TLS authentication." href=/v1.3/docs/tasks/security/mutual-tls/>Mutual TLS Deep-Dive</a></li><li role=none><a role=treeitem title="Shows how operators can configure Citadel with existing root certificate, signing certificate and key." href=/v1.3/docs/tasks/security/plugin-ca-cert/>Plugging in External CA Key and Certificate</a></li><li role=none><a role=treeitem title="Shows how to enable Citadel health checking with Kubernetes." href=/v1.3/docs/tasks/security/health-check/>Citadel Health Checking</a></li><li role=none><span role=treeitem class=current title="Shows how to enable SDS (secret discovery service) for Istio identity provisioning.">Provisioning Identity through SDS</span></li><li role=none><a role=treeitem title="Configure which namespaces Citadel should generate service account secrets for." href=/v1.3/docs/tasks/security/ca-namespace-targeting/>Configure Citadel Service Account Secret Generation</a></li><li role=none><a role=treeitem title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.3/docs/tasks/security/mtls-migration/>Mutual TLS Migration</a></li><li role=none><a role=treeitem title="Shows how to enable mutual TLS on HTTPS services." href=/v1.3/docs/tasks/security/https-overlay/>Mutual TLS over HTTPS</a></li></ul></li><li role=treeitem aria-label=Policies><button aria-hidden=true></button><a title="Demonstrates policy enforcement features." href=/v1.3/docs/tasks/policy-enforcement/>Policies</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to enable Istio policy enforcement." href=/v1.3/docs/tasks/policy-enforcement/enabling-policy/>Enabling Policy Enforcement</a></li><li role=none><a role=treeitem title="This task shows you how to use Istio to dynamically limit the traffic to a service." href=/v1.3/docs/tasks/policy-enforcement/rate-limiting/>Enabling Rate Limits</a></li><li role=none><a role=treeitem title="Shows how to modify request headers and routing using policy adapters." href=/v1.3/docs/tasks/policy-enforcement/control-headers/>Control Headers and Routing</a></li><li role=none><a role=treeitem title="Shows how to control access to a service using simple denials or white/black listing." href=/v1.3/docs/tasks/policy-enforcement/denial-and-list/>Denials and White/Black Listing</a></li></ul></li><li role=treeitem aria-label=Telemetry><button aria-hidden=true></button><a title="Demonstrates how to collect telemetry information from the mesh." href=/v1.3/docs/tasks/telemetry/>Telemetry</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Metrics><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh metrics." href=/v1.3/docs/tasks/telemetry/metrics/>Metrics</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize metrics." href=/v1.3/docs/tasks/telemetry/metrics/collecting-metrics/>Collecting Metrics</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect metrics for TCP services." href=/v1.3/docs/tasks/telemetry/metrics/tcp-metrics/>Collecting Metrics for TCP services</a></li><li role=none><a role=treeitem title="This task shows you how to query for Istio Metrics using Prometheus." href=/v1.3/docs/tasks/telemetry/metrics/querying-metrics/>Querying Metrics from Prometheus</a></li><li role=none><a role=treeitem title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href=/v1.3/docs/tasks/telemetry/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a></li></ul></li><li role=treeitem aria-label=Logs><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh logs." href=/v1.3/docs/tasks/telemetry/logs/>Logs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize logs." href=/v1.3/docs/tasks/telemetry/logs/collecting-logs/>Collecting Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Envoy proxies to print access log to their standard output." href=/v1.3/docs/tasks/telemetry/logs/access-log/>Getting Envoy's Access Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to log to a Fluentd daemon." href=/v1.3/docs/tasks/telemetry/logs/fluentd/>Logging with Fluentd</a></li></ul></li><li role=treeitem aria-label="Distributed Tracing"><button aria-hidden=true></button><a title="This task shows you how to configure Istio-enabled applications to collect trace spans." href=/v1.3/docs/tasks/telemetry/distributed-tracing/>Distributed Tracing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Overview of distributed tracing in Istio." href=/v1.3/docs/tasks/telemetry/distributed-tracing/overview/>Overview</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Jaeger." href=/v1.3/docs/tasks/telemetry/distributed-tracing/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Zipkin." href=/v1.3/docs/tasks/telemetry/distributed-tracing/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="How to configure the proxies to send tracing requests to LightStep." href=/v1.3/docs/tasks/telemetry/distributed-tracing/lightstep/>LightStep</a></li></ul></li><li role=none><a role=treeitem title="This task shows you how to visualize your services within an Istio mesh." href=/v1.3/docs/tasks/telemetry/kiali/>Visualizing Your Mesh</a></li><li role=none><a role=treeitem title="This task shows you how to configure external access to the set of Istio telemetry addons." href=/v1.3/docs/tasks/telemetry/gateways/>Remotely Accessing Telemetry Addons</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card90 title="A variety of fully working example uses for Istio that you can experiment with." aria-controls=card90-body><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#examples"/></svg>Examples</button><div class=body aria-labelledby=card90 role=region id=card90-body><ul role=tree aria-expanded=true aria-labelledby=card90><li role=none><a role=treeitem title="Deploys a sample application composed of four separate microservices used to demonstrate various Istio features." href=/v1.3/docs/examples/bookinfo/>Bookinfo Application</a></li><li role=none><a role=treeitem title="Explains how to manually integrate Google Cloud Endpoints services with Istio." href=/v1.3/docs/examples/endpoints/>Install Istio for Google Cloud Endpoints Services</a></li><li role=treeitem aria-label="Mesh Expansion"><button aria-hidden=true></button><a title="Configure an Istio mesh spanning Kubernetes clusters, VMs and bare metals." href=/v1.3/docs/examples/mesh-expansion/>Mesh Expansion</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Integrate VMs and bare metal hosts into an Istio mesh deployed on Kubernetes." href=/v1.3/docs/examples/mesh-expansion/single-network/>Single-network Mesh Expansion</a></li><li role=none><a role=treeitem title="Integrate VMs and bare metal hosts into an Istio mesh deployed on Kubernetes with gateways." href=/v1.3/docs/examples/mesh-expansion/multi-network/>Multi-network Mesh Expansion</a></li><li role=none><a role=treeitem title="Illustrates how to expand the Bookinfo application's mesh with a raw VM service." href=/v1.3/docs/examples/mesh-expansion/bookinfo-expanded/>Bookinfo with Mesh Expansion</a></li></ul></li><li role=treeitem aria-label="Multicluster Service Mesh"><button aria-hidden=true></button><a title="Multicluster service mesh examples for Istio that you can experiment with." href=/v1.3/docs/examples/multicluster/>Multicluster Service Mesh</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Set up a multicluster mesh over two GKE clusters." href=/v1.3/docs/examples/multicluster/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Example multicluster mesh over two IBM Cloud Private clusters." href=/v1.3/docs/examples/multicluster/icp/>IBM Cloud Private</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card104 title="Hints, tips, tricks about running an Istio mesh." aria-controls=card104-body><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#guide"/></svg>Operations</button><div class=body aria-labelledby=card104 role=region id=card104-body><ul role=tree aria-expanded=true aria-labelledby=card104><li role=none><a role=treeitem title="Shows how to do health checking for Istio services." href=/v1.3/docs/ops/app-health-check/>Health Checking of Istio Services</a></li><li role=treeitem aria-label="Installation and Configuration"><button aria-hidden=true></button><a title="Describes important requirements, concepts, and considerations for installing and configuring Istio." href=/v1.3/docs/ops/setup/>Installation and Configuration</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.3/docs/ops/setup/injection-concepts/>Automatic Sidecar Injection</a></li><li role=none><a role=treeitem title="Describes how to check which capabilities are allowed for your pods." href=/v1.3/docs/ops/setup/required-pod-capabilities/>Required Pod Capabilities</a></li><li role=none><a role=treeitem title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.3/docs/ops/setup/webhook/>Dynamic Admission Webhooks Overview</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for server-side configuration validation." href=/v1.3/docs/ops/setup/validation/>Configuration Validation Webhook</a></li></ul></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Helps you manage the networking aspects of a running mesh." href=/v1.3/docs/ops/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="An introduction to Istio networking operational aspects." href=/v1.3/docs/ops/traffic-management/introduction/>Introduction to Network Operations</a></li><li role=none><a role=treeitem title="Provides specific deployment or configuration guidelines to avoid networking or traffic management issues." href=/v1.3/docs/ops/traffic-management/deploy-guidelines/>Avoiding Traffic Management Issues</a></li><li role=none><a role=treeitem title="Information on how to enable and understand Locality Load Balancing." href=/v1.3/docs/ops/traffic-management/locality-load-balancing/>Locality Load Balancing</a></li><li role=none><a role=treeitem title="Information on how to specify protocols." href=/v1.3/docs/ops/traffic-management/protocol-selection/>Protocol Selection</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Helps you manage the security aspects of a running mesh." href=/v1.3/docs/ops/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Use hardened container images to reduce Istio's attack surface." href=/v1.3/docs/ops/security/harden-docker-images/>Harden Docker Container Images</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of the Istio self-signed root certificate." href=/v1.3/docs/ops/security/root-transition/>Extending Self-Signed Certificate Lifetime</a></li></ul></li><li role=treeitem aria-label=Telemetry><button aria-hidden=true></button><a title="Helps you manage telemetry collection and visualization in a running mesh." href=/v1.3/docs/ops/telemetry/>Telemetry</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="How to enable in-proxy generation of HTTP service-level metrics." href=/v1.3/docs/ops/telemetry/in-proxy-service-telemetry/>Generate Istio Metrics Without Mixer [Experimental]</a></li><li role=none><a role=treeitem title="Fine-grained control of Envoy statistics." href=/v1.3/docs/ops/telemetry/envoy-stats/>Envoy Statistics</a></li></ul></li><li role=treeitem aria-label=Troubleshooting><button aria-hidden=true></button><a title="Describes how to identify and resolve common problems in Istio." href=/v1.3/docs/ops/troubleshooting/>Troubleshooting</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Istio includes a supplemental tool that provides debugging and diagnosis for Istio service mesh deployments." href=/v1.3/docs/ops/troubleshooting/istioctl/>Using the istioctl command-line tool</a></li><li role=none><a role=treeitem title="Tools and techniques to address common Istio traffic management and network problems." href=/v1.3/docs/ops/troubleshooting/network-issues/>Network Problems</a></li><li role=none><a role=treeitem title="Tools and techniques to address common Istio authentication, authorization, and general security-related problems." href=/v1.3/docs/ops/troubleshooting/security-issues/>Security Problems</a></li><li role=none><a role=treeitem title="Resolve common problems with Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.3/docs/ops/troubleshooting/injection/>Sidecar Injection Problems</a></li><li role=none><a role=treeitem title="What to do if Citadel is not behaving properly." href=/v1.3/docs/ops/troubleshooting/repairing-citadel/>Repairing Citadel</a></li><li role=none><a role=treeitem title="Describes tools and techniques to diagnose Envoy configuration issues related to traffic management." href=/v1.3/docs/ops/troubleshooting/proxy-cmd/>Debugging Envoy and Pilot</a></li><li role=none><a role=treeitem title="Describes how to resolve Galley configuration problems." href=/v1.3/docs/ops/troubleshooting/validation/>Galley Configuration Problems</a></li><li role=none><a role=treeitem title="Diagnose problems where metrics are not being collected." href=/v1.3/docs/ops/troubleshooting/missing-metrics/>Missing Metrics</a></li><li role=none><a role=treeitem title="Dealing with Grafana issues." href=/v1.3/docs/ops/troubleshooting/grafana/>Missing Grafana Output</a></li><li role=none><a role=treeitem title="Fix missing traces in Zipkin." href=/v1.3/docs/ops/troubleshooting/missing-traces/>Missing Zipkin Traces</a></li><li role=none><a role=treeitem title="Shows you how to use istioctl describe to verify the configurations of a pod in your mesh." href=/v1.3/docs/ops/troubleshooting/istioctl-describe/>Understand your Mesh with istioctl describe</a></li><li role=none><a role=treeitem title="Describes how to use component-level logging to get insights into a running component's behavior." href=/v1.3/docs/ops/troubleshooting/component-logging/>Component Logging</a></li><li role=none><a role=treeitem title="Describes how to use ControlZ to get insight into individual running components." href=/v1.3/docs/ops/troubleshooting/controlz/>Component Introspection</a></li><li role=none><a role=treeitem title="Limitations for using Tcpdump in pods." href=/v1.3/docs/ops/troubleshooting/tcpdump-notes/>Tcpdump Limitations</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card126 title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." aria-controls=card126-body><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#reference"/></svg>Reference</button><div class=body aria-labelledby=card126 role=region id=card126-body><ul role=tree aria-expanded=true aria-labelledby=card126><li role=treeitem aria-label=Configuration><button aria-hidden=true></button><a title="Detailed information on configuration options." href=/v1.3/docs/reference/config/>Configuration</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Describes how to configure HTTP/TCP routing features." href=/v1.3/docs/reference/config/networking/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration affecting load balancing, outlier detection, etc." href=/v1.3/docs/reference/config/networking/v1alpha3/destination-rule/>Destination Rule</a></li><li role=none><a role=treeitem title="Customizing Envoy configuration generated by Istio." href=/v1.3/docs/reference/config/networking/v1alpha3/envoy-filter/>Envoy Filter</a></li><li role=none><a role=treeitem title="Configuration affecting edge load balancer." href=/v1.3/docs/reference/config/networking/v1alpha3/gateway/>Gateway</a></li><li role=none><a role=treeitem title="Configuration affecting service registry." href=/v1.3/docs/reference/config/networking/v1alpha3/service-entry/>Service Entry</a></li><li role=none><a role=treeitem title="Configuration affecting network reachability of a sidecar." href=/v1.3/docs/reference/config/networking/v1alpha3/sidecar/>Sidecar</a></li><li role=none><a role=treeitem title="Configuration affecting label/content routing, sni routing, etc." href=/v1.3/docs/reference/config/networking/v1alpha3/virtual-service/>Virtual Service</a></li></ul></li><li role=none><a role=treeitem title="Authentication policy for Istio services." href=/v1.3/docs/reference/config/istio.authentication.v1alpha1/>Authentication Policy</a></li><li role=none><a role=treeitem title="Resource annotations used by Istio." href=/v1.3/docs/reference/config/annotations/>Resource Annotations</a></li><li role=treeitem aria-label=Authorization><button aria-hidden=true></button><a title="Describes how to configure Istio's authorization features." href=/v1.3/docs/reference/config/authorization/>Authorization</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the supported constraints and properties." href=/v1.3/docs/reference/config/authorization/constraints-and-properties/>Constraints and Properties</a></li><li role=none><a role=treeitem title="Configuration for Role Based Access Control." href=/v1.3/docs/reference/config/authorization/istio.rbac.v1alpha1/>RBAC</a></li></ul></li><li role=none><a role=treeitem title="Describes the options available when installing Istio using the included Helm chart." href=/v1.3/docs/reference/config/installation-options/>Installation Options</a></li><li role=none><a role=treeitem title="Details the Helm chart installation options differences between release-1.2 and release-1.3." href=/v1.3/docs/reference/config/installation-options-changes/>Installation Options Changes</a></li><li role=treeitem aria-label="Policies and Telemetry"><button aria-hidden=true></button><a title="Describes how to configure Istio's policy and telemetry features." href=/v1.3/docs/reference/config/policy-and-telemetry/>Policies and Telemetry</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Describes the configuration model for Istio's policy enforcement and telemetry mechanisms." href=/v1.3/docs/reference/config/policy-and-telemetry/mixer-overview/>Mixer Configuration Model</a></li><li role=none><a role=treeitem title="Describes the base attribute vocabulary used for policy and control." href=/v1.3/docs/reference/config/policy-and-telemetry/attribute-vocabulary/>Attribute Vocabulary</a></li><li role=none><a role=treeitem title="Mixer configuration expression language reference." href=/v1.3/docs/reference/config/policy-and-telemetry/expression-language/>Expression Language</a></li><li role=treeitem aria-label=Adapters><button aria-hidden=true></button><a title="Mixer adapters allow Istio to interface to a variety of infrastructure backends for such things as metrics and logs." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/>Adapters</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Adapter to deliver metrics to Apache SkyWalking." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/apache-skywalking/>Apache SkyWalking</a></li><li role=none><a role=treeitem title="Adapter for Apigee's distributed policy checks and analytics." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/apigee/>Apigee</a></li><li role=none><a role=treeitem title="Adapter to enforce authentication and authorization policies for web apps and APIs." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/app-identity-access-adapter/>App Identity and Access</a></li><li role=none><a role=treeitem title="Adapter for circonus.com's monitoring solution." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/circonus/>Circonus</a></li><li role=none><a role=treeitem title="Adapter for cloudmonitor metrics." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/cloudmonitor/>CloudMonitor</a></li><li role=none><a role=treeitem title="Adapter for cloudwatch metrics." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/>CloudWatch</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a dogstatsd agent for delivery to DataDog." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/datadog/>Datadog</a></li><li role=none><a role=treeitem title="Adapter that always returns a precondition denial." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/denier/>Denier</a></li><li role=none><a role=treeitem title="Adapter that delivers logs to a Fluentd daemon." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/fluentd/>Fluentd</a></li><li role=none><a role=treeitem title="Adapter that extracts information from a Kubernetes environment." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/kubernetesenv/>Kubernetes Env</a></li><li role=none><a role=treeitem title="Adapter that performs whitelist or blacklist checks." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/list/>List</a></li><li role=none><a role=treeitem title="Adapter for a simple in-memory quota management system." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/memquota/>Memory quota</a></li><li role=none><a role=treeitem title="Adapter that implements an Open Policy Agent engine." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/opa/>OPA</a></li><li role=none><a role=treeitem title="Adapter that exposes Istio metrics for ingestion by a Prometheus harvester." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/prometheus/>Prometheus</a></li><li role=none><a role=treeitem title="Adapter for a Redis-based quota management system." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/redisquota/>Redis Quota</a></li><li role=none><a role=treeitem title="Adapter that sends metrics to SignalFx." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/signalfx/>SignalFx</a></li><li role=none><a role=treeitem title="Adapter to deliver logs and metrics to Papertrail and AppOptics backends." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/solarwinds/>SolarWinds</a></li><li role=none><a role=treeitem title="Adapter to deliver logs, metrics, and traces to Stackdriver." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/stackdriver/>Stackdriver</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a StatsD backend." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/statsd/>StatsD</a></li><li role=none><a role=treeitem title="Adapter to locally output logs and metrics." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/stdio/>Stdio</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to Wavefront by VMware." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/wavefront/>Wavefront by VMware</a></li><li role=none><a role=treeitem title="Adapter to deliver tracing data to Zipkin." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/zipkin/>Zipkin</a></li></ul></li><li role=none><a role=treeitem title="Default Metrics exported from Istio through Mixer." href=/v1.3/docs/reference/config/policy-and-telemetry/metrics/>Default Metrics</a></li><li role=treeitem aria-label=Templates><button aria-hidden=true></button><a title="Mixer templates are used to send data to individual adapters." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/>Templates</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="A template that represents a single API key." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/apikey/>API Key</a></li><li role=none><a role=treeitem title="The Analytics template is used to dispatch runtime telemetry to Apigee." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/analytics/>Analytics</a></li><li role=none><a role=treeitem title="A template used to represent an access control query." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/authorization/>Authorization</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/checknothing/>Check Nothing</a></li><li role=none><a role=treeitem title="A template designed to report observed communication edges between workloads." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/edge/>Edge</a></li><li role=none><a role=treeitem title="A template that is used to control the production of Kubernetes-specific attributes." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/kubernetes/>Kubernetes</a></li><li role=none><a role=treeitem title="A template designed to let you perform list checking operations." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/listentry/>List Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime log entry." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/logentry/>Log Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime metric." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/metric/>Metric</a></li><li role=none><a role=treeitem title="A template that represents a quota allocation request." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/quota/>Quota</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/reportnothing/>Report Nothing</a></li><li role=none><a role=treeitem title="A template that represents an individual span within a distributed trace." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/tracespan/>Trace Span</a></li></ul></li><li role=none><a role=treeitem title="Configuration state for the Mixer client library." href=/v1.3/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/>Mixer Client</a></li><li role=none><a role=treeitem title="Describes the rules used to configure Mixer's policy and telemetry features." href=/v1.3/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/>Rules</a></li></ul></li><li role=none><a role=treeitem title="Configuration for Istio control plane installation through the Operator." href=/v1.3/docs/reference/config/istio.operator.v1alpha12.pb/>Operator Installation</a></li><li role=none><a role=treeitem title="Configuration affecting the service mesh as a whole." href=/v1.3/docs/reference/config/istio.mesh.v1alpha1/>Service Mesh</a></li></ul></li><li role=treeitem aria-label=Commands><button aria-hidden=true></button><a title="Describes usage and options of the Istio commands and utilities." href=/v1.3/docs/reference/commands/>Commands</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Galley provides configuration management services for Istio." href=/v1.3/docs/reference/commands/galley/>galley</a></li><li role=none><a role=treeitem title="Istio Certificate Authority (CA)." href=/v1.3/docs/reference/commands/istio_ca/>istio_ca</a></li><li role=none><a role=treeitem title="Istio control interface." href=/v1.3/docs/reference/commands/istioctl/>istioctl</a></li><li role=none><a role=treeitem title="Mixer is Istio's abstraction on top of infrastructure backends." href=/v1.3/docs/reference/commands/mixs/>mixs</a></li><li role=none><a role=treeitem title="Istio security per-node agent." href=/v1.3/docs/reference/commands/node_agent/>node_agent</a></li><li role=none><a role=treeitem title="The Istio operator." href=/v1.3/docs/reference/commands/operator/>operator</a></li><li role=none><a role=treeitem title="Istio Pilot agent." href=/v1.3/docs/reference/commands/pilot-agent/>pilot-agent</a></li><li role=none><a role=treeitem title="Istio Pilot." href=/v1.3/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li><li role=none><a role=treeitem title="Kubernetes webhook for automatic Istio sidecar injection." href=/v1.3/docs/reference/commands/sidecar-injector/>sidecar-injector</a></li></ul></li><li role=none><a role=treeitem title="A glossary of common Istio terms." href=/v1.3/docs/reference/glossary/>Glossary</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.3/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.3/docs/ title="Learn how to deploy, use, and operate Istio.">Docs</a></li><li><a href=/v1.3/docs/tasks/ title="How to do single specific targeted activities with the Istio system.">Tasks</a></li><li><a href=/v1.3/docs/tasks/security/ title="Demonstrates how to secure the mesh.">Security</a></li><li>Provisioning Identity through SDS</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>Provisioning Identity through SDS</h1><p class=byline><span title="1373 words"><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#clock"/></svg><span> </span>7 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Before you begin"><a href=#before-you-begin>Before you begin</a><li role=none aria-label="Service-to-service mutual TLS using key/certificate provisioned through SDS"><a href=#service-to-service-mutual-tls-using-key-certificate-provisioned-through-sds>Service-to-service mutual TLS using key/certificate provisioned through SDS</a><li role=none aria-label="Verifying no secret-volume mounted file is generated"><a href=#verifying-no-secret-volume-mounted-file-is-generated>Verifying no secret-volume mounted file is generated</a><li role=none aria-label="Securing SDS with pod security policies"><a href=#securing-sds-with-pod-security-policies>Securing SDS with pod security policies</a><li role=none aria-label=Cleanup><a href=#cleanup>Cleanup</a><li role=none aria-label=Caveats><a href=#caveats>Caveats</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>This task shows how to enable
|
|
<a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret#sds-configuration>SDS (secret discovery service)</a>
|
|
for Istio identity provisioning.</p><p>Prior to Istio 1.1, the keys and certificates of Istio workloads were generated
|
|
by Citadel and distributed to sidecars through secret-volume mounted files,
|
|
this approach has the following minor drawbacks:</p><ul><li><p>Performance regression during certificate rotation:
|
|
When certificate rotation happens, Envoy is hot restarted to pick up the new
|
|
key and certificate, causing performance regression.</p></li><li><p>Potential security vulnerability:
|
|
The workload private keys are distributed through Kubernetes secrets,
|
|
with known
|
|
<a href=https://kubernetes.io/docs/concepts/configuration/secret/#risks>risks</a>.</p></li></ul><p>These issues are addressed in Istio 1.1 through the SDS identity provision flow.
|
|
The workflow can be described as follows.</p><ol><li><p>The workload sidecar Envoy requests the key and certificates from the Citadel
|
|
agent: The Citadel agent is a SDS server, which runs as per-node <code>DaemonSet</code>.
|
|
In the request, Envoy passes a Kubernetes service account JWT to the agent.</p></li><li><p>The Citadel agent generates a key pair and sends the CSR request to Citadel:
|
|
Citadel verifies the JWT and issues the certificate to the Citadel agent.</p></li><li><p>The Citadel agent sends the key and certificate back to the workload sidecar.</p></li></ol><p>This approach has the following benefits:</p><ul><li><p>The private key never leaves the node: It is only in the Citadel agent
|
|
and Envoy sidecar’s memory.</p></li><li><p>The secret volume mount is no longer needed: The reliance on the Kubernetes
|
|
secrets is eliminated.</p></li><li><p>The sidecar Envoy is able to dynamically renew the key and certificate
|
|
through the SDS API: Certificate rotations no longer require Envoy to restart.</p></li></ul><h2 id=before-you-begin>Before you begin</h2><ul><li>Set up Istio by following the instructions using
|
|
<a href=/v1.3/docs/setup/install/helm/>Helm</a> with SDS setup and global mutual
|
|
TLS enabled.</li></ul><h2 id=service-to-service-mutual-tls-using-key-certificate-provisioned-through-sds>Service-to-service mutual TLS using key/certificate provisioned through SDS</h2><p>Follow the <a href=/v1.3/docs/tasks/security/authn-policy/>authentication policy task</a> to
|
|
setup test services.</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.3/samples/sleep/sleep.yaml>Zip</a><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.3/samples/httpbin/httpbin.yaml>Zip</a><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.3/samples/sleep/sleep.yaml>Zip</a><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.3/samples/httpbin/httpbin.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl create ns foo
|
|
$ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n foo
|
|
$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n foo
|
|
$ kubectl create ns bar
|
|
$ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n bar
|
|
$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n bar
|
|
</code></pre></div><p>Verify all mutual TLS requests succeed:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ for from in "foo" "bar"; do for to in "foo" "bar"; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done
|
|
sleep.foo to httpbin.foo: 200
|
|
sleep.foo to httpbin.bar: 200
|
|
sleep.bar to httpbin.foo: 200
|
|
sleep.bar to httpbin.bar: 200
|
|
</code></pre><h2 id=verifying-no-secret-volume-mounted-file-is-generated>Verifying no secret-volume mounted file is generated</h2><p>To verify that no secret-volume mounted file is generated, access the deployed
|
|
workload sidecar container:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c istio-proxy -n foo -- /bin/bash
|
|
</code></pre><p>As you can see there is no secret file mounted at <code>/etc/certs</code> folder.</p><h2 id=securing-sds-with-pod-security-policies>Securing SDS with pod security policies</h2><p>The Istio Secret Discovery Service (SDS) uses the Citadel agent to distribute the certificate to the
|
|
Envoy sidecar via a Unix domain socket. All pods running in the same Kubernetes node share the Citadel
|
|
agent and Unix domain socket.</p><p>To prevent unexpected modifications to the Unix domain socket, enable the <a href=https://kubernetes.io/docs/concepts/policy/pod-security-policy/>pod security policy</a>
|
|
to restrict the pod’s permission on the Unix domain socket. Otherwise, a malicious user who has the
|
|
permission to modify the deployment could hijack the Unix domain socket to break the SDS service or
|
|
steal the identity credentials from other pods running on the same Kubernetes node.</p><p>To enable the pod security policy, perform the following steps:</p><ol><li><p>The Citadel agent fails to start unless it can create the required Unix domain socket. Apply the
|
|
following pod security policy to only allow the Citadel agent to modify the Unix domain socket:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl apply -f -
|
|
apiVersion: extensions/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: istio-nodeagent
|
|
spec:
|
|
allowedHostPaths:
|
|
- pathPrefix: "/var/run/sds"
|
|
seLinux:
|
|
rule: RunAsAny
|
|
supplementalGroups:
|
|
rule: RunAsAny
|
|
runAsUser:
|
|
rule: RunAsAny
|
|
fsGroup:
|
|
rule: RunAsAny
|
|
volumes:
|
|
- '*'
|
|
---
|
|
kind: Role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: istio-nodeagent
|
|
namespace: istio-system
|
|
rules:
|
|
- apiGroups:
|
|
- extensions
|
|
resources:
|
|
- podsecuritypolicies
|
|
resourceNames:
|
|
- istio-nodeagent
|
|
verbs:
|
|
- use
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: istio-nodeagent
|
|
namespace: istio-system
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: istio-nodeagent
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: istio-nodeagent-service-account
|
|
namespace: istio-system
|
|
EOF
|
|
</code></pre></li><li><p>To stop other pods from modifying the Unix domain socket, change the <code>allowedHostPaths</code> configuration
|
|
for the the path the Citadel agent uses for the Unix domain socket to <code>readOnly: true</code>.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.3/img/icons.svg#callout-warning"/></svg></div><div class=content>The following pod security policy assumes no other pod security policy was applied before. If you
|
|
already applied another pod security policy, add the following configuration values to the existing
|
|
policies instead of applying the configuration directly.</div></aside></div><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl apply -f -
|
|
apiVersion: extensions/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: istio-sds-uds
|
|
spec:
|
|
# Protect the unix domain socket from unauthorized modification
|
|
allowedHostPaths:
|
|
- pathPrefix: "/var/run/sds"
|
|
readOnly: true
|
|
# Allow the istio sidecar injector to work
|
|
allowedCapabilities:
|
|
- NET_ADMIN
|
|
seLinux:
|
|
rule: RunAsAny
|
|
supplementalGroups:
|
|
rule: RunAsAny
|
|
runAsUser:
|
|
rule: RunAsAny
|
|
fsGroup:
|
|
rule: RunAsAny
|
|
volumes:
|
|
- '*'
|
|
---
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: istio-sds-uds
|
|
rules:
|
|
- apiGroups:
|
|
- extensions
|
|
resources:
|
|
- podsecuritypolicies
|
|
resourceNames:
|
|
- istio-sds-uds
|
|
verbs:
|
|
- use
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: istio-sds-uds
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: istio-sds-uds
|
|
subjects:
|
|
- apiGroup: rbac.authorization.k8s.io
|
|
kind: Group
|
|
name: system:serviceaccounts
|
|
EOF
|
|
</code></pre></li><li><p>Enable pod security policies for your platform. Each supported platform enables pod security
|
|
policies differently. Please refer to the pertinent documentation for your platform. If you are
|
|
using the Google Kubernetes Engine (GKE), you must <a href=https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies#enabling_podsecuritypolicy_controller>enable the pod security policy controller</a>.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.3/img/icons.svg#callout-warning"/></svg></div><div class=content>Grant all needed permissions in the pod security policy before enabling it. Once the policy is
|
|
enabled, pods won’t start if they require any permissions not granted.</div></aside></div></li><li><p>Run the following command to restart the Citadel agents:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete pod -l 'app=nodeagent' -n istio-system
|
|
pod "istio-nodeagent-dplx2" deleted
|
|
pod "istio-nodeagent-jrbmx" deleted
|
|
pod "istio-nodeagent-rz878" deleted
|
|
</code></pre></li><li><p>To verify that the Citadel agents work with the enabled pod security policy, wait a few seconds
|
|
and run the following command to confirm the agents started successfully:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get pod -l 'app=nodeagent' -n istio-system
|
|
NAME READY STATUS RESTARTS AGE
|
|
istio-nodeagent-p4p7g 1/1 Running 0 4s
|
|
istio-nodeagent-qdwj6 1/1 Running 0 5s
|
|
istio-nodeagent-zsk2b 1/1 Running 0 14s
|
|
</code></pre></li><li><p>Run the following command to start a normal pod.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl apply -f -
|
|
apiVersion: extensions/v1beta1
|
|
kind: Deployment
|
|
metadata:
|
|
name: normal
|
|
spec:
|
|
replicas: 1
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: normal
|
|
spec:
|
|
containers:
|
|
- name: normal
|
|
image: pstauffer/curl
|
|
command: ["/bin/sleep", "3650d"]
|
|
imagePullPolicy: IfNotPresent
|
|
EOF
|
|
</code></pre></li><li><p>To verify that the normal pod works with the pod security policy enabled, wait a few seconds and
|
|
run the following command to confirm the normal pod started successfully.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get pod -l 'app=normal'
|
|
NAME READY STATUS RESTARTS AGE
|
|
normal-64c6956774-ptpfh 2/2 Running 0 8s
|
|
</code></pre></li><li><p>Start a malicious pod that tries to mount the Unix domain socket using a write permission.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl apply -f -
|
|
apiVersion: extensions/v1beta1
|
|
kind: Deployment
|
|
metadata:
|
|
name: malicious
|
|
spec:
|
|
replicas: 1
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: malicious
|
|
spec:
|
|
containers:
|
|
- name: malicious
|
|
image: pstauffer/curl
|
|
command: ["/bin/sleep", "3650d"]
|
|
imagePullPolicy: IfNotPresent
|
|
volumeMounts:
|
|
- name: sds-uds
|
|
mountPath: /var/run/sds
|
|
volumes:
|
|
- name: sds-uds
|
|
hostPath:
|
|
path: /var/run/sds
|
|
type: ""
|
|
EOF
|
|
</code></pre></li><li><p>To verify that the Unix domain socket is protected, run the following command to confirm the
|
|
malicious pod failed to start due to the pod security policy:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl describe rs -l 'app=malicious' | grep Failed
|
|
Pods Status: 0 Running / 0 Waiting / 0 Succeeded / 0 Failed
|
|
ReplicaFailure True FailedCreate
|
|
Warning FailedCreate 4s (x13 over 24s) replicaset-controller Error creating: pods "malicious-7dcfb8d648-" is forbidden: unable to validate against any pod security policy: [spec.containers[0].volumeMounts[0].readOnly: Invalid value: false: must be read-only]
|
|
</code></pre></li></ol><h2 id=cleanup>Cleanup</h2><ol><li><p>Clean up the test services and the Istio control plane:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete ns foo
|
|
$ kubectl delete ns bar
|
|
$ kubectl delete -f istio-auth-sds.yaml
|
|
</code></pre></li><li><p>Disable the pod security policy in the cluster using the documentation of your platform. If you are using GKE,
|
|
<a href=https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies#disabling_podsecuritypolicy_controller>disable the pod security policy controller</a>.</p></li><li><p>Delete the pod security policy and the test deployments:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete psp istio-sds-uds istio-nodeagent
|
|
$ kubectl delete role istio-nodeagent -n istio-system
|
|
$ kubectl delete rolebinding istio-nodeagent -n istio-system
|
|
$ kubectl delete clusterrole istio-sds-uds
|
|
$ kubectl delete clusterrolebinding istio-sds-uds
|
|
$ kubectl delete deploy malicious
|
|
$ kubectl delete deploy normal
|
|
</code></pre></li></ol><h2 id=caveats>Caveats</h2><p>Currently, the SDS identity provision flow has the following caveats:</p><ul><li><p>SDS support is currently in <a href=/v1.3/about/feature-stages/#security-and-policy-enforcement>Alpha</a>.</p></li><li><p>Smoothly migrating a cluster from using secret volume mount to using
|
|
SDS is a work in progress.</p></li></ul><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/blog/2019/app-identity-and-access-adapter/>App Identity and Access Adapter</a></p><p class=desc>Using Istio to secure multi-cloud Kubernetes applications with zero code changes.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/blog/2019/trustworthy-jwt-sds/>Change in Secret Discovery Service in Istio 1.3</a></p><p class=desc>Taking advantage of Kubernetes trustworthy JWTs to issue certificates for workload instances more securely.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/news/2019/incorrect-sidecar-image-1.2.4/>Istio 1.2.4 sidecar image vulnerability</a></p><p class=desc>An erroneous 1.2.4 sidecar image was available due to a faulty release operation.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></p><p class=desc>Comparison of alternative solutions to control egress traffic including performance considerations.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></p><p class=desc>Use Istio Egress Traffic Control to prevent attacks involving egress traffic.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></p><p class=desc>Learn how to extend the lifetime of Istio self-signed root certificate.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="Shows how to enable Citadel health checking with Kubernetes." href=/v1.3/docs/tasks/security/health-check/><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#left-arrow"/></svg>Citadel Health Checking</a></div><div class=right><a title="Configure which namespaces Citadel should generate service account secrets for." href=/v1.3/docs/tasks/security/ca-namespace-targeting/>Configure Citadel Service Account Secret Generation<svg class="icon"><use xlink:href="/v1.3/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="Before you begin"><a href=#before-you-begin>Before you begin</a><li role=none aria-label="Service-to-service mutual TLS using key/certificate provisioned through SDS"><a href=#service-to-service-mutual-tls-using-key-certificate-provisioned-through-sds>Service-to-service mutual TLS using key/certificate provisioned through SDS</a><li role=none aria-label="Verifying no secret-volume mounted file is generated"><a href=#verifying-no-secret-volume-mounted-file-is-generated>Verifying no secret-volume mounted file is generated</a><li role=none aria-label="Securing SDS with pod security policies"><a href=#securing-sds-with-pod-security-policies>Securing SDS with pod security policies</a><li role=none aria-label=Cleanup><a href=#cleanup>Cleanup</a><li role=none aria-label=Caveats><a href=#caveats>Caveats</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.3.5 now" href=/v1.3/docs/setup#downloading-the-release aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#download"/></svg>
|
|
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#discourse"/></svg></a>
|
|
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#stackoverflow"/></svg></a>
|
|
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#slack"/></svg></a>
|
|
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
|
|
1.3.5<br>© 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on November 14, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#github"/></svg></a>
|
|
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#drive"/></svg></a>
|
|
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#top"/></svg></button></div></body></html> |