<!DOCTYPE html><html lang="en" itemscope itemtype="https://schema.org/WebPage"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><meta name="theme-color" content="#466BB0"/><meta name="title" content="Security"><meta name="description" content="Security Q&A"><meta name="og:title" content="Security"><meta name="og:description" content="Security Q&A"><meta name="og:url" content="/help/faq/security.html"><meta name="og.site_name" content="Istio"><title>Istioldie 0.7 / Security</title><script> window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date; ga('create', 'UA-98480406-2', 'auto'); ga('send', 'pageview'); </script> <script async src='https://www.google-analytics.com/analytics.js'></script><link rel="alternate" type="application/rss+xml" title="Istio Blog RSS" href="/v0.7/feed.xml"><link rel="shortcut icon" href="/v0.7/favicons/favicon.ico" ><link rel="apple-touch-icon" href="/v0.7/favicons/apple-touch-icon-180x180.png" sizes="180x180"><link rel="icon" type="image/png" href="/v0.7/favicons/favicon-16x16.png" sizes="16x16"><link rel="icon" type="image/png" href="/v0.7/favicons/favicon-32x32.png" sizes="32x32"><link rel="icon" type="image/png" href="/v0.7/favicons/android-36x36.png" sizes="36x36"><link rel="icon" type="image/png" href="/v0.7/favicons/android-48x48.png" sizes="48x48"><link rel="icon" type="image/png" href="/v0.7/favicons/android-72x72.png" sizes="72x72"><link rel="icon" type="image/png" href="/v0.7/favicons/android-96x196.png" sizes="96x196"><link rel="icon" type="image/png" href="/v0.7/favicons/android-144x144.png" sizes="144x144"><link rel="icon" type="image/png" href="/v0.7/favicons/android-192x192.png" sizes="192x192"><link rel="manifest" href="/v0.7/manifest.json"><meta name="apple-mobile-web-app-title" content="Istio"><meta name="application-name" content="Istio"><link rel="stylesheet" 
href="https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic"><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous"><link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.6/css/all.css"><link rel="stylesheet" href="/v0.7/css/light_theme.css" title="light"><link rel="alternate stylesheet" href="/v0.7/css/dark_theme.css" title="dark"> <script src="/v0.7/js/styleSwitcher.min.js"></script></head><body class="language-unknown theme-unknown"><header role="banner"><nav class="navbar navbar-expand-sm navbar-dark fixed-top bg-dark justify-content-between"> <a class="navbar-brand" href="/v0.7/" style="visibility: visible"> <img class="logo" src="/v0.7/img/istio-logo.svg" alt="Istio Logo"/> <span class="brand-name">Istioldie 0.7</span> </a> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation"> <span class="navbar-toggler-icon"></span> </button><div class="collapse navbar-collapse justify-content-end" id="navbarCollapse"><ul id="navbar-links" class="navbar-nav active"><li class="nav-item"> <a class="nav-link " href="/v0.7/docs/">Docs</a></li><li class="nav-item"> <a class="nav-link " href="/v0.7/blog/2018/traffic-mirroring.html">Blog</a></li><li class="nav-item"> <a class="nav-link active" href="/v0.7/help/">Help</a></li><li class="nav-item"> <a class="nav-link " href="/v0.7/community.html">Community</a></li><li class="nav-item"> <a class="nav-link " href="/v0.7/about/">About</a></li><li class="nav-item dropdown" id="gearDropdown" style="white-space: nowrap"> <a href="" class="nav-link" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <i style="width: 1em" class='fa fa-lg fa-cog'></i> 
</a><ul class="dropdown-menu dropdown-menu-right" aria-labelledby="gearDropdown"><h6 class="dropdown-header">Other versions of this site</h6><li> <a href="https://istio.io">Current Release</a></li><li> <a href="https://preliminary.istio.io">Next Release</a></li><li> <a href="https://archive.istio.io">Older Releases</a></li><li class="dropdown-divider"></li><li> <i class='fa fa-check light'></i> <a href="" onclick="setActiveStyleSheet('light');return false;">Light Theme</a></li><li> <i class='fa fa-check dark'></i> <a href="" onclick="setActiveStyleSheet('dark');return false;">Dark Theme</a></li><li class="dropdown-divider"></li><li><a href="https://github.com/istio/istio.github.io/issues/new?title=Issue with _help/faq/security.html">Report Site Bugs</a></li><li><a href="https://github.com/istio/istio.github.io/edit/master/_help/faq/security.html">Edit this Page on GitHub</a></li></ul></li><li class="nav-item"> <a id="search_show" class="nav-link" href=""><i style="width: 1em" class="fa fa-lg fa-search"></i></a></li></ul><form name="cse" id="search_form" class="form-inline mr-sm-2" role="search"> <input type="hidden" name="cx" value="013699703217164175118:iwwf17ikgf4" /> <input type="hidden" name="ie" value="utf-8" /> <input type="hidden" name="hl" value="en" /> <input id="search_textbox" class="form-control" name="q" type="text" /> <button id="search_close" type="reset"><i class="far fa-lg fa-times-circle"></i></button> </form></div></nav></header><div class="container-fluid"><div class="row row-offcanvas row-offcanvas-left"><div class="col-6 col-md-3 col-xl-2 sidebar-offcanvas"><nav class="sidebar"><div class="spacer"></div><div class="directory" role="tablist"><div class="card"><div class="card-header" role="tab" id="header0"><div title="A bunch of resources to help you deploy, configure and use Istio."> Help!</div></div><div id="collapse0" class="collapse show" data-parent="#sidebar" role="tabpanel" aria-labelledby="header0"><div class="card-body"><ul 
class="tree"><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-down'></i> <a class="" title="Frequently Asked Questions about Istio." href="/v0.7/help/faq">FAQ</a> </label><ul class="tree"><li> <a title="General Q&A" href="/v0.7/help/faq/general.html">General</a></li><li> <a title="Setup Q&A" href="/v0.7/help/faq/setup.html">Setup</a></li><li> <span class="current" title="Security Q&A">Security</span></li><li> <a title="Mixer Q&A" href="/v0.7/help/faq/mixer.html">Mixer</a></li><li> <a title="Traffic Management Q&A" href="/v0.7/help/faq/traffic-management.html">Traffic Management</a></li></ul></li><li> <a title="A glossary of common Istio terms." href="/v0.7/help/glossary.html">Glossary</a></li><li> <a title="What to do about bugs" href="/v0.7/help/bugs.html">Reporting Bugs</a></li><li> <a title="Practical advice on practical problems with Istio" href="/v0.7/help/troubleshooting.html">Troubleshooting Guide</a></li></ul></div></div></div></div></nav></div><div class="col-12 col-md-9 col-lg-6 col-xl-7"><p class="d-md-none"> <label class="sidebar-toggler" data-toggle="offcanvas"> <i class="fa fa-chevron-right"></i> </label></p><main role="main"><h1>Security</h1><h4 id="enabling-disabling-mtls">Q: How can I enable/disable mTLS encryption after I installed Istio?</h4><p>The most straightforward way to enable/disable mTLS is by entirely uninstalling and re-installing Istio.</p><p>If you are an advanced user and understand the risks you can also do the following:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl edit configmap <span class="nt">-n</span> istio-system istio
|
|
</code></pre></div></div><p>comment out or uncomment <code class="highlighter-rouge">authPolicy: MUTUAL_TLS</code> to toggle mTLS and then</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl delete pods <span class="nt">-n</span> istio-system <span class="nt">-l</span> <span class="nv">istio</span><span class="o">=</span>pilot
|
|
</code></pre></div></div><p>to restart Pilot. After a few seconds (depending on your <code class="highlighter-rouge">*RefreshDelay</code>), your Envoy proxies will have picked up the change from Pilot. During that time your services may be unavailable.</p><p>We are working on a smoother solution.</p><h4 id="istio-to-not-istio">Q: Can a service with Istio Auth enabled communicate with a service without Istio?</h4><p>This is not supported currently, but will be in the near future.</p><h4 id="auth-mix-and-match">Q: Can I enable Istio Auth with some services while disable others in the same cluster?</h4><p>Starting with release 0.3, you can use service-level annotations to disable (or enable) Istio Auth for a particular service port. The annotation key should be <code class="highlighter-rouge">auth.istio.io/{port_number}</code>, and the value should be <code class="highlighter-rouge">NONE</code> (to disable), or <code class="highlighter-rouge">MUTUAL_TLS</code> (to enable). A port set to <code class="highlighter-rouge">NONE</code> no longer gets Istio Auth's mutual TLS, so traffic to it is neither authenticated nor encrypted by Istio.</p><p>Example: disable Istio Auth on port 9080 for service <code class="highlighter-rouge">details</code>.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span>
|
|
<span class="na">metadata</span><span class="pi">:</span>
|
|
<span class="na">name</span><span class="pi">:</span> <span class="s">details</span>
|
|
<span class="na">labels</span><span class="pi">:</span>
|
|
<span class="na">app</span><span class="pi">:</span> <span class="s">details</span>
|
|
<span class="na">annotations</span><span class="pi">:</span>
|
|
<span class="s">auth.istio.io/9080</span><span class="pi">:</span> <span class="s">NONE</span>
|
|
</code></pre></div></div><h4 id="k8s-health-checks">Q: How can I use Kubernetes liveness and readiness for service health check with Istio Auth enabled?</h4><p>If Istio Auth is enabled, HTTP and TCP health checks from the kubelet will not work, since the kubelet does not have Istio Auth issued certificates. A workaround is to use a <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#define-a-liveness-command">liveness command</a> for the health check; e.g., one can install curl in the service pod and have the pod curl itself. The Istio team is actively working on a solution.</p><p>An example probe (written here as a <code class="highlighter-rouge">livenessProbe</code>; a <code class="highlighter-rouge">readinessProbe</code> uses the same <code class="highlighter-rouge">exec</code> form):</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">livenessProbe</span><span class="pi">:</span>
|
|
<span class="na">exec</span><span class="pi">:</span>
|
|
<span class="na">command</span><span class="pi">:</span>
|
|
<span class="pi">-</span> <span class="s">curl</span>
|
|
<span class="pi">-</span> <span class="s">-f</span>
|
|
<span class="pi">-</span> <span class="s">http://localhost:8080/healthz</span> <span class="c1"># Replace port and URI by your actual health check</span>
|
|
<span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="s">10</span>
|
|
<span class="na">periodSeconds</span><span class="pi">:</span> <span class="s">5</span>
|
|
</code></pre></div></div><h4 id="k8s-api-server">Q: Can I access the Kubernetes API Server with Auth enabled?</h4><p>The Kubernetes API server does not support mutual TLS authentication, so strictly speaking: no. However, if you use version 0.3 or later, see the next question to learn how to disable mTLS in the upstream config on the client side so that clients can access the API server.</p><h4 id="accessing-control-services">Q: How to disable Auth on clients to access the Kubernetes API Server (or any control services that don't have Istio sidecar)?</h4><p>Starting with release 0.3, edit the <code class="highlighter-rouge">mtlsExcludedServices</code> list in the Istio config map to contain the fully-qualified name of the API server (and any other control services for that matter). The default value of <code class="highlighter-rouge">mtlsExcludedServices</code> already contains <code class="highlighter-rouge">kubernetes.default.svc.cluster.local</code>, which is the default service name of the Kubernetes API server.</p><p>For quick reference, here are the commands to edit the Istio configmap and to restart Pilot.</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl edit configmap <span class="nt">-n</span> istio-system istio
|
|
kubectl delete pods <span class="nt">-n</span> istio-system <span class="nt">-l</span> <span class="nv">istio</span><span class="o">=</span>pilot
|
|
</code></pre></div></div><blockquote><p>Note: DO NOT use this approach to disable mTLS for services that are managed by Istio (i.e. using Istio sidecar). Instead, use service-level annotations to override the authentication policy (see above).</p></blockquote><h4 id="cert-lifetime-config">Q: How to configure the lifetime for Istio certificates?</h4><p>For the workloads running in Kubernetes, the lifetime of their Istio certificates is controlled by the <code class="highlighter-rouge">workload-cert-ttl</code> flag on Istio CA. The default value is 19 hours. This value should be no greater than <code class="highlighter-rouge">max-workload-cert-ttl</code> of the Istio CA.</p><p>The Istio CA uses a flag <code class="highlighter-rouge">max-workload-cert-ttl</code> to control the maximum lifetime for Istio certificates issued to workloads. The default value is 7 days. If <code class="highlighter-rouge">workload-cert-ttl</code> on CA or node agent is greater than <code class="highlighter-rouge">max-workload-cert-ttl</code>, Istio CA will fail to issue the certificate.</p><p>Modify the <code class="highlighter-rouge">istio-auth.yaml</code> file to customize the CA configuration. The following modification specifies that the Istio certificates for workloads running in Kubernetes have a lifetime of 1 hour. In addition, the maximum allowed Istio certificate lifetime is 48 hours.</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>...
|
|
kind: Deployment
|
|
...
|
|
metadata:
|
|
name: istio-ca
|
|
namespace: istio-system
|
|
spec:
|
|
...
|
|
template:
|
|
...
|
|
spec:
|
|
...
|
|
containers:
|
|
- name: istio-ca
|
|
...
|
|
args:
|
|
- <span class="nt">--workload-cert-ttl</span><span class="o">=</span>1h <span class="c"># Lifetime of certificates issued to workloads in Kubernetes.</span>
|
|
- <span class="nt">--max-workload-cert-ttl</span><span class="o">=</span>48h <span class="c"># Maximum lifetime of certificates issued to workloads by the CA.</span>
|
|
</code></pre></div></div><p>For the workloads running on VMs and bare metal hosts, the lifetime of their Istio certificates is specified by the <code class="highlighter-rouge">workload-cert-ttl</code> flag on each node agent. The default value is also 19 hours. This value should be no greater than <code class="highlighter-rouge">max-workload-cert-ttl</code> of the Istio CA.</p><p>To customize this configuration, the argument for the node agent service should be modified. After <a href="/v0.7/docs/setup/kubernetes/mesh-expansion.html#setting-up-the-machines">setting up the machines</a> for Istio mesh expansion, modify the file <code class="highlighter-rouge">/lib/systemd/system/istio-auth-node-agent.service</code> on the VMs or bare metal hosts:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>...
|
|
<span class="o">[</span>Service]
|
|
<span class="nv">ExecStart</span><span class="o">=</span>/usr/local/bin/node_agent <span class="nt">--workload-cert-ttl</span><span class="o">=</span>24h <span class="c"># Specify certificate lifetime for workloads on this machine.</span>
|
|
<span class="nv">Restart</span><span class="o">=</span>always
|
|
<span class="nv">StartLimitInterval</span><span class="o">=</span>0
|
|
<span class="nv">RestartSec</span><span class="o">=</span>10
|
|
...
|
|
</code></pre></div></div><p>The above configuration specifies that the Istio certificates for workloads running on this VM or bare metal host will have a lifetime of 24 hours. Note that systemd does not treat a trailing <code class="highlighter-rouge">#</code> on an <code class="highlighter-rouge">ExecStart</code> line as a comment, so leave the annotation shown above out of the real unit file.</p><p>After configuring the service, restart the node agent by running <code class="highlighter-rouge">systemctl daemon-reload</code>. Note that <code class="highlighter-rouge">daemon-reload</code> only makes systemd re-read the unit file; the running node agent keeps its old arguments until the service itself is restarted, for example with <code class="highlighter-rouge">systemctl restart istio-auth-node-agent</code>.</p><h4 id="does-istio-support-authorization">Q: Does Istio Auth support authorization?</h4><p>Yes. Starting from the Istio 0.5 release, we provide Role Based Access Control for services in the Istio mesh. <a href="/v0.7/docs/concepts/security/rbac.html">Learn more</a>.</p><h4 id="use-k8s-secrets">Q: Does Istio Auth use Kubernetes secrets?</h4><p>Yes. The key and certificate distribution in Istio Auth is based on <a href="https://kubernetes.io/docs/concepts/configuration/secret/">Kubernetes secrets</a>.</p><p>Secrets have known <a href="https://kubernetes.io/docs/concepts/configuration/secret/#risks">security risks</a>. The Kubernetes team is working on <a href="https://docs.google.com/document/d/1T2y-9geg9EfHHtCDYTXptCa-F4kQ0RyiH-c_M1SyD0s">several features</a> to improve Kubernetes secret security, from secret encryption to node-level access control. And as of version 1.6, Kubernetes introduces <a href="https://kubernetes.io/docs/admin/authorization/rbac/">RBAC authorization</a>, which can provide fine-grained secrets management.</p><h4 id="secret-encryption">Q: Is the secret encrypted for workload key and cert?</h4><p>By default, they are base64 encoded but not encrypted, so anyone who can read the secret object can recover the key. However, the <a href="https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/">secret encryption feature</a> is supported in Kubernetes and you can enable it by following the instructions.</p><p>Note that this feature is not enabled yet in Google Container Engine (GKE). 
While the data may not be encrypted inside the etcd running on the master node, the contents of the master node itself are encrypted, see <a href="https://cloud.google.com/security/encryption-at-rest/default-encryption/#encryption_of_data_at_rest">here</a> for more info.</p><h4 id="secure-ingress">Q: How to configure Istio Ingress to only accept TLS traffic?</h4><p>By following the instructions on <a href="/v0.7/docs/tasks/traffic-management/ingress.html#configuring-secure-ingress-https">Configuring secure ingress</a>, Istio Ingress can be secured to only accept TLS traffic.</p></main></div><div class="col-12 col-md-3 d-none d-lg-block"><nav class="toc"><div class="spacer"></div><div class="directory" role="directory"><ul><li><a href="#enabling-disabling-mtls">Q: How can I enable/disable mTLS encryption after I installed Istio?</a></li><li><a href="#istio-to-not-istio">Q: Can a service with Istio Auth enabled communicate with a service without Istio?</a></li><li><a href="#auth-mix-and-match">Q: Can I enable Istio Auth with some services while disable others in the same cluster?</a></li><li><a href="#k8s-health-checks">Q: How can I use Kubernetes liveness and readiness for service health check with Istio Auth enabled?</a></li><li><a href="#k8s-api-server">Q: Can I access the Kubernetes API Server with Auth enabled?</a></li><li><a href="#accessing-control-services">Q: How to disable Auth on clients to access the Kubernetes API Server (or any control services that don’t have Istio sidecar)?</a></li><li><a href="#cert-lifetime-config">Q: How to configure the lifetime for Istio certificates?</a></li><li><a href="#does-istio-support-authorization">Q: Does Istio Auth support authorization?</a></li><li><a href="#use-k8s-secrets">Q: Does Istio Auth use Kubernetes secrets?</a></li><li><a href="#secret-encryption">Q: Is the secret encrypted for workload key and cert?</a></li><li><a href="#secure-ingress">Q: How to configure Istio Ingress to only accept TLS 
traffic?</a></li></ul></div></nav></div></div></div><div class="footer"><footer><div class="container-fluid"><div class="row"><div class="col-6 col-lg-4" role="navigation"><div class="container-fluid"><div class="row justify-content-start"><div class="icon"> <a title="Join the istio-users@ mailing list to participate in discussions and get help troubleshooting problems" href="https://groups.google.com/forum/#!forum/istio-users"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 490 490"><path d="M480,410.248H10c-5.523,0-10-4.477-10-10V89.752c0-5.523,4.477-10,10-10h470c5.522,0,10,4.477,10,10v310.495 C490,405.771,485.522,410.248,480,410.248z M20,390.248h450V99.752H20V390.248z"/><path d="M245,286.131c-2.083,0-4.167-0.649-5.931-1.948L48.64,143.929c-4.446-3.275-5.396-9.535-2.121-13.982 c3.275-4.447,9.535-5.396,13.982-2.121L245,263.712l184.5-135.886c4.447-3.274,10.709-2.326,13.982,2.121 c3.275,4.447,2.325,10.707-2.121,13.982L250.931,284.183C249.167,285.482,247.083,286.131,245,286.131z"/> </svg> </a></div><div class="icon"> <a title="Follow us on Twitter to get the latest news" href="https://twitter.com/IstioMesh"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 310 310"><path d="M302.973,57.388c-4.87,2.16-9.877,3.983-14.993,5.463c6.057-6.85,10.675-14.91,13.494-23.73 c0.632-1.977-0.023-4.141-1.648-5.434c-1.623-1.294-3.878-1.449-5.665-0.39c-10.865,6.444-22.587,11.075-34.878,13.783 c-12.381-12.098-29.197-18.983-46.581-18.983c-36.695,0-66.549,29.853-66.549,66.547c0,2.89,0.183,5.764,0.545,8.598 C101.163,99.244,58.83,76.863,29.76,41.204c-1.036-1.271-2.632-1.956-4.266-1.825c-1.635,0.128-3.104,1.05-3.93,2.467 c-5.896,10.117-9.013,21.688-9.013,33.461c0,16.035,5.725,31.249,15.838,43.137c-3.075-1.065-6.059-2.396-8.907-3.977 c-1.529-0.851-3.395-0.838-4.914,0.033c-1.52,0.871-2.473,2.473-2.513,4.224c-0.007,0.295-0.007,0.59-0.007,0.889 c0,23.935,12.882,45.484,32.577,57.229c-1.692-0.169-3.383-0.414-5.063-0.735c-1.732-0.331-3.513,0.276-4.681,1.597 
c-1.17,1.32-1.557,3.16-1.018,4.84c7.29,22.76,26.059,39.501,48.749,44.605c-18.819,11.787-40.34,17.961-62.932,17.961 c-4.714,0-9.455-0.277-14.095-0.826c-2.305-0.274-4.509,1.087-5.294,3.279c-0.785,2.193,0.047,4.638,2.008,5.895 c29.023,18.609,62.582,28.445,97.047,28.445c67.754,0,110.139-31.95,133.764-58.753c29.46-33.421,46.356-77.658,46.356-121.367 c0-1.826-0.028-3.67-0.084-5.508c11.623-8.757,21.63-19.355,29.773-31.536c1.237-1.85,1.103-4.295-0.33-5.998 C307.394,57.037,305.009,56.486,302.973,57.388z"/> </svg> </a></div><div class="icon"> <a title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href="https://stackoverflow.com/questions/tagged/istio"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 120 120"><polygon points="84.4,93.8 84.4,70.6 92.1,70.6 92.1,101.5 22.6,101.5 22.6,70.6 30.3,70.6 30.3,93.8 "/><path d="M38.8,68.4l37.8,7.9l1.6-7.6l-37.8-7.9L38.8,68.4z M43.8,50.4l35,16.3l3.2-7l-35-16.4L43.8,50.4z M53.5,33.2 l29.7,24.7l4.9-5.9L58.4,27.3L53.5,33.2z M72.7,14.9l-6.2,4.6l23,31l6.2-4.6L72.7,14.9z M38,86h38.6v-7.7H38V86z"/> </svg> </a></div></div><div class="row justify-content-start d-none d-lg-flex"><p class="tag">for users</p></div></div></div><div class="col-6 col-lg-4"><p class="text-center copyright" role="contentinfo"> Istio Archive 0.7, Copyright © 2018 Istio Authors<br> Archived on 05-May-2018</p></div><div class="col-6 col-lg-4 d-none d-lg-flex" role="navigation"><div class="container-fluid"><div class="row justify-content-end"><div class="icon"> <a title="Join the istio-dev@ mailing list to discuss development issues around the Istio project" href="https://groups.google.com/forum/#!forum/istio-dev"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 490 490"><path d="M480,410.248H10c-5.523,0-10-4.477-10-10V89.752c0-5.523,4.477-10,10-10h470c5.522,0,10,4.477,10,10v310.495 C490,405.771,485.522,410.248,480,410.248z M20,390.248h450V99.752H20V390.248z"/><path 
d="M245,286.131c-2.083,0-4.167-0.649-5.931-1.948L48.64,143.929c-4.446-3.275-5.396-9.535-2.121-13.982 c3.275-4.447,9.535-5.396,13.982-2.121L245,263.712l184.5-135.886c4.447-3.274,10.709-2.326,13.982,2.121 c3.275,4.447,2.325,10.707-2.121,13.982L250.931,284.183C249.167,285.482,247.083,286.131,245,286.131z"/> </svg> </a></div><div class="icon"> <a title="GitHub is where development takes place on Istio code" href="https://github.com/istio/community"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 478.165 478.165"><path d="M349.22,55.768c6.136,14.046,10.241,37.556,4.224,54.69 c24.426,20.999,33.073,71.904,21.079,113.704c35.006,2.73,76.666-1.235,103.642,9.484c-25.183-3.248-59.651-9.563-91.987-7.431 c-6.136,0.458-15.361-0.239-14.903,8.408c37.735,3.008,75.092,6.117,105.894,15.779c-30.702-4.981-67.74-12.552-105.894-13.668 c-15.54,30.921-47.239,46.262-90.991,49.49c4.682,10.261,13.847,14.066,15.879,30.702c3.267,24.406-4.881,60.328,3.208,76.686 c4.064,7.89,10.579,8.009,14.863,14.604c-10.699,12.871-37.257-1.395-40.186-14.604c-5.14-22.852,7.89-58.256-6.415-73.737 c0.996,24.865-5.718,59.85,0.996,82.145c2.789,8.806,10.659,12.113,8.647,20.063c-49.809,5.08-28.989-64.373-37.177-105.356 c-7.471,0.697-4.204,11.197-4.224,15.76c-0.199,40.106,8.189,94.836-34.846,89.556c-1.315-8.348,5.838-11.217,8.467-19.007 c7.91-22.434-1.454-56.045,2.112-83.161c-16.417,12.512,1.793,55.666-8.428,77.961c-5.838,12.671-24.785,18.27-39.19,12.651 c1.873-9.464,11.695-7.989,15.879-16.875c5.818-12.452,0.02-30.244,2.092-48.494c-30.423,6.097-53.993-0.877-65.608-20.023 c-5.12-8.507-6.356-18.708-12.632-26.219c-6.117-7.551-16.098-8.507-19.087-18.808c37.755-9.185,39.17,38.771,73.06,39.807 c10.44,0.418,15.799-2.909,25.402-5.16c2.749-12.113,8.428-21.039,16.875-27.494c-42.078-5.658-76.865-18.788-93.023-50.466 c-38.293,1.893-73.339,7.013-105.894,14.843c29.547-10.679,65.807-14.604,104.778-15.819c-2.351-13.807-22.434-10.022-34.866-9.543 
C47.677,227.17,18.449,230.138,0,233.645c26.817-9.543,64.233-8.348,100.454-8.428c-11.038-34.767-7.232-90.014,17.015-110.615 c-6.854-17.254-4.722-45.346,4.184-58.834c27.036,1.175,43.374,12.891,60.388,24.247c21.019-6.017,43.035-9.045,71.904-7.451 c12.133,0.677,24.705,6.097,33.731,5.32c8.906-0.877,18.728-10.898,27.534-14.843C326.507,58.099,336.17,56.206,349.22,55.768z"/> </svg> </a></div><div class="icon"> <a title="Access our team drive if you'd like to take a look at the Istio technical design documents" href="https://groups.google.com/forum/#!forum/istio-team-drive-access"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 207.027 207.027"><path d="M69.866,15.557L0,138.919l28.732,52.552l143.288-0.029l35.008-59.588L136.39,15.735L69.866,15.557z M17.166,139.046 L74.268,38.205L91.21,67.783L33.24,168.447L17.166,139.046z M99.841,82.851l23.805,41.558l-47.732-0.006L99.841,82.851z M163.434,176.443l-117.332,0.024l21.53-37.065l64.606,0.008l0.067,0.119l52.865-0.085L163.434,176.443z M140.932,124.411 L90.157,35.767l-2.966-5.178l40.751,0.121l57.003,93.706L140.932,124.411z"/> </svg> </a></div><div class="icon"> <a title="If you'd like to contribute to the Istio project, consider participating in our working groups" href="https://github.com/istio/community/blob/master/WORKING-GROUPS.md"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -45 439.833 439.833"><polygon points="246.048,195.833 299.966,235.085 319.497,227.296 276.278,195.833"/><polygon points="193.786,195.833 163.556,195.833 120.33,227.3 139.862,235.089"/><path d="M219.927,11.558c-23.854,0-37.057,12.362-36.814,36.182c0.348,32.623,14.211,52.414,36.814,52.068 c0,0,36.802,1.492,36.802-52.068C256.729,23.918,244.294,11.558,219.927,11.558z"/><path d="M285.017,124.567l-36.77-14.659l-8.608-7.256c-2.274-1.922-5.636-1.78-7.741,0.317l-11.973,11.904l-12.008-11.907 c-2.109-2.094-5.465-2.229-7.736-0.313l-8.611,7.256l-36.77,14.661c-11.842,4.715-11.83,46.647-12.848,50.497h155.93 
C296.866,171.228,296.862,129.28,285.017,124.567z"/><path d="M77.976,228.568c0,0,36.801,1.492,36.801-52.068c0-23.82-12.434-36.182-36.801-36.182 c-23.854,0-37.057,12.362-36.814,36.182C41.509,209.124,55.372,228.915,77.976,228.568z"/><path d="M143.065,253.329l-36.77-14.658l-8.609-7.256c-2.275-1.923-5.635-1.781-7.742,0.315l-11.971,11.904l-12.008-11.908 c-2.109-2.094-5.465-2.229-7.736-0.312l-8.611,7.256l-36.77,14.66C1.006,258.045,1.018,299.977,0,303.827h155.93 C154.915,299.988,154.911,258.042,143.065,253.329z"/><path d="M361.878,228.568c0,0,36.801,1.492,36.801-52.068c0-23.82-12.434-36.182-36.801-36.182 c-23.854,0-37.057,12.362-36.812,36.182C325.411,209.124,339.274,228.915,361.878,228.568z"/><path d="M426.968,253.329l-36.77-14.658l-8.609-7.256c-2.273-1.923-5.635-1.781-7.742,0.315l-11.971,11.904l-12.008-11.908 c-2.109-2.094-5.465-2.229-7.736-0.312l-8.61,7.256l-36.771,14.66c-11.842,4.715-11.83,46.646-12.848,50.497h155.93 C438.817,299.988,438.812,258.042,426.968,253.329z"/> </svg> </a></div><div class="icon"> <a title="Interactively discuss development issues with the Istio community on Slack (invitation-only)" href="https://istio.slack.com"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 31.444 31.443"><path d="M31.202,16.369c-0.62-1.388-2.249-2.011-3.637-1.391l-1.325,0.594l-3.396-7.591l1.325-0.592 c1.388-0.622,2.01-2.25,1.389-3.637c-0.62-1.389-2.248-2.012-3.637-1.39l-1.324,0.593l-0.593-1.326 c-0.621-1.388-2.249-2.009-3.637-1.388c-1.388,0.62-2.009,2.247-1.389,3.637l0.593,1.325L7.98,8.598L7.388,7.273 c-0.621-1.39-2.249-2.009-3.637-1.39C2.363,6.504,1.742,8.132,2.362,9.52l0.592,1.324L1.63,11.438 c-1.388,0.621-2.01,2.247-1.389,3.636c0.62,1.388,2.249,2.01,3.637,1.39l1.325-0.594l3.394,7.592l-1.325,0.592 c-1.388,0.621-2.009,2.25-1.389,3.637c0.621,1.389,2.249,2.011,3.637,1.391l1.324-0.593l0.593,1.325 c0.621,1.389,2.249,2.01,3.637,1.389c1.387-0.62,2.009-2.248,1.388-3.636l-0.591-1.326l7.591-3.394l0.592,1.321 
c0.621,1.391,2.248,2.013,3.637,1.392c1.388-0.619,2.01-2.248,1.389-3.637l-0.592-1.324l1.323-0.594 C31.201,19.384,31.823,17.757,31.202,16.369z M13.623,21.215l-3.395-7.593l7.591-3.394l3.395,7.591L13.623,21.215z"/> </svg> </a></div></div><div class="row justify-content-end text-right"><p class="text-right tag">for developers</p></div></div></div></div></div></footer></div><script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/1.7.1/clipboard.min.js"></script> <script src="https://www.google.com/cse/brand?form=search_form"></script> <script src="/v0.7/js/misc.min.js"></script></body></html>
|