Istio Security Assessment | 5/upgrade-notes/#control-plane-security 5 | Google Istio Security Assessment Google / NCC Group Confidential kubectl exec -it {YOURPOD} -n {YOURNS} -- curl istiod.istio-system.svc.cluster.local:15014/debug • This of the following command (run with administrative access) and use it below in place of $GATEWAY kubectl -n istio-system get service istio-ingressgateway \ -o jsonpath='{.status.loadBalancer.ingress[0] account to kubectl -n test apply -f the samples/bookinfo/platform/kube/bookinfo.yaml and samples/bookinfo/networking/bookinfo-gateway.yaml configurations 4. Using the restricted user, kubectl -n restrict-test | 0 码力 | 51 pages | 849.66 KB | 1 year ago | 3
Local Istio Development | Howard / @howardjohn / Google #IstioCon Fully Cloud docker push kubectl apply docker pull #IstioCon Fully Cloud docker push kubectl apply docker pull + No local resource utilization + Closely resembles Cluster + Registry docker push kubectl apply docker pull Local Kubernetes Local Registry #IstioCon Local Machine Local Cluster + Registry docker push kubectl apply docker pull Local Kubernetes | 0 码力 | 16 pages | 424.31 KB | 1 year ago | 3
Secure your microservices with istio step by step | without reviews-v2 2) Deploy bookinfo gateway 3) Deploy reviews-v2 service without istio sidecar ( kubectl label namespace default istio-injection=disabled/enabled ) Initializing services 1) Deploy bookinfo without reviews-v2 2) Deploy bookinfo gateway 3) Deploy reviews-v2 service without istio sidecar ( kubectl label namespace default istio-injection=disabled/enabled ) http http http http http http http | base64 -d | openssl x509 -noout -text -in - ● Part of cluster config in envoy config-dump ○ kubectl exec-c istio-proxy curl localhost:15000/config_dump #IstioCon Istio identity – check configuration | 0 码力 | 34 pages | 67.93 MB | 1 year ago | 3
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices | trace: r trace: r CI Pipeline | CONFIDENTIAL 9 Process flow using Istio Deploy Lua filters (kubectl apply -f) Capture traces for E2E test requests Create tests & mocks for all services lua filters Service A Proxy Proxy Service B Service C Proxy Mesh Dynamics Data Store Deploy: kubectl apply -f Capture using Lua filter All API data + TraceIDs | CONFIDENTIAL 11 Assemble | 0 码力 | 21 pages | 1.09 MB | 1 year ago | 3
Extending service mesh capabilities using a streamlined way based on WASM and ORAS | Productpage service Filter Chain envoy.filters.http.wasm/envoy.wasm.metadata_exchange Istio_authn kubectl exec -it [productpage-xxx] -c istio-proxy curl localhost:15000/config_dump envoy.filters.http.cors way to mount the volume, so the pulled wasm filter is written to disk on the corresponding node; 15 Create the private registry login Secret ● After obtaining the private registry login information, create the Secret with the following command ○ kubectl create secret generic asmwasm-cache -n istio-system --from-file=.dockerconfigjson=myconfig.json | 0 码力 | 23 pages | 2.67 MB | 1 year ago | 3
Istio in Production | local secrets: true accessPolicy: inbound: - name: consumer-a nais.yaml cluster kubectl apply -f nais.yaml application deployment service virtualservice autoscaler networkpolicy | 0 码力 | 42 pages | 3.45 MB | 1 year ago | 3
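Canary Release Practice for Kubernetes Container Applications Based on Istio | Integration and customization ACL Logging Quota Consul Feature extension Istio overall architecture Istio & Kubernetes: combined architecture Kube-APIServer Etcd istioctl / kubectl Pilot Envoy SVC Pod Node Envoy SVC Pod Node Envoy SVC Pod list/watch (Service, Endpoints | 0 码力 | 38 pages | 14.93 MB | 1 year ago | 3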
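Canary Release Practice for Kubernetes Container Applications Based on Istio | Logging Quota Consul Feature extension 11 Istio overall architecture 12 Istio & Kubernetes: combined architecture Kube-APIServer Etcd istioctl / kubectl Pilot Envoy SVC Pod Node Envoy SVC Pod Node Envoy SVC Pod list/watch (Service, Endpoints | 0 码力 | 34 pages | 2.64 MB | 6 months ago | 3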
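Introduction to Envoy Principles and Pitfalls from Production Issues | rights reserved. Page 25 Envoy problem analysis methods • View the Istio configuration • Via pilot-agent: access Envoy port 15000 and fetch the specified URL: • kubectl exec -it $podname -c istio-proxy -- pilot-agent request GET /config_dump > config.json • View listeners: istioctl | 0 码力 | 30 pages | 2.67 MB | 1 year ago | 3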
9 results in total