Christian Posta christian-posta

source .env.sh

Create cluster

Based on this documentation: https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/google-gke.html

Create a cluster with CPU nodes and we'll add GPU nodes later

Istio + Multus CNI: Annotation clobbering, replication and fix

This details a reference deployment of Istio w/ Multus CNI to demonstrate a problem where annotations are being clobbered by the Istio webhook. It also provides a patch and workflow for a possible fix.

This article first demonstrates how to reproduce the article, then proposes a patch, and demonstrates a way to build and deploy Istio with the modified code.

NOTE: Ignore the 1.5.1 through the install, I replicate it with latest (Nov 2021), and provide further steps following the rest of the installation.

Suggested system

Stop using JWTs!

TLDR: JWTs should not be used for keeping your user logged in. They are not designed for this purpose, they are not secure, and there is a much better tool which is designed for it: regular cookie sessions.

If you've got a bit of time to watch a presentation on it, I highly recommend this talk: https://www.youtube.com/watch?v=pYeekwv3vC4 (Note that other topics are largely skimmed over, such as CSRF protection. You should learn about other topics from other sources. Also note that "valid" usecases for JWTs at the end of the video can also be easily handled by other, better, and more secure tools. Specifically, PASETO.)

A related topic: Don't use localStorage (or sessionStorage) for authentication credentials, including JWT tokens: https://www.rdegges.com/2018/please-stop-using-local-storage/

The reason to avoid JWTs comes down to a couple different points:

The JWT specification is specifically designed only for very short-live tokens (~5 minute or less). Sessions

Freezer cgroup FTW

In a terminal start a server.

$ python -m SimpleHTTPServer 8000

In another terminal set up the cgroups freezer.

Download the files to a directory and start services using Docker Compose.

docker-compose up -d

Generate some load (run few times with different trace IDs)

curl -H "x-client-trace-id: 23423sfdf3" http://localhost:8000

	# Install Ambient Mesh with Helm Charts

	REPO="https://istio-release.storage.googleapis.com/charts"
	VERSION=1.19.0
	helm_opts="upgrade -i --namespace istio-system --create-namespace --repo ${REPO} --version ${VERSION}"

	# base
	helm $(echo $helm_opts) istio-base base

	# istiod

	apiVersion: gloo.solo.io/v1
	kind: Upstream
	metadata:
	name: green-cell1
	namespace: gloo-system
	spec:
	healthChecks:
	- timeout: 1s
	interval: 1s
	unhealthyThreshold: 1

	#!/bin/bash
	set -x #echo on

	## PREREQ: SET CONTEXTS for management-plane-context and remote-cluster-context

	#### Cleanup
	kubectl config use-context management-plane-context
	meshctl uninstall
	kubectl -n service-mesh-hub delete secret -l solo.io/kubeconfig=true
	kubectl delete istiooperator istiocontrolplane-default -n istio-operator --context management-plane-context

	# based on the "patch deployment" strategy in this comment:
	# https://github.com/kubernetes/kubernetes/issues/13488#issuecomment-372532659
	# requires jq

	# $1 is a valid namespace
	function refresh-all-pods() {
	echo
	DEPLOYMENT_LIST=$(kubectl -n $1 get deployment -o json\|jq -r .items[].metadata.name)
	echo "Refreshing pods in all Deployments"
	for deployment_name in $DEPLOYMENT_LIST ; do

	FROM ubuntu:xenial

	# This Dockerfile has been taken from:
	# https://github.com/nmnellis/istio/blob/access-logging/ci/Dockerfile

	RUN apt-get update \
	&& apt-get install -y openjdk-8-jdk make libtool m4 autoconf uuid-dev cmake golang-go curl python python-pip git \
	&& echo "deb [arch=amd64] http://storage.googleapis.com/bazel-apt stable jdk1.8" \| tee /etc/apt/sources.list.d/bazel.list \
	&& curl https://bazel.build/bazel-release.pub.gpg \| apt-key add - \
	&& apt-get update \