Istio 1.0 is non-compliant with CT1614 because it does not support certificate revocation (e.g. CRL). Issue 3886 has been created to track this feature request.
| Task | # of Hours |
|---|---|
| Learn Existing Codebase | 40 |
| Understand PKI, CRL, etc. Details | 36 |
Istio consists of several services that intercommunicate to form the service mesh control-plane. The Istio data-plane consists of a proxy mesh, where a proxy is deployed as a sidecar with each end-user application service. Mutual TLS (mTLS) can be used to secure end-user services running within or outside of the mesh and for securing Istio control-plane communication.
Not allowing customers to define outbound credentials destroys the usefulness of authentication functionality on peers.
Following: https://github.com/kubernetes-sigs/federation-v2/blob/master/docs/development.md
$ kubebuilder create resource --group core --version v1alpha1 --kind FederatedServiceAccount
Creating API files for you to edit...
Edit your API schema...
pkg/apis/core/v1alpha1/federatedserviceaccount_types.go
pkg/apis/core/v1alpha1/federatedserviceaccount_types_test.go
Creating controller ...
Edit your controller function...
$ kubectl exec -it productpage-v1-7bbdd59459-brq62 -c istio-proxy /bin/bash
$ curl http://127.0.0.1:15000/config_dump
{
  "configs": {
    "routes": {
      "@type": "type.googleapis.com/envoy.admin.v2alpha.RoutesConfigDump",
      "static_route_configs": [
        {
          "route_config": {
            "name": "inbound|9080||productpage.default.svc.cluster.local",
This document represents the plan for refactoring the Jaeger Agent to support different Reporters. The use case is identified by Issue 927.
Jaeger Workflow:
Instrumented App > Jaeger Client Library >---(SPANs)---> Agent > Collector > Storage (ES, Cassandra)
Istio consists of several services that intercommunicate to form the service mesh control-plane. The Istio data-plane consists of a proxy mesh, where a proxy is deployed as a sidecar with each end-user application service. Mutual TLS (mTLS) can be used to secure end-user services running within the mesh and for securing Istio control-plane communication.
This document provides instructions for testing x.509 certificate validation performed by Istio proxies. The httpbin and sleep applications are used to perform
Istio supports Mutual TLS (mTLS), which is documented here.
This document provides instructions for testing Istio mTLS. The document will use the bookinfo application and ssldump to verify mTLS is being used for network communication between application services. The bookinfo application consists of multiple services; please review this diagram to better understand the service<>service communication used for Istio mTLS validation.
Istio consists of several services that intercommunicate to form the service mesh control-plane. The Istio data-plane consists of a proxy mesh, where a proxy is deployed as a sidecar with each end-user application service. Mutual TLS (mTLS) can be used to secure end-user services running within the mesh and for securing Istio control-plane communication. This document provides detailed instructions for verifying Istio mTLS certificates.
The following is a list of remaining work items required to restore the house to a state previous to the re-pipe:
Since Jaeger does not run in the Istio mesh, a different ingress controller is required to expose Jaeger outside the k8s cluster. I used the nginx ingress controller in a baremetal setup (CCP). Follow the nginx deploy guide and use the baremetal provider.
Update the Jaeger service to use a different port other than 80:
apiVersion: v1
kind: Service