User guide for istioctl managing webhooks #5162
Conversation
041a962 to
592957e
Compare
|
/test lint_istio.io |
|
|
||
| ## Before you begin | ||
|
|
||
| * Create a new Kubernetes cluster to run the example in this tutorial. |
There was a problem hiding this comment.
nit: I don't think this is needed
There was a problem hiding this comment.
Creating a new cluster is not strictly needed, but to on the safe side -> avoid affecting an existing cluster.
| install/kubernetes/helm/istio > istio-webhook-config.yaml | ||
| {{< /text >}} | ||
|
|
||
| 1. From `istio-webhook-config.yaml`, search `'kind: MutatingWebhookConfiguration'` and save |
There was a problem hiding this comment.
If this is for more then experimental we need to improve the UX here. If its is just experimental we should make that more clear
There was a problem hiding this comment.
Added TODOs to improve the UX here. The document has a warning at the top saying this is an experimental feature.
| keywords: [security,webhook] | ||
| --- | ||
|
|
||
| {{< warning >}} |
There was a problem hiding this comment.
Use the boilerplate for this warning please.
| @@ -0,0 +1,243 @@ | |||
| --- | |||
| title: Istio Webhook Management | |||
| description: Shows how to manage webhooks in Istio through istioctl. | |||
There was a problem hiding this comment.
Can you include why a user would want to do this? Adding this doc, which is a lot of complicated and manual steps, makes it look like this is a required thing to user Istio properly
There was a problem hiding this comment.
Added the following explanation why a user would want to do this:
Istio has two webhooks (Galley and Sidecar Injector). In current Istio implementation,
Galley and Sidecar Injector manage their own webhook configurations, which from
security perspective is not recommended because a compromised webhook may conduct
privilege escalation attacks.
This task shows how to use istioctl, instead of Galley and Sidecar Injector, to
manage the webhook configurations of Galley and Sidecar Injector.
|
@istio/wg-docs-maintainers-english All review comments have been addressed, can you approve the PR? |
|
@rcaballeromx This feature is for Istio with version >= 1.4. Readers can run all commands successfully on Istio with version >= 1.4. The user guide will not be cherrypicked to older Istio versions (e.g., 1.3, 1.2, etc) |
|
@rcaballeromx Per the discussion, the installation step is removed to decouple the installation from the user guide. Please take a look. |
|
|
||
| {{< text plain >}} | ||
| Error from server: error when creating "invalid-gateway.yaml": admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: gateway must have at least one server | ||
| {{< /text >}} |
There was a problem hiding this comment.
same comment here, i would expect this to fail in the default install also.
There was a problem hiding this comment.
need more wording to explain why this is different and how to detect this is running in this new mode.
There was a problem hiding this comment.
@linsun How this is different does not belong in the task. We can work on a blog post evaluating both approaches but let's try not to overburden readers with information here.
There was a problem hiding this comment.
Added a step to verify that there are no existing webhook configurations for Galley and the sidecar injector before running the webhook enable command.
| @@ -0,0 +1,231 @@ | |||
| --- | |||
| title: Istio Webhook Management [Experimental] | |||
| description: Shows how to manage webhooks in Istio through istioctl. | |||
There was a problem hiding this comment.
Shows How to manage webhooks in Istio through istioctl.
There was a problem hiding this comment.
Revised accordingly.
| Istio has two webhooks: Galley and the sidecar injector. By default, | ||
| these webhooks manage their own configurations. From a | ||
| security perspective, this default behavior is not recommended because a compromised webhook could then conduct | ||
| privilege escalation attacks. |
There was a problem hiding this comment.
It should be privilege escalation attacks.
| security perspective, this default behavior is not recommended because a compromised webhook could then conduct | ||
| privilege escalation attacks. | ||
|
|
||
| This task shows how to use `istioctl`, instead of the webhooks, to |
There was a problem hiding this comment.
This task shows how to use istioctl, instead of the webhooks, to
There was a problem hiding this comment.
Revised accordingly.
| This task shows how to use `istioctl`, instead of the webhooks, to | ||
| manage their configurations. | ||
|
|
||
| ## Before you begin |
There was a problem hiding this comment.
Revised accordingly.
|
|
||
| ## Check webhook certificates | ||
|
|
||
| To display the DNS names in the webhook certificates of Galley and the sidecar injector, we get the secret |
There was a problem hiding this comment.
To display the DNS names in the webhook certificates of Galley and the sidecar injector, we you need to get the secret
There was a problem hiding this comment.
Revised accordingly.
| {{< /text >}} | ||
|
|
||
| 1. To check that the sidecar injector webhook is working, verify that the webhook injects a | ||
| sidecar container into an example pod with the following commands: |
There was a problem hiding this comment.
To Check that the sidecar injector webhook is working by verifying that the webhook injects a
sidecar container into an example pod with the following commands:
There was a problem hiding this comment.
The current one is more accurate.
| $ kubectl get pod -n test-injection | ||
| {{< /text >}} | ||
|
|
||
| The output from the `get pod` command should show the following output. The `2/2` value means that |
There was a problem hiding this comment.
The output from the get pod command should show the following output. The 2/2 value means that
There was a problem hiding this comment.
Revised accordingly.
| $ istioctl experimental post-install webhook disable --validation=false --injection-config=istio-sidecar-injector | ||
| {{< /text >}} | ||
|
|
||
| 1. If you name Galleys's configuration `istio-galley`, disable the webhook with the following command: |
There was a problem hiding this comment.
If you named Galleys's configuration istio-galley, disable the webhook with the following command:
There was a problem hiding this comment.
Revised accordingly.
|
|
||
| After completing this tutorial, you may delete the testing cluster created | ||
| at the beginning of this tutorial. You may also run the following command to delete | ||
| the resources created. |
There was a problem hiding this comment.
After completing this tutorial, you may delete the testing cluster created You
at the beginning of this tutorial.may also can run the following command to delete
the resources created at the beginning of this tutorial.
There was a problem hiding this comment.
Revised accordingly.
| {{< /text >}} | ||
|
|
||
| <!-- TODO (lei-tang): improve the UX for obtain MutatingWebhookConfiguration --> | ||
| 1. Open the `istio.yaml` configuration file, search `'kind: MutatingWebhookConfiguration'` and save |
There was a problem hiding this comment.
| 1. Open the `istio.yaml` configuration file, search `'kind: MutatingWebhookConfiguration'` and save | |
| 1. Open the `istio.yaml` configuration file, search for `kind: MutatingWebhookConfiguration` and save |
| {{< /text >}} | ||
|
|
||
| <!-- TODO (lei-tang): improve the UX for obtain ValidatingWebhookConfiguration --> | ||
| 1. Open the `istio.yaml` configuration file, search `'kind: ValidatingWebhookConfiguration'` and save |
There was a problem hiding this comment.
| 1. Open the `istio.yaml` configuration file, search `'kind: ValidatingWebhookConfiguration'` and save | |
| 1. Open the `istio.yaml` configuration file, search for `kind: ValidatingWebhookConfiguration` and save |
| the webhook injected a sidecar into the example pod: | ||
|
|
||
| {{< text plain >}} | ||
| NAME READY STATUS RESTARTS AGE |
There was a problem hiding this comment.
| NAME READY STATUS RESTARTS AGE | |
| NAME READY STATUS RESTARTS AGE |
| sidecar container into an example pod with the following commands: | ||
|
|
||
| {{< text bash >}} | ||
| $ kubectl create namespace test-injection; kubectl label namespaces test-injection istio-injection=enabled |
There was a problem hiding this comment.
| $ kubectl create namespace test-injection; kubectl label namespaces test-injection istio-injection=enabled | |
| $ kubectl create namespace test-injection | |
| $ kubectl label namespaces test-injection istio-injection=enabled |
| security perspective, this default behavior is not recommended because a compromised webhook could then conduct | ||
| privilege escalation attacks. | ||
|
|
||
| This task shows how to use `istioctl`, instead of webhooks, to |
There was a problem hiding this comment.
| This task shows how to use `istioctl`, instead of webhooks, to | |
| This task shows how to use the new [{{< istioctl >}} x post-install webhook](/docs/reference/commands/istioctl/#istioctl-experimental-post-install-webhook) command to |
There was a problem hiding this comment.
Revised accordingly.
| privilege escalation attacks. | ||
|
|
||
| This task shows how to use `istioctl`, instead of webhooks, to | ||
| manage their configurations. |
There was a problem hiding this comment.
| manage their configurations. | |
| securely manage the configurations of the webhooks. |
There was a problem hiding this comment.
Revised accordingly.
| $ istioctl manifest generate > istio.yaml | ||
| {{< /text >}} | ||
|
|
||
| <!-- TODO (lei-tang): improve the UX for obtain MutatingWebhookConfiguration --> |
There was a problem hiding this comment.
Remove this line. It is causing the numbered list not to render properly.
| istio-injection: enabled | ||
| {{< /text >}} | ||
|
|
||
| <!-- TODO (lei-tang): improve the UX for obtain ValidatingWebhookConfiguration --> |
|
/retest |
|
/test lint_istio.io |
A guide of using istioctl to manage webhooks in Istio.
This PR has URLs pointing to: istio/istio#17867 and #5152.
Thus the lint test will fail until these PRs are merged.
Please provide a description for what this PR is for: istio/istio#17061.
Design documents:
[1]https://docs.google.com/document/d/1VHyBre8943USOx_YEVtA18KfEoGTmLT1iBHESO5bzcA/edit#heading=h.qex63c29z2to
[2] https://docs.google.com/document/d/1v8BxI07u-mby5f5rCruwF7odSXgb9G8-C9W5hQtSIAg/edit#heading=h.xw1gqgyqs5b
And to help us figure out who should review this PR, please
put an X in all the areas that this PR affects.
[ ] Configuration Infrastructure
[ ] Docs
[ X] Installation
[ X] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure