Auto mTLS user guide doc on istio.io #5313
/cc @linsun just FYI, if you want to provide some feedback on how to make better wording or organize content.
@rcaballeromx This is a new doc task. Let me know if you have quick early high-level feedback requiring big changes first, so that we can worry about fine-grained polishing later. I should be able to get a review from @diemtvu soon on the technical part. Thanks.
apiVersion: extensions/v1beta1 | ||
kind: Deployment | ||
metadata: | ||
name: httpbin |
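Review bot: `metadata.name: httpbin` collides with the sidecar-injected Deployment shown earlier in the same file, so applying this manifest in the same namespace replaces that Deployment instead of adding a second one, and the pod with the sidecar disappears; give the sidecar-less copy its own name (the thread settles on `httpbin-nosidecar`) so both pods exist side by side, which is what the demonstration needs. A style point on the same hunk: `apiVersion: extensions/v1beta1` for a Deployment is deprecated and removed in Kubernetes 1.16, so `apps/v1` is the version a new doc should show.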
This is the same deployment as on line 49, isn't it? Won't this replace the previous one, so the pod with sidecar will be deleted?
Why do we need both anyway? What is it demonstrating that is special?
This deployment is created inline, without a sidecar injected; I made the changes on the label. This won't replace the previous deployment (which has a sidecar and different app labels).
But you're right, probably I need to modify the deployment name as well.
I'm trying to demonstrate that customers don't have to worry about configuration with mTLS, even when their server workloads are partially sidecar injected. Compared with foo namespace
Modified the name to be `httpbin-nosidecar`.
This should be more obvious now.
This is ready for another look, thanks! @frankbu
You should also verify that there is a default mesh authentication policy in the system, which you can do as follows: | ||
|
||
{{< text bash >}} | ||
$ kubectl get policies.authentication.istio.io --all-namespaces |
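Review bot: the sentence promises a check for the default mesh authentication policy, but `kubectl get policies.authentication.istio.io --all-namespaces` lists only the namespace-scoped `Policy` resources; the mesh-wide default in this Istio API version is the cluster-scoped `MeshPolicy`, listed with `kubectl get meshpolicies.authentication.istio.io`. Either add that command, or reword the sentence to say the check is for leftover namespace policies of the user's own, which is the intent the thread below settles on, and show the expected output so a reader can tell a clean cluster from one with leftovers.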
Not sure if we need to mention this. It is an internal policy for grafana and may confuse users.
This is copied from the old doc. I think it ensures that customers don't have some leftover of their own policy, right?
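One way to script the pre-check @diemtvu and @incfly are discussing, as an added example that is not part of this PR or of the Istio project: it parses the JSON that `kubectl get meshpolicies.authentication.istio.io -o json` and `kubectl get policies.authentication.istio.io --all-namespaces -o json` would print and lists every authentication policy other than the default `MeshPolicy`, i.e. the leftovers the doc asks the reader to rule out before trying auto mTLS. The JSON below is constructed rather than captured from a cluster, and the script assumes an istio-demo style install whose only pre-existing policy is the mesh-wide `default` MeshPolicy (mode PERMISSIVE) and the `v1alpha1` authentication API, in which an empty `mtls: {}` peer means STRICT.

```python
"""List leftover Istio authentication policies that fix the mTLS mode for their targets.

Added example, not from the istio.io PR or the Istio project. It assumes the
`kubectl get <resource> -o json` shape (an object with an "items" list whose
entries carry "metadata" and "spec") and an istio-demo style install whose only
built-in policy is the mesh-wide MeshPolicy named "default". The sample JSON
below is constructed, not captured from a real cluster.
"""
import json

# Constructed stand-in for: kubectl get meshpolicies.authentication.istio.io -o json
MESH_POLICIES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "default"},
         "spec": {"peers": [{"mtls": {"mode": "PERMISSIVE"}}]}},
    ]
})

# Constructed stand-in for:
#   kubectl get policies.authentication.istio.io --all-namespaces -o json
# Two namespace-scoped leftovers: one pins httpbin in "bar" to STRICT, the other
# disables mTLS for the whole "legacy" namespace.
POLICIES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "httpbin-strict", "namespace": "bar"},
         "spec": {"targets": [{"name": "httpbin"}],
                  "peers": [{"mtls": {"mode": "STRICT"}}]}},
        {"metadata": {"name": "disable-mtls", "namespace": "legacy"},
         "spec": {"peers": [{"mtls": {"mode": "DISABLE"}}]}},
    ]
})


def mtls_mode(spec):
    """Return the mTLS mode requested by the first `mtls` peer in a policy spec.

    In the v1alpha1 API an empty `mtls: {}` block means STRICT, so a missing
    `mode` key maps to STRICT. Returns None when the policy has no mtls peer.
    """
    for peer in spec.get("peers", []):
        if "mtls" in peer:
            return (peer["mtls"] or {}).get("mode", "STRICT")
    return None


def leftover_policies(mesh_json, policies_json):
    """Return (scope, name, targets, mode) for every policy except the default MeshPolicy.

    Each entry fixes the server-side mTLS mode for its targets, so auto mTLS will
    follow that setting instead of the mesh default; these are the "leftovers" the
    doc's pre-check is meant to surface.
    """
    found = []
    for item in json.loads(mesh_json)["items"]:
        name = item["metadata"]["name"]
        if name != "default":
            found.append(("mesh", name, ["*"], mtls_mode(item["spec"])))
    for item in json.loads(policies_json)["items"]:
        meta, spec = item["metadata"], item["spec"]
        # A Policy without `targets` applies to every workload in its namespace.
        targets = [t["name"] for t in spec.get("targets", [])] or ["<namespace-wide>"]
        found.append((meta["namespace"], meta["name"], targets, mtls_mode(spec)))
    return found


def report(mesh_json, policies_json):
    """Render the leftovers as one human-readable line each."""
    return [
        f"{scope}/{name}: explicit mTLS mode {mode} for {', '.join(targets)}"
        for scope, name, targets, mode in leftover_policies(mesh_json, policies_json)
    ]


if __name__ == "__main__":
    lines = report(MESH_POLICIES_JSON, POLICIES_JSON)
    print("\n".join(lines) if lines else "only the default MeshPolicy is present")
```

To run it against a real cluster, replace the two constants with the stdout of the corresponding `kubectl ... -o json` commands (for example via `subprocess.run(..., capture_output=True)`); an empty report is the state the doc wants the reader to start from.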
nice!
Per @diemtvu's suggestion, use new
/lgtm
@incfly Thanks for clarifying things. Technically, it looks much better now! There are still lots of English wording and grammar problems that should be fixed. Not sure if it would be easier to merge it now and then fix the grammar in a followup PR, instead of trying to suggest many more changes. @rcaballeromx @geeknoid WDYT?
@frankbu Thanks for the feedback! Yes, to clarify, regarding the timeline, we definitely need this as minimal viable docs for this important security feature in 1.4 before the release is cut. I treat this as my highest priority task at the moment. Let me know if there is anything I can do on my side to expedite the doc process. @geeknoid @rcaballeromx, thanks.
* Understand Istio [authentication policy](/docs/concepts/security/#authentication-policies) and related | ||
[mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) concepts. | ||
|
||
* Have a Kubernetes cluster with Istio installed (e.g use `install/kubernetes/istio-demo.yaml` as described in |
* Have a Kubernetes cluster with Istio installed (e.g use `install/kubernetes/istio-demo.yaml` as described in | |
* Install Istio with the `global.mtls.enabled` option set to false and `global.mtls.auto` set to true. |
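Review bot: the suggested prerequisite names the two settings (`global.mtls.enabled` set to false, `global.mtls.auto` set to true) but not how to apply them, so a reader following the page cannot reproduce the setup; add the install command with those options, or link to the installation options page, and say explicitly that the demo profile referenced in the line being replaced does not set `global.mtls.auto` on its own.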
applied.
OK, let's merge this now as is. I will try to send a followup PR with grammatical improvements soon.
Thanks a lot!
Auto mTLS user guide doc on istio.io.
A separate task page under the Istio security section to explain how to use auto mutual TLS: the impact, consequences, and instructions.
istio/istio#14524