From bd28deebe2cf19961132f0adaa79690627ca8fa0 Mon Sep 17 00:00:00 2001 From: Mercurio <10175101282@stu.ecnu.edu.cn> Date: Tue, 28 Dec 2021 10:22:40 +0000 Subject: [PATCH 1/4] Improve docs in module12 and module13 --- module12/istio/1.http-gw/httpserver.MD | 2 +- module12/istio/3.https-gw/httpsserver.MD | 2 +- module12/istio/tracing/readme.MD | 2 +- module13/clusternet/access-child-cluster.MD | 6 +- module13/clusternet/deploy-app.MD | 26 ++++--- module13/clusternet/installation.MD | 43 +++++++---- module13/federation/readme.MD | 83 +++++++++++++-------- readme.MD | 3 +- 8 files changed, 101 insertions(+), 66 deletions(-) diff --git a/module12/istio/1.http-gw/httpserver.MD b/module12/istio/1.http-gw/httpserver.MD index a977e6b..361bea9 100644 --- a/module12/istio/1.http-gw/httpserver.MD +++ b/module12/istio/1.http-gw/httpserver.MD @@ -9,7 +9,7 @@ kubectl create -f istio-specs.yaml -n simple ### Check ingress ip ```sh -k get svc -nistio-system +k get svc -n istio-system istio-ingressgateway LoadBalancer 10.108.31.242 ``` diff --git a/module12/istio/3.https-gw/httpsserver.MD b/module12/istio/3.https-gw/httpsserver.MD index 2eb34fc..59d138d 100644 --- a/module12/istio/3.https-gw/httpsserver.MD +++ b/module12/istio/3.https-gw/httpsserver.MD @@ -15,7 +15,7 @@ kubectl apply -f istio-specs.yaml -n securesvc ### Check ingress ip ```sh -k get svc -nistio-system +k get svc -n istio-system istio-ingressgateway LoadBalancer $INGRESS_IP ``` diff --git a/module12/istio/tracing/readme.MD b/module12/istio/tracing/readme.MD index d7e1fca..c3c43b9 100644 --- a/module12/istio/tracing/readme.MD +++ b/module12/istio/tracing/readme.MD @@ -19,7 +19,7 @@ kubectl apply -f istio-specs.yaml -n tracing ### Check ingress ip ```sh -k get svc -nistio-system +k get svc -n istio-system istio-ingressgateway LoadBalancer $INGRESS_IP ``` diff --git a/module13/clusternet/access-child-cluster.MD b/module13/clusternet/access-child-cluster.MD index 7809ee7..ce1a77d 100644 --- a/module13/clusternet/access-child-cluster.MD +++ b/module13/clusternet/access-child-cluster.MD @@ -1,4 +1,4 @@ -``` +```sh # base64 encoded certificate from your child cluster. (PLEASE CHANGE ME!!!) CHILDCLUSTERCERT="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURJVENDQWdtZ0F3SUJBZ0lJQW5PaUNCa2JzMHN3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TVRFeE1URXdNVE01TkRGYUZ3MHlNakV4TVRFd01UTTVORE5hTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXFLMVpDV2dpTmsvVGo3eFAKY1NmVDNOdnlQMFcweEFmOEtBRGxVUHZYNTRzT0gzUGZLcTNycVNmN001M2dRVW5FYklKZXZvWEFvM1ZXNnhoSQpIUmsxL09vNWZhN042ZlAvdW5saEtLc05kY2t2VlYvWi9zWlU4RFNMRmJWdFRqSnZjY1hPSGc0aDJCNExUbk9QCkp6RW1vUm9BcEVBZ3NkcVRsbitKaG4xbUY0b2Q2OHY4c2JBYkpnMkZ2VkordFZ6WXlZc3BqUmlHSTBpbjhHczMKMGx3WEZhSGUvWWJNWDYwYXJoZ1J3NFFSV08rbkNQK2Y1YkpwcVpiVFRrN01Ka2piOUNKR2ZiSWxTUWgraHd3RQpOMVIveFMrWDMvKzFoRnBoUzFlNFNnWmdLSmEzWjZpMXNjUEtPWmRHTjNiUE1MemZNY3JXdFhreVlCQjEzeGM3CmdGNjQ1UUlEQVFBQm8xWXdWREFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JTeGhYWXVFYUswbnRyWE5JRkNFSU1MUE9nawpxekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBZHEvQlVPRGkwdEkvT2xSSGlyMzZhZmNYb2xmNUdzWXEzaDlMCjgrekdxbXM5YkdiMjllcmJjL0hnR2FuNW1YZWJPWXJpUElOVHhxdzF6WnM1U0R5Q05SNlpKVmNvOUpad0VOZ2EKN055NEFTMSsxNUFFOE1ocFNHS3h3SXc4NkszTklQZkJZMGVveGhabThOcjcrNUJZQXFDMG0vRnVNWGphK2FOdgpBSTRTK3J2SDM1SHJVZ2pvZkhQQW9tZ1VxaGdiVDFSbUdlaFZ0bDZObStMZG16bC9jV2lmNEs5SmM2c09FRWd1ClZkczNWbFBnTkc3WHZxSzY4K003QkxXT3Y2d0Q5U01hbVRLa25laGVXQWJNZGNIMlgyRGNKNEIvTUp6OU1CSHgKNE1EaFhBNXJuSUwrQ1ZSQVdNZEdlWTVreTQwQ0FvNXdZd29SR2hkeHZ0ZlFMbGhJZ2c9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==" # base64 encoded privatekey from your child cluster. (PLEASE CHANGE ME!!!) @@ -15,7 +15,7 @@ curl -k -XGET -H "Accept: application/json" \ "${APISERVER}/apis/proxies.clusternet.io/v1alpha1/sockets/${CHILDCLUSTERID}/proxy/direct/api/v1/namespaces" ``` -``` +```sh # Here the token is base64 decoded and from your child cluster. (PLEASE CHANGE ME!!!) CHILDCLUSTERTOKEN="ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklsQlJMVWRzZVVoa1RtUnhOM04zU0dkNVFXOHRPVGRLYVRNMU16UnRWbXRYV25NMVFWQjJUWE5NUjJzaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbVJsWm1GMWJIUXRkRzlyWlc0dGFEWnpjSG9pTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1dVlXMWxJam9pWkdWbVlYVnNkQ0lzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVnlkbWxqWlMxaFkyTnZkVzUwTG5WcFpDSTZJalUwTURJMU1HSmpMVGN4T1dFdE5HUTNNUzA1TURkakxUZ3hNemsxTTJOa05UUTBOaUlzSW5OMVlpSTZJbk41YzNSbGJUcHpaWEoyYVdObFlXTmpiM1Z1ZERwa1pXWmhkV3gwT21SbFptRjFiSFFpZlEuU2lXa29RMkhlZ1lJSk8yY3RZTVZhWHgxWTZCWnllRW5MS1N6NXNpREpDSURUU09JQjlrdlNubDF4SFdsa1pPcUdidGVmU2FFSVU5RERCWTZ6SnBxc0MyazA4WllqOWJMQTcxR2ZrT0o4NzFXdG5yaXI4M0ZqaGNYNzFVSHd2WUtwcHV1V2ctTVFBMm5sd0JUdVhkTjloVHlJVHowenEwd09wNllRNnM1encxRDVBd0JPblBZWXphR0JQVXBEbGdNaXdSN0Q4VFRLY3h3c0JyYVVRVXhfUnhkUXNscDBUQk0xbmFRQWlZUFM4TDRVbGxRTEt2blhhRXlGb3VRV29CUVFNQjhNTm1UajBfdEFIYmZyWEpHeTFnMzlWZ254bHhubmdHcE1EdWEwYV9RR1VUbkhkcFE1ZHM3ODQwOVpxOWJ6YkpjVXliTkNGV0lFUnltdkppYVRn" @@ -24,4 +24,4 @@ curl -k -XGET -H "Accept: application/json" \ -H "Authorization: ${PARENTCLUSTERAUTH}" \ -H "Impersonate-Extra-Clusternet-Token: ${CHILDCLUSTERTOKEN}" \ "${APISERVER}/apis/proxies.clusternet.io/v1alpha1/sockets/${CHILDCLUSTERID}/proxy/direct/api/v1/namespaces" -``` \ No newline at end of file +``` diff --git a/module13/clusternet/deploy-app.MD b/module13/clusternet/deploy-app.MD index a2bd8f8..61591a6 100644 --- a/module13/clusternet/deploy-app.MD +++ b/module13/clusternet/deploy-app.MD @@ -1,22 +1,28 @@ -### create deployment in host cluster -``` +### Create deployment in host cluster + +```sh kubectl clusternet apply -f deployment.yaml ``` -### where the object being stored, as manifest object in clusternet-reserved -``` + +### Where the object being stored, as manifest object in clusternet-reserved + +```sh k get manifest -A NAMESPACE NAME AGE clusternet-reserved deployments-foo-my-nginx 9h clusternet-reserved namespaces-foo 9h ``` -### link the deployment and target cluster -``` + +### Link the deployment and target cluster + +```sh kubectl apply -f localization.yaml kubectl apply -f subscription.yaml - -``` -### check generated obj ``` + +### Check generated obj + +```sh k get base -A NAMESPACE NAME AGE clusternet-bmqv4 app-demo 9h @@ -26,7 +32,7 @@ NAMESPACE NAME DEPLOYER STATUS AGE clusternet-bmqv4 app-demo-generic Generic Success 9h ``` -``` +```sh etcdctl --endpoints https://127.0.0.1:2379 \ --cacert /etc/kubernetes/pki/etcd/ca.crt \ --cert /etc/kubernetes/pki/etcd/server.crt \ diff --git a/module13/clusternet/installation.MD b/module13/clusternet/installation.MD index 50b2c19..94e82a5 100644 --- a/module13/clusternet/installation.MD +++ b/module13/clusternet/installation.MD @@ -1,6 +1,8 @@ -## install kubectl clusternet plugin -### install krew -``` +## Install kubectl clusternet plugin + +### Install krew + +```sh ( set -x; cd "$(mktemp -d)" && OS="$(uname | tr '[:upper:]' '[:lower:]')" && @@ -10,35 +12,44 @@ tar zxvf "${KREW}.tar.gz" && ./"${KREW}" install krew ) - -``` -### setup krew ``` + +### Setup krew + +```sh export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH" kubectl krew ``` -### install clusternet plugin -``` + +### Install clusternet plugin + +```sh kubectl krew update kubectl krew install clusternet kubectl clusternet version ``` -## setup clusternet control plane -### parent cluster -``` + +## Setup clusternet control plane + +### Parent cluster + +```sh helm repo add clusternet https://clusternet.github.io/charts helm install clusternet-hub -n clusternet-system --create-namespace clusternet/clusternet-hub kubectl apply -f https://raw.githubusercontent.com/clusternet/clusternet/main/manifests/samples/cluster_bootstrap_token.yaml ``` -### child cluster, registrationToken is installed in kube-system -``` + +### Child cluster, registrationToken is installed in kube-system + +```sh helm install clusternet-agent -n clusternet-system --create-namespace \ --set parentURL=https://192.168.34.2:6443 \ --set registrationToken=07401b.f395accd246ae52d \ clusternet/clusternet-agent ``` -### check managed clusters -``` + +### Check managed clusters + +```sh kubectl get managedcluster -A ``` - diff --git a/module13/federation/readme.MD b/module13/federation/readme.MD index 4f992f6..5697770 100644 --- a/module13/federation/readme.MD +++ b/module13/federation/readme.MD @@ -1,64 +1,81 @@ -## install kubefed by kind -### 下载federation代码 -``` +### 下载 federation 代码 + +```sh git clone https://github.com/kubernetes-sigs/kubefed.git ``` -### 选择HostCluster,确认kubeconfig符合federatio命名规范,用vi编辑kubeconfig,确保context属性没用@字符 -``` -vi ~/.kube/config + +### 选择 HostCluster,确认 kubeconfig 符合 federatio 命名规范,用 vi 编辑 kubeconfig,确保 context 属性没用@字符 + +```sh +vi ~/.kube/config ``` +```yaml contexts: - context: - cluster: kubernetes - user: kubernetes-admin + cluster: kubernetes + user: kubernetes-admin name: `cluster1` -current-context: `cluster1` + current-context: `cluster1` +``` ### 安装 -``` + +```sh kind create cluster make deploy.kind kubectl -n kube-federation-system get kubefedcluster -oyaml ``` -### fix -``` -k get po -n kube-system kube-apiserver-kind-control-plane -owide + +### Fix + +```sh +k get po -n kube-system kube-apiserver-kind-control-plane kube-system kube-apiserver-kind-control-plane 1/1 Running 0 24m 172.18.0.2 kind-control-plane 172.18.0.2 ``` -#### edit kubefedcluster and change apiEndpoint to 172.18.0.2:6443 -``` -kubectl -n kube-federation-system edit kubefedcluster -``` -### 安装完成后查看federation -``` + +### 安装完成后查看 federation + +```sh kubectl get all -n kube-federation-system ``` -### 将namespace设置为联邦对象 -``` + +### 将 namespace 设置为联邦对象 + +```sh kubectl create ns federate-me ./bin/kubefedctl federate ns federate-me - -``` -### 创建FederatedDeployment ``` + +### 创建 FederatedDeployment + +```sh kubectl apply -f test-deployment.yaml -n federate-me ``` -### 查看membercluster中的deployment对象 -``` + +### 查看 membercluster 中的 deployment 对象 + +```sh kubectl get deployment test-deployment -n federate-me ``` -### 创建RSP对象 -``` + +### 创建 RSP 对象 + +```sh kubectl apply -f test-deployment-rsp.yaml -n federate-me ``` -### 查看membercluster中的deployment对象 -``` + +### 查看 membercluster 中的 deployment 对象 + +```sh kubectl get deployment test-deployment -n federate-me ``` -### 查看federatedployment,会发现因为rsp,federateddeployment的override属性被更新了 -``` + +### 查看 federatedployment,会发现因为 rsp,federateddeployment 的 override 属性被更新了 + +```sh kubectl get federateddeployment test-deployment -n federate-me ``` -### 删除rsp,发现override没有被拿掉 \ No newline at end of file + +### 删除 rsp,发现 override 没有被拿掉 diff --git a/readme.MD b/readme.MD index 75f4355..f286d27 100644 --- a/readme.MD +++ b/readme.MD @@ -12,7 +12,8 @@ | 9 | Managing Production-ready Kubernetes Clusters | [module9](module9) | | 10 | DevOps with Kubernetes in Production | [module10](module10) | | 11 | Migrating apps to Kubernetes | [module11](module11) | -| 12 | Advanced Traffic Management with Istio | [module11](module12) | +| 12 | Advanced Traffic Management with Istio | [module12](module12) | +| 13 | Cluster Federation and Multi-cluster management with Istio | [module13](module13) | ## Microservice From ebbc5529f87ddff1f0851b3fa28c56ce21f293b6 Mon Sep 17 00:00:00 2001 From: Mercurio <10175101282@stu.ecnu.edu.cn> Date: Thu, 30 Dec 2021 18:59:38 +0000 Subject: [PATCH 2/4] Improve some docs in module14 --- .../networkpolicy/allow-icmp-incluster.yaml | 2 +- module14/networkpolicy/readme.MD | 56 ++++++++++--------- module14/psp/enable-psp.MD | 16 +++--- module14/psp/readme.MD | 56 ++++++++++++------- readme.MD | 1 + 5 files changed, 76 insertions(+), 55 deletions(-) diff --git a/module14/networkpolicy/allow-icmp-incluster.yaml b/module14/networkpolicy/allow-icmp-incluster.yaml index e6443e2..a0fa5c8 100644 --- a/module14/networkpolicy/allow-icmp-incluster.yaml +++ b/module14/networkpolicy/allow-icmp-incluster.yaml @@ -18,4 +18,4 @@ spec: source: selector: all() icmp: - type: 128 # Ping request \ No newline at end of file + type: 128 # Ping request diff --git a/module14/networkpolicy/readme.MD b/module14/networkpolicy/readme.MD index 996206e..40ebd71 100644 --- a/module14/networkpolicy/readme.MD +++ b/module14/networkpolicy/readme.MD @@ -1,44 +1,50 @@ -### create workload -``` +### Create workload + +```sh kubectl apply -f serverpod.yaml ``` -### create default networkpolicy -``` + +### Create default networkpolicy + +```sh kubectl apply -f networkpolicy.yaml ``` -### check server pod -``` + +### Check server pod + +```sh kubectl get po -n calico-demo -owide ``` -### start clientpod -``` + +### Start clientpod + +```sh kubectl apply -f toolbox.yaml kubectl apply -f toolbox.yaml -n calico-demo ``` -### enter toolbox shell -``` + +### Enter toolbox shell + +```sh kubectl exec it bash ``` -### test connectivity -``` + +### Test connectivity + +```sh curl ping ``` -### create global allow policy -``` + +### Create global allow policy + +```sh kubectl create -f allow-icmp-incluster.yaml ``` -### test connectivity from two toolbox pod -``` + +### Test connectivity + +```sh curl ping ``` -### create networkpolicy to allow access -``` -kubectl create -f access-calico-demo.yaml -``` -### test connectivity from two toolbox pod -``` -curl -ping -``` \ No newline at end of file diff --git a/module14/psp/enable-psp.MD b/module14/psp/enable-psp.MD index 174e796..c4c03b9 100644 --- a/module14/psp/enable-psp.MD +++ b/module14/psp/enable-psp.MD @@ -1,13 +1,11 @@ -``` -### create privileged psp, and grant psp to kubernetes key components -``` -kubectl apply -f templates -``` +### Edit apiserver parameter -### edit apiserver parameter -``` +```sh vi /etc/kubernetes/manifests/kube-apiserver.yaml ``` -### add the following in args, and wait for api to come back -``` + +### Add the following in args, and wait for api to come back + +```sh --enable-admission-plugins=PodSecurityPolicy +``` diff --git a/module14/psp/readme.MD b/module14/psp/readme.MD index 2a77319..0bfb3f6 100644 --- a/module14/psp/readme.MD +++ b/module14/psp/readme.MD @@ -1,20 +1,27 @@ -### prepare -``` +### Prepare + +```sh kubectl create namespace psp-example kubectl create serviceaccount -n psp-example fake-user kubectl create rolebinding -n psp-example fake-editor --clusterrole=edit --serviceaccount=psp-example:fake-user ``` -### create alias to simulate users -``` + +### Create alias to simulate users + +```sh alias kubectl-admin='kubectl -n psp-example' alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example' ``` -### create psp -``` -kubectl-admin apply -f example-psp.yaml -``` -### try pod creation will fail as the psp admit is not passed + +### Create psp + +```sh +kubectl-admin create -f example-psp.yaml ``` + +### Try pod creation will fail as the psp admit is not passed + +```sh kubectl-user create -f- < Date: Thu, 30 Dec 2021 19:18:15 +0000 Subject: [PATCH 3/4] Improve docs in module14 --- .../authentication/peerauthentication.MD | 72 ++++++++++------ .../authentication/requestauthentication.MD | 43 ++++++---- module14/istio/authorization/readme.MD | 49 +++++++---- module14/securityContext/readme.MD | 86 +++++++++++-------- 4 files changed, 157 insertions(+), 93 deletions(-) diff --git a/module14/istio/authentication/peerauthentication.MD b/module14/istio/authentication/peerauthentication.MD index 3575bf5..41cb74e 100644 --- a/module14/istio/authentication/peerauthentication.MD +++ b/module14/istio/authentication/peerauthentication.MD @@ -1,5 +1,6 @@ -### setup -``` +### Setup + +```sh kubectl create ns foo kubectl apply -f <(istioctl kube-inject -f samples/httpbin/httpbin.yaml) -n foo kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml) -n foo @@ -10,15 +11,20 @@ kubectl create ns legacy kubectl apply -f samples/httpbin/httpbin.yaml -n legacy kubectl apply -f samples/sleep/sleep.yaml -n legacy ``` -### check sleep.bar to httpbin.foo reachability, return 200 -``` + +### Check sleep.bar to httpbin.foo reachability, return 200 + +```sh kubectl exec "$(kubectl get pod -l app=sleep -n bar -o jsonpath={.items..metadata.name})" -c sleep -n bar -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w "%{http_code}\n" ``` + ### This one-liner command conveniently iterates through all reachability combinations: -``` + +```sh for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl -s "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done ``` -``` + +```sh sleep.foo to httpbin.foo: 200 sleep.foo to httpbin.bar: 200 sleep.foo to httpbin.legacy: 200 @@ -29,29 +35,41 @@ sleep.legacy to httpbin.foo: 200 sleep.legacy to httpbin.bar: 200 sleep.legacy to httpbin.legacy: 200 ``` -### check connectivity from host -``` + +### Check connectivity from host + +```sh k get po -n foo -w -owide curl 192.168.166.178 ``` -### check peerauthentication -``` + +### Check peerauthentication + +```sh kubectl get peerauthentication --all-namespaces ``` -### there is no dr -``` + +### There is no dr + +```sh kubectl get destinationrules.networking.istio.io --all-namespaces -o yaml | grep "host:" ``` -### display headers to check the actual sidecar to sidecar communication is through mtls -``` + +### Display headers to check the actual sidecar to sidecar communication is through mtls + +```sh kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl -s http://httpbin.foo:8000/headers - ``` -### while the communication from host to sidecar is through http ``` + +### While the communication from host to sidecar is through http + +```sh curl 192.168.166.178/headers ``` + ### Globally enabling Istio mutual TLS in STRICT mode -``` + +```sh kubectl apply -f - < Date: Thu, 13 Jan 2022 11:09:19 +0000 Subject: [PATCH 4/4] Improve docs in module15 --- module15/1.setup/install.MD | 29 +++++---- .../2.security-hardening/https-gateway.MD | 46 +++++++++------ module15/3.enable-mtls/readme.MD | 30 ++++++---- module15/4.enable-service-rbac/jwt-details.MD | 59 ++++++++++++------- module15/5.scheme-redirect/readme.MD | 11 ++-- module15/6.enable-kiali/readme.MD | 21 ++++--- .../7.canary-deployment/destinationrule.MD | 20 ++++--- module15/8.fault-injection/readme.MD | 15 +++-- module15/9.best-practices/readme.MD | 19 +++--- readme.MD | 1 + 10 files changed, 159 insertions(+), 92 deletions(-) diff --git a/module15/1.setup/install.MD b/module15/1.setup/install.MD index b55b708..5456938 100644 --- a/module15/1.setup/install.MD +++ b/module15/1.setup/install.MD @@ -1,23 +1,28 @@ -### install istio follow by module12 -``` +### Install istio follow by module12 + +```sh cd /root/istio-1.12.0 ``` -### install bookinfo -``` + +### Install bookinfo + +```sh kubectl label namespace default istio-injection=enabled kubectl apply -f <(istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml) ``` -### expose the application via istio ingress gateway -``` +### Expose the application via istio ingress gateway + +```sh kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml ``` -### check ingress vip -``` + +### Check ingress vip + +```sh export GATEWAY_URL=192.168.34.2:31783 ``` -### access the productpage via -``` -http://192.168.34.2:31783/productpage -``` +### Access the productpage via + +http://192.168.34.2:31783/productpage diff --git a/module15/2.security-hardening/https-gateway.MD b/module15/2.security-hardening/https-gateway.MD index e00c93b..8d7db41 100644 --- a/module15/2.security-hardening/https-gateway.MD +++ b/module15/2.security-hardening/https-gateway.MD @@ -1,36 +1,48 @@ -### enable sidecar auto inject -``` +### Enable sidecar auto inject + +```sh kubectl label namespace default istio-injection=enabled ``` -### cd istio root -``` + +### Go to istio root dir + +```sh cd istio-1.12.0/ ``` -### create bookinfo app -``` + +### Create bookinfo app + +```sh kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml kubectl get pods ``` -### create expose to gateway -``` + +### Expose to gateway + +```sh kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml ``` -### check ingress service http nodePort -``` + +### Check ingress service http nodePort + +```sh kubectl get svc -n istio-system ``` -### access productpage -``` + +### Access productpage + +```sh curl http://192.168.34.2:31783/productpage ``` -### secure the gateway by https protocol -``` +### Secure the gateway by https protocol + +```sh openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=cncamp Inc./CN=192.168.34.2' -keyout bookinfo.key -out bookinfo.crt kubectl create -n istio-system secret tls bookinfo-credential --key=bookinfo.key --cert=bookinfo.crt kubectl apply -f https-gateway.yaml ``` -### access product page via safari(chrome blocks self sign certs) -``` + +### Access product page via + https://192.168.34.2:31106/productpage -``` diff --git a/module15/3.enable-mtls/readme.MD b/module15/3.enable-mtls/readme.MD index 9e5ceaa..6061c50 100644 --- a/module15/3.enable-mtls/readme.MD +++ b/module15/3.enable-mtls/readme.MD @@ -1,6 +1,8 @@ -### access service via service ip -``` +### Access service via service ip + +```sh k get svc + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE details ClusterIP 10.111.90.142 9080/TCP 6d5h kubernetes ClusterIP 10.96.0.1 443/TCP 13d @@ -9,19 +11,25 @@ ratings ClusterIP 10.106.145.231 9080/TCP 6d5h reviews ClusterIP 10.109.136.179 9080/TCP 6d5h simple ClusterIP 10.97.215.11 80/TCP 7d4h ``` -### access product page directly -``` + +### Access product page directly + +```sh curl 10.111.120.47:9080 ``` -### enable mtls globally -``` + +### Enable mtls globally + +```sh kubectl apply -f mtls.yaml -n istio-system ``` -### access product page directly again, and it will fail with connection reset error -``` + +### Access product page directly again, and it will fail with connection reset error + +```sh curl 10.111.120.47:9080 ``` -### access the gateway page via istio ingress gateway and it is still working -``` + +### Access the gateway page via istio ingress gateway and it is still working + https://192.168.34.2:31106/productpage -``` \ No newline at end of file diff --git a/module15/4.enable-service-rbac/jwt-details.MD b/module15/4.enable-service-rbac/jwt-details.MD index 931104e..fff16dc 100644 --- a/module15/4.enable-service-rbac/jwt-details.MD +++ b/module15/4.enable-service-rbac/jwt-details.MD @@ -1,40 +1,57 @@ -### create RequestAuthentication which enables jwt token validation -after this, requests with invalid token will be rejected -requests without token or with valid token will be accepted -``` +### Create RequestAuthentication which enables jwt token validation + +After this, requests with invalid token will be rejected, while requests without token or with valid token will be accepted. + +```sh kubectl apply -f requestauthentication.yaml ``` -### create AuthorizationPolicy which enables check of authorization -after this, requests without token will be rejected -``` + +### Create AuthorizationPolicy which enables check of authorization + +After this, requests without token will be rejected. + +```sh kubectl apply -f authorizationpolicy.yaml ``` -### access productpage and you will see + +### Access productpage and you will see + ``` Sorry, product details are currently unavailable for this book. ``` -### get jwt token -``` + +### Get jwt token + +```sh TOKEN_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/release-1.12/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode - echo eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjM1MzczOTExMDQsImdyb3VwcyI6WyJncm91cDEiLCJncm91cDIiXSwiaWF0IjoxNTM3MzkxMTA0LCJpc3MiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyIsInNjb3BlIjpbInNjb3BlMSIsInNjb3BlMiJdLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.EdJnEZSH6X8hcyEii7c8H5lnhgjB5dwo07M5oheC8Xz8mOllyg--AHCFWHybM48reunF--oGaG6IXVngCEpVF0_P5DwsUoBgpPmK1JOaKN6_pe9sh0ZwTtdgK_RP01PuI7kUdbOTlkuUi2AO-qUyOm7Art2POzo36DLQlUXv8Ad7NBOqfQaKjE9ndaPWT7aexUsBHxmgiGbz1SyLH879f7uHYPbPKlpHU6P9S-DaKnGLaEchnoKnov7ajhrEhGXAQRukhDPKUHO9L30oPIr5IJllEQfHYtt6IZvlNUGeLUcif3wpry1R5tBXRicx2sXMQ7LyuDremDbcNy_iE76Upg| cut -d '.' -f2 -|base64 -d {"exp":3537391104,"groups":["group1","group2"],"iat":1537391104,"iss":"testing@secure.istio.io","scope":["scope1","scope2"],"sub":"testing@secure.istio.io"} ``` - -### add jwt token to productpage source code -``` + +### Add jwt token to productpage source code + +```sh cat productpage-v2/productpage.py ``` -### build docker images for productpage v2 with jwt token -### create product page v2 -``` + +### Build docker images for productpage v2 with jwt token + +### Create product page v2 + +```sh kubectl apply -f productpage-v2/productpage.yaml ``` -### access productpage and you will see error in 50% percents + +### Access productpage and you will see error in 50% percents + ``` Sorry, product details are currently unavailable for this book. ``` -### scale done v1 and keep v2 only -### this is how microservice talks to each others with jwt token -- requestauthentication defines how the jwt token can be decrypted -- authorizationpolicy defines how the request SPIFFE or request princile being authorized \ No newline at end of file + +### Scale done v1 and keep v2 only + +### This is how microservice talks to each others with jwt token + +- RequestAuthentication defines how the jwt token can be decrypted +- AuthorizationPolicy defines how the request SPIFFE or request princile being authorized diff --git a/module15/5.scheme-redirect/readme.MD b/module15/5.scheme-redirect/readme.MD index 5b3ac9e..910556b 100644 --- a/module15/5.scheme-redirect/readme.MD +++ b/module15/5.scheme-redirect/readme.MD @@ -1,8 +1,11 @@ -### apply gateway with tls redirect setting -``` +### Apply gateway with tls redirect setting + +```sh kubectl apply -f https-gateway.yaml ``` -access gateway via http port -``` + +### Access gateway via http port + +```sh curl 10.109.127.136/productpage -v -L -k ``` diff --git a/module15/6.enable-kiali/readme.MD b/module15/6.enable-kiali/readme.MD index d0459e4..ed4c9bb 100644 --- a/module15/6.enable-kiali/readme.MD +++ b/module15/6.enable-kiali/readme.MD @@ -1,16 +1,21 @@ -### install prometheus +### Install prometheus +```sh kubectl apply -f prometheus.yaml - -### install kiali ``` + +### Install kiali + +```sh kubectl apply -f samples/addons/kiali.yaml ``` -### update kiali svc to NodePort -``` + +### Update kiali svc to NodePort + +```sh k edit svc kiali -n istio-system ``` -### access kiali, go graph, select all namespaces -``` + +### Access kiali, go to graph, select all namespaces + http://192.168.34.2:31816/ -``` \ No newline at end of file diff --git a/module15/7.canary-deployment/destinationrule.MD b/module15/7.canary-deployment/destinationrule.MD index 7989b67..da640e9 100644 --- a/module15/7.canary-deployment/destinationrule.MD +++ b/module15/7.canary-deployment/destinationrule.MD @@ -1,13 +1,19 @@ -### create dr for all services, this defines multiple subsets for all services -``` +### Create dr for all services, this defines multiple subsets for all services + +```sh kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml ``` -### define virtualservice to route all traffic to v1 -``` + +### Define virtualservice to route all traffic to v1 + +```sh kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml ``` -### shift all request from jason to v2 -``` + +### Shift all request from jason to v2 + +```sh kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml ``` -### On the /productpage of the Bookinfo app, log in as user jason. + +### On the `/productpage` of the Bookinfo app, log in as user jason. diff --git a/module15/8.fault-injection/readme.MD b/module15/8.fault-injection/readme.MD index a706308..1568d4c 100644 --- a/module15/8.fault-injection/readme.MD +++ b/module15/8.fault-injection/readme.MD @@ -1,10 +1,15 @@ -### apply the following spec and visit bookinfo you will see timeout error with jason logon -`Sorry, product reviews are currently unavailable for this book.` -``` +### Apply the following spec and visit bookinfo you will see timeout error with jason logon + +```sh kubectl apply -f samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml ``` -### apply the following spec and visit bookinfo you will see 5xx error ``` +Sorry, product reviews are currently unavailable for this book. +``` + +### Apply the following spec and visit bookinfo you will see 5xx error + +```sh kubectl apply -f samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml -``` \ No newline at end of file +``` diff --git a/module15/9.best-practices/readme.MD b/module15/9.best-practices/readme.MD index 754b5d3..f1d8c4c 100644 --- a/module15/9.best-practices/readme.MD +++ b/module15/9.best-practices/readme.MD @@ -1,5 +1,6 @@ -### add client time settings -``` +### Add client time settings + +```sh kubectl apply -f - <