istio | Connect, secure, control, and observe services | Microservice library
kandi X-RAY | istio Summary
Istio is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio's control plane provides an abstraction layer over the underlying cluster management platform, such as Kubernetes.
Community Discussions
Trending Discussions on istio
QUESTION
I'm trying to access my ETCD database from a K8s controller, but getting rpc error/EOF when trying to open ETCD client.
My setup:
- ETCD service is deployed in my K8s cluster and included in my Istio service mesh (its DNS record: my-etcd-cluster.my-etcd-namespace.svc.cluster.local)
- I have a custom K8s controller developed with use of Kubebuilder framework and deployed in the same cluster, different namespace, but configured to be a part of the same Istio service mesh
- I'm trying to connect to ETCD database from the controller, using Go client SDK library for ETCD
Here's my affected Go code:
...
ANSWER
Answered 2022-Mar-21 at 08:25
Turned out to be version mismatch - my ETCD db is v3.5.2 and the clientv3 library that I used was v3.5.0. As seen in ETCD changelog (https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md):
QUESTION
I faced this problem since yesterday, no problems before.
My environment is
- Windows 11
- Docker Desktop 4.4.4
- minikube 1.25.1
- kubernetes-cli 1.23.3
ANSWER
Answered 2022-Mar-07 at 08:38
This seems to be a bug introduced with 1.25.0 version of minikube: https://github.com/kubernetes/minikube/issues/13503 . A PR to revert the changes introducing the bug is already open: https://github.com/kubernetes/minikube/pull/13506
The fix is scheduled for minikube v1.26.
QUESTION
I see that for every knative service, 2 VirtualService objects are created namely ksvc-ingress which has knative-serving/knative-ingress-gateway & knative-serving/knative-local-gateway gateways configured and ksvc-mesh which has mesh as the gateway.
I can see the knative-serving/* gateways using kubectl but I am unable to find the mesh gateway object in any namespace. I would like to understand if mesh here denotes some special object or is it an istio keyword representing something else?
ANSWER
Answered 2022-Feb-18 at 08:33
As you noticed, knative uses istio as a service mesh.
In the Istio context mesh is not an object (or resource) like, for example, a Service. The Istio About page explains what a Service Mesh is:
A service mesh is a dedicated infrastructure layer that you can add to your applications. It allows you to transparently add capabilities like observability, traffic management, and security, without adding them to your own code. The term “service mesh” describes both the type of software you use to implement this pattern, and the security or network domain that is created when you use that software.
So mesh is a term that encapsulates all Istio objects (istio-proxy containers, Virtual Services, Ingress Gateways etc.) that work together to allow for traffic management inside the cluster.
A Gateway is a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections.
QUESTION
We have a cluster with Istio and also a Jenkins job to get "stable" pods, which uses this kubectl query:
ANSWER
Answered 2022-Feb-16 at 21:09
What about something like this?
QUESTION
I consider if there is a way to use Istio to translate opaque token to JWT.
Use case: There are two services (service 1 which is consumer and service 2 which is producer). Service1 works with opaque token, Service2 can be authenticated & authorized with JWT token. To avoid adding Opaque token authentication in service2 I consider if we can use sidecar pattern (exactly in Istio) to get request (req1) from service1, extract authorization header, pass request (authReq1) to authorization server to exchange opaque token for JWT and then pass request (req1 but with JWT instead of original Opaque Token) to service2.
Edited answer: I see two options (option1, option2) but I am interested in option 3.
...
ANSWER
Answered 2022-Feb-15 at 14:48
I consider if there is a way to use Istio to translate opaque token to JWT.
Unfortunately, Istio won't be able to translate the tokens. In your case, it seems to me that the easiest way is to get services in such a way that they work on one type of token.
Translation is possible, but not by Istio. Look at this question. You can also read more about Istio Authentication:
Istio provides two types of authentication:
Peer authentication: used for service-to-service authentication to verify the client making the connection. Istio offers mutual TLS as a full stack solution for transport authentication, which can be enabled without requiring service code changes. This solution:
- Provides each service with a strong identity representing its role to enable interoperability across clusters and clouds.
- Secures service-to-service communication.
- Provides a key management system to automate key and certificate generation, distribution, and rotation.
Request authentication: Used for end-user authentication to verify the credential attached to the request. Istio enables request-level authentication with JSON Web Token (JWT) validation and a streamlined developer experience using a custom authentication provider or any OpenID Connect providers, for example:
In all cases, Istio stores the authentication policies in the Istio config store via a custom Kubernetes API. Istiod keeps them up-to-date for each proxy, along with the keys where appropriate. Additionally, Istio supports authentication in permissive mode to help you understand how a policy change can affect your security posture before it is enforced.
QUESTION
I am following this guide.
Ingress requests are getting logged. Egress traffic control is working as expected, except I am unable to log egress HTTP requests. What is missing?
...
ANSWER
Answered 2022-Feb-07 at 17:14
AFAIK istio collects only ingress HTTP logs by default.
In the istio documentation there is an old article (from 2018) describing how to enable egress traffic HTTP logs.
Please keep in mind that some of the information may be outdated, however I believe this is the part that you are missing.
QUESTION
I see in the official documentation references to commands starting with istioctl x ... but there is no official definition for the usage of x.
As far as I can infer from the istioctl manual, it appears to be a shorthand for experimental.
The command istioctl | grep x does not show any reference to the x usage either.
ANSWER
Answered 2022-Jan-05 at 08:02
You are correct - x is shorthand for experimental.
You can see more information if you issue istioctl x without any additional commands:
QUESTION
How to make Istio route custom HTTP methods?
...
ANSWER
Answered 2022-Jan-03 at 10:54
Envoy does not support custom HTTP methods. Envoy implements the H/1 codec, which has a hardcoded list of HTTP methods it accepts (see RFC).
There is an open issue on the Envoy Github: https://github.com/envoyproxy/envoy/issues/18819
So you can't achieve what you want with an HTTP route. But you can make it work with a TCP/TLS route.
For this do the following:
- Set the correct protocol on the service istio-ingressgateway:
QUESTION
I have an Elasticsearch DB running on Kubernetes exposed to my_domain.com/elastic as an Istio virtual service, which I have no problem accessing via the browser (as in I get to login successfully to the endpoint). I can also query the DB with Python's Requests. But I can't access the DB with the official python client if I use my_domain.com/elastic. The LoadBalancer IP works perfectly well even with the client. What am I missing? I have SSL certificates set up for my_domain.com via Cert-Manager and CloudFlare.
This works:
...
ANSWER
Answered 2021-Dec-30 at 09:56
I have reproduced your problem and the solution is as follows. First, pay attention to your yaml file:
QUESTION
How does one go about setting resource limits in EMR on EKS? My driver pod is failing to launch because it is requesting more CPU than it is allowed. This doesn't make sense to me. I am running the getting started code from the docs below.
I have added --conf spark.driver.limit.cores=2 in order to try and make the limit higher than what is listed in the error message below. I got this idea from here https://spark.apache.org/docs/latest/running-on-kubernetes.html#spark-properties
This cluster does have istio running in it. I am not sure if that would cause issues.
Here is the code I am running to trigger the job
...
ANSWER
Answered 2021-Dec-21 at 18:41
I was able to figure it out.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported