@electricjesus
Last active November 9, 2023 11:27
Calico Application Layer Policy via Istio Helm Install

Calico Application Layer Policy via Helm

  1. Follow the install steps here, EXCEPT the "Install Istio" part.

  2. Install istio-base via Helm:

     • `kubectl create ns istio-system`
     • `helm install istio-base istio/base -n istio-system --wait`

     Then choose one of the options below (marked with OPTION).

  3. Install istiod with custom values that carry our sidecarInjectorWebhook templates:

     • `helm install istiod istio/istiod -n istio-system -f values.yaml --wait`

     (Warning: this also sets defaultTemplates to ["sidecar", "dikastes"], so every injected pod in the mesh gets both templates by default.)

  4. Activate the Calico external authorization (ext_authz) hookup:

     • `kubectl apply -f 01-calico-ext-authz.yaml`

  5. Activate sidecar injection for the target namespace:

     • `kubectl label namespace default istio-injection=enabled --overwrite`

     Pods deployed to this namespace will now use Calico application layer policy.

Other

If you don't want defaultTemplates to include the Calico application layer policy template automatically and prefer to opt in manually (e.g. per deployment):

  1. Edit values.yaml and remove defaultTemplates from the sidecarInjectorWebhook configuration.

  2. Ensure your deployment's pod template carries the following annotation:

     • `inject.istio.io/templates=sidecar,dikastes`

     (i.e., you will have to customise your app deployment pod template to carry this annotation; see the example httpbin.yaml in this gist.)
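Whichever option is used, a pod that ends up without a working dikastes sidecar is simply not enforced by application layer policy, and nothing in the install steps above reports that. The following audit helper is an added example (not part of the gist) that takes `kubectl get pods -o json` output and, using the mesh-wide defaultTemplates and the `inject.istio.io/templates` annotation exactly as described above, reports for each pod whether the dikastes container and its `/var/run/dikastes` socket mount are present; the pod list is a constructed sample.

```python
import json

# Names taken from the gist's values.yaml and 01-calico-ext-authz.yaml.
DIKASTES_CONTAINER = "dikastes"
DIKASTES_SOCK_MOUNT = "/var/run/dikastes"
TEMPLATES_ANNOTATION = "inject.istio.io/templates"

def expected_templates(pod, default_templates):
    """Templates Istio applies: the pod annotation wins, else the mesh-wide defaultTemplates."""
    ann = pod["metadata"].get("annotations", {}).get(TEMPLATES_ANNOTATION)
    if ann:
        return [t.strip() for t in ann.split(",") if t.strip()]
    return list(default_templates)

def audit_pod(pod, default_templates):
    """Return 'ok', or the reason this pod's inbound traffic is not covered by ALP."""
    containers = pod["spec"].get("containers", [])
    names = {c.get("name") for c in containers}
    if "istio-proxy" not in names:
        return "not in mesh (no istio-proxy sidecar)"
    templates = expected_templates(pod, default_templates)
    if DIKASTES_CONTAINER not in templates:
        return "injection templates omit dikastes: " + ",".join(templates)
    if DIKASTES_CONTAINER not in names:
        return "dikastes container missing"
    # The ext_authz filters reach dikastes over the Unix socket in this directory.
    mounts = {m.get("mountPath") for c in containers if c.get("name") == DIKASTES_CONTAINER
              for m in c.get("volumeMounts", [])}
    if DIKASTES_SOCK_MOUNT not in mounts:
        return "dikastes container lacks the %s socket mount" % DIKASTES_SOCK_MOUNT
    return "ok"

def audit_pods(pod_list_json, default_templates):
    """Map pod name -> audit result for a `kubectl get pods -o json` document."""
    return {p["metadata"]["name"]: audit_pod(p, default_templates)
            for p in json.loads(pod_list_json)["items"]}

# Constructed sample shaped like `kubectl get pods -n default -o json` output.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "httpbin-ok", "annotations": {TEMPLATES_ANNOTATION: "sidecar,dikastes"}},
     "spec": {"containers": [{"name": "httpbin"}, {"name": "istio-proxy"},
              {"name": "dikastes", "volumeMounts": [{"mountPath": "/var/run/dikastes", "name": "dikastes-sock"}]}]}},
    {"metadata": {"name": "httpbin-typo", "annotations": {TEMPLATES_ANNOTATION: "sidecar,dikaste"}},
     "spec": {"containers": [{"name": "httpbin"}, {"name": "istio-proxy"}]}},
    {"metadata": {"name": "httpbin-nomount"},
     "spec": {"containers": [{"name": "httpbin"}, {"name": "istio-proxy"}, {"name": "dikastes"}]}},
]})

if __name__ == "__main__":
    for name, result in audit_pods(SAMPLE_PODS, ["sidecar", "dikastes"]).items():
        print("%-16s %s" % (name, result))
```

Running it with `["sidecar"]` as the defaults models the "Other" option, where only pods carrying the annotation are expected to enforce policy.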

01-calico-ext-authz.yaml

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: dikastes
  namespace: istio-system
spec:
  hosts:
  - dikastes.calico.cluster.local
  ports:
  - name: grpc
    protocol: grpc
    number: 1
  resolution: STATIC
  location: MESH_EXTERNAL
  endpoints:
  - address: unix:///var/run/dikastes/dikastes.sock
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dikastes-mtls
  namespace: istio-system
spec:
  host: dikastes.calico.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz
  namespace: istio-system
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.tcp_proxy
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.network.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.ext_authz.v3.ExtAuthz
          transport_api_version: V3
          stat_prefix: dikastes
          grpc_service:
            envoy_grpc:
              cluster_name: "outbound|1||dikastes.calico.cluster.local"
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          transport_api_version: V3
          grpc_service:
            envoy_grpc:
              cluster_name: "outbound|1||dikastes.calico.cluster.local"
```
httpbin.yaml

```yaml
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##################################################################################################
# httpbin service
##################################################################################################
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  annotations:
    inject.istio.io/templates: "sidecar,dikastes"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      annotations:
        inject.istio.io/templates: "sidecar,dikastes"
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kong/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
```
values.yaml

```yaml
sidecarInjectorWebhook:
  templates:
    dikastes: |
      spec:
        volumes:
        - name: dikastes-sock
          emptyDir:
            medium: Memory
        - name: felix-sync
          csi:
            driver: "csi.tigera.io"
        containers:
        - name: dikastes
          image: calico/dikastes:master
          args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"]
          securityContext:
            allowPrivilegeEscalation: false
            runAsGroup: 999
            runAsNonRoot: true
            runAsUser: 999
          livenessProbe:
            exec:
              command:
              - /healthz
              - liveness
            initialDelaySeconds: 3
            periodSeconds: 3
          readinessProbe:
            exec:
              command:
              - /healthz
              - readiness
            initialDelaySeconds: 3
            periodSeconds: 3
          volumeMounts:
          - mountPath: /var/run/dikastes
            name: dikastes-sock
          - mountPath: /var/run/felix
            name: felix-sync
```