Yangmin Zhu yangminzhu
yangminzhu
/ egress-mtls-authz.yaml
Created
September 18, 2020 06:28
Example policies to enforce mTLS between sidecar and egress gateway
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Example policies to enforce mTLS between sidecar and egress gateway, the connection between sidecar | |
| # and egress gateway could be: | |
| # 1. plaintext in (Istio) mTLS or | |
| # 2. TLS in (Istio) mTLS; | |
| # An AuthorizationPolicy is applied on egress gateway to enforce egress access control. | |
| --- | |
| apiVersion: networking.istio.io/v1beta1 | |
| kind: ServiceEntry | |
| metadata: | |
| name: httpbin-org-ext |
yangminzhu
/ lint_with_debug.log
Created
August 24, 2018 00:12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| circleci@8a6b1311ace4:/go$ cd src/istio.io/istio/ | |
| circleci@8a6b1311ace4:/go/src/istio.io/istio$ make lint | |
| GOBUILDFLAGS=-i make build | |
| make[1]: Entering directory '/go/src/istio.io/istio' | |
| bin/gobuild.sh /go/out/linux_amd64/release/pilot-discovery ./pilot/cmd/pilot-discovery | |
| real 0m1.272s | |
| user 0m0.888s | |
| sys 0m2.436s | |
| bin/gobuild.sh /go/out/linux_amd64/release/pilot-agent ./pilot/cmd/pilot-agent |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [2018-06-26 23:51:57.945][26][debug][filter] external/envoy/source/extensions/filters/listener/original_dst/original_dst.cc:18] original_dst: New connection accepted | |
| [2018-06-26 23:51:57.945][26][debug][filter] src/envoy/tcp/mixer/filter.cc:28] Called tcp filter: Filter | |
| [2018-06-26 23:51:57.945][26][debug][filter] src/envoy/tcp/mixer/filter.cc:38] Called tcp filter: initializeReadFilterCallbacks | |
| [2018-06-26 23:51:57.945][26][debug][filter] external/envoy/source/common/tcp_proxy/tcp_proxy.cc:168] [C1644] new tcp proxy session | |
| [2018-06-26 23:51:57.946][26][debug][filter] src/envoy/tcp/mixer/filter.cc:98] [C1644] Called tcp filter onNewConnection: remote 172.17.0.20:35552, local 172.17.0.19:90 | |
| [2018-06-26 23:51:57.946][26][debug][filter] external/envoy/source/common/tcp_proxy/tcp_proxy.cc:305] [C1644] Creating connection to cluster inbound|9090||a.istio-system.svc.cluster.local | |
| [2018-06-26 23:51:57.946][26][debug][connection] external/envoy/source/common/network/connection_impl.cc:564] [C1645] connecting to 127. |
yangminzhu
/ test.log
Created
June 21, 2018 03:20
envoy/http/authn/http_filter_integration_test/test.log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1 exec ${PAGER:-/usr/bin/less} "$0" || exit 1 | |
| 2 Executing tests from //src/envoy/http/authn:http_filter_integration_test | |
| 3 ----------------------------------------------------------------------------- | |
| 4 WARNING: Perftools heap leak checker is active -- Performance may suffer | |
| 5 [==========] Running 12 tests from 1 test case. | |
| 6 [----------] Global test environment set-up. | |
| 7 [----------] 12 tests from IpVersions/AuthenticationFilterIntegrationTest | |
| 8 [ RUN ] IpVersions/AuthenticationFilterIntegrationTest.EmptyPolicy/0 | |
| 9 [2018-06-21 03:18:32.576][15][critical][backtrace] bazel-out/k8-fastbuild/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/ser ver/backtrace.h:125] Caught Segmentation fault, suspect faulting address 0x0 | |
| 10 [2018-06-21 03:18:32.576][15][critical][backtrace] bazel-out/k8-fastbuild/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/ser ver/backtrace.h:94] Backtrace thr<0> obj</usr/local/google/home/ymzhu/.cache/bazel/_bazel_ymzhu/4ee49264c2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Start Envoy with RBAC filter, you need to use the latest upstream envoy with RBAC filter support. | |
| # Note: the static config include a RBAC rule that only allows access to path "/allow" | |
| $ envoy -l debug -c sample_rbac_config.yaml | |
| # Start a test server listening on 10001 | |
| $ while true; do echo -e "HTTP/1.1 200 OK\n\n Welcome" | nc -l 127.0.0.1 10001 -q 1; done | |
| # First let's try to access a path that is not included in the RBAC policy | |
| # Check the response is: "RBAC: access denied". This means the request was denied by RBAC filter and didn't access the test server | |
| $ curl http://127.0.0.1:9999/hello |