diff --git a/labs/ISTIO/lab.md b/labs/ISTIO/lab.md index 19edc46..70e4ba4 100644 --- a/labs/ISTIO/lab.md +++ b/labs/ISTIO/lab.md @@ -6,14 +6,21 @@ kubectl create clusterrolebinding cluster-admin-binding \ --user="$(gcloud config get-value core/account)" ``` -### Task 2: Install Istio Components and Enable Automatic Sidecar Injection -Istio is huge. Take a look at the install istio-demo-auth.yaml file. These are the Kubernetes objects that are needed to run Istio (including some extra features) in our cluster. Wow. Such yaml. +To interact with Istio, we will use `istioctl` which is bundled as a binary with the Istio install package. +``` +# In the istio-1.0.0 directory +export PATH=$PWD/bin:$PATH +# Ensure the binary is available +istio version +``` +### Task 2: Install Istio Components and Enable Automatic Sidecar Injection +Istio is a massive project. Check out the yaml file located at `istio-1.0.0/install/kubernetes/istio-demo-auth.yaml`. Wow. Such yaml. Let's install the components necessary in our cluster: ``` # In the istio-1.0.0 directory kubectl create -f install/kubernetes ``` -Each pod in the mesh must be running an Istio compatible sidecar. The sidecar is how all traffic to and from pods in the mesh communicate. +Each pod in the mesh must be running an Istio compatible sideecar. The sidecar is how all traffic to and from pods in the mesh Manual injection modifies the controller configuration, e.g. deployment. It does this by modifying the pod template spec such that all pods for that deployment are created with the injected sidecar. Adding/Updating/Removing the sidecar requires modifying the entire deployment. 
@@ -30,17 +37,32 @@ Since we have automatic injection enabled for the `default` namespace, any deplo # In the manifests/api directory kubectl create -f . ``` -The unshorten service will spin up a load balancer. Ensure the API is accessible by running the following: +The unshorten service will spin up a load balancer. Ensure the API is accessible. Now that our pod is managed by Istio, we are not going to use the link-unshorten-service IP address as in previous labs. We will use the service provisioned by Istio called `istio-ingressgateway` to grab the routable IP address of the API. ``` -kubectl get svc -# Grab the EXTERNAL-IP from the link-unshorten-service +kubectl -n istio-system get service istio-ingressgateway +``` + +Now, paste the IP address with a shortened link as follows in your browser and you will see that there are some issues. Egress is blocked by default. The API is not able to make outbound connections by default. ``` -Now, paste the IP address in your browser and -you will see that there are some issues. Egress is blocked by default http://35.197.37.188/api/check?url=https://bit.ly/hi -NOT ALLOWED! +# NOT ALLOWED or fail to resolve +``` + +### Task 4: Build Egress Rules +Lets build some rules to explictlly allow outbound egress traffic to only bit.ly. This can be accomplished by using a `ServiceEntry`. Check out the file `link-unshorten-egress.yaml` located in the `istio-rules` directory and create it as follows: + +``` +# In the manifests/istio-rules directory +kubectl create -f . +``` + +Once the rules are created, try to visit the API again and you should be able to successfully unshorten links to `bit.ly` domains only. + +### Task 5: Logging and Monitoring with Istio + + + -Lets build some rules to explictlly allow outboud traffic to only bit.ly Grafana kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=grafana -o jsonpath='{.items[0].metadata.name}') 8080:3000 
diff --git a/labs/ISTIO/manifests/istio-rules/istio-psp.yaml b/labs/ISTIO/manifests/api/istio-psp.yaml similarity index 100% rename from labs/ISTIO/manifests/istio-rules/istio-psp.yaml rename to labs/ISTIO/manifests/api/istio-psp.yaml diff --git a/labs/ISTIO/manifests/istio-rules/link-unshorten-gateway.yaml b/labs/ISTIO/manifests/api/link-unshorten-gateway.yaml similarity index 100% rename from labs/ISTIO/manifests/istio-rules/link-unshorten-gateway.yaml rename to labs/ISTIO/manifests/api/link-unshorten-gateway.yaml diff --git a/labs/ISTIO/manifests/api/link-unshorten-service.yaml b/labs/ISTIO/manifests/api/link-unshorten-service.yaml index 573369d..f9ed005 100644 --- a/labs/ISTIO/manifests/api/link-unshorten-service.yaml +++ b/labs/ISTIO/manifests/api/link-unshorten-service.yaml @@ -3,7 +3,6 @@ kind: Service metadata: name: link-unshorten-service spec: - type: LoadBalancer ports: - port: 8080 targetPort: 8080
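Review bot: the verification command in the first lab.md hunk (@@ -6,14 +6,21 @@) does not match the binary the sentence above it introduces: the text says we will use `istioctl` from the bundled `bin` directory, but the added check runs `istio version`, which will fail with "command not found"; it should read `istioctl version`. The same hunk also introduces the typo `sideecar` and cuts the sentence `The sidecar is how all traffic to and from pods in the mesh` short (the removed line ended with `communicate.`), so the paragraph now runs straight into `Manual injection modifies the controller configuration`; restore the ending and the paragraph break.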
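Review bot: in the second lab.md hunk (@@ -30,17 +37,32 @@) the new `### Task 5: Logging and Monitoring with Istio` heading has no body, only a bare `Grafana` label and a `port-forward` command with no instruction on what the reader should do with port 8080; either write the task or leave the heading out until it is ready. The added Task 4 sentence still carries the typos `Lets` and `explictlly` that the removed line had, and the example URL keeps the hard-coded address `http://35.197.37.188/api/check?url=https://bit.ly/hi` even though the text now tells the reader to fetch the address from `istio-ingressgateway`; a placeholder such as `http://<INGRESS_IP>/api/check?url=https://bit.ly/hi` avoids shipping a stale IP. It would also help to state in Task 4 that after the `ServiceEntry` is applied, egress to any host other than `bit.ly` stays blocked, so a reader who tries a different shortener sees the expected failure rather than suspecting a bug.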
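Review bot: dropping `type: LoadBalancer` from link-unshorten-service.yaml in the last hunk is consistent with routing all inbound traffic through `istio-ingressgateway` (the API no longer gets a public IP of its own), but the lab text in the second lab.md hunk still opens with `The unshorten service will spin up a load balancer`; update that sentence so readers do not wait for an EXTERNAL-IP that will never be assigned. The renames of `istio-psp.yaml` and `link-unshorten-gateway.yaml` from `manifests/istio-rules` into `manifests/api` also mean that the `kubectl create -f .` step in the `manifests/api` directory now creates those objects alongside the deployment and service; say so in that step, and note in Task 4 that the `istio-rules` directory now contains only the egress `ServiceEntry`, so the two `create -f .` commands in the lab are applying the objects the reader expects.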