...

Rules (YAML):
  rules:
  - to:
    - operation:
        methods: ["GET", "POST", "PUT", "DELETE"]
        paths: ["/a1-policy*"]
    when:
    - key: request.auth.claims[role]
      values: ["pms_admin"]
  - to:
    - operation:
        methods: ["GET"]
        paths: ["/a1-policy*"]
    when:
    - key: request.auth.claims[role]
      values: ["pms_viewer"]
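
The following Python sketch is an added example, not part of the original page or of Istio. It is a simplified model of how the two rules above are evaluated against a validated token's claims. It assumes the policy's action is ALLOW (the action is not shown on this page); the function names and the sample requests are constructed for illustration.

```python
# Added illustration: a simplified model of ALLOW-rule evaluation, not Istio's code.
RULES = [  # the two rules from the page
    {"methods": ["GET", "POST", "PUT", "DELETE"], "paths": ["/a1-policy*"],
     "claim": "role", "values": ["pms_admin"]},
    {"methods": ["GET"], "paths": ["/a1-policy*"],
     "claim": "role", "values": ["pms_viewer"]},
]

def path_matches(pattern, path):
    """Istio string match: '*' = present, 'x*' = prefix, '*x' = suffix, else exact."""
    if pattern == "*":
        return path != ""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return path == pattern

def claim_matches(claims, key, allowed):
    """Claim may be a string or a list of strings; a missing claim never matches."""
    value = (claims or {}).get(key)
    values = value if isinstance(value, list) else [value]
    return any(isinstance(v, str) and v in allowed for v in values)

def decide(method, path, claims, rules=RULES):
    """ALLOW semantics (assumed action): allow if any rule matches, otherwise deny."""
    for rule in rules:
        if (method in rule["methods"]
                and any(path_matches(p, path) for p in rule["paths"])
                and claim_matches(claims, rule["claim"], rule["values"])):
            return "ALLOW"
    return "DENY"

# Constructed sample requests; the claims stand in for a validated JWT payload.
SAMPLES = [
    ("GET", "/a1-policy/v2/policies", {"role": "pms_viewer"}),
    ("DELETE", "/a1-policy/v2/policies/1", {"role": "pms_viewer"}),
    ("PUT", "/a1-policy/v2/policies/1", {"role": ["pms_admin"]}),
    ("GET", "/a1-policy/v2/policies", None),  # no token presented
    ("GET", "/a1-policy-other", {"role": "pms_viewer"}),  # prefix match is broad
    ("GET", "/status", {"role": "pms_admin"}),  # path not covered by any rule
]

if __name__ == "__main__":
    for method, path, claims in SAMPLES:
        print(f"{decide(method, path, claims):5} {method:6} {path} {claims}")
```

Note that the prefix pattern "/a1-policy*" also covers sibling paths such as "/a1-policy-other", so a tighter pattern is worth considering if only the "/a1-policy/" subtree is meant to be exposed.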

Istio network policy is enforced at the pod level by the Envoy proxy, in user space at layer 7. Kubernetes network policy, by contrast, is enforced on the host in kernel space at layer 4. By operating at the application layer, Istio has a richer set of attributes with which to express and enforce policy in the protocols it understands (e.g. HTTP headers).

Istio Network Policy

Grafana

Istio also comes with Grafana. To start it, run: istioctl dashboard grafana

...

  1. Download and install Istio: istioctl install --set profile=demo
  2. Install Postgres: istioctl kube-inject -f postgres.yaml | kubectl apply -f - (change the hostPath path value to a path on your host)
  3. Install Keycloak: istioctl kube-inject -f keycloak.yaml | kubectl apply -f -
  4. Open the Keycloak admin console and set up the required realms, users and clients.
  5. Set up the "pms_admin" and "pms_viewer" roles for pmsuser and pmsuser2 respectively.
  6. Install Release E: Coordinated Service Exposure: docker build -t nonrtric-server-go:latest .
  7. Create the istio-nonrtric namespace: kubectl create namespace istio-nonrtric
  8. Enable Istio for the istio-nonrtric namespace: kubectl label namespace istio-nonrtric istio-injection=enabled
  9. Edit istio-test.yaml so that the host IP specified matches yours.
  10. Also change the userid in the requestPrincipals field to match yours.
  11. Install istio-test.yaml: kubectl create -f istio-test.yaml
  12. Install Release E: Coordinated Service Exposure: docker build -t nonrtric-client-go:latest .
  13. Install the test client: istioctl kube-inject -f client.yaml | kubectl apply -f -
  14. Open the Kiali dashboard to check that your services are up and running.
  15. Open the Grafana dashboard to view the Istio dashboard.
  16. Optionally install Release E: Coordinated Service Exposure

...