Istio

istio AuthorizationPolicy deny rule question

和自甴很熟 submitted on 2021-02-05 08:56:31
Question: I defined the following first policy to deny all requests to workload1 in namespace foo unless they come from workload2 or workload3. I get RBAC: access denied when trying to access from workload2 to workload1. But when I rewrote them with the ALLOW policy shown below, the access from workload2 to workload1 succeeded. I wonder why that is, as the two rules should be equivalent (taken from https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule where Fields in the source are

Need help troubleshooting Istio IngressGateway HTTP ERROR 503

北慕城南 submitted on 2021-02-05 05:51:41
Question: My Test Environment Cluster has the following configurations: Global Mesh Policy (Installed as part of cluster setup by our org): output of kubectl describe MeshPolicy default Name: default Namespace: Labels: operator.istio.io/component=Pilot operator.istio.io/managed=Reconcile operator.istio.io/version=1.5.6 release=istio Annotations: kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"authentication.istio.io/v1alpha1","kind":"MeshPolicy","metadata":{"annotations":{},"labels":

How to use Istio's Prometheus to configure kubernetes hpa?

倖福魔咒の submitted on 2021-02-04 16:23:05
Question: We have an Istio cluster and we are trying to configure horizontal pod autoscale for Kubernetes. We want to use the request count as our custom metric for hpa. How can we utilise Istio's Prometheus for the same purpose? Answer 1: This question turned out to be much more complex than I expected, but finally here I am with the answer. First of all, you need to configure your application to provide custom metrics. It is on the developing application side. Here is an example, how to make it with Go

Istio complicated K8sObjectOverlay.PathValue

☆樱花仙子☆ submitted on 2021-02-04 08:09:17
Question: Istio can be deployed via IstioOperator. You can patch anything created by a certain component using the K8sObjectOverlay, which takes a PathValue. I cannot for the life of me understand how to provide complicated PathValues. Here are some example patches I've found (search for "patches:" on those pages) in case it helps. The patch I'm trying to apply is changing the default ingressGateway that gets created from: ... spec: profile: default components: ingressGateways: - namespace: istio

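A Roundup of Open-Source Projects from the Big Tech Companies

心已入冬 submitted on 2021-01-30 12:37:45
Xiaomi is an internet company centered on mobile phones, smart hardware and an IoT platform, offering a rich range of products and services such as smartphones, smart TVs and laptops. It is committed to letting everyone in the world enjoy the better life that technology brings. "Born for enthusiasts" is Xiaomi's product concept. "Let everyone enjoy the fun of technology" is the company's vision. Xiaomi applies the internet development model to building products, makes products with a geek spirit, uses the internet model to cut out intermediaries, and strives to let everyone in the world use high-quality technology products from China. GitHub homepage: https://github.com/xiaomi HIUI Category: front-end component library Language: JavaScript HIUI is a front-end component library for middle- and back-office systems that helps developers quickly build interfaces with consistent interaction and an attractive look. Features • Greatly reduces users' interaction cost and the effort of understanding interaction predictability • Establishes an excellent visual style, with visual design and interface specifications for typical scenarios • Highly refined design experience in OA, warehousing and after-sales systems, BI systems and the company's middle-platform projects Stars: 351 GitHub: https://github.com/XiaoMi/hiui [1] MACE Category: neural network computing framework Languages: C++, Python Mobile AI Compute Engine (MACE) is a deep learning inference framework optimized for heterogeneous computing devices on mobile. MACE covers common mobile computing devices (CPU, GPU, Hexagon DSP, Hexagon HTA, MTK APU)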

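Serverless Kubernetes: Ideals, Reality and the Future

筅森魡賤 submitted on 2021-01-29 17:35:21
Authors | Yi Li (易立), Zhang Wei (张维) Source | Alibaba Cloud Native official account Introduction: What is the current industry trend for serverless containers? What value do they offer applications? If Kubernetes had been born on the cloud, how should its architecture be designed? What infrastructure do serverless containers need? Yi Li, head of the Alibaba Cloud Container Service product, and Zhang Wei, TL of the Alibaba Cloud Serverless Kubernetes product, share their key thinking on serverless container architecture and what lies behind it. From Serverless Containers to Serverless Kubernetes Serverless containers are a product and technology form that lets users deploy container applications directly without buying or managing servers. Serverless containers can greatly improve the agility and elasticity of container application deployment and reduce users' compute costs; they let users focus on business applications rather than on managing the underlying infrastructure, greatly improving application development efficiency and lowering operations costs. Kubernetes has now become the de facto industry standard for container orchestration, and the Kubernetes-based cloud-native application ecosystem (Helm, Istio, Knative, Kubeflow, Spark on K8s, etc.) has further made Kubernetes the cloud operating system. On the one hand, the serverless approach fundamentally solves the management complexity of K8s itself, so that users are no longer burdened by K8s cluster capacity planning, security maintenance and fault diagnosis; on the other hand, it further unleashes the capabilities of cloud computing, bringing security, availability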

Istio Pilot warning when adding multiple external services - “pilot_conflict_outbound_listener_tcp_over_current_tcp”

这一生的挚爱 submitted on 2021-01-29 14:37:01
Question: I was trying to define multiple external services to route through Istio egress gateway using the following config. apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: cnn spec: hosts: - edition.cnn.com ports: - number: 443 name: tls-cnn protocol: TLS resolution: DNS --- apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: google spec: hosts: - www.google.com ports: - number: 443 name: tls-google protocol: TLS resolution: DNS --- apiVersion:

Istio-ingressgateway with https - Connection refused

时光毁灭记忆、已成空白 submitted on 2021-01-29 14:12:50
Question: Following this doc I got istio-ingressgateway running but using curl to test the URL I am facing this problem: curl: (7) Failed to connect to httpbin.example.com port 31390: Connection refused This is the Gateway: apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: mygateway spec: selector: istio: ingressgateway # use istio default ingress gateway servers: - port: number: 443 name: https protocol: HTTPS tls: mode: SIMPLE credentialName: httpbin-credential # must be the same

Istio queryParams always returning truthy

久未见 submitted on 2021-01-29 09:41:22
Question: Set up istio and the basic bookinfo app set up the virtual service as such: one with headers: kind: VirtualService apiVersion: networking.istio.io/v1alpha3 metadata: name: bookinfo spec: hosts: - '*' gateways: - bookinfo-gateway http: - match: - headers: apiKey: exact: test rewrite: uri: /productpage route: - destination: host: productpage port: number: 9080 tcp: ~ tls: ~ and another with queryParams as the routing differentiator: kind: VirtualService apiVersion: networking.istio.io/v1alpha3

Unable to reach an external mongo db server from istio

只愿长相守 submitted on 2021-01-29 09:37:22
Question: I am trying to implement service mesh using istio and envoy for a service which requires connecting to an external MongoDB server, but for some reason my service is unable to reach the external MongoDB server from istio proxy. Below is the gateway and virtual service configuration for my service: apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: gtreviews spec: selector: istio: ingressgateway servers: - port: number: 7890 name: http protocol: GRPC hosts: - "*" --- apiVersion: