Securing Workloads 20%

isaac88 · Jan 5, 2024 · d84a867 · d84a867
1 parent 08be5fd
commit d84a867
Show file tree

Hide file tree

Showing 5 changed files with 538 additions and 26 deletions.
diff --git a/1_istio_installation_upgrade_configuration/README.md b/1_istio_installation_upgrade_configuration/README.md
@@ -1,14 +1,15 @@
 # Istio Installation, Upgrade & Configuration 7%
 
-* Using the Istio CLI to install a basic cluster
-* Customizing the Istio installation with the IstioOperator API
-* Using overlays to manage Istio component settings
-
+* [Using the Istio CLI to install a basic cluster](#using-the-istio-cli-to-install-a-basic-cluster)
+* [Customizing the Istio installation with the IstioOperator API](#customizing-the-istio-installation-with-the-istiooperator-api)
+* [Using overlays to manage Istio component settings](#using-overlays-to-manage-istio-component-settings)
 
 ## Using the Istio CLI to install a basic cluster
 
 [Docs](https://istio.io/latest/docs/setup/install/istioctl/)
 
+[Configuration Reference](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/)
+
 ```bash
 
 # Verify that Istio can be installed or upgraded
@@ -85,7 +86,6 @@ $ istioctl verify-install
 
 ```
 
-
 ## Customizing the Istio installation with the IstioOperator API
 
 [Docs](https://istio.io/latest/docs/setup/additional-setup/customize-installation/)

diff --git a/2_traffic_management/README.md b/2_traffic_management/README.md
@@ -1,14 +1,16 @@
 # Traffic Management 40%
 
-* Controlling network traffic flows within a service mesh
-* Configuring sidecar injection
-* Using the Gateway resource to configure ingress and egress traffic
-* Understanding how to use ServiceEntry resources for adding entries to internal service registry
-* Define traffic policies using DestinationRule
-* Configure traffic mirroring capabilities
+* [Controlling network traffic flows within a service mesh]()
+* [Configuring sidecar injection](#configuring-sidecar-injection)
+* [Using the Gateway resource to configure ingress and egress traffic](#using-the-gateway-resource-to-configure-ingress-and-egress-traffic)
+* [Understanding how to use ServiceEntry resources for adding entries to internal service registry](#understanding-how-to-use-serviceentry-resources-for-adding-entries-to-internal-service-registry)
+* [Define traffic policies using DestinationRule](#define-traffic-policies-using-destinationrule)
+* [Configure traffic mirroring capabilities](#configure-traffic-mirroring-capabilities)
 
 [Docs](https://istio.io/latest/docs/concepts/traffic-management/)
 
+[Configuration Reference](https://istio.io/latest/docs/reference/config/networking/)
+
 [Task - Exam](https://istio.io/latest/docs/tasks/traffic-management/)
 
 ## Configuring sidecar injection
@@ -353,7 +355,7 @@ $ kubectl logs -l istio=egressgateway -n istio-system
 
 ```
 
-## Understanding how to use ServiceEntry resources for adding entries to internal service registry
+## Understanding how to use ServiceEntry resources for adding entries to internal service registry
 
 [Docs](https://istio.io/latest/docs/reference/config/networking/service-entry/)
 
@@ -422,11 +424,11 @@ $ kubectl exec -n istio-system deploy/istiod -- \
 
 ```
 
-## Define traffic policies using DestinationRule
+## Define traffic policies using DestinationRule
 
 [Docs](https://istio.io/latest/docs/reference/config/networking/destination-rule/)
 
-### Load balancing
+### Load balancing
 
 [Load balancing](https://tetratelabs.github.io/istio-0to60/discovery/#load-balancing)
 
@@ -464,7 +466,7 @@ $ istioctl proxy-config cluster deploy/sleep \
   lbPolicy: RANDOM
 ```
 
-### Traffic distribution
+### Traffic distribution
 
 [Traffic distribution](https://tetratelabs.github.io/istio-0to60/discovery/#traffic-distribution)
 
@@ -731,5 +733,4 @@ $ kubectl logs "$V2_POD" -c httpbin
 ...
 127.0.0.6 - - [02/Jan/2024:10:20:00 +0000] "GET /headers HTTP/1.1" 200 562 "-" "curl/8.5.0"
 ...
-
-```
+```
diff --git a/3_resilience_and_fault_injection/README.md b/3_resilience_and_fault_injection/README.md
@@ -1,8 +1,8 @@
 # Resilience and Fault Injection 20%
 
-* Configuring circuit breakers (with or without outlier detection)
-* Using resilience features
-* Creating fault injection
+* [Configuring circuit breakers (with or without outlier detection)](#configuring-circuit-breakers-with-or-without-outlier-detection)
+* [Using resilience features](#using-resilience-features)
+* [Creating fault injection](#creating-fault-injection)
 
 [Docs](https://istio.io/latest/docs/concepts/traffic-management/#network-resilience-and-testing)
 
@@ -316,6 +316,25 @@ $ kubectl logs -f deploy/sleep -c istio-proxy
 # You will see 5 times where it match with the     retries/attempts: 5:
 # "performing retry"
 
+# Check the how that VirtualService retries configuration is translate to Envoy configuration
+$ kubectl exec -it "$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})"  -c istio-proxy -- curl -X GET "localhost:15000/config_dump" |grep -A14 "outbound|80|v1|helloworld.default.svc.cluster.local"
+
+"cluster": "outbound|80|v1|helloworld.default.svc.cluster.local",
+"timeout": "0s",
+"retry_policy": {
+"retry_on": "5xx,reset,connect-failure,refused-stream", # retryOn
+"num_retries": 5, # attempts
+"per_try_timeout": "0.001s", # perTryTimeout
+"retry_host_predicate": [
+  {
+  "name": "envoy.retry_host_predicates.previous_hosts",
+  "typed_config": {
+    "@type": "type.googleapis.com/envoy.extensions.retry.host.previous_hosts.v3.PreviousHostsPredicate"
+  }
+  }
+],
+"host_selection_retry_max_attempts": "5"
+
 ```
 
 ## Creating fault injection