add the first part of a series about secure egress traffic control in Istio #4196
Merged
vadimeisenbergibm requested review from frankbu, geeknoid and sdake as code owners, May 19, 2019 08:32
rcaballeromx suggested changes, May 21, 2019
Great work. Just some rewording suggestions to make the text clearer and flow better.
content/blog/2019/egress-traffic-control-in-istio-part-1/index.md
…e control of egress traffic Co-Authored-By: Rigs Caballero <grca@google.com>
…"In this installment" Co-Authored-By: Rigs Caballero <grca@google.com>
…m the need Co-Authored-By: Rigs Caballero <grca@google.com>
…requirement the Co-Authored-By: Rigs Caballero <grca@google.com>
…g the third requirement Co-Authored-By: Rigs Caballero <grca@google.com>
…ffic Co-Authored-By: Rigs Caballero <grca@google.com>
…of egress traffic Co-Authored-By: Rigs Caballero <grca@google.com>
… policies regarding egress traffic
…d go so their IPs are not static
rcaballeromx approved these changes, May 21, 2019
frankbu approved these changes, May 22, 2019
geeknoid approved these changes, May 22, 2019
vadimeisenbergibm added a commit to vadimeisenbergibm/vadimeisenbergibm.github.io that referenced this pull request, May 28, 2019
mergify bot pushed a commit that referenced this pull request, Jul 10, 2019

* add the second part of the series about secure egress traffic control in Istio (#4196)
* requirements for your system -> requirements for a system for egress traffic control
* add links from part 1 to part 2
* add istio-identity to .spelling
* add gateway and tls as keywords Co-Authored-By: Rigs Caballero <grca@google.com>
* This is -> Welcome to, a new series -> our new series Co-Authored-By: Rigs Caballero <grca@google.com>
* an egress traffic control system -> a secure control system for egress traffic Co-Authored-By: Rigs Caballero <grca@google.com>
* for controlling egress traffic securely -> to securely control the egress traffic, prevents the -> can help you prevent such Co-Authored-By: Rigs Caballero <grca@google.com>
* Egress traffic control by Istio -> Secure control of egress traffic in Istio Co-Authored-By: Rigs Caballero <grca@google.com>
* add bullets regarding security measures for Istio control plane Co-Authored-By: Rigs Caballero <grca@google.com>
* you can securely monitor the traffic and define security policies on it -> you can securely monitor and define security policies for the traffic Co-Authored-By: Rigs Caballero <grca@google.com>
* Possible attacks and their prevention -> Preventing possible attacks Co-Authored-By: Rigs Caballero <grca@google.com>
* e.g. -> like, add a comma, split a sentence Co-Authored-By: Rigs Caballero <grca@google.com>
* the -> said Co-Authored-By: Rigs Caballero <grca@google.com>
* remove "for TLS traffic" it is clear that it is TLS Traffic from TLS origination Co-Authored-By: Rigs Caballero <grca@google.com>
* monitor SNI and the service account of the source pod -> monitor SNI and the service account of the source pod's TLS traffic Co-Authored-By: Rigs Caballero <grca@google.com>
* L3 firewall -> an L3 firewall, remove parentheses, provided -> should be provided
* The L3 firewall can have -> you can configure the L3 firewall Co-Authored-By: Rigs Caballero <grca@google.com>
* from pods only -> only allow. Remove "Note that" Co-Authored-By: Rigs Caballero <grca@google.com>
* move the diagram right after its introduction
* remove parentheses Co-Authored-By: Rigs Caballero <grca@google.com>
* emphasize the label (A, B) Co-Authored-By: Rigs Caballero <grca@google.com>
* policy with regard -> policies as they regard Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about a compromised pod Co-Authored-By: Rigs Caballero <grca@google.com>
* traffic must be monitored -> traffic is monitored Co-Authored-By: Rigs Caballero <grca@google.com>
* Note that application A is allowed -> since application A is allowed Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about monitoring access of the compromised version of the application Co-Authored-By: Rigs Caballero <grca@google.com>
* split the sentence about detecting suspicious traffic Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about thwarting the second goal of the attackers Co-Authored-By: Rigs Caballero <grca@google.com>
* Istio must enforce -> enforces, forbids access of application A -> forbids application A from accessing Co-Authored-By: Rigs Caballero <grca@google.com>
* Rewrite the sentence "let's see which attacks" Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence "I hope that" Co-Authored-By: Rigs Caballero <grca@google.com>
* in the next blog post -> in the next part Co-Authored-By: Rigs Caballero <grca@google.com>
* remove mentioning wildcard domains
* rewrite the "Secure control of egress traffic in Istio" section
* remove a leftover from suggested changes
* as they regard to egress traffic -> for egress traffic
* convert security policies into bullets
* make the labels (A,B) bold
* remove the sentences about thwarting the second goal
* rewrite the paragraph about which goals of the attackers can be thwarted
* remove a leftover from the previous changes
* such attacks -> the attacks
* rewrite the section about preventing the attacks
* secure egress traffic control -> secure control of egress traffic
* sending HTTP traffic -> sending unencrypted HTTP traffic
* define security policies -> enforce security policies
* change the publish date to July 9
* formatting Co-Authored-By: Rigs Caballero <grca@google.com>
* Kubernetes Network Policies -> Kubernetes network policies Co-Authored-By: Rigs Caballero <grca@google.com>
* [an example for Kubernetes Network Policies configuration] -> an example of the [Kubernetes Network Policies configuration] Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 1 Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 2 Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 3 Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 4 Co-Authored-By: Rigs Caballero <grca@google.com>
* check -> verify, access the destination, mongo1, access mongo1 Co-Authored-By: Rigs Caballero <grca@google.com>
* You can thwart the third goal -> to stop attackers from Co-Authored-By: Rigs Caballero <grca@google.com>
* remove mentioning anomaly detection Co-Authored-By: Rigs Caballero <grca@google.com>
* Provide context instead of "after all" Co-Authored-By: Rigs Caballero <grca@google.com>
* split a long line Co-Authored-By: Rigs Caballero <grca@google.com>
* connect two sentences Co-Authored-By: Rigs Caballero <grca@google.com>
* First -> Next Co-Authored-By: Rigs Caballero <grca@google.com>
* use - instead of * for bulleted lists
* make the first attacker's goal a bullet Co-Authored-By: Rigs Caballero <grca@google.com>
* make the first attacker's goal a bullet the previous commit was related to the third goal Co-Authored-By: Rigs Caballero <grca@google.com>
* make the second attacker's goal a bullet Co-Authored-By: Rigs Caballero <grca@google.com>
* fix indentation Co-Authored-By: Rigs Caballero <grca@google.com>
* make the reference to prevention of the first goal a bullet Co-Authored-By: Rigs Caballero <grca@google.com>
* make the reference to prevention of the second goal a bullet Co-Authored-By: Rigs Caballero <grca@google.com>
* rephrase the sentence about applying additional security measures Co-Authored-By: Rigs Caballero <grca@google.com>
* remove leftover from a previous change Co-Authored-By: Rigs Caballero <grca@google.com>
* that will enforce -> to enforce Co-Authored-By: Rigs Caballero <grca@google.com>
* split long lines
* rewrite the part about increasing security of the control plane pods
* fix indentation
* fix indentation and remove a leftover from a previous change
* extend the bold font from a single word to a phrase
* rewrite the prevention of the straightforward access and the attacks
* add conclusion after the attacks part
* control planes pods -> control plane pods
* control plane -> Istio control plane
* is able to access it indistinguishable -> is indistinguishable Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence "The choice would mainly depend on" Co-Authored-By: Rigs Caballero <grca@google.com>
* insure -> ensure Co-Authored-By: Rigs Caballero <grca@google.com>
* update the publish date to 10-th of July
mergify bot pushed a commit that referenced this pull request, Jul 10, 2019 (cherry picked from commit 24f9ca7)
geeknoid pushed a commit that referenced this pull request, Jul 10, 2019 (cherry picked from commit 24f9ca7)
charili pushed a commit to charili/istio.io that referenced this pull request, Nov 10, 2019 (cherry picked from commit 24f9ca7)
Following a recommendation of @rcaballeromx to split #3179 into three parts.