Egress blog part 2 #4232
Conversation
This text ended up needing more work than I expected. Please remember to be consistent with the terminology you use, for example: do not name services applications, and do not use pods and workloads indistinctly. Always refer to the feature in the same way: "secure control of egress traffic". Doing so helps establish it in the minds of readers and makes consuming the content easier. I tried to address these things in the suggestions, but please ensure you are being consistent throughout the document.
Excerpt from content/blog/2019/egress-traffic-control-in-istio-part-2/index.md under review:

> 1. **Bypass** the container's sidecar proxy and access external services directly. This attack is prevented by a
> Kubernetes Network Policy or by an L3 firewall that allows egress traffic to exit the mesh only from the egress
> gateway.
> 1. **Compromise** the egress gateway and force it to send fake information to the monitoring system or to disable
Suggested change:

Original: 1. **Compromise** the egress gateway and force it to send fake information to the monitoring system or to disable
Suggested: - **Compromise:** Attackers gain access to the egress gateway forcing it to send fake information to the monitoring system or to disable
Here the meaning is: the attackers compromise the gateway (break into it) in order to force it to send fake info.
Excerpt under review:

> gateway.
> 1. **Compromise** the egress gateway and force it to send fake information to the monitoring system or to disable
> enforcement of the security policies.
> This attack is prevented by applying the special security measures to the egress gateway pods.
Suggested change:

Original: This attack is prevented by applying the special security measures to the egress gateway pods.
Suggested: Applying the special security measures we discussed helps prevent this attack to the egress gateway.
Excerpt under review:

> 1. **Compromise** the egress gateway and force it to send fake information to the monitoring system or to disable
> enforcement of the security policies.
> This attack is prevented by applying the special security measures to the egress gateway pods.
> 1. Since the previous attacks are prevented, the attackers have no other option but to direct the traffic through the
Suggested wording:

- Hide: Attackers direct the traffic through the egress gateway hoping it will go undetected. Our configuration ensures all the traffic going through the egress gateway is monitored, preventing this attack.
- Impersonate: Attackers wish to access an external service through a service. Istio's strong identity support prevents this attack. In our example, attackers using service A cannot access mongo1.composedb.com thanks to our configuration.
@rcaballeromx the attackers hope it will go undetected - the attackers cannot be so naive :) We are talking about attackers who learned how Istio works and are trying to break various Istio mechanisms.
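The "bypass" attack discussed in this thread is stopped outside Istio, by a Kubernetes network policy (or an L3 firewall) that lets traffic leave the cluster only from the egress gateway. The following is an added example, not code from the blog post or from the Istio project: a constructed NetworkPolicy that confines every pod in the application namespace to cluster-internal destinations, so the only route to an external service is via the egress gateway, whose own pods this policy does not select. The namespace name, the cluster CIDR and the gateway location are assumptions.

```yaml
# Added example (not from the blog post or Istio): a Kubernetes NetworkPolicy
# that prevents the "bypass" attack. Every pod in the application namespace
# may only open egress connections to in-cluster addresses, so the only path
# to an external service is through the Istio egress gateway. The gateway pods
# live in another namespace and are not selected, so they stay unrestricted.
#
# Assumptions (adjust for your cluster):
#   - the application namespace is "default"
#   - 10.0.0.0/8 covers the cluster's pod and service CIDRs, i.e. it includes
#     kube-dns, the Istio control plane and the istio-egressgateway pods
#   - the CNI plugin in use enforces NetworkPolicy (otherwise this is a no-op)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-only-via-gateway
  namespace: default
spec:
  podSelector: {}          # empty selector: applies to every pod in the namespace
  policyTypes:
  - Egress                 # only egress is restricted; ingress rules are untouched
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/8   # ASSUMPTION: cluster-internal range only, no public IPs
```

The policy is enforced by the node's CNI data path, not by the sidecar, which is the point: a compromised container that strips the sidecar's iptables redirection still cannot reach a public address directly. To check it, open a direct connection from a pod in the namespace to a public IP (it should time out), then make the same request routed through the egress gateway (it should succeed and appear in the gateway's access log). Two caveats a practitioner should keep in mind: a policy with an `ipBlock` allow-list is only as tight as the CIDR, so a range that accidentally includes external addresses reopens the bypass, and on a cluster whose CNI ignores NetworkPolicy the L3 firewall alternative from the post is the only option.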
@rcaballeromx I did another take on the additional security measures, please see 65dc36e. The topic is rather tricky, let me explain it. It is good that we are doing this review cycle. Please note the readers have their unique and complex environment, their tools, their policies. We in Istio are not in a position to prescribe them what to do. We can provide them options, modestly, and it is up to them which option to use. The blog post should be more of a dialog and less of teaching/preaching. The phrase "your mileage may vary" is rather popular in technical blogs. One of the goals of writing a blog post is to provoke a discussion, to get feedback, to hear about more threats/attacks/security measures. So this blog goes like this: If you want to secure egress traffic, you can do it with Istio. To do it with Istio, you must:
@rcaballeromx I added 66fb3db to have a conclusion to the subsection, and to solicit feedback, to make the blog post more of a dialog.
Just two minor things remain.
@vadimeisenbergibm I considered the post as a whole and I think it is communicating your points effectively. We could keep nit-picking the content to death but that would only delay publication further. I have requested some minor changes I noticed after you made the last round of improvements. I can approve the post once those are taken care of.
@rcaballeromx I have applied your comments. Thanks a lot for your review, it forced me to restate my claims more clearly. I think the post is much better now as a result of your changes and of my rewrites.
Thanks for applying the changes.
Squash commit message:

* add the second part of the series about secure egress traffic control in Istio (#4196)
* requirements for your system -> requirements for a system for egress traffic control
* add links from part 1 to part 2
* add istio-identity to .spelling
* add gateway and tls as keywords Co-Authored-By: Rigs Caballero <grca@google.com>
* This is -> Welcome to, a new series -> our new series Co-Authored-By: Rigs Caballero <grca@google.com>
* an egress traffic control system -> a secure control system for egress traffic Co-Authored-By: Rigs Caballero <grca@google.com>
* for controlling egress traffic securely -> to securely control the egress traffic, prevents the -> can help you prevent such Co-Authored-By: Rigs Caballero <grca@google.com>
* Egress traffic control by Istio -> Secure control of egress traffic in Istio Co-Authored-By: Rigs Caballero <grca@google.com>
* add bullets regarding security measures for Istio control plane Co-Authored-By: Rigs Caballero <grca@google.com>
* you can securely monitor the traffic and define security policies on it -> you can securely monitor and define security policies for the traffic Co-Authored-By: Rigs Caballero <grca@google.com>
* Possible attacks and their prevention -> Preventing possible attacks Co-Authored-By: Rigs Caballero <grca@google.com>
* e.g. -> like, add a comma, split a sentence Co-Authored-By: Rigs Caballero <grca@google.com>
* the -> said Co-Authored-By: Rigs Caballero <grca@google.com>
* remove "for TLS traffic", it is clear that it is TLS traffic from TLS origination Co-Authored-By: Rigs Caballero <grca@google.com>
* monitor SNI and the service account of the source pod -> monitor SNI and the service account of the source pod's TLS traffic Co-Authored-By: Rigs Caballero <grca@google.com>
* L3 firewall -> an L3 firewall, remove parentheses, provided -> should be provided
* The L3 firewall can have -> you can configure the L3 firewall Co-Authored-By: Rigs Caballero <grca@google.com>
* from pods only -> only allow. Remove "Note that" Co-Authored-By: Rigs Caballero <grca@google.com>
* move the diagram right after its introduction
* remove parentheses Co-Authored-By: Rigs Caballero <grca@google.com>
* emphasize the label (A, B) Co-Authored-By: Rigs Caballero <grca@google.com>
* policy with regard -> policies as they regard Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about a compromised pod Co-Authored-By: Rigs Caballero <grca@google.com>
* traffic must be monitored -> traffic is monitored Co-Authored-By: Rigs Caballero <grca@google.com>
* Note that application A is allowed -> since application A is allowed Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about monitoring access of the compromised version of the application Co-Authored-By: Rigs Caballero <grca@google.com>
* split the sentence about detecting suspicious traffic Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence about thwarting the second goal of the attackers Co-Authored-By: Rigs Caballero <grca@google.com>
* Istio must enforce -> enforces, forbids access of application A -> forbids application A from accessing Co-Authored-By: Rigs Caballero <grca@google.com>
* Rewrite the sentence "let's see which attacks" Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence "I hope that" Co-Authored-By: Rigs Caballero <grca@google.com>
* in the next blog post -> in the next part Co-Authored-By: Rigs Caballero <grca@google.com>
* remove mentioning wildcard domains
* rewrite the "Secure control of egress traffic in Istio" section
* remove a leftover from suggested changes
* as they regard to egress traffic -> for egress traffic
* convert security policies into bullets
* make the labels (A,B) bold
* remove the sentences about thwarting the second goal
* rewrite the paragraph about which goals of the attackers can be thwarted
* remove a leftover from the previous changes
* such attacks -> the attacks
* rewrite the section about preventing the attacks
* secure egress traffic control -> secure control of egress traffic
* sending HTTP traffic -> sending unencrypted HTTP traffic
* define security policies -> enforce security policies
* change the publish date to July 9
* formatting Co-Authored-By: Rigs Caballero <grca@google.com>
* Kubernetes Network Policies -> Kubernetes network policies Co-Authored-By: Rigs Caballero <grca@google.com>
* [an example for Kubernetes Network Policies configuration] -> an example of the [Kubernetes Network Policies configuration] Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 1 Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 2 Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 3 Co-Authored-By: Rigs Caballero <grca@google.com>
* use proper capitalization and punctuation for bullet 4 Co-Authored-By: Rigs Caballero <grca@google.com>
* check -> verify, access the destination, mongo1, access mongo1 Co-Authored-By: Rigs Caballero <grca@google.com>
* You can thwart the third goal -> to stop attackers from Co-Authored-By: Rigs Caballero <grca@google.com>
* remove mentioning anomaly detection Co-Authored-By: Rigs Caballero <grca@google.com>
* Provide context instead of "after all" Co-Authored-By: Rigs Caballero <grca@google.com>
* split a long line Co-Authored-By: Rigs Caballero <grca@google.com>
* connect two sentences Co-Authored-By: Rigs Caballero <grca@google.com>
* First -> Next Co-Authored-By: Rigs Caballero <grca@google.com>
* use - instead of * for bulleted lists
* make the first attacker's goal a bullet Co-Authored-By: Rigs Caballero <grca@google.com>
* make the first attacker's goal a bullet (the previous commit was related to the third goal) Co-Authored-By: Rigs Caballero <grca@google.com>
* make the second attacker's goal a bullet Co-Authored-By: Rigs Caballero <grca@google.com>
* fix indentation Co-Authored-By: Rigs Caballero <grca@google.com>
* make the reference to prevention of the first goal a bullet Co-Authored-By: Rigs Caballero <grca@google.com>
* make the reference to prevention of the second goal a bullet Co-Authored-By: Rigs Caballero <grca@google.com>
* rephrase the sentence about applying additional security measures Co-Authored-By: Rigs Caballero <grca@google.com>
* remove leftover from a previous change Co-Authored-By: Rigs Caballero <grca@google.com>
* that will enforce -> to enforce Co-Authored-By: Rigs Caballero <grca@google.com>
* split long lines
* rewrite the part about increasing security of the control plane pods
* fix indentation
* fix indentation and remove a leftover from a previous change
* extend the bold font from a single word to a phrase
* rewrite the prevention of the straightforward access and the attacks
* add conclusion after the attacks part
* control planes pods -> control plane pods
* control plane -> Istio control plane
* is able to access it indistinguishable -> is indistinguishable Co-Authored-By: Rigs Caballero <grca@google.com>
* rewrite the sentence "The choice would mainly depend on" Co-Authored-By: Rigs Caballero <grca@google.com>
* insure -> ensure Co-Authored-By: Rigs Caballero <grca@google.com>
* update the publish date to 10th of July

(cherry picked from commit 24f9ca7)
The second part of splitting #3179 into three parts. Continuation of #4196.