Egress blog part 2 #4232
You are letting folks know all the things they need to do, but without a clear order or a reason why. The ultimate goal is clear, but why readers must direct TLS traffic to external services through an egress gateway in order to reach that goal, secure control of egress traffic, is not clear, for example. How do these things you want readers to do bring them closer to that secure control they want? In the previous part we tackled what the problem was. Here you are letting people know how to tackle that problem using the Istio feature.
Try introducing all these steps with a sentence like: "To securely control the egress traffic of your mesh, you must first perform the following configurations:"
That way, readers know why they are doing these things, namely, to configure the mesh to gain the secure control they seek.
@rcaballeromx I wrote this post differently: first I tell the readers what they must do, and then I explain to them how the steps they took prevent the attacks. It is like telling the reader:
The threat: The attackers want to penetrate your house.
What the reader should do: Build a high fence and lock the gate, add a surveillance system.
How it will prevent the attacks:
The issue is that for the secure control of egress traffic you apply a set of mechanisms, and together they prevent all possible attacks (that I can think of).
Number each step you want readers to take, even if the step is linking to a full task.
I would advise you against including alternative or branching paths in your blog post. Pick the best path you want readers to follow and describe that single path clearly. Adding alternative ways of reaching the same result normally confuses folks getting started who do not know how to pick a path. Usually, picking the simplest path to success is best. In this case I would just provide the link to the task on how to create a custom version of the egress gateway and remove the mention of the alternative.
@rcaballeromx I removed the mention of wildcard domains in cb851b7.
I still propose to leave two main alternatives:
Neither is better than the other; the reader should choose according to their circumstances. Each has its pros and cons.
I would suggest you make this a list of general security best practices for meshes and introduce it as such:
@rcaballeromx "Monitor the control plane more thoroughly" means more thoroughly than you monitor application pods. For example, if you perform some inspection on the application pods once a month, perform such inspection on the control plane once a week.
Since this is an example of what you described in the previous sentence, you need to let readers know how the two are linked.
@rcaballeromx it should be "an L3 firewall", right? Pronounced "an el three firewall".
Addressed in fba3171. The meaning here is that someone (the reader, the cluster provider) should apply additional security mechanisms, outside of Istio.
@rcaballeromx I do not understand this suggested change. Should I remove the sentence "Note that the Istio proxy of the egress gateway performs policy enforcement and reporting in the same way as the sidecar proxies in the application pods."?
@rcaballeromx I do not like this change:
Don't forget to provide the subject to your readers. Having a clear subject lets readers identify the actors in the narrative and helps them get immersed in that narrative. It's a great tool to make your writing more engaging.
Here the meaning is different. The attackers want to access external services directly; for that, they may try to bypass the container's sidecar proxy (they do not wish to access the container's sidecar proxy).
The security mechanisms mentioned do not help to prevent the attack; they actually prevent it. The readers might understand "help to prevent" as reducing the probability of the attack while still leaving some possibility of the attack.
@rcaballeromx "An egress Kubernetes network policy or a properly configured L3 firewall help you prevent this type of attack, as discussed earlier in the post."
This does not explain how the attack is prevented. The attack is prevented by:
"a Kubernetes Network Policy or by an L3 firewall that allow egress traffic to exit the mesh only from the egress gateway." Only from the egress gateway = not directly.
The attackers want to access the external service directly; the Kubernetes Network Policy or an L3 firewall force them to go through the gateway.
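As an added example (it is not part of the blog post or of the PR under review), the following pair of Kubernetes NetworkPolicy objects implements the constraint the comment above describes: application pods may send traffic only to other pods in the cluster, which covers DNS, the Istio control plane and the egress gateway, so an external host is reachable only from the egress gateway; the gateway pod itself may leave the cluster only on TCP 443. The namespace names (default, istio-system), the gateway label istio=egressgateway and the assumption that DNS runs as pods rather than on the host network are all assumptions of this example, not facts from the post.

```yaml
# Added example, not the blog's own configuration. Assumptions: application
# pods run in namespace "default"; the Istio egress gateway runs in
# "istio-system" with the label istio=egressgateway; cluster DNS runs as
# pods (kube-dns/CoreDNS), not on the host network.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-only-inside-cluster
  namespace: default
spec:
  podSelector: {}            # every pod in the namespace
  policyTypes:
  - Egress
  egress:
  # Allow traffic to any pod in any namespace: other mesh workloads, DNS,
  # the Istio control plane and the egress gateway are all pods. Anything
  # that is not a pod, i.e. every external IP, is denied, so a workload
  # that bypasses its sidecar still cannot reach the Internet directly.
  - to:
    - namespaceSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egressgateway-external-tls-only
  namespace: istio-system
spec:
  podSelector:
    matchLabels:
      istio: egressgateway   # assumed gateway label
  policyTypes:
  - Egress
  egress:
  # In-cluster traffic (DNS, control plane, mesh workloads).
  - to:
    - namespaceSelector: {}
  # External hosts only on TCP 443, and never the cloud metadata endpoint,
  # which a compromised gateway could otherwise use to steal node credentials.
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
    ports:
    - protocol: TCP
      port: 443
```

Two practitioner caveats: NetworkPolicy is only enforced by a CNI plugin that implements it (Calico, Cilium and similar); on a cluster without one the objects are accepted and silently do nothing, so verify by running a plain `curl https://...` from an application pod and confirming it times out while the same request routed through the egress gateway succeeds. And if DNS or any other dependency runs in the host network it is not a pod, so the first policy would block it until an explicit ipBlock rule for that address is added.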
Here the meaning is: the attackers compromise the gateway (break into it) in order to force it to send fake info.
identity support prevents this attack. In our example, attackers using service A cannot access mongo1.composedb.com thanks to our configuration.
@rcaballeromx "the attackers hope it will go undetected": the attackers cannot be so naive :) We are talking about attackers who learned how Istio works and are trying to break various Istio mechanisms.