From 6b88c096d1fb4c1bbedf62222e557a3c1d717c6a Mon Sep 17 00:00:00 2001 From: RichieEscarez Date: Wed, 30 Oct 2019 17:34:05 -0700 Subject: [PATCH 1/2] invalid since v0.8.1 fix for https://github.com/knative/docs/issues/1859 --- docs/serving/outbound-network-access.md | 104 ------------------------ 1 file changed, 104 deletions(-) delete mode 100644 docs/serving/outbound-network-access.md diff --git a/docs/serving/outbound-network-access.md b/docs/serving/outbound-network-access.md deleted file mode 100644 index 273550b646a..00000000000 --- a/docs/serving/outbound-network-access.md +++ /dev/null 
@@ -1,104 +0,0 @@ ---- -title: "Configuring outbound network access" -#linkTitle: "OPTIONAL_ALTERNATE_NAV_TITLE" -weight: 45 -type: "docs" ---- - -This guides walks you through enabling outbound network access for a Knative -app. - -Knative blocks all outbound traffic by default. To enable outbound access (when -you want to connect to the Cloud Storage API, for example), you need to change -the scope of the proxy IP range by editing the `config-network` map. - -## Determining the IP scope of your cluster - -To set the correct scope, you need to determine the IP ranges of your cluster. -The scope varies depending on your platform: - -- For Google Kubernetes Engine (GKE) run the following command to determine the - scope. Make sure to replace the variables or export these values first. - - ```shell - gcloud container clusters describe ${CLUSTER_NAME} \ - --zone=${CLUSTER_ZONE} | grep -e clusterIpv4Cidr -e servicesIpv4Cidr - ``` - -- For IBM Cloud Private run the following command: - - ```shell - cat cluster/config.yaml | grep service_cluster_ip_range - ``` - -- For IBM Cloud Kubernetes Service use - `172.30.0.0/16,172.20.0.0/16,10.10.10.0/24` -- For Azure Container Service (ACS) use `10.244.0.0/16,10.240.0.0/16` -- For Pivotal Container Service (PKS) on GCP use `10.200.0.0/16,10.100.200.0/24` -- For Minikube use `10.0.0.1/24` - -## Setting the IP scope - -The `istio.sidecar.includeOutboundIPRanges` parameter in the `config-network` -map specifies the IP ranges that Istio sidecar intercepts. To allow outbound -access, replace the default parameter value with the IP ranges of your cluster. - -Run the following command to edit the `config-network` map: - -```shell -kubectl edit configmap config-network --namespace knative-serving -``` - -Then, use an editor of your choice to change the -`istio.sidecar.includeOutboundIPRanges` parameter value from `*` to the IP range -you need. Separate multiple IP entries with a comma. 
For example: - -``` -# Please edit the object below. Lines beginning with a '#' will be ignored, -# and an empty file will abort the edit. If an error occurs while saving this file will be -# reopened with the relevant failures. -# -apiVersion: v1 -data: - istio.sidecar.includeOutboundIPRanges: '10.16.0.0/14,10.19.240.0/20' -kind: ConfigMap -metadata: - ... -``` - -By default, the `istio.sidecar.includeOutboundIPRanges` parameter is set to `*`, -which means that Istio intercepts all traffic within the cluster as well as all -traffic that is going outside the cluster. Istio blocks all traffic that is -going outside the cluster unless you create the necessary egress rules. - -When you set the parameter to a valid set of IP address ranges, Istio will no -longer intercept traffic that is going to the IP addresses outside the provided -ranges, and you don't need to specify any egress rules. - -If you omit the parameter or set it to `''`, Knative uses the value of the -`global.proxy.includeIPRanges` parameter that is provided at Istio deployment -time. In the default Knative Serving deployment, `global.proxy.includeIPRanges` -value is set to `*`. - -If an invalid value is passed, `''` is used instead. - -If you are still having trouble making off-cluster calls, you can verify that -the policy was applied to the pod running your service by checking the metadata -on the pod. Verify that the `traffic.sidecar.istio.io/includeOutboundIPRanges` -annotation matches the expected value from the config-map. - -```shell -$ kubectl get pod ${POD_NAME} --output yaml - -apiVersion: v1 -kind: Pod -metadata: - annotations: - serving.knative.dev/configurationGeneration: "2" - sidecar.istio.io/inject: "true" - ... - traffic.sidecar.istio.io/includeOutboundIPRanges: 10.16.0.0/14,10.19.240.0/20 -... -``` - - From ca03c63ea307f45411b1dd3a104a29efa5149e71 Mon Sep 17 00:00:00 2001 
From: Richie Escarez Date: Wed, 30 Oct 2019 18:04:41 -0700 Subject: [PATCH 2/2] remove references to the invalid topic --- docs/eventing/README.md | 5 ----- docs/install/README.md | 5 ++--- docs/serving/README.md | 1 - docs/serving/samples/rest-api-go/README.md | 2 -- 4 files changed, 2 insertions(+), 11 deletions(-) diff --git a/docs/eventing/README.md b/docs/eventing/README.md index 5d81a52765f..51785f76f90 100644 --- a/docs/eventing/README.md +++ b/docs/eventing/README.md @@ -96,11 +96,6 @@ Learn more about Eventing development in the Knative Eventing currently requires Knative Serving installed with either Istio version >=1.0, or Gloo version >=0.18.16. [Follow the instructions to install on the platform of your choice](../install/README.md). -Many of the sources require making outbound connections to create the event -subscription, and if you have any functions that make use of any external (to -cluster) services, you must enable it also for them to work. -[Follow the instructions to configure outbound network access](../serving/outbound-network-access.md). - ## Architecture The eventing infrastructure supports two forms of event delivery at the moment: diff --git a/docs/install/README.md b/docs/install/README.md index 386d33ab2b0..2b84775205f 100644 --- a/docs/install/README.md +++ b/docs/install/README.md 
@@ -125,12 +125,11 @@ Now you're ready to deploy an app: ## Configuring Knative Serving After your Knative installation is running, you can set up a custom domain with -a static IP address to be able to use Knative for publicly available services -and set up an Istio IP range for outbound network access: +a static IP address to be able to use Knative for publicly available services, +and set up TLS certificates to use HTTPS: - [Assign a static IP address](../serving/gke-assigning-static-ip-address.md) - [Configure a custom domain](../serving/using-a-custom-domain.md) -- [Configure outbound network access](../serving/outbound-network-access.md) - [Configuring HTTPS with a custom certificate](../serving/using-an-ssl-cert.md) ## Checking the version of your Knative Serving installation diff --git a/docs/serving/README.md b/docs/serving/README.md index f448fb384a9..ebaf1e9abca 100644 --- a/docs/serving/README.md +++ b/docs/serving/README.md @@ -74,7 +74,6 @@ in the Knative Serving repository. ## Configuration and Networking -- [Configuring outbound network access](./outbound-network-access.md) - [Configuring cluster local routes](./cluster-local-route.md) - [Using a custom domain](./using-a-custom-domain.md) - [Assigning a static IP address for Knative on Google Kubernetes Engine](./gke-assigning-static-ip-address.md) diff --git a/docs/serving/samples/rest-api-go/README.md b/docs/serving/samples/rest-api-go/README.md index 50c30bda969..7e736c66118 100644 --- a/docs/serving/samples/rest-api-go/README.md +++ b/docs/serving/samples/rest-api-go/README.md 
@@ -16,8 +16,6 @@ like `AAPL`,`AMZN`, `GOOG`, `MSFT`, etc. or higher installed. 1. [Docker](https://docs.docker.com/get-started/#prepare-your-docker-environment) installed locally. -1. [Outbound network access](../../outbound-network-access.md) enabled for this - Service to make external API requests. 1. `envsubst` installed locally. This is installed by the `gettext` package. If not installed it can be installed by a Linux package manager, or by [Homebrew](https://brew.sh/) on OS X.
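Review bot: the deletion of docs/serving/outbound-network-access.md in [PATCH 1/2] removes the only description of what `istio.sidecar.includeOutboundIPRanges` defaults to (`*`, with Istio blocking traffic leaving the cluster unless egress rules exist) and does not record what applies from v0.8.1 on. The commit message says only "invalid since v0.8.1". Please state there, or in a short stub left at this path, whether the `config-network` key is still read and what the egress behaviour is now, so operators who narrowed the range know whether their setting still takes effect. A stub would also keep existing links to this page from breaking.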
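Review bot: in the docs/eventing/README.md hunk (@@ -96,11 +96,6), the removed paragraph was the only place that told readers many sources make outbound connections to create the event subscription. The link is dead after [PATCH 1/2], but nothing in this patch shows the requirement itself is obsolete. Consider keeping the first sentence without the link, or replacing it with one sentence saying no extra egress configuration is needed, whichever holds for v0.8.1 and later.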
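Review bot: in the docs/install/README.md hunk (@@ -125,12 +125,11), the rewritten intro now says "set up TLS certificates to use HTTPS", while the bullet it points to is titled "Configuring HTTPS with a custom certificate" and is the only gerund among imperative bullets ("Assign", "Configure"). Since this sentence is being touched anyway, align the bullet with it, for example "Configure HTTPS with a custom certificate", so the list reads consistently with the sentence that introduces it.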
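Review bot: in the docs/serving/samples/rest-api-go/README.md hunk (@@ -16,8 +16,6), the prerequisite is dropped outright even though the removed text itself says this Service makes external API requests. A reader whose cluster restricts egress gets no hint from the prerequisites that the sample depends on it. Suggest keeping a link-free item in the same `1.` list style, such as "Outbound network access from the cluster, so this Service can make external API requests."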