Uploaded image for project: 'Couchbase Kubernetes'
  1. Couchbase Kubernetes
  2. K8S-2139

Limit the Abilities of Istio

    XMLWordPrintable

Details

    • Task
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • not-targeted
    • operator
    • None
    • 1

    Description

      Validator can tell you off for using TLS for example.

      Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          Ascending order - Click to sort in descending order
          simon.murray Simon Murray added a comment -

          So technically you only need networkPlatform: Istio when using mTLS (a result of us needing /etc/hosts injection to avoid CBS routing things the wrong way).  You can specify this flag when using NONE and still use CB TLS for peer authentication.  I think this will be too limiting.  There is an annotation that is applied to the Operator pod that gives a hint at the true mode, but then we are tying ourselves to a 3rd party thing, and even then this isn't visible to the DAC.  For this reason, I guess I'm nervous about going further for now.  Everything is documented if you read it.

          simon.murray Simon Murray added a comment - So technically you only need networkPlatform: Istio when using mTLS (a result of us needing /etc/hosts injection to avoid CBS routing things the wrong way).  You can specify this flag when using NONE and still use CB TLS for peer authentication.  I think this will be too limiting.  There is an annotation that is applied to the Operator pod that gives a hint at the true mode, but then we are tying ourselves to a 3rd party thing, and even then this isn't visible to the DAC.  For this reason, I guess I'm nervous about going further for now.  Everything is documented if you read it.
          simon.murray Simon Murray added a comment -

          Another option is a DAC flag that tweaks what it rejects...

          simon.murray Simon Murray added a comment - Another option is a DAC flag that tweaks what it rejects...

          People

            simon.murray Simon Murray
            simon.murray Simon Murray
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:

              Gerrit Reviews

                There are no open Gerrit changes

                PagerDuty