This repository has been archived by the owner on Dec 17, 2022. It is now read-only.
Does this `istio-proxy` sidecar need this below, for example?
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-to-istiod
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          app.kubernetes.io/name: istio-controlplane # label name for istio-system namespace
    - podSelector:
        matchLabels:
          istio: pilot # label match for istiod pods
  - ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
```
And what about the fact that it sends traces to Cloud Monitoring/Trace?

Further considerations too: when I add the `IngressGateway` in front of myblog, will I need to change/restrict the `Ingress` rules, as illustrated with `productpage` in there?
For the last part with the IngressGateway, it's now taken into account since 777f26f with the addition of myblog in the ASM mesh and the new asm-ingress namespace.
I'm wondering if I could improve the `NetworkPolicies` setup with myblog: Egress is all open, could I restrict the egress wide open but just for the `istio-proxy` sidecar which needs this? But maybe not the myblog Pod? Today I use the `app=myblog` selector: https://github.com/mathieu-benoit/my-kubernetes-deployments/blob/main/namespaces/myblog/myblog/networkpolicies.yaml#L18
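How the egress rules in the policy posted in this issue are evaluated, as an added example that is not part of the original thread or the repository: two separate items under `to` are OR'ed and carry no port restriction, while a single peer holding both selectors limits egress to the istiod pods. Port 15012 (Istio's default xDS-over-TLS port), the `myblog` policy namespace and every destination below are assumptions constructed for the illustration.

```python
# Added example: matchLabels-only evaluator for NetworkPolicy egress rules.
# Namespaces, labels and destinations below are constructed sample data.

def labels_match(selector, labels):
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, dest):
    if dest["namespace"] is None:      # selector peers never match non-pod IPs
        return False
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:                 # podSelector alone: policy's own namespace only
        in_ns = dest["namespace"] == policy_ns
    else:
        in_ns = labels_match(ns_sel, dest["ns_labels"])
    return in_ns and (pod_sel is None or labels_match(pod_sel, dest["pod_labels"]))

def egress_allowed(rules, policy_ns, dest, port, protocol="TCP"):
    for rule in rules:
        to_ok = "to" not in rule or any(peer_matches(p, policy_ns, dest) for p in rule["to"])
        ports_ok = "ports" not in rule or any(
            p["port"] == port and p.get("protocol", "TCP") == protocol
            for p in rule["ports"])
        if to_ok and ports_ok:
            return True
    return False

NS_SEL = {"matchLabels": {"app.kubernetes.io/name": "istio-controlplane"}}
POD_SEL = {"matchLabels": {"istio": "pilot"}}
DNS = {"ports": [{"port": 53, "protocol": "TCP"}, {"port": 53, "protocol": "UDP"}]}

# As posted: two list items under `to` are two peers, evaluated as OR, on any port.
POSTED = [{"to": [{"namespaceSelector": NS_SEL}, {"podSelector": POD_SEL}]}, DNS]
# Variant (assumption): one peer with both selectors (AND), pinned to port 15012.
COMBINED = [{"to": [{"namespaceSelector": NS_SEL, "podSelector": POD_SEL}],
             "ports": [{"port": 15012, "protocol": "TCP"}]}, DNS]

CP = {"app.kubernetes.io/name": "istio-controlplane"}
ISTIOD = {"namespace": "istio-system", "ns_labels": CP, "pod_labels": {"istio": "pilot"}}
OTHER = {"namespace": "istio-system", "ns_labels": CP, "pod_labels": {"app": "other"}}
EXTERNAL = {"namespace": None, "ns_labels": {}, "pod_labels": {}}  # e.g. a tracing API

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("combined", COMBINED)):
        print(name,
              egress_allowed(rules, "myblog", ISTIOD, 15012),
              egress_allowed(rules, "myblog", OTHER, 8080),
              egress_allowed(rules, "myblog", EXTERNAL, 443),
              egress_allowed(rules, "myblog", EXTERNAL, 53, "UDP"))
```

In both variants the external destination on 443 is denied, because selector-based peers only ever match pods; traffic to an off-cluster endpoint needs its own rule.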