diff --git a/samples/bookinfo/policy/mixer-rule-deny-ip-crd.yaml b/samples/bookinfo/policy/mixer-rule-deny-ip-crd.yaml new file mode 100644 index 000000000000..63fc5e61c671 --- /dev/null +++ b/samples/bookinfo/policy/mixer-rule-deny-ip-crd.yaml @@ -0,0 +1,29 @@ +apiVersion: config.istio.io/v1alpha2 +kind: listchecker +metadata: + name: whitelistip +spec: + # providerUrl: ordinarily black and white lists are maintained + # externally and fetched asynchronously using the providerUrl. + overrides: ["10.57.0.0/16"] # overrides provide a static list + blacklist: false + entryType: IP_ADDRESSES +--- +apiVersion: config.istio.io/v1alpha2 +kind: listentry +metadata: + name: sourceip +spec: + value: source.ip | ip("0.0.0.0") +--- +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: checkip +spec: + match: source.labels["istio"] == "ingressgateway" + actions: + - handler: whitelistip.listchecker + instances: + - sourceip.listentry +--- diff --git a/samples/bookinfo/policy/mixer-rule-deny-ip.yaml b/samples/bookinfo/policy/mixer-rule-deny-ip.yaml new file mode 100644 index 000000000000..b771fd61bcea --- /dev/null +++ b/samples/bookinfo/policy/mixer-rule-deny-ip.yaml @@ -0,0 +1,32 @@ +apiVersion: config.istio.io/v1alpha2 +kind: handler +metadata: + name: whitelistip +spec: + compiledAdapter: listchecker + params: + # providerUrl: ordinarily black and white lists are maintained + # externally and fetched asynchronously using the providerUrl. + overrides: ["10.57.0.0/16"] # overrides provide a static list + blacklist: false + entryType: IP_ADDRESSES +--- +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + name: sourceip +spec: + compiledTemplate: listentry + params: + value: source.ip | ip("0.0.0.0") +--- +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: checkip +spec: + match: source.labels["istio"] == "ingressgateway" + actions: + - handler: whitelistip + instances: [ sourceip ] +--- 
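Review bot: The allow-list in mixer-rule-deny-ip.yaml compares `source.ip` for requests matching `source.labels["istio"] == "ingressgateway"`, and nothing here says where that address comes from; if the gateway sits behind a load balancer, or the value is derived from a forwarded header, the check runs against the wrong or a client-chosen address rather than the real client. The fallback `ip("0.0.0.0")` is outside `10.57.0.0/16`, so a missing attribute is denied, which is the right direction but is not stated anywhere. I would document both on the instance: `value: source.ip | ip("0.0.0.0")  # 0.0.0.0 is outside the allowed range, so a missing source.ip is denied (fail closed); only trust this when source.ip is the real client address, not an LB or XFF-derived one`. The -crd variant above carries the same expression and would take the same comment.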
diff --git a/samples/bookinfo/policy/mixer-rule-deny-label-crd.yaml b/samples/bookinfo/policy/mixer-rule-deny-label-crd.yaml new file mode 100644 index 000000000000..249d505bdba8 --- /dev/null +++ b/samples/bookinfo/policy/mixer-rule-deny-label-crd.yaml @@ -0,0 +1,24 @@ +apiVersion: "config.istio.io/v1alpha2" +kind: denier +metadata: + name: denyreviewsv3handler +spec: + status: + code: 7 + message: Not allowed +--- +apiVersion: "config.istio.io/v1alpha2" +kind: checknothing +metadata: + name: denyreviewsv3request +spec: +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: denyreviewsv3 +spec: + match: destination.labels["app"] == "ratings" && source.labels["app"]=="reviews" && source.labels["version"] == "v3" + actions: + - handler: denyreviewsv3handler.denier + instances: [ denyreviewsv3request.checknothing ] diff --git a/samples/bookinfo/policy/mixer-rule-deny-label.yaml b/samples/bookinfo/policy/mixer-rule-deny-label.yaml index 249d505bdba8..0d1e85ee8bf9 100644 --- a/samples/bookinfo/policy/mixer-rule-deny-label.yaml +++ b/samples/bookinfo/policy/mixer-rule-deny-label.yaml @@ -1,17 +1,20 @@ apiVersion: "config.istio.io/v1alpha2" -kind: denier +kind: handler metadata: name: denyreviewsv3handler spec: - status: - code: 7 - message: Not allowed + compiledAdapter: denier + params: + status: + code: 7 + message: Not allowed --- apiVersion: "config.istio.io/v1alpha2" -kind: checknothing +kind: instance metadata: name: denyreviewsv3request spec: + compiledTemplate: checknothing --- apiVersion: "config.istio.io/v1alpha2" kind: rule @@ -20,5 +23,5 @@ metadata: spec: match: destination.labels["app"] == "ratings" && source.labels["app"]=="reviews" && source.labels["version"] == "v3" actions: - - handler: denyreviewsv3handler.denier - instances: [ denyreviewsv3request.checknothing ] + - handler: denyreviewsv3handler + instances: [ denyreviewsv3request ] 
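Review bot: `code: 7` in the denier params of mixer-rule-deny-label.yaml is a bare magic number; it is the gRPC PERMISSION_DENIED code and deserves a comment, `code: 7  # gRPC PERMISSION_DENIED`. The rule's match keys entirely on pod labels (`source.labels["app"]`, `source.labels["version"]`), so it gates on workload metadata rather than identity: anyone who can create or relabel pods in the source namespace can step around it simply by not carrying `version: v3`. That is fine for a traffic-shaping sample, but a comment saying so, or a note that an identity check would use `source.principal` (which the sni-serviceaccount sample in this same change relies on and which presumably needs mTLS to be populated), would stop readers from copying this as an access-control pattern.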
diff --git a/samples/bookinfo/policy/mixer-rule-deny-whitelist-crd.yaml b/samples/bookinfo/policy/mixer-rule-deny-whitelist-crd.yaml new file mode 100644 index 000000000000..7486e6ea2756 --- /dev/null +++ b/samples/bookinfo/policy/mixer-rule-deny-whitelist-crd.yaml @@ -0,0 +1,28 @@ +apiVersion: config.istio.io/v1alpha2 +kind: listchecker +metadata: + name: whitelist +spec: + # providerUrl: ordinarily black and white lists are maintained + # externally and fetched asynchronously using the providerUrl. + overrides: ["v1", "v2"] # overrides provide a static list + blacklist: false +--- +apiVersion: config.istio.io/v1alpha2 +kind: listentry +metadata: + name: appversion +spec: + value: source.labels["version"] +--- +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: checkversion +spec: + match: destination.labels["app"] == "ratings" + actions: + - handler: whitelist.listchecker + instances: + - appversion.listentry +--- diff --git a/samples/bookinfo/policy/mixer-rule-deny-whitelist.yaml b/samples/bookinfo/policy/mixer-rule-deny-whitelist.yaml new file mode 100644 index 000000000000..4c51279ca5fb --- /dev/null +++ b/samples/bookinfo/policy/mixer-rule-deny-whitelist.yaml @@ -0,0 +1,31 @@ +apiVersion: config.istio.io/v1alpha2 +kind: handler +metadata: + name: whitelist +spec: + compiledAdapter: listchecker + params: + # providerUrl: ordinarily black and white lists are maintained + # externally and fetched asynchronously using the providerUrl. + overrides: ["v1", "v2"] # overrides provide a static list + blacklist: false +--- +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + name: appversion +spec: + compiledTemplate: listentry + params: + value: source.labels["version"] +--- +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: checkversion +spec: + match: destination.labels["app"] == "ratings" + actions: + - handler: whitelist + instances: [ appversion ] +--- 
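Review bot: `value: source.labels["version"]` in the appversion instance has no default, unlike the `| ip("0.0.0.0")` fallback used in the IP sample of this same change. When a caller carries no `version` label the expression cannot be evaluated, and what happens then is decided by Mixer's error handling and the proxy's fail-open setting rather than by this allow-list, so the outcome is not visible from this file. Giving it an explicit fallback makes a missing label a definite non-member that the `["v1", "v2"]` override list rejects: `value: source.labels["version"] | ""`. The -crd variant above has the same gap.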
diff --git a/samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml b/samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml
index 8be170a53722..5b2233bbc31e 100644
--- a/samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml
+++ b/samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml
@@ -1,46 +1,50 @@ -apiVersion: "config.istio.io/v1alpha2" -kind: memquota +apiVersion: config.istio.io/v1alpha2 +kind: handler metadata: - name: handler + name: quotahandler namespace: istio-system spec: - quotas: - - name: requestcount.quota.istio-system - maxAmount: 500 - validDuration: 1s - # The first matching override is applied. - # A requestcount instance is checked against override dimensions. - overrides: - # The following override applies to 'reviews' regardless - # of the source. - - dimensions: - destination: reviews - maxAmount: 1 - validDuration: 5s - # The following override applies to 'productpage' when - # the source is a specific ip address. - - dimensions: - destination: productpage - source: "10.28.11.20" + compiledAdapter: memquota + params: + quotas: + - name: requestcountquota.instance.istio-system maxAmount: 500 validDuration: 1s - # The following override applies to 'productpage' regardless - # of the source. - - dimensions: - destination: productpage - maxAmount: 2 - validDuration: 5s + # The first matching override is applied. + # A requestcount instance is checked against override dimensions. + overrides: + # The following override applies to 'reviews' regardless + # of the source. + - dimensions: + destination: reviews + maxAmount: 1 + validDuration: 5s + # The following override applies to 'productpage' when + # the source is a specific ip address. + - dimensions: + destination: productpage + source: "10.28.11.20" + maxAmount: 500 + validDuration: 1s + # The following override applies to 'productpage' regardless + # of the source. 
+ - dimensions: + destination: productpage + maxAmount: 2 + validDuration: 5s --- -apiVersion: "config.istio.io/v1alpha2" -kind: quota +apiVersion: config.istio.io/v1alpha2 +kind: instance metadata: - name: requestcount + name: requestcountquota namespace: istio-system spec: - dimensions: - source: request.headers["x-forwarded-for"] | "unknown" - destination: destination.labels["app"] | destination.service.name | "unknown" - destinationVersion: destination.labels["version"] | "unknown" + compiledTemplate: quota + params: + dimensions: + source: request.headers["x-forwarded-for"] | "unknown" + destination: destination.labels["app"] | destination.service.name | "unknown" + destinationVersion: destination.labels["version"] | "unknown" --- apiVersion: config.istio.io/v1alpha2 kind: QuotaSpec @@ -51,7 +55,7 @@ spec: rules: - quotas: - charge: 1 - quota: requestcount + quota: requestcountquota --- apiVersion: config.istio.io/v1alpha2 kind: QuotaSpecBinding @@ -76,6 +80,6 @@ spec: # quota only applies if you are not logged in. # match: match(request.headers["cookie"], "user=*") == false actions: - - handler: handler.memquota + - handler: quotahandler instances: - - requestcount.quota + - requestcountquota diff --git a/samples/bookinfo/policy/mixer-rule-productpage-redis-quota-rolling-window.yaml b/samples/bookinfo/policy/mixer-rule-productpage-redis-quota-rolling-window.yaml new file mode 100644 index 000000000000..ec524b93dbd6 --- /dev/null +++ b/samples/bookinfo/policy/mixer-rule-productpage-redis-quota-rolling-window.yaml 
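Review bot: The quota's `source` dimension is `request.headers["x-forwarded-for"] | "unknown"`, a header the client can set, and the handler's override `source: "10.28.11.20"` grants 500 requests/s on productpage to exactly that value, so a client sending `X-Forwarded-For: 10.28.11.20` gets the relaxed limit and one that rotates the header gets a fresh 2-per-5s bucket for every new value. Whether that is exploitable depends on the ingress gateway overwriting the header before it reaches Mixer, which this file does not show. Either key the dimension on an attribute the proxy fills in itself, or document the trust assumption on the instance: `source: request.headers["x-forwarded-for"] | "unknown"  # client-controlled unless the ingress proxy rewrites XFF; a forged value selects the handler override`.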
@@ -0,0 +1,87 @@ +apiVersion: config.istio.io/v1alpha2 +kind: handler +metadata: + name: redishandler + namespace: istio-system +spec: + compiledAdapter: redisquota + params: + redisServerUrl: redis-release-master:6379 + connectionPoolSize: 10 + quotas: + - name: requestcountquota.instance.istio-system + maxAmount: 500 + validDuration: 1s + bucketDuration: 500ms + rateLimitAlgorithm: ROLLING_WINDOW + # The first matching override is applied. + # A requestcount instance is checked against override dimensions. + overrides: + # The following override applies to 'reviews' regardless + # of the source. + - dimensions: + destination: reviews + maxAmount: 1 + # The following override applies to 'productpage' when + # the source is a specific ip address. + - dimensions: + destination: productpage + source: "10.28.11.20" + maxAmount: 500 + # The following override applies to 'productpage' regardless + # of the source. + - dimensions: + destination: productpage + maxAmount: 2 +--- +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + name: requestcountquota + namespace: istio-system +spec: + compiledTemplate: quota + params: + dimensions: + source: request.headers["x-forwarded-for"] | "unknown" + destination: destination.labels["app"] | destination.workload.name | "unknown" + destinationVersion: destination.labels["version"] | "unknown" +--- +apiVersion: config.istio.io/v1alpha2 +kind: QuotaSpec +metadata: + name: request-count + namespace: istio-system +spec: + rules: + - quotas: + - charge: 1 + quota: requestcountquota +--- +apiVersion: config.istio.io/v1alpha2 +kind: QuotaSpecBinding +metadata: + name: request-count + namespace: istio-system +spec: + quotaSpecs: + - name: request-count + namespace: istio-system + services: + - name: productpage + namespace: default + # - service: '*' # Uncomment this to bind *all* services to request-count +--- +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: quota + namespace: istio-system +spec: + # 
quota only applies if you are not logged in. + # match: match(request.headers["cookie"], "session=*") == false + actions: + - handler: redishandler + instances: + - requestcountquota +--- diff --git a/samples/bookinfo/telemetry/fluentd-istio-crd.yaml b/samples/bookinfo/telemetry/fluentd-istio-crd.yaml new file mode 100644 index 000000000000..4df061e6bca9 --- /dev/null +++ b/samples/bookinfo/telemetry/fluentd-istio-crd.yaml @@ -0,0 +1,40 @@ +# Configuration for logentry instances +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: newlog + namespace: istio-system +spec: + severity: '"info"' + timestamp: request.time + variables: + source: source.labels["app"] | source.workload.name | "unknown" + user: source.user | "unknown" + destination: destination.labels["app"] | destination.workload.name | "unknown" + responseCode: response.code | 0 + responseSize: response.size | 0 + latency: response.duration | "0ms" + monitored_resource_type: '"UNSPECIFIED"' +--- +# Configuration for a Fluentd handler +apiVersion: "config.istio.io/v1alpha2" +kind: fluentd +metadata: + name: handler + namespace: istio-system +spec: + address: "fluentd-es.logging:24224" +--- +# Rule to send logentry instances to the Fluentd handler +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: newlogtofluentd + namespace: istio-system +spec: + match: "true" # match for all requests + actions: + - handler: handler.fluentd + instances: + - newlog.logentry +--- diff --git a/samples/bookinfo/telemetry/fluentd-istio.yaml b/samples/bookinfo/telemetry/fluentd-istio.yaml new file mode 100644 index 000000000000..c416f31b8e57 --- /dev/null +++ b/samples/bookinfo/telemetry/fluentd-istio.yaml 
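Review bot: `redisServerUrl: redis-release-master:6379` in the redishandler is the only connection setting given; no credentials or TLS parameters appear, so as written the Mixer-to-Redis link is presumably plaintext and unauthenticated, and anything in the cluster that can reach that service can read, reset or inflate the counters that enforce this limit. Because that state is presumably shared across Mixer replicas (the reason for using Redis over memquota), tampering affects every replica at once. I would at least mark the assumption on the handler: `redisServerUrl: redis-release-master:6379  # no auth/TLS configured here; restrict who can reach this Redis (e.g. NetworkPolicy) before relying on the limit`. The `x-forwarded-for` source dimension further down carries the same client-controlled-key concern as the memquota sample.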
@@ -0,0 +1,44 @@ +# Configuration for logentry instances +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + name: newlog + namespace: istio-system +spec: + compiledTemplate: logentry + params: + severity: '"info"' + timestamp: request.time + variables: + source: source.labels["app"] | source.workload.name | "unknown" + user: source.user | "unknown" + destination: destination.labels["app"] | destination.workload.name | "unknown" + responseCode: response.code | 0 + responseSize: response.size | 0 + latency: response.duration | "0ms" + monitored_resource_type: '"UNSPECIFIED"' +--- +# Configuration for a Fluentd handler +apiVersion: config.istio.io/v1alpha2 +kind: handler +metadata: + name: handler + namespace: istio-system +spec: + compiledAdapter: fluentd + params: + address: "fluentd-es.logging:24224" +--- +# Rule to send logentry instances to the Fluentd handler +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: newlogtofluentd + namespace: istio-system +spec: + match: "true" # match for all requests + actions: + - handler: handler + instances: + - newlog +--- diff --git a/samples/bookinfo/telemetry/log-entry-crd.yaml b/samples/bookinfo/telemetry/log-entry-crd.yaml new file mode 100644 index 000000000000..d439676df532 --- /dev/null +++ b/samples/bookinfo/telemetry/log-entry-crd.yaml 
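Review bot: The fluentd handler is configured with only `address: "fluentd-es.logging:24224"`, and the newlog instance it receives includes `user: source.user | "unknown"` plus source and destination names for every request (`match: "true"`). No transport protection is configured on this side, so unless the Fluentd endpoint itself enforces TLS or a shared key, principal-bearing log data crosses the cluster in the clear and the collector accepts entries from anyone who can reach port 24224. A comment on the handler would make the assumption explicit: `address: "fluentd-es.logging:24224"  # plain forward protocol; entries carry source.user - secure this hop (TLS/shared key on fluentd or a NetworkPolicy)`. The -crd variant on the previous line has the same shape.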
@@ -0,0 +1,42 @@ +# Configuration for logentry instances +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: newlog + namespace: istio-system +spec: + severity: '"warning"' + timestamp: request.time + variables: + source: source.labels["app"] | source.workload.name | "unknown" + user: source.user | "unknown" + destination: destination.labels["app"] | destination.workload.name | "unknown" + responseCode: response.code | 0 + responseSize: response.size | 0 + latency: response.duration | "0ms" + monitored_resource_type: '"UNSPECIFIED"' +--- +# Configuration for a stdio handler +apiVersion: "config.istio.io/v1alpha2" +kind: stdio +metadata: + name: newloghandler + namespace: istio-system +spec: + severity_levels: + warning: 1 # Params.Level.WARNING + outputAsJson: true +--- +# Rule to send logentry instances to a stdio handler +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: newlogstdio + namespace: istio-system +spec: + match: "true" # match for all requests + actions: + - handler: newloghandler.stdio + instances: + - newlog.logentry +--- diff --git a/samples/bookinfo/telemetry/log-entry.yaml b/samples/bookinfo/telemetry/log-entry.yaml new file mode 100644 index 000000000000..43f47e7644cf --- /dev/null +++ b/samples/bookinfo/telemetry/log-entry.yaml 
@@ -0,0 +1,46 @@ +# Configuration for logentry instances +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + name: newlog + namespace: istio-system +spec: + compiledTemplate: logentry + params: + severity: '"warning"' + timestamp: request.time + variables: + source: source.labels["app"] | source.workload.name | "unknown" + user: source.user | "unknown" + destination: destination.labels["app"] | destination.workload.name | "unknown" + responseCode: response.code | 0 + responseSize: response.size | 0 + latency: response.duration | "0ms" + monitored_resource_type: '"UNSPECIFIED"' +--- +# Configuration for a stdio handler +apiVersion: config.istio.io/v1alpha2 +kind: handler +metadata: + name: newloghandler + namespace: istio-system +spec: + compiledAdapter: stdio + params: + severity_levels: + warning: 1 # Params.Level.WARNING + outputAsJson: true +--- +# Rule to send logentry instances to a stdio handler +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: newlogstdio + namespace: istio-system +spec: + match: "true" # match for all requests + actions: + - handler: newloghandler + instances: + - newlog +--- diff --git a/samples/bookinfo/policy/mixer-rule-additional-telemetry.yaml b/samples/bookinfo/telemetry/metrics-crd.yaml similarity index 66% rename from samples/bookinfo/policy/mixer-rule-additional-telemetry.yaml rename to samples/bookinfo/telemetry/metrics-crd.yaml index 0ef6853a0a95..faf627196471 100644 --- a/samples/bookinfo/policy/mixer-rule-additional-telemetry.yaml +++ b/samples/bookinfo/telemetry/metrics-crd.yaml 
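Review bot: `latency: response.duration | "0ms"` in the newlog instance fills a missing attribute with a value that is indistinguishable from a genuine zero-millisecond response, whereas the other fallbacks on the same instance (`"unknown"`, `responseCode: response.code | 0`) are recognizable sentinels. Since the fallback has to be a duration, the fix is documentation rather than a different value: `latency: response.duration | "0ms"  # 0ms also means response.duration was unavailable`. The same line appears in the -crd variant above and in both fluentd samples.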
@@ -15,31 +15,29 @@ spec: --- # Configuration for a Prometheus handler apiVersion: "config.istio.io/v1alpha2" -kind: handler +kind: prometheus metadata: - name: prometheusdouble + name: doublehandler namespace: istio-system spec: - compiledAdapter: prometheus - params: - metrics: - - name: double_request_count # Prometheus metric name - instance_name: doublerequestcount.metric.istio-system # Mixer instance name (fully-qualified) - kind: COUNTER - label_names: - - reporter - - source - - destination - - message + metrics: + - name: double_request_count # Prometheus metric name + instance_name: doublerequestcount.metric.istio-system # Mixer instance name (fully-qualified) + kind: COUNTER + label_names: + - reporter + - source + - destination + - message --- # Rule to send metric instances to a Prometheus handler apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: - name: doublepromtwo + name: doubleprom namespace: istio-system spec: actions: - - handler: prometheusdouble + - handler: doublehandler.prometheus instances: - doublerequestcount.metric diff --git a/samples/bookinfo/telemetry/metrics.yaml b/samples/bookinfo/telemetry/metrics.yaml new file mode 100644 index 000000000000..45d9877e38d1 --- /dev/null +++ b/samples/bookinfo/telemetry/metrics.yaml 
@@ -0,0 +1,46 @@ +# Configuration for metric instances +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + name: doublerequestcount + namespace: istio-system +spec: + compiledTemplate: metric + params: + value: "2" # count each request twice + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "client", "server") + source: source.workload.name | "unknown" + destination: destination.workload.name | "unknown" + message: '"twice the fun!"' + monitored_resource_type: '"UNSPECIFIED"' +--- +# Configuration for a Prometheus handler +apiVersion: config.istio.io/v1alpha2 +kind: handler +metadata: + name: doublehandler + namespace: istio-system +spec: + compiledAdapter: prometheus + params: + metrics: + - name: double_request_count # Prometheus metric name + instance_name: doublerequestcount.instance.istio-system # Mixer instance name (fully-qualified) + kind: COUNTER + label_names: + - reporter + - source + - destination + - message +--- +# Rule to send metric instances to a Prometheus handler +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: doubleprom + namespace: istio-system +spec: + actions: + - handler: doublehandler + instances: [ doublerequestcount ] diff --git a/samples/bookinfo/telemetry/tcp-metrics-crd.yaml b/samples/bookinfo/telemetry/tcp-metrics-crd.yaml new file mode 100644 index 000000000000..36ba5ecbaf5f --- /dev/null +++ b/samples/bookinfo/telemetry/tcp-metrics-crd.yaml 
@@ -0,0 +1,67 @@ +# Configuration for a metric measuring bytes sent from a server +# to a client +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: mongosentbytes + namespace: default +spec: + value: connection.sent.bytes | 0 # uses a TCP-specific attribute + dimensions: + source_service: source.workload.name | "unknown" + source_version: source.labels["version"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + monitoredResourceType: '"UNSPECIFIED"' +--- +# Configuration for a metric measuring bytes sent from a client +# to a server +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: mongoreceivedbytes + namespace: default +spec: + value: connection.received.bytes | 0 # uses a TCP-specific attribute + dimensions: + source_service: source.workload.name | "unknown" + source_version: source.labels["version"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + monitoredResourceType: '"UNSPECIFIED"' +--- +# Configuration for a Prometheus handler +apiVersion: "config.istio.io/v1alpha2" +kind: prometheus +metadata: + name: mongohandler + namespace: default +spec: + metrics: + - name: mongo_sent_bytes # Prometheus metric name + instance_name: mongosentbytes.metric.default # Mixer instance name (fully-qualified) + kind: COUNTER + label_names: + - source_service + - source_version + - destination_version + - name: mongo_received_bytes # Prometheus metric name + instance_name: mongoreceivedbytes.metric.default # Mixer instance name (fully-qualified) + kind: COUNTER + label_names: + - source_service + - source_version + - destination_version +--- +# Rule to send metric instances to a Prometheus handler +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: mongoprom + namespace: default +spec: + match: context.protocol == "tcp" + && destination.service.host == "mongodb.default.svc.cluster.local" + actions: + - handler: mongohandler.prometheus + instances: + - 
mongoreceivedbytes.metric + - mongosentbytes.metric diff --git a/samples/bookinfo/telemetry/tcp-metrics.yaml b/samples/bookinfo/telemetry/tcp-metrics.yaml new file mode 100644 index 000000000000..817507b4461a --- /dev/null +++ b/samples/bookinfo/telemetry/tcp-metrics.yaml 
@@ -0,0 +1,73 @@ +# Configuration for a metric measuring bytes sent from a server +# to a client +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + name: mongosentbytes + namespace: default +spec: + compiledTemplate: metric + params: + value: connection.sent.bytes | 0 # uses a TCP-specific attribute + dimensions: + source_service: source.workload.name | "unknown" + source_version: source.labels["version"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + monitoredResourceType: '"UNSPECIFIED"' +--- +# Configuration for a metric measuring bytes sent from a client +# to a server +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + name: mongoreceivedbytes + namespace: default +spec: + compiledTemplate: metric + params: + value: connection.received.bytes | 0 # uses a TCP-specific attribute + dimensions: + source_service: source.workload.name | "unknown" + source_version: source.labels["version"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + monitoredResourceType: '"UNSPECIFIED"' +--- +# Configuration for a Prometheus handler +apiVersion: config.istio.io/v1alpha2 +kind: handler +metadata: + name: mongohandler + namespace: default +spec: + compiledAdapter: prometheus + params: + metrics: + - name: mongo_sent_bytes # Prometheus metric name + instance_name: mongosentbytes.instance.default # Mixer instance name (fully-qualified) + kind: COUNTER + label_names: + - source_service + - source_version + - destination_version + - name: mongo_received_bytes # Prometheus metric name + instance_name: mongoreceivedbytes.instance.default # Mixer instance name (fully-qualified) + kind: COUNTER + label_names: + - source_service + - source_version + - destination_version +--- +# Rule to send metric instances to a Prometheus handler +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: mongoprom + namespace: default +spec: + match: context.protocol == "tcp" + && 
destination.service.host == "mongodb.default.svc.cluster.local" + actions: + - handler: mongohandler + instances: + - mongoreceivedbytes + - mongosentbytes diff --git a/samples/sleep/policy/sni-serviceaccount.yaml b/samples/sleep/policy/sni-serviceaccount.yaml new file mode 100644 index 000000000000..7e77f493afab --- /dev/null +++ b/samples/sleep/policy/sni-serviceaccount.yaml @@ -0,0 +1,55 @@ +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + name: requested-server-name + namespace: istio-system +spec: + compiledTemplate: listentry + params: + value: connection.requested_server_name +--- +apiVersion: config.istio.io/v1alpha2 +kind: handler +metadata: + name: us-wikipedia-checker + namespace: istio-system +spec: + compiledAdapter: listchecker + params: + overrides: ["en.wikipedia.org", "es.wikipedia.org"] + blacklist: false +--- +# Rule to check access to *.wikipedia.org +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: check-us-wikipedia-access + namespace: istio-system +spec: + match: source.labels["app"] == "istio-egressgateway-with-sni-proxy" && destination.labels["app"] == "" && source.principal == "cluster.local/ns/default/sa/sleep-us" + actions: + - handler: us-wikipedia-checker + instances: [ requested-server-name ] +--- +apiVersion: config.istio.io/v1alpha2 +kind: handler +metadata: + name: canada-wikipedia-checker + namespace: istio-system +spec: + compiledAdapter: listchecker + params: + overrides: ["en.wikipedia.org", "fr.wikipedia.org"] + blacklist: false +--- +# Rule to check access to *.wikipedia.org +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: check-canada-wikipedia-access + namespace: istio-system +spec: + match: source.labels["app"] == "istio-egressgateway-with-sni-proxy" && destination.labels["app"] == "" && source.principal == "cluster.local/ns/default/sa/sleep-canada" + actions: + - handler: canada-wikipedia-checker + instances: [ requested-server-name ] 
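Review bot: Both rules in sni-serviceaccount.yaml fire only when `source.principal` equals one specific service account, so a request from the SNI egress gateway on behalf of any other principal, or one where `source.principal` is unset because the gateway received no mTLS identity, matches neither rule and reaches no listchecker at all. Nothing in this file denies that case, and as far as I know Mixer treats a check with no matching rule as allowed, which makes these per-account allow-lists opt-in rather than enforced. I would add a catch-all denier rule for gateway traffic whose principal is not one of the listed accounts, reusing the denier/checknothing pattern from mixer-rule-deny-label.yaml in this same change; the exact form of the negated comparison, and whether `source.principal` needs a `| ""` fallback to evaluate when absent, should be checked against the attribute-expression grammar.
```yaml
# Catch-all: gateway traffic from any principal not covered by the two
# allow-list rules above gets no check at all, so deny it explicitly.
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: deny-unlisted-principal
  namespace: istio-system
spec:
  compiledAdapter: denier
  params:
    status:
      code: 7  # gRPC PERMISSION_DENIED
      message: Not allowed
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: deny-unlisted-principal-request
  namespace: istio-system
spec:
  compiledTemplate: checknothing
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: deny-unlisted-principal
  namespace: istio-system
spec:
  # verify this expression form against the Mixer expression grammar
  match: source.labels["app"] == "istio-egressgateway-with-sni-proxy" && destination.labels["app"] == "" && (source.principal | "") != "cluster.local/ns/default/sa/sleep-us" && (source.principal | "") != "cluster.local/ns/default/sa/sleep-canada"
  actions:
  - handler: deny-unlisted-principal
    instances: [ deny-unlisted-principal-request ]
```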
diff --git a/samples/sleep/policy/sni-wikipedia.yaml b/samples/sleep/policy/sni-wikipedia.yaml new file mode 100644 index 000000000000..43fe491c80fc --- /dev/null +++ b/samples/sleep/policy/sni-wikipedia.yaml @@ -0,0 +1,32 @@ +apiVersion: config.istio.io/v1alpha2 +kind: handler +metadata: + name: wikipedia-checker + namespace: istio-system +spec: + compiledAdapter: listchecker + params: + overrides: ["en.wikipedia.org"] # overrides provide a static list + blacklist: true +--- +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + name: requested-server-name + namespace: istio-system +spec: + compiledTemplate: listentry + params: + value: connection.requested_server_name +--- +# Rule to check access to *.wikipedia.org +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: check-wikipedia-access + namespace: istio-system +spec: + match: source.labels["app"] == "istio-egressgateway-with-sni-proxy" && destination.labels["app"] == "" + actions: + - handler: wikipedia-checker + instances: [ requested-server-name ] diff --git a/samples/sleep/telemetry/sni-logging.yaml b/samples/sleep/telemetry/sni-logging.yaml new file mode 100644 index 000000000000..cf1c89ae2b16 --- /dev/null +++ b/samples/sleep/telemetry/sni-logging.yaml 
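Review bot: The wikipedia-checker handler is a blocklist (`blacklist: true`) holding the single exact string `en.wikipedia.org`, while the rule comment says it checks access to `*.wikipedia.org`; as configured it blocks only that one server name and lets every other subdomain, and any variant the adapter does not treat as equal, through. A blocklist also fails open for anything unlisted, which is the opposite of the allow-list approach sni-serviceaccount.yaml takes for the same gateway. Either correct the comment to `# Rule to block access to en.wikipedia.org only (exact-match blocklist; other subdomains pass)` or, if the listchecker's pattern entry type is available in this version, switch to an entry covering the whole domain. It is also worth noting in the file that `connection.requested_server_name` is whatever the client put in its ClientHello, so the check is only meaningful if the SNI proxy forwards to exactly that name.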
@@ -0,0 +1,45 @@ +# Log entry for egress access +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + name: egress-access + namespace: istio-system +spec: + compiledTemplate: logentry + params: + severity: '"info"' + timestamp: context.time | timestamp("2017-01-01T00:00:00Z") + variables: + connectionEvent: connection.event | "" + source: source.labels["app"] | "unknown" + sourceNamespace: source.namespace | "unknown" + sourceWorkload: source.workload.name | "" + sourcePrincipal: source.principal | "unknown" + requestedServerName: connection.requested_server_name | "unknown" + destinationApp: destination.labels["app"] | "" + monitored_resource_type: '"UNSPECIFIED"' +--- +# Handler for info egress access entries +apiVersion: config.istio.io/v1alpha2 +kind: handler +metadata: + name: egress-access-logger + namespace: istio-system +spec: + compiledAdapter: stdio + params: + severity_levels: + info: 0 # output log level as info + outputAsJson: true +--- +# Rule to handle access to *.wikipedia.org +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: handle-wikipedia-access + namespace: istio-system +spec: + match: source.labels["app"] == "istio-egressgateway-with-sni-proxy" && destination.labels["app"] == "" && connection.event == "open" + actions: + - handler: egress-access-logger + instances: [ egress-access ] diff --git a/tests/e2e/tests/mixer/mixer_test.go b/tests/e2e/tests/mixer/mixer_test.go index 82aec6c2347e..251b9c0bc1d9 100644 --- a/tests/e2e/tests/mixer/mixer_test.go +++ b/tests/e2e/tests/mixer/mixer_test.go @@ -93,7 +93,7 @@ var ( rateLimitRule = "mixer-rule-ratings-ratelimit" denialRule = "mixer-rule-ratings-denial" ingressDenialRule = "mixer-rule-ingress-denial" - newTelemetryRule = "mixer-rule-additional-telemetry" + newTelemetryRule = "../telemetry/metrics" kubeenvTelemetryRule = "mixer-rule-kubernetesenv-telemetry" destinationRuleAll = "destination-rule-all" routeAllRule = "virtual-service-all-v1"
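Review bot: `timestamp: context.time | timestamp("2017-01-01T00:00:00Z")` in the egress-access instance stamps any entry whose time attribute is missing with a fixed 2017 date, so such events land years in the past in whatever store the stdio output is shipped to, where they break timeline reconstruction and may be aged out by retention before anyone looks at them. The other log samples in this change use `request.time` with no fallback; for a TCP connection that attribute may not exist, which is presumably why the fallback is here, but it should be visibly marked as a sentinel: `timestamp: context.time | timestamp("2017-01-01T00:00:00Z")  # 2017-01-01 is a sentinel meaning context.time was unavailable, not a real time`. Recording `sourcePrincipal` and `requestedServerName` on each `connection.event == "open"` is the right audit shape for this gateway.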