Signed-off-by: R-Lawton <[email protected]>
Showing 1 changed file with 31 additions and 27 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,7 +11,7 @@ This guide walks you through using Kuadrant to secure, protect, and connect an A | |
- AWS/Azure or GCP with DNS capabilities. | ||
|
||
|
||
### Set your environment variables | ||
### Set the environment variables | ||
|
||
Set the following environment variables used for convenience in this guide: | ||
|
||
|
@@ -32,7 +32,7 @@ export [email protected] # Email address to associate with the exam | |
|
||
The DNS provider declares credentials to access the zone(s) that Kuadrant can use to set up DNS configuration. Ensure that this credential only has access to the zones you want Kuadrant to manage via `DNSPolicy` | ||
|
||
Create the namespace the Gateway will be deployed in | ||
Create the namespace the Gateway will be deployed in: | ||
|
||
```bash | ||
kubectl create ns ${KUADRANT_GATEWAY_NS} | ||
|
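Review bot: the context sentence that ends with `manage via `DNSPolicy`` still has no terminating full stop; since this hunk is adding trailing punctuation to the namespace instruction right below it, finish that sentence too so the warning about scoping the DNS credential to only the managed zones reads as complete.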
@@ -47,7 +47,7 @@ kubectl -n ${KUADRANT_GATEWAY_NS} create secret generic aws-credentials \ | |
--from-literal=AWS_SECRET_ACCESS_KEY=$KUADRANT_AWS_SECRET_ACCESS_KEY | ||
``` | ||
|
||
Before adding a TLS issuer, create the secret credentials in the cert-manager namespace | ||
Before adding a TLS issuer, create the secret credentials in the cert-manager namespace: | ||
|
||
```bash | ||
kubectl -n cert-manager create secret generic aws-credentials \ | ||
|
@@ -58,14 +58,14 @@ kubectl -n cert-manager create secret generic aws-credentials \ | |
|
||
### Deploy the Toystore app | ||
|
||
Create the namespace for the Toystore application. | ||
Create the namespace for the Toystore application: | ||
|
||
```bash | ||
|
||
kubectl create ns ${KUADRANT_DEVELOPER_NS} | ||
``` | ||
|
||
Deploy the Toystore app to the developer namespace | ||
Deploy the Toystore app to the developer namespace: | ||
|
||
```bash | ||
kubectl apply -f https://raw.githubusercontent.com/Kuadrant/Kuadrant-operator/main/examples/toystore/toystore.yaml -n ${KUADRANT_DEVELOPER_NS} | ||
|
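Review bot: the fenced block under `Create the namespace for the Toystore application:` still opens with an empty line between ```bash and `kubectl create ns ${KUADRANT_DEVELOPER_NS}`; drop it so the block matches the other examples in the guide, which start immediately after the fence.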
@@ -101,7 +101,8 @@ spec: | |
value: "/cars" | ||
EOF | ||
``` | ||
The status of the HTTPRoute will not be accepted or enforced, it will be unknown as we haven't created the Gateway yet | ||
The status of the HTTPRoute will not be accepted or enforced, it will be unknown as the Gateway hasn't been created yet: | ||
|
||
```bash | ||
kubectl get httproute toystore -n ${KUADRANT_DEVELOPER_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}' | ||
|
||
|
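Review bot: the rewritten HTTPRoute status sentence is still a comma splice and uses lower-case condition names while the rest of this commit capitalises them; suggest `The status of the HTTPRoute will not be Accepted or Enforced; it will be Unknown because the Gateway has not been created yet:`.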
@@ -161,7 +162,7 @@ spec: | |
listeners: | ||
- allowedRoutes: | ||
namespaces: | ||
from: All | ||
from: All | ||
hostname: "*.${KUADRANT_ZONE_ROOT_DOMAIN}" | ||
name: api | ||
port: 443 | ||
|
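Review bot: the only change in this hunk is the indentation of `from: All`, which the rendered diff does not show at all, so the commit message (currently just the sign-off) should say the listener YAML indentation was corrected. `from` must sit nested under `namespaces:` so it is read as `allowedRoutes.namespaces.from`; at the wrong depth it is not part of the `namespaces` object and the intended attachment of routes from all namespaces is not expressed.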
@@ -175,13 +176,14 @@ spec: | |
EOF | ||
``` | ||
|
||
Check the status of your Gateway ensuring the gateway is Accepted and Programmed: | ||
|
||
Check the status of the `Gateway` ensuring the gateway is Accepted and Programmed: | ||
|
||
```bash | ||
kubectl get gateway ${KUADRANT_GATEWAY_NAME} -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Programmed")].message}' | ||
``` | ||
|
||
Check the status of your listener you will see that it is not yet programmed or ready to accept traffic due to bad TLS configuration. This will be fixed in the next step with the TLS Policy | ||
Check the status of the listener, you will see that it is not yet programmed or ready to accept traffic due to bad TLS configuration. This will be fixed in the next step with the `TLSPolicy`: | ||
|
||
```bash | ||
kubectl get gateway ${KUADRANT_GATEWAY_NAME} -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.listeners[0].conditions[?(@.type=="Programmed")].message}' | ||
|
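Review bot: the new listener sentence is a comma splice (`Check the status of the listener, you will see that ...`); suggest `Check the status of the listener; it is not yet Programmed or ready to accept traffic because of the bad TLS configuration, which the `TLSPolicy` in the next step fixes:`. Also, the `Gateway` sentence is removed and re-added with blank lines between the old and new line, and the hunk grows from 13 to 14 lines, which looks like an accidental extra blank line around it; check the rendered file.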
@@ -208,17 +210,17 @@ spec: | |
EOF | ||
``` | ||
|
||
Check that your TLS policy has an accepted and enforced status. | ||
Check that the `TLSpolicy` has an Accepted and Enforced status: | ||
|
||
```bash | ||
kubectl get tlspolicy ${KUADRANT_GATEWAY_NAME}-tls -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}' | ||
``` | ||
|
||
### Secure and protect the Gateway with Auth, Rate limit, and DNS policies. | ||
|
||
While the Gateway is now deployed, it currently has exposed endpoints. The next steps will be defining an `AuthPolicy` to set up a default `403` response for any unprotected endpoints, as well as a `RateLimitPolicy` to set up a default unrealistic low global limit to further protect any exposed endpoints. | ||
While the `Gateway` is now deployed, it currently has exposed endpoints. The next steps will be defining an `AuthPolicy` to set up a default `403` response for any unprotected endpoints, as well as a `RateLimitPolicy` to set up a default unrealistic low global limit to further protect any exposed endpoints. | ||
|
||
### Set the deny all Gateway Auth policy | ||
### Set the `Deny all` Gateway AuthPolicy | ||
|
||
```bash | ||
kubectl apply -f - <<EOF | ||
|
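Review bot: `TLSpolicy` in `Check that the `TLSpolicy` has an Accepted and Enforced status:` should be `TLSPolicy`, the resource name used in the previous hunk and by the `kubectl get tlspolicy` command right below. Two smaller things in the same hunk: the heading `### Secure and protect the Gateway with Auth, Rate limit, and DNS policies.` keeps its trailing period, unlike every other heading in the file, and `a default unrealistic low global limit` should read `an unrealistically low default global limit`.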
@@ -252,14 +254,14 @@ spec: | |
EOF | ||
``` | ||
|
||
Check that your auth policy has accepted and enforced status | ||
Check that the `AuthPolicy` has Accepted and Enforced status: | ||
|
||
```bash | ||
kubectl get authpolicy ${KUADRANT_GATEWAY_NAME}-auth -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}' | ||
|
||
``` | ||
|
||
### Deploy the low default Gateway Rate limit policy | ||
### Deploy the `low limit` Gateway RateLimitPolicy | ||
|
||
```bash | ||
kubectl apply -f - <<EOF | ||
|
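Review bot: the `kubectl get authpolicy` block still has a blank line before its closing ``` fence; remove it so the block matches the ratelimitpolicy and dnspolicy checks. The new heading `### Deploy the `low limit` Gateway RateLimitPolicy` also drops the word `default`, which is the point of this policy (it is the gateway-wide fallback that the per-namespace policy later overrides); `### Deploy the default `low limit` Gateway RateLimitPolicy` keeps that meaning.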
@@ -282,13 +284,13 @@ spec: | |
EOF | ||
``` | ||
|
||
Check that your rate limit policy has accepted and enforced status | ||
Check that the `RateLimitPolicy` has Accepted and Enforced status: | ||
|
||
```bash | ||
kubectl get ratelimitpolicy ${KUADRANT_GATEWAY_NAME}-rlp -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}' | ||
``` | ||
|
||
### Create the gateway DNS policy | ||
### Create the Gateway DNSPolicy | ||
|
||
```bash | ||
kubectl apply -f - <<EOF | ||
|
@@ -311,21 +313,21 @@ spec: | |
EOF | ||
``` | ||
|
||
Check that the `DNSPolicy` has been accepted and enforced. | ||
Check that the `DNSPolicy` has been Accepted and Enforced: | ||
|
||
```bash | ||
kubectl get dnspolicy ${KUADRANT_GATEWAY_NAME}-dnspolicy -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}' | ||
``` | ||
|
||
### Test the default and deny all rate limit policies | ||
### Test the `low limit` and deny all policies | ||
|
||
```bash | ||
while :; do curl -k --write-out '%{http_code}\n' --silent --output /dev/null "https://api.$KUADRANT_ZONE_ROOT_DOMAIN/cars" | grep -E --color "\b(429)\b|$"; sleep 1; done | ||
``` | ||
|
||
### (Optional) Configure metrics to be scraped from the Gateway instance | ||
|
||
If prometheus is installed on the cluster, set up a PodMonitor to configure it to scrape metrics directly from the Gateway pod. | ||
If Prometheus is installed on the cluster, set up a PodMonitor to configure it to scrape metrics directly from the Gateway pod. | ||
This must be done in the namespace where the Gateway is running. For a list of the metrics you'll get see the Kuadrant [docs](https://docs.kuadrant.io/0.11.0/kuadrant-operator/doc/observability/metrics/) | ||
|
||
```bash | ||
|
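Review bot: the new heading `### Test the `low limit` and deny all policies` styles `deny all` differently from the backticked `Deny all` used for the AuthPolicy heading earlier in this commit; use the same form. Separately, the test loop under it runs `curl -k`, which disables certificate verification against the very listener the `TLSPolicy` just provisioned; one sentence saying why `-k` is used here (for example when the issuer is a staging or self-signed CA) and that readers with a trusted certificate can drop it would keep people from carrying `-k` into real traffic while still letting them observe the 200/429 codes.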
@@ -384,7 +386,7 @@ EOF | |
|
||
### Set up API key auth flow | ||
|
||
Set up an example API key for new users | ||
Set up an example API key for the new users: | ||
|
||
```bash | ||
kubectl apply -f - <<EOF | ||
|
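Review bot: `Set up an example API key for the new users:` reads worse than the original, since no users have been introduced at this point; keep `Set up an example API key for new users:` or name them (`for the example users Alice and Bob:`), matching the request headings later in the file.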
@@ -402,6 +404,8 @@ type: Opaque | |
EOF | ||
``` | ||
|
||
Create a new AuthPolicy in a different namespace that overrides the `Deny all` created earlier: | ||
|
||
```bash | ||
kubectl apply -f - <<EOF | ||
apiVersion: kuadrant.io/v1 | ||
|
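Review bot: the added sentence should backtick `AuthPolicy` like the rest of this commit, and `overrides the `Deny all` created earlier` is missing its noun; suggest `Create a new `AuthPolicy` in a different namespace that overrides the `Deny all` `AuthPolicy` created earlier:`.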
@@ -435,9 +439,9 @@ spec: | |
EOF | ||
``` | ||
|
||
### Override default low rate limiting for specific users | ||
### Override `low limit` RateLimitPolicy for specific users | ||
|
||
Create a new Rate limit policy in a different namespace to override the default RLP created earlier | ||
Create a new `RateLimitPolicy` in a different namespace to override the default `RateLimitPolicy` created earlier: | ||
|
||
```bash | ||
kubectl apply -f - <<EOF | ||
|
@@ -469,32 +473,32 @@ spec: | |
EOF | ||
``` | ||
|
||
The rate limit policy should be accepted and enforced: | ||
The `RateLimitPolicy` should be Accepted and Enforced: | ||
|
||
```bash | ||
kubectl get ratelimitpolicy -n ${KUADRANT_DEVELOPER_NS} toystore-rlp -o=jsonpath='{.status.conditions}' | ||
``` | ||
|
||
Check the status of the `HTTRoute`, is now affected by the `RateLimitPolicy` in the same namespace: | ||
Check the status of the `HTTPRoute`, is now affected by the `RateLimitPolicy` in the same namespace: | ||
|
||
```bash | ||
kubectl get httproute toystore -n ${KUADRANT_DEVELOPER_NS} -o=jsonpath='{.status.parents[0].conditions[?(@.type=="kuadrant.io/RateLimitPolicyAffected")].message}' | ||
``` | ||
|
||
### Test the new Rate limit and Auth policy | ||
|
||
#### Send requests as alice | ||
#### Send requests as Alice: | ||
|
||
```bash | ||
while :; do curl -k --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMALICE' "https://api.$KUADRANT_ZONE_ROOT_DOMAIN/cars" | grep -E --color "\b(429)\b|$"; sleep 1; done | ||
``` | ||
|
||
#### Send requests as bob as follows: | ||
#### Send requests as Bob: | ||
|
||
```bash | ||
while :; do curl -k --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMBOB' "https://api.$KUADRANT_ZONE_ROOT_DOMAIN/cars" | grep -E --color "\b(429)\b|$"; sleep 1; done | ||
``` | ||
|
||
## Conclusion | ||
|
||
To learn more about Kuadrant, visit <https://docs.kuadrant.io>. | ||
To learn more about Kuadrant and see more how to guides, visit Kuadrant [documentation](https://docs.kuadrant.io) |
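Review bot: `Check the status of the `HTTPRoute`, is now affected by ...` fixes the `HTTRoute` typo but keeps the dangling clause; suggest `Check the status of the `HTTPRoute`, which is now affected by the `RateLimitPolicy` in the same namespace:`. The two new `####` headings end with a colon, which no other heading in the file does; drop it. The closing line is missing its full stop and a hyphen: `To learn more about Kuadrant and see more how-to guides, visit the Kuadrant [documentation](https://docs.kuadrant.io).`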