spelling and grammar
Signed-off-by: R-Lawton <[email protected]>
R-Lawton committed Dec 3, 2024
1 parent a8cdfd4 commit c7cae10
Showing 1 changed file with 31 additions and 27 deletions.
Expand Up @@ -11,7 +11,7 @@ This guide walks you through using Kuadrant to secure, protect, and connect an A
- AWS/Azure or GCP with DNS capabilities.


### Set your environment variables
### Set the environment variables

Set the following environment variables used for convenience in this guide:

Expand All @@ -32,7 +32,7 @@ export [email protected] # Email address to associate with the exam

The DNS provider declares credentials to access the zone(s) that Kuadrant can use to set up DNS configuration. Ensure that this credential only has access to the zones you want Kuadrant to manage via `DNSPolicy`

Create the namespace the Gateway will be deployed in
Create the namespace the Gateway will be deployed in:

```bash
kubectl create ns ${KUADRANT_GATEWAY_NS}
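Review bot: the context sentence "Ensure that this credential only has access to the zones you want Kuadrant to manage via `DNSPolicy`" still has no terminating period; since this pass adds punctuation to the neighbouring line, add it here too. That least-privilege sentence is the most important one in the hunk and otherwise reads correctly.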
Expand All @@ -47,7 +47,7 @@ kubectl -n ${KUADRANT_GATEWAY_NS} create secret generic aws-credentials \
--from-literal=AWS_SECRET_ACCESS_KEY=$KUADRANT_AWS_SECRET_ACCESS_KEY
```

Before adding a TLS issuer, create the secret credentials in the cert-manager namespace
Before adding a TLS issuer, create the secret credentials in the cert-manager namespace:

```bash
kubectl -n cert-manager create secret generic aws-credentials \
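Review bot: the colon fix is fine, but "Before adding a TLS issuer, create the secret credentials in the cert-manager namespace" could say that this is the same AWS credential pair just created in the Gateway namespace (both hunks create `aws-credentials` from `AWS_SECRET_ACCESS_KEY`), so the reader understands that the earlier advice to scope the credential to the managed zones applies to the copy cert-manager uses as well.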
Expand All @@ -58,14 +58,14 @@ kubectl -n cert-manager create secret generic aws-credentials \

### Deploy the Toystore app

Create the namespace for the Toystore application.
Create the namespace for the Toystore application:

```bash

kubectl create ns ${KUADRANT_DEVELOPER_NS}
```

Deploy the Toystore app to the developer namespace
Deploy the Toystore app to the developer namespace:

```bash
kubectl apply -f https://raw.githubusercontent.com/Kuadrant/Kuadrant-operator/main/examples/toystore/toystore.yaml -n ${KUADRANT_DEVELOPER_NS}
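Review bot: the `bash` fence for `kubectl create ns ${KUADRANT_DEVELOPER_NS}` opens with an empty line before the command; drop it so the block matches the other fences in the file, which start the command directly after the fence.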
Expand Down Expand Up @@ -101,7 +101,8 @@ spec:
value: "/cars"
EOF
```
The status of the HTTPRoute will not be accepted or enforced, it will be unknown as we haven't created the Gateway yet
The status of the HTTPRoute will not be accepted or enforced, it will be unknown as the Gateway hasn't been created yet:

```bash
kubectl get httproute toystore -n ${KUADRANT_DEVELOPER_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}'

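Review bot: the rewritten line is still a comma splice: "The status of the HTTPRoute will not be accepted or enforced, it will be unknown as the Gateway hasn't been created yet:". Suggest "The `HTTPRoute` will not yet be Accepted or Enforced; its status will be unknown because the `Gateway` hasn't been created yet:", which also matches the capitalised condition names and backticked kinds this same change introduces elsewhere.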
Expand Down Expand Up @@ -161,7 +162,7 @@ spec:
listeners:
- allowedRoutes:
namespaces:
from: All
from: All
hostname: "*.${KUADRANT_ZONE_ROOT_DOMAIN}"
name: api
port: 443
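Review bot: the indentation fix for `from: All` under `allowedRoutes.namespaces` is correct, but the surrounding text could note that `from: All` lets `HTTPRoute`s from any namespace attach to this listener, which the walkthrough relies on because the Toystore route lives in a different namespace from the `Gateway`; readers who want to restrict which namespaces may attach routes should tighten this field.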
Expand All @@ -175,13 +176,14 @@ spec:
EOF
```

Check the status of your Gateway ensuring the gateway is Accepted and Programmed:

Check the status of the `Gateway` ensuring the gateway is Accepted and Programmed:

```bash
kubectl get gateway ${KUADRANT_GATEWAY_NAME} -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Programmed")].message}'
```

Check the status of your listener you will see that it is not yet programmed or ready to accept traffic due to bad TLS configuration. This will be fixed in the next step with the TLS Policy
Check the status of the listener, you will see that it is not yet programmed or ready to accept traffic due to bad TLS configuration. This will be fixed in the next step with the `TLSPolicy`:

```bash
kubectl get gateway ${KUADRANT_GATEWAY_NAME} -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.listeners[0].conditions[?(@.type=="Programmed")].message}'
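Review bot: "Check the status of the listener, you will see that it is not yet programmed or ready to accept traffic due to bad TLS configuration." trades one comma splice for another; suggest "Check the status of the listener; it is not yet Programmed or ready to accept traffic because of the bad TLS configuration, which the `TLSPolicy` in the next step fixes:". Capitalising Programmed matches the condition name queried by the `jsonpath` that follows.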
Expand All @@ -208,17 +210,17 @@ spec:
EOF
```

Check that your TLS policy has an accepted and enforced status.
Check that the `TLSpolicy` has an Accepted and Enforced status:

```bash
kubectl get tlspolicy ${KUADRANT_GATEWAY_NAME}-tls -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}'
```

### Secure and protect the Gateway with Auth, Rate limit, and DNS policies.

While the Gateway is now deployed, it currently has exposed endpoints. The next steps will be defining an `AuthPolicy` to set up a default `403` response for any unprotected endpoints, as well as a `RateLimitPolicy` to set up a default unrealistic low global limit to further protect any exposed endpoints.
While the `Gateway` is now deployed, it currently has exposed endpoints. The next steps will be defining an `AuthPolicy` to set up a default `403` response for any unprotected endpoints, as well as a `RateLimitPolicy` to set up a default unrealistic low global limit to further protect any exposed endpoints.

### Set the deny all Gateway Auth policy
### Set the `Deny all` Gateway AuthPolicy

```bash
kubectl apply -f - <<EOF
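Review bot: `TLSpolicy` in "Check that the `TLSpolicy` has an Accepted and Enforced status:" has the wrong casing; the kind is `TLSPolicy`, as written a few lines earlier in this same commit. Smaller points in the same hunk: the heading "### Secure and protect the Gateway with Auth, Rate limit, and DNS policies." keeps a trailing period no other heading has, "a default unrealistic low global limit" should read "an unrealistically low default global limit", and "`Deny all`" in the new heading is descriptive prose rather than an identifier, so it does not need backticks ("### Set the deny-all Gateway `AuthPolicy`").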
Expand Down Expand Up @@ -252,14 +254,14 @@ spec:
EOF
```

Check that your auth policy has accepted and enforced status
Check that the `AuthPolicy` has Accepted and Enforced status:

```bash
kubectl get authpolicy ${KUADRANT_GATEWAY_NAME}-auth -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}'

```

### Deploy the low default Gateway Rate limit policy
### Deploy the `low limit` Gateway RateLimitPolicy

```bash
kubectl apply -f - <<EOF
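Review bot: the fenced block checking the `AuthPolicy` still contains an empty line before the closing fence; remove it so it matches the other status checks in the file. In the new heading, "`low limit`" is prose, not an identifier; "### Deploy the low-limit default Gateway `RateLimitPolicy`" keeps backticks for the kind only and preserves the word "default", which the old heading had and which the later override section depends on.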
Expand All @@ -282,13 +284,13 @@ spec:
EOF
```

Check that your rate limit policy has accepted and enforced status
Check that the `RateLimitPolicy` has Accepted and Enforced status:

```bash
kubectl get ratelimitpolicy ${KUADRANT_GATEWAY_NAME}-rlp -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}'
```

### Create the gateway DNS policy
### Create the Gateway DNSPolicy

```bash
kubectl apply -f - <<EOF
Expand All @@ -311,21 +313,21 @@ spec:
EOF
```

Check that the `DNSPolicy` has been accepted and enforced.
Check that the `DNSPolicy` has been Accepted and Enforced:

```bash
kubectl get dnspolicy ${KUADRANT_GATEWAY_NAME}-dnspolicy -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}'
```

### Test the default and deny all rate limit policies
### Test the `low limit` and deny all policies

```bash
while :; do curl -k --write-out '%{http_code}\n' --silent --output /dev/null "https://api.$KUADRANT_ZONE_ROOT_DOMAIN/cars" | grep -E --color "\b(429)\b|$"; sleep 1; done
```

### (Optional) Configure metrics to be scraped from the Gateway instance

If prometheus is installed on the cluster, set up a PodMonitor to configure it to scrape metrics directly from the Gateway pod.
If Prometheus is installed on the cluster, set up a PodMonitor to configure it to scrape metrics directly from the Gateway pod.
This must be done in the namespace where the Gateway is running. For a list of the metrics you'll get see the Kuadrant [docs](https://docs.kuadrant.io/0.11.0/kuadrant-operator/doc/observability/metrics/)

```bash
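Review bot: the test loop only highlights 429 responses, yet the heading now names the deny-all policy too, and the text earlier in the file says the `AuthPolicy` returns a default `403`; state what the reader should expect from each policy so the output can be interpreted. The heading is also inconsistent with itself ("`low limit`" backticked, "deny all" not); use plain prose for both, e.g. "### Test the low-limit and deny-all policies". Separately, `curl -k` disables certificate verification; a `TLSPolicy` has just been applied, so the text should say why verification is skipped here or drop the flag once the certificate is trusted. Minor: "For a list of the metrics you'll get see the Kuadrant [docs](...)" needs a comma after "get" and a terminating period.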
Expand Down Expand Up @@ -384,7 +386,7 @@ EOF

### Set up API key auth flow

Set up an example API key for new users
Set up an example API key for the new users:

```bash
kubectl apply -f - <<EOF
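Review bot: "Set up an example API key for the new users:" refers to users that have not been introduced at this point; the keys are for alice and bob, who only appear in the test section. Suggest "Create example API keys for the users alice and bob used in the tests below:".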
Expand All @@ -402,6 +404,8 @@ type: Opaque
EOF
```

Create a new AuthPolicy in a different namespace that overrides the `Deny all` created earlier:

```bash
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1
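Review bot: the added sentence "Create a new AuthPolicy in a different namespace that overrides the `Deny all` created earlier:" should backtick the kind and name what is overridden, consistent with the rest of this change: "Create a new `AuthPolicy` in a different namespace that overrides the deny-all Gateway `AuthPolicy` created earlier:".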
Expand Down Expand Up @@ -435,9 +439,9 @@ spec:
EOF
```

### Override default low rate limiting for specific users
### Override `low limit` RateLimitPolicy for specific users

Create a new Rate limit policy in a different namespace to override the default RLP created earlier
Create a new `RateLimitPolicy` in a different namespace to override the default `RateLimitPolicy` created earlier:

```bash
kubectl apply -f - <<EOF
Expand Down Expand Up @@ -469,32 +473,32 @@ spec:
EOF
```

The rate limit policy should be accepted and enforced:
The `RateLimitPolicy` should be Accepted and Enforced:

```bash
kubectl get ratelimitpolicy -n ${KUADRANT_DEVELOPER_NS} toystore-rlp -o=jsonpath='{.status.conditions}'
```

Check the status of the `HTTRoute`, is now affected by the `RateLimitPolicy` in the same namespace:
Check the status of the `HTTPRoute`, is now affected by the `RateLimitPolicy` in the same namespace:

```bash
kubectl get httproute toystore -n ${KUADRANT_DEVELOPER_NS} -o=jsonpath='{.status.parents[0].conditions[?(@.type=="kuadrant.io/RateLimitPolicyAffected")].message}'
```

### Test the new Rate limit and Auth policy

#### Send requests as alice
#### Send requests as Alice:

```bash
while :; do curl -k --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMALICE' "https://api.$KUADRANT_ZONE_ROOT_DOMAIN/cars" | grep -E --color "\b(429)\b|$"; sleep 1; done
```

#### Send requests as bob as follows:
#### Send requests as Bob:

```bash
while :; do curl -k --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMBOB' "https://api.$KUADRANT_ZONE_ROOT_DOMAIN/cars" | grep -E --color "\b(429)\b|$"; sleep 1; done
```

## Conclusion

To learn more about Kuadrant, visit <https://docs.kuadrant.io>.
To learn more about Kuadrant and see more how to guides, visit Kuadrant [documentation](https://docs.kuadrant.io)
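Review bot: "Check the status of the `HTTPRoute`, is now affected by the `RateLimitPolicy` in the same namespace:" is still ungrammatical; suggest "Check the status of the `HTTPRoute`; it is now affected by the `RateLimitPolicy` in the same namespace:". In the same hunk, the `toystore-rlp` check dumps the whole `.status.conditions` array while every other check selects the Accepted and Enforced messages, so align it with the others; the two `####` headings gained trailing colons ("#### Send requests as Alice:") that no other heading in the file has; and the new closing sentence "To learn more about Kuadrant and see more how to guides, visit Kuadrant [documentation](https://docs.kuadrant.io)" needs "how-to guides", "the Kuadrant documentation" and a terminating period.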
