Closed XanderStrike closed 4 years ago
I wonder if we can add a couple tests to sanity check some of these policies. E.g. maybe non-istio-system workloads fail to hit protected Istio control plane components.
I agree with @tcdowney. E.g. for whatever reason Istio decides to change these ports and we upgrade our Istio version.
I do not find any documentation of what "15433" port is inside the Istio system. @XanderStrike where can I find this information?
@rodolfo2488 I don't see 15433 used. Did you mean 15443? https://istio.io/docs/ops/deployment/requirements/#ports-used-by-istio
@mike1808 yup, Dolfo corrected it in this commit: https://github.com/cloudfoundry/cf-k8s-networking/pull/31/commits/c9cb6d26a9f565deb5304f516a593cb0c066c68e
This introduces network policy to prevent unauthorized apps from reaching our Istio components.