#IstioCon Set Sail for a Ship-Shape Istio Release Brian Avery / twitter: @briansvgs / Red Hat Senior Software Engineer Eric Van Norman / twitter: @kf0s / IBM Senior Software Engineer #IstioCon First

#IstioCon How HP set up secure and wise platform with Istio John Zheng/ john.zheng@hp.com #IstioCon Agenda ➢ HP Horizon platform design with Istio ➢ Secure Platform ➢ Wise Platform ➢ Excellent Excellent Observability Istio(envoy) can generate access logs for service traffic in a configurable set of formats #IstioCon Excellent Observability - Access logs Log Files Parse Istio-proxy Log •

Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated) 1.1.19 Ensure that the Kubernetes Kubernetes PKI directory and file ownership is set to root:root (Automated) 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated) 1.1.21 Ensure Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated) 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.2 Ensure

Node Configuration Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain arguments at container run time. 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain

Node Configuration Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain arguments at container run time. 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain

config 命令，而不是直接修改这些文件。oc config 命令 包括很多有用的子命令来实现这一目的： 表 表 2.1. CLI 配置子命令 配置子命令 子命令 子命令 使用方法 使用方法 set- cluster 在 CLI 配置文件中设置集群条目。如果引用的 cluster nickname 已存在，则指定的信息将合并到其 中。 Using project "joe-project" server "https://openshift1.example.com:8443". $ oc login -u system:admin -n default $ oc config set-cluster [--server=] [--certificate-authority=] fy=true] 第 第 2 章 章 OPENSHIFT CLI (OC) 17 set- context 在 CLI 配置文件中设置上下文条目。如果引用的上下文 nickname 已存在，则指定的信息将合并在. use- context 使用指定上下文 nickname 设置当前上下文。 set 在 CLI 配置文件中设置单个值。 是一个以点分隔的名称，每个令牌代表属性名称或映射

config 命令，而不是直接修改这些文件。oc config 命令 包括很多有用的子命令来实现这一目的： 表 表 2.1. CLI 配置子命令 配置子命令 子命令 子命令 使用方法 使用方法 set- cluster 在 CLI 配置文件中设置集群条目。如果引用的 cluster nickname 已存在，则指定的信息将合并到其 中。 Using project "joe-project" server "https://openshift1.example.com:8443". $ oc login -u system:admin -n default $ oc config set-cluster [--server=] [--certificate-authority=] fy=true] 第 第 2 章 章 OPENSHIFT CLI (OC) 17 set- context 在 CLI 配置文件中设置上下文条目。如果引用的上下文 nickname 已存在，则指定的信息将合并在. use- context 使用指定上下文 nickname 设置当前上下文。 set 在 CLI 配置文件中设置单个值。 是一个以点分隔的名称，每个令牌代表属性名称或映射

that the --kubelet-certificate-authority argument is set as appropriate (Scored) 1.4.11 - Ensure that the etcd data directory permissions are set to 700 or more-restrictive (Scored) 1.4.12 - Ensure Ensure that the etcd data directory ownership is set to etcd:etcd (Scored) 2.1.8 - Ensure that the --hostname-override argument is not set (Scored) Controls 1 - Master Node Security Configuration 1.1 - API Server 1.1.1 - Ensure that the --anonymous-auth argument is set to false (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--anonymous-auth=false").string' Returned

包括很多有用的子命令来实现这一目的： 表 表 2.2. CLI 配置子命令 配置子命令 子命令 子命令 使用方法 使用方法 set- cluster 在 CLI 配置文件中设置集群条目。如果引用的 cluster nickname 已存在，则指定的信息将合并到其 中。 set- context 在 CLI 配置文件中设置上下文条目。如果引用的上下文 nickname 已存在，则指定的信息将合并在 server "https://openshift1.example.com:8443". $ oc login -u system:admin -n default $ oc config set-cluster [--server=] [--certificate-authority=] icate/authority>] [--api-version=] [--insecure-skip-tls-verify=true] $ oc config set-context [--cluster=] [--user=] [--namespace=]

components are JVM-based applications. So, the JRE needs to be pre-installed and the JAVA_HOME is correctly set to each component. Component Role Version Remarks Java JRE 8/11/17 Officially released against JDK8 kyuubi-env.sh file is used to set system environment variables to the kyuubi server process and engine processes it creates. The kyuubi-defaults.conf file is used to set system properties to the kyuubi connection, another engine will be started. This may change depending on the engine share level you set. Close Connections Close the session between beeline and Kyuubi server by executing !quit, for example