[Refactor] istio.io security concept page - Authz #10164

Draft
wants to merge 1 commit into
base: master

@xulingqing (Member) commented Aug 9, 2021

Preview Link: https://deploy-preview-10164--preliminary-istio.netlify.app/latest/docs/concepts/security/#authorization

Main Changes:

  1. Merge Authorization architecture to Authorization introduction part
  2. Change Implicit enablement to Policy Precedence with brief introduction
  3. Merge Policy Target, Value matching, Exclusion matching as a Policy Matching section with concept rewrite
  4. Move the 4 practices of allow-all policy, Custom conditions, unauthenticated identity, authz on plain TCP protocols to operation/config/security
  5. Deleted TCP protocol, added a TCP task in Authz (/docs/tasks/security/authorization/authz-tcp/)
  6. Value Matching (exact, prefix, suffix, exclusion) move to /docs/ops/configuration/security/security-policy-examples/

@istio-testing istio-testing added the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Aug 9, 2021
@google-cla google-cla bot added the cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. label Aug 9, 2021
@istio-testing istio-testing added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Aug 9, 2021
@istio-testing (Contributor)

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@istio-testing istio-testing added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Aug 9, 2021
@xulingqing xulingqing changed the title refactor istio.io security page Authz part refactor istio.io security concept page - Authz Aug 9, 2021
@xulingqing xulingqing self-assigned this Aug 10, 2021
@yangminzhu (Contributor) left a comment
I


#### Value matching
In the [Security Policy Examples](docs/ops/configuration/security/security-policy-examples/), we introduce more policy use cases like:
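
Review bot: The link target on the "In the [Security Policy Examples]" line is `docs/ops/configuration/security/security-policy-examples/` with no leading slash, so it is a relative path and would resolve under the concept page's own URL rather than from the site root. The PR description gives the destination as /docs/ops/configuration/security/security-policy-examples/, so use that form here. The sentence also ends in "like:", so confirm that the list of use cases it introduces follows it in the final text.
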
Contributor

I think you should make sure the new content is ready when deleting it from the concept page. You could do it in a single PR that adds the new content in example/task/reference page while deleting it from concept page.

Otherwise there is a chance that some contents are removed in this PR but forgotten to be added in other places, and more importantly, separating the change will make it harder to review and compare the newly added content to the old one, and it puts preliminary.istio.io in an incomplete status until all changes are merged.

Member Author

Thanks for your suggestion. Yes, the changes to the authz part will be in the same PR. But let's first have consensus on what the concept page will look like. The concept page changes will be finished in the 1st commit, and I will commit the tasks/reference changes in this PR as a different commit.

Member Author

Once we reach agreement on the concept page, @justinpettit will work with me on finding a section that fits the deleted content. In this way, we can greatly reduce moving the content around. Thanks~

@xulingqing xulingqing changed the title refactor istio.io security concept page - Authz [Refactor] istio.io security concept page - Authz Aug 16, 2021
@istio-testing istio-testing added the needs-rebase Indicates a PR needs to be rebased before being merged label Dec 7, 2022
@istio-testing (Contributor)

@xulingqing: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@istio-testing (Contributor)

@xulingqing: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| doc.test.profile_none_istio.io | 8733eb9 | link | true | /test doc.test.profile_none |
| doc.test.profile_demo_istio.io | 8733eb9 | link | true | /test doc.test.profile_demo |
| doc.test.profile_default_istio.io | 8733eb9 | link | true | /test doc.test.profile_default |
| doc.test.multicluster_istio.io | 8733eb9 | link | true | /test doc.test.multicluster |
| doc.test.profile_minimal_istio.io | 8733eb9 | link | true | /test doc.test.profile_minimal |
| doc.test.profile-default_istio.io | 8733eb9 | link | true | /test doc.test.profile-default |
| doc.test.profile-none_istio.io | 8733eb9 | link | true | /test doc.test.profile-none |
| doc.test.profile-demo_istio.io | 8733eb9 | link | true | /test doc.test.profile-demo |
| doc.test.profile-minimal_istio.io | 8733eb9 | link | true | /test doc.test.profile-minimal |


@craigbox (Contributor) left a comment

@xulingqing and @justinpettit, any interest in finishing this off?

Labels: area/security, cla: yes, do-not-merge/work-in-progress, kind/docs, needs-rebase, size/L
5 participants