Azure Insights: Istio; Kubernetes Service; Resource Graph; PowerShell; Docker container images

May 17 2020

Microsoft Azure pros share their insights on Istio on Kubernetes Service, Resource Graph, and using PowerShell and Docker container images.

Changing over to Istio CNI on Azure Kubernetes Service

Daniel Neumann, writing on Daniel's Tech Blog, discussed the value of switching to the Istio CNI plugin with Azure Kubernetes Service. Istio and services like it use an init container to control iptables rules that redirect network traffic to or from a proxy container. Users who also rely on PSPs or Gatekeeper may need to define exceptions and apply them to all namespaces with the Istio proxy enabled. He wrote:

As a cluster admin you just deploy Istio with the CNI plugin enabled. Then you only have one running Istio CNI pod per node as the Istio CNI plugin operates as a DaemonSet. Setting up the network traffic redirection is now handled by the Istio CNI plugin. So, you only need to exclude the istio-system namespace from Gatekeeper or define a separate PSP for it instead of lowering your security restrictions. This in the end reduces the security risk and makes your application deployments more secure.

Neumann showed how to add additional lines to a YAML template, based on Istio documentation, as well as how to apply the changes.
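
To make the trade-off Neumann describes concrete, here is an added example (not from his post or from the Istio project) that models a "no added capabilities" admission rule, the kind a PSP or Gatekeeper constraint enforces, over constructed pod specs. It assumes the istio-init container adds NET_ADMIN and NET_RAW, and it models the CNI node pod's elevated rights as an added capability; all pod and namespace names are made up.

```python
# Added example: which namespaces need a policy exception in each Istio mode?
RESTRICTED_CAPS = {"NET_ADMIN", "NET_RAW"}  # assumed: what istio-init adds to program iptables

def added_caps(container):
    """Capabilities a container requests via securityContext.capabilities.add."""
    caps = container.get("securityContext", {}).get("capabilities", {}).get("add", [])
    return {c.upper() for c in caps}

def violations(pods, excluded_namespaces=()):
    """Return (namespace, pod, container, caps) for every container the rule would reject."""
    found = []
    for p in pods:
        ns = p["metadata"].get("namespace", "default")
        if ns in excluded_namespaces:
            continue  # namespace exempted from the policy
        spec = p["spec"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            hit = added_caps(c) & RESTRICTED_CAPS
            if hit:
                found.append((ns, p["metadata"]["name"], c["name"], sorted(hit)))
    return found

def namespaces_needing_exception(pods, excluded_namespaces=()):
    """Namespaces that must be exempted for every pod to be admitted."""
    return sorted({v[0] for v in violations(pods, excluded_namespaces)})

def pod(ns, name, init_caps=None):
    """Build a constructed mesh pod; init_caps adds an istio-init container with those caps."""
    spec = {"containers": [{"name": "app"}, {"name": "istio-proxy"}]}
    if init_caps:
        spec["initContainers"] = [{
            "name": "istio-init",
            "securityContext": {"capabilities": {"add": init_caps}},
        }]
    return {"metadata": {"namespace": ns, "name": name}, "spec": spec}

# Constructed sample data: init-container mode, every mesh pod carries istio-init.
INIT_MODE = [pod("shop", "cart", ["NET_ADMIN", "NET_RAW"]),
             pod("billing", "invoice", ["NET_ADMIN", "NET_RAW"])]

# Constructed sample data: CNI mode, only the per-node DaemonSet pod is privileged.
CNI_NODE = {"metadata": {"namespace": "istio-system", "name": "istio-cni-node-example"},
            "spec": {"containers": [{"name": "install-cni",  # modelled privilege (assumption)
                     "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]}}
CNI_MODE = [pod("shop", "cart"), pod("billing", "invoice"), CNI_NODE]

if __name__ == "__main__":
    print("init-container mode:", namespaces_needing_exception(INIT_MODE))
    print("CNI mode:", namespaces_needing_exception(CNI_MODE))
```

In init-container mode the exception list grows with every mesh-enabled namespace, while in CNI mode it stays at istio-system regardless of how many application namespaces join the mesh.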

Enhancing visibility with Azure Resource Graph
