Description
In this demo, Lin will repeat the same test scenario as described in the "Could network cache-based identity be mistaken" video on Istio. Will Istio be able to enforce the security policies?
For more details, check out the blog: https://thenewstack.io/my-istiod-pod-cant-communicate-with-the-kubernetes-api-server
Hey guys, Lin here. A couple of days ago, I published a video on how network cache-based identity could potentially be mistaken. In that example, I showed when the Cilium pod couldn't communicate with the Kubernetes API server. Today we're going to go through the same scenario with the Istio control plane. Are you ready for this? Let's get started.
And helloworld version 2 allows sleep version 2 to call helloworld version 2. Going back to the terminal, I'm going to check how sleep calls helloworld. As you can see, version 1 to version 1 is success, version 2 to version 2 is success, and version 1 to version 2 and version 2 to version 1 are connection failed. This is because the Cilium network policy recognizes they are not allowed. So this works perfectly in the perfect world.
Let's review our test script. We're going to capture the sleep version 1 pod's IP address, and then we're going to scale sleep version 1 to 0 and sleep version 2 to 15, and then we're going to try to find that particular sleep version 2 pod that has the same IP as one of the sleep version 1 pods, and then we're going to curl from that sleep version 2 pod to helloworld version 1. Let's go ahead and run the test.
Bring up our k9s window, and now we're seeing a bunch of sleep version 2 pods pop up, and sleep version 1 is scaled down to 0, just as we asked the system to do. Now we're rolling-restarting the sleep version 2 pods, hoping to get a match of the winner soon that meets the condition of reusing one of the sleep version 1 pods' IPs.
Checking one of the sleep version 2 pods, we can see the pod is taking longer than usual to come up. This is because one of the istiod pods couldn't serve as the certificate authority to fulfill the certificate signing requests. Oh, it did come up, so Envoy is ready now, and it looks like everything is up. Let's go back. Oh, we have a winner too.
So, as you can see, we were able to find the sleep version 2 pod, and this time we call helloworld version 1 and we got "RBAC: access denied". That's the error message from Istio, so this really shows how the Istio authorization policy is enforced so that sleep version 2 couldn't talk to helloworld version 1.
All right, let's recap what you have seen. On the VM where the helloworld version 1 pod runs, we introduced an error scenario where it could not talk to the Kubernetes API server. There's one Cilium pod running on the VM; there's also one istiod pod running on that VM. The Cilium layer 4 network policy could not be enforced because the identity of our sleep version 2 pod was mistaken.
If you enjoyed this video, please give me a thumbs up and subscribe to our channel, so you don't miss any of our future education on Istio, Envoy, Cilium, and eBPF. Thank you so much for watching.
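The test script Lin walks through above, reconstructed as an added example (this is not Lin's own script and not taken from the linked blog): capture the sleep v1 pod IPs, scale sleep v1 to 0 and sleep v2 to 15, rolling-restart sleep v2 until one pod reuses a captured IP, then curl helloworld v1 from that pod and look for Istio's "RBAC: access denied". Assumed, because the video does not show them: namespace `default`, deployments named `sleep-v1`, `sleep-v2` and `helloworld-v1` labelled `app=<name>,version=<v1|v2>`, the Istio helloworld sample's port 5000 and `/hello` path, and a working `kubectl` context. The IP-matching helper runs without a cluster, on constructed sample data.

```shell
#!/usr/bin/env bash
# Added example reconstructing the IP-reuse test described in the video.
# Not Lin's script. Assumptions: namespace "default"; deployments sleep-v1,
# sleep-v2 and helloworld-v1 carrying labels app=<name>,version=v1|v2; the
# Istio helloworld sample listening on port 5000 at /hello.

# Pure helper (no cluster needed): $1 is a space-separated list of IPs captured
# from sleep v1 pods, $2 is a space-separated list of "name=ip" entries for the
# current sleep v2 pods. Prints "name ip" for every sleep v2 pod whose IP was
# previously used by a sleep v1 pod.
find_reused_ips() {
  old_ips=$1
  new_pods=$2
  for entry in $new_pods; do
    name=${entry%%=*}
    ip=${entry##*=}
    for old in $old_ips; do
      [ "$ip" = "$old" ] && echo "$name $ip"
    done
  done
  return 0
}

# Cluster-driven part; only runs when called explicitly (needs kubectl access).
run_ip_reuse_test() {
  ns=${1:-default}
  # 1. capture the sleep v1 pod IPs before those pods disappear
  old_ips=$(kubectl -n "$ns" get pods -l app=sleep,version=v1 \
    -o jsonpath='{.items[*].status.podIP}')
  # 2. scale sleep v1 to 0 and sleep v2 to 15 so new pods can reuse freed IPs
  kubectl -n "$ns" scale deployment sleep-v1 --replicas=0
  kubectl -n "$ns" scale deployment sleep-v2 --replicas=15
  kubectl -n "$ns" rollout status deployment sleep-v2
  # 3. look for a sleep v2 pod that got one of the old IPs; rolling-restart
  #    sleep v2 and try again until one appears (bounded number of attempts)
  match=""
  attempt=0
  while [ "$attempt" -lt 10 ]; do
    attempt=$((attempt + 1))
    new_pods=$(kubectl -n "$ns" get pods -l app=sleep,version=v2 \
      -o jsonpath='{range .items[*]}{.metadata.name}={.status.podIP} {end}')
    match=$(find_reused_ips "$old_ips" "$new_pods" | head -n 1)
    [ -n "$match" ] && break
    kubectl -n "$ns" rollout restart deployment sleep-v2
    kubectl -n "$ns" rollout status deployment sleep-v2
  done
  if [ -z "$match" ]; then
    echo "no sleep v2 pod reused a sleep v1 IP after $attempt attempts" >&2
    return 1
  fi
  set -- $match
  echo "winner: pod $1 reused IP $2"
  # 4. curl helloworld v1 directly by its pod IP from the winner; with the
  #    Istio authorization policy in place the expected reply is
  #    "RBAC: access denied" rather than the helloworld greeting
  hw_ip=$(kubectl -n "$ns" get pods -l app=helloworld,version=v1 \
    -o jsonpath='{.items[0].status.podIP}')
  kubectl -n "$ns" exec "$1" -c sleep -- curl -s "http://$hw_ip:5000/hello"
  echo
}

# Offline demo with constructed sample data: sleep-v2-b has reused 10.244.1.9.
find_reused_ips "10.244.1.5 10.244.1.9" \
  "sleep-v2-a=10.244.2.3 sleep-v2-b=10.244.1.9 sleep-v2-c=10.244.2.4"

# Against a real cluster: run_ip_reuse_test default
```

The matching helper is kept separate from the `kubectl` calls so the winner-selection logic can be checked on its own; the cluster part stops after a bounded number of rolling restarts instead of looping forever when no IP happens to be reused.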