# Copyright Istio Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Example configurations for deploying a proxy server for remote istioctl ps command. apiVersion: v1 kind: Service metadata: name: istioctl-proxy labels: app: istioctl-proxy spec: ports: - name: https port: 9090 targetPort: 9090 selector: app: istioctl-proxy --- apiVersion: v1 kind: ServiceAccount metadata: name: istioctl-proxy --- apiVersion: v1 kind: Secret metadata: name: jwt-cert-key-secret # command to generate certificate # use the generated server.crt, server.key by following https://github.com/istio/istio/blob/master/samples/jwt-server/testdata/README.MD stringData: server.crt: | -----BEGIN CERTIFICATE----- MIIDjzCCAnegAwIBAgIUfIuuQDfWakIpZ7bZAuuLUWhSm2AwDQYJKoZIhvcNAQEL BQAwRjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkFaMRMwEQYDVQQKDApBY21lLCBJ bmMuMRUwEwYDVQQDDAxBY21lIFJvb3QgQ0EwHhcNMjExMTE3MDQ0NDE2WhcNMzEx MTE1MDQ0NDE2WjA/MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQVoxEzARBgNVBAoM CkFjbWUsIEluYy4xDjAMBgNVBAMMBSouY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEAv3qsDI+3Fc65EuuPnKG4BN0dLZZy+wFNxruszYRg0foP9kUQ rUUv12uu/y2Rguf09y9mXXzGc51kwU5TIhVarYPBIa46MLMBBroF908VX9ng4Q9M ta+rU10e9xugRRnCDf1ZMlQJB/7pmnF21vw6gdmRt7vMLKiHQuN9BI+042Z/NiiF T7xCDDz+HvhGnn+vDv53h6LPzwNM2zGLSIPaV5xkYs0fYvs5Y2pUGonrra5hGoRq JzOZ3SNfKtaQ3AXrf/+kikJGFA/GmzZuhW26Nygl/kYgx7l+g3uTXOz0hN434nF6 Cc7EyuvD37lAsgw1w48poTnDUijV5Cx6yA8FHQIDAQABo3wwejB4BgNVHREEcTBv ggpqd3Qtc2VydmVygglsb2NhbGhvc3SCF2p3dC1zZXJ2ZXIuaXN0aW8tc3lzdGVt ghJqd3Qtc2VydmVyLmRlZmF1bHSCKWp3dC1zZXJ2ZXIuaXN0aW8tc3lzdGVtLnN2 Yy5jbHVzdGVyLmxvY2FsMA0GCSqGSIb3DQEBCwUAA4IBAQC26tlBXaF+chVS3f8w Tv1D1lgXgJ/ROozqlSMe5BGDuOgsVtWQeqpMIXxEx8w6fXUF0TaMYxp3sC4D3Ql9 W+PALf9Zpy+vv6vxoKkrnKiXvOiuYkLJhaVDkzvj6j6yMjxUk5a9ehDZ0gKwXf+m Ei35D8xKtPdz/FaB7qgN2mu7V47oFizon7jLLqAvlWIIQ7Pku+XfjraDPtjxUj4u 5qSrIfSWAeuJSEsSlGPyYJCFvqFNQYW0y8y7fCCQo7FObHfBmpp7kG2BViuLxebW zfi4K3gDCpR8lWiNEjm4NamQ07OpCtmLZfaueZH/vSXXVVbs6VCsb6nJqJrGDc5t K/xK -----END CERTIFICATE----- server.key: | -----BEGIN PRIVATE KEY----- MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC/eqwMj7cVzrkS 64+cobgE3R0tlnL7AU3Gu6zNhGDR+g/2RRCtRS/Xa67/LZGC5/T3L2ZdfMZznWTB TlMiFVqtg8EhrjowswEGugX3TxVf2eDhD0y1r6tTXR73G6BFGcIN/VkyVAkH/uma cXbW/DqB2ZG3u8wsqIdC430Ej7TjZn82KIVPvEIMPP4e+Eaef68O/neHos/PA0zb MYtIg9pXnGRizR9i+zljalQaieutrmEahGonM5ndI18q1pDcBet//6SKQkYUD8ab Nm6Fbbo3KCX+RiDHuX6De5Nc7PSE3jficXoJzsTK68PfuUCyDDXDjymhOcNSKNXk LHrIDwUdAgMBAAECggEAPtk99ZWKa58BwkMNTUULiJUnCZqTPO4NoEhjjMWBngot CRFcSvMlo9iVhO5pD4WhMy0ctVzKKpKjyosx4EMQE1nmn253bRqkIJgYczdC9cYm +NgzvoLdgixTiJpJvcSZnEvm5g0NNdGmzWmmryP09D/8g0kh2Bqs4viWRVQB9I1T eKbPOwatlDBiqitHDPQ7ZAGBvXfHbRc8PePQ2biJJWN/JzOrhBMG9tKpAqduQgbW u/DR06JI5Gpp9LiOXcThDbSB/XLdwxLY64MAU4ihWRsQ2k+FNrnuOLDM3YNCrWF5 MRKRVrUhAwDs3V4my4uVu65QjDWURTg7mnbzzwKAgQKBgQDopj9ZKuNXw5T7Yuj2 BnYDd4h9gz2BAtQR0ACXoeFhRipmfX3TZdrfklbE5IryRZObSGBxMw/Jf+jseyT3 9nhE8dRrR2yxvlN/SMNP+uW3wziSRriGM8+WB2mkBEhxPrbIPyAQFupkeE6iuY0c 14cNiKRXPrz4lE5tBZPCECEtIQKBgQDSspYwXuakP6jeiZOym1rRfj58Xi6Hfra3 4e4elTsgj+iKvw/5vqn+/axqmZzymxY6vOECSlxKDee+inxHvZxr9de7DXv8rr8x w+nna/hnKUzqiplbDEQCqMH0US3k9fbNX/AknGccYQO9kiYj23Gi6cnRZAVrm7oy MEQIFgB8fQKBgHPLQx5zbUIic4WHnmHNp3FkTkgCSVtr9/eBqrnN9ap/zNzEOxs7 x+udH5jSE6IwJR6VsILHImVtR5ZkWGsefo/6OXrHyv7QtyhUI/or66hB/2c20eLh 6MFIoTjkdNYAm+MhIClB7pnhE2qEpgqj73E6AGn4LQAgeMRkkT1237xhAoGAJoPW yIjQiH3KlMN5aFDVzS3SplFhGAulwv9d0+FbqZwk2hgLB5A+6wncFrB17DNFYP9d 8lk9fZwFHOObzFFw4ptSEDNq0snu0V4Kx+8IvXLjSIyFdAtN81599fdQ+GWt8+Tx tP+SKbHiSSkKJ8vZffpWlhw+kWkqJDqGdSPwetECgYBzekGqr0MrrnK1nsXwd1pe Y+KypdjOfu7SI9I1ujosSTo3XZ9+EJo2vJYy1acCLFrp1s8eaUhc/NTT57R/EIOL 8mpQUbVH8l8h6gRs6izoPFhtOKJZgkPrx7OCs08CCmYIr9qUvWFhcnsxnW7B5hic LEAqdR15WVMSx/Fw8dACEw== -----END PRIVATE KEY----- --- apiVersion: apps/v1 kind: Deployment metadata: name: istioctl-proxy spec: replicas: 1 selector: matchLabels: app: istioctl-proxy template: metadata: annotations: sidecar.istio.io/inject: "false" labels: app: istioctl-proxy spec: serviceAccountName: istioctl-proxy containers: - image: docker.io/istio/istioctl-proxy:0.1 imagePullPolicy: IfNotPresent name: istioctl-proxy volumeMounts: - name: certkeysecretresource mountPath: "/etc/certs" readOnly: true args: ["-port", "9090", "-cert", "/etc/certs/server.crt", "-key", "/etc/certs/server.key"] env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace ports: - containerPort: 9090 volumes: - name: certkeysecretresource secret: secretName: jwt-cert-key-secret defaultMode: 0400 --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: istioctl-proxy-role rules: - apiGroups: [""] resources: - pods - pods/portforward verbs: ["get", "list", "create"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: istioctl-proxy-role subjects: - kind: ServiceAccount name: istioctl-proxy roleRef: kind: Role name: istioctl-proxy-role apiGroup: rbac.authorization.k8s.io ---