Merge branch 'june' of https://github.com/szihai/istio-workshop into june

andy.shi · andy.shi · commit 14d598b824c1 · 2018-07-11T16:30:24.000-07:00
diff --git a/exercise-1/README.md b/exercise-1/README.md
@@ -1,6 +1,35 @@
 # Exercise 1 - Accessing a Kubernetes cluster 
 
-This is the section to configure your kubectl CLI to point to your Kubernetes cluster. Will update with more specific information.
+This is the section to configure your kubectl CLI to point to your Kubernetes cluster. For the convienence we will use Minikube here.
+
+### Install Minikube on Mac
+
+The following are the quick steps to install Minikube on Mac if you have homebrew installed:
+
+```
+brew cask install virtualbox
+
+brew cask install minikube
+```
+
+Make sure the minikube has at least 4G of memory(more is better). Otherwise it will not be sufficient to run Istio.
+
+```
+minikube start 
+    --extra-config=controller-manager.cluster-signing-cert-file="/var/lib/localkube/certs/ca.crt" 
+    --extra-config=controller-manager.cluster-signing-key-file="/var/lib/localkube/certs/ca.key" 
+    --extra-config=apiserver.admission-control="NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota" 
+    --kubernetes-version=v1.10.0
+ ```
+
+### Else
+
+In case the first approach doesn't work, here are the full references to set up Minikube:
+- [Install Minikube](https://kubernetes.io/docs/tasks/tools/install-minikube/)
+- [Minikube release](https://github.com/kubernetes/minikube/releases)
+- [Vbox download](https://www.virtualbox.org/wiki/Downloads)
+- [Set up Minikube](https://kubernetes.io/docs/setup/minikube/)
+
 
 ### Clone the lab repo
 
diff --git a/exercise-6/README.md b/exercise-6/README.md
@@ -29,6 +29,39 @@ image: docker.io/istio/proxy######
 imagePullPolicy: IfNotPresent
 name: istio-proxy
 ```
+#### Automatic sidecar injection
+
+Istio sidecars can also be automatically injected into a pod at creation time using a feature in Kubernetes called a mutating webhook admission controller.   Note that unlike manual injection, automatic injection occurs at the pod-level. You won't see any change to the deployment itself. Instead you'll want to check individual pods (via kubectl describe) to see the injected proxy.
+
+An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized. Admission controllers may be “validating”, “mutating”, or both. Mutating controllers may modify the objects they admit; validating controllers may not.
+
+The admission control process proceeds in two phases. In the first phase, mutating admission controllers are run. In the second phase, validating admission controllers are run.
+
+MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.  
+
+For Istio the webhook is the sidecar injector webhook deployment called "istio-sidecar-injector".  It will modify a pod before it is started to inject an istio init container and istio proxy container.
+
+#### Using the Sidecar Injector
+
+By default, Istio is configured to apply a sidecar injector to namespaces with the label/value of `istio-injection=enabled`.
+
+Label the default namespace with `istio-injection` label set to `enabled`.
+
+```sh
+kubectl label namespace default istio-injection=enabled
+```
+
+Check that the label is applied.
+
+```sh
+kubectl get namespace -L istio-injection
+
+NAME           STATUS    AGE       ISTIO-INJECTION
+default        Active    1h        enabled
+istio-system   Active    1h        
+kube-public    Active    1h        
+kube-system    Active    1h
+```
 
 ### Deploy Guestbook services
 
diff --git a/exercise-7/README.md b/exercise-7/README.md
@@ -1,5 +1,7 @@
 ## Exercise 7 - Istio Ingress Controller
 
+**NOTE: If you are using Minikube, this section may not work. However there are other approaches to access the service such as using [telepresence](https://www.telepresence.io/).**
+
 The components deployed on the service mesh by default are not exposed outside the cluster. External access to individual services so far has been provided by creating an external load balancer on each service.
 
 Traditionally in Kubernetes, you would use an Ingress to configure a L7 proxy. However, Istio provides a much richer set of proxy configurations that are not well-defined in Kubernetes Ingress.
