diff --git a/content/en/blog/2017/0.1-auth/index.md b/content/en/blog/2017/0.1-auth/index.md index 706671ec4419a..9849e77857cd0 100644 --- a/content/en/blog/2017/0.1-auth/index.md +++ b/content/en/blog/2017/0.1-auth/index.md @@ -57,7 +57,7 @@ Istio authentication uses [Kubernetes service accounts](https://kubernetes.io/do ### Communication security -Service-to-service communication is tunneled through high performance client side and server side [Envoy](https://envoyproxy.github.io/envoy/) proxies. The communication between the proxies is secured using mutual TLS. The benefit of using mutual TLS is that the service identity is not expressed as a bearer token that can be stolen or replayed from another source. Istio authentication also introduces the concept of Secure Naming to protect from a server spoofing attacks - the client side proxy verifies that the authenticated server's service account is allowed to run the named service. +Service-to-service communication is tunneled through high performance client side and server side {{}}Envoy{{}} proxies. The communication between the proxies is secured using mutual TLS. The benefit of using mutual TLS is that the service identity is not expressed as a bearer token that can be stolen or replayed from another source. Istio authentication also introduces the concept of Secure Naming to protect from a server spoofing attacks - the client side proxy verifies that the authenticated server's service account is allowed to run the named service. ### Key management and distribution diff --git a/content/en/blog/2017/0.1-using-network-policy/index.md b/content/en/blog/2017/0.1-using-network-policy/index.md index f7fb51dc23a2a..772277b8db0dc 100644 --- a/content/en/blog/2017/0.1-using-network-policy/index.md +++ b/content/en/blog/2017/0.1-using-network-policy/index.md 
@@ -29,8 +29,8 @@ In contrast, operating at the network layer has the advantage of being universal ## Implementation -The Istio’s proxy is based on [Envoy](https://github.com/envoyproxy/envoy), which is implemented as a user space daemon in the data plane that -interacts with the network layer using standard sockets. This gives it a large amount of flexibility in processing, and allows it to be +Istio’s proxy is based on {{}}Envoy{{}}, which is implemented as a user space daemon in the data plane that +interacts with the network layer using standard sockets. This gives it a large amount of flexibility in processing, and allows it to be distributed (and upgraded!) in a container. Network Policy data plane is typically implemented in kernel space (e.g. using iptables, eBPF filters, or even custom kernel modules). Being in kernel space diff --git a/content/en/news/releases/0.x/announcing-0.1/index.md b/content/en/news/releases/0.x/announcing-0.1/index.md index 2d889aac78433..3e85d116c41ba 100644 --- a/content/en/news/releases/0.x/announcing-0.1/index.md +++ b/content/en/news/releases/0.x/announcing-0.1/index.md 
@@ -16,7 +16,7 @@ aliases: --- Google, IBM, and Lyft are proud to announce the first public release of [Istio](/): an open source project that provides a uniform way to connect, secure, manage and monitor microservices. Our current release is targeted at the [Kubernetes](https://kubernetes.io/) environment; we intend to add support for other environments such as virtual machines and Cloud Foundry in the coming months. -Istio adds traffic management to microservices and creates a basis for value-add capabilities like security, monitoring, routing, connectivity management and policy. The software is built using the battle-tested [Envoy](https://envoyproxy.github.io/envoy/) proxy from Lyft, and gives visibility and control over traffic *without requiring any changes to application code*. Istio gives CIOs a powerful tool to enforce security, policy and compliance requirements across the enterprise. +Istio adds traffic management to microservices and creates a basis for value-add capabilities like security, monitoring, routing, connectivity management and policy. The software is built using the battle-tested {{}}Envoy{{}} proxy from Lyft, and gives visibility and control over traffic *without requiring any changes to application code*. Istio gives CIOs a powerful tool to enforce security, policy and compliance requirements across the enterprise. ## Background diff --git a/content/zh/blog/2017/0.1-auth/index.md b/content/zh/blog/2017/0.1-auth/index.md index 07f01e1136515..851c94568c246 100644 --- a/content/zh/blog/2017/0.1-auth/index.md +++ b/content/zh/blog/2017/0.1-auth/index.md 
@@ -55,7 +55,7 @@ Istio Auth 使用了 [Kubernetes 服务帐户](https://kubernetes.io/zh-cn/docs/ ### 通信安全{#communication-security} -服务间通信基于高性能客户端和服务器端 [Envoy](https://envoyproxy.github.io/envoy/) 代理的传输隧道。代理之间的通信使用双向 TLS 来进行保护。使用双向 TLS 的好处是服务身份不会被替换为从源窃取或重放攻击的令牌。Istio Auth 还引入了安全命名的概念,以防止服务器欺骗攻击 - 客户端代理验证允许验证特定服务的授权的服务帐户。 +服务间通信基于高性能客户端和服务器端 {{}}Envoy{{}} 代理的传输隧道。代理之间的通信使用双向 TLS 来进行保护。使用双向 TLS 的好处是服务身份不会被替换为从源窃取或重放攻击的令牌。Istio Auth 还引入了安全命名的概念,以防止服务器欺骗攻击 - 客户端代理验证允许验证特定服务的授权的服务帐户。 ### 密钥管理和分配{#key-management-and-distribution} diff --git a/content/zh/blog/2017/0.1-using-network-policy/index.md b/content/zh/blog/2017/0.1-using-network-policy/index.md index 685bb140d03a7..c16a016b19637 100644 --- a/content/zh/blog/2017/0.1-using-network-policy/index.md +++ b/content/zh/blog/2017/0.1-using-network-policy/index.md @@ -29,7 +29,7 @@ target_release: 0.1 ## 实现{#implementation} -Istio 的代理基于 [Envoy](https://github.com/envoyproxy/envoy),它作为数据平面的用户空间守护进程实现的,使用标准套接字与网络层交互。这使它在处理方面具有很大的灵活性,并允许它在容器中分发(和升级!)。 +Istio 的代理基于 {{}}Envoy{{}},它作为数据平面的用户空间守护进程实现的,使用标准套接字与网络层交互。这使它在处理方面具有很大的灵活性,并允许它在容器中分发(和升级!)。 网络策略数据平面通常在内核空间中实现(例如:使用 iptables 、eBPF 过滤器、或甚至自定义内核模块)。在内核空间使它们性能很好,但不像 Envoy 代理那样灵活。 diff --git a/content/zh/news/releases/0.x/announcing-0.1/index.md b/content/zh/news/releases/0.x/announcing-0.1/index.md index ffb268a96e2e1..135635de666f6 100644 --- a/content/zh/news/releases/0.x/announcing-0.1/index.md +++ b/content/zh/news/releases/0.x/announcing-0.1/index.md 
@@ -16,7 +16,7 @@ aliases: --- Google、IBM 和 Lyft 骄傲的宣布了 [Istio](/zh) 的首个公开版本。Istio 是一个以统一方式对微服务实施连接、管理、监控以及安全增强的开源项目。当前版本专注于支持 [Kubernetes](https://kubernetes.io/zh-cn/) 环境,我们计划在接下来的几个月添加诸如虚拟机和 Cloud Foundry 等环境的支持。 -Istio 为微服务添加了流量管理能力,同时为比如安全、监控、路由、连接管理和策略等附加能力打下了基础。此软件构建于来自 Lyft 的经过实战检验的 [Envoy](https://envoyproxy.github.io/envoy/) 代理之上,能在 *无需改动任何应用代码* 的情况下赋予对应用流量的可见性和控制能力。Istio 为 CIO 们提供了一个在企业内加强安全、策略和合规性的强有力的工具。 +Istio 为微服务添加了流量管理能力,同时为比如安全、监控、路由、连接管理和策略等附加能力打下了基础。此软件构建于来自 Lyft 的经过实战检验的 {{}}Envoy{{}} 代理之上,能在 *无需改动任何应用代码* 的情况下赋予对应用流量的可见性和控制能力。Istio 为 CIO 们提供了一个在企业内加强安全、策略和合规性的强有力的工具。 ## 背景{#background}
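Review bot: the added line in the `@@ -57,7 +57,7 @@` hunk of content/en/blog/2017/0.1-auth/index.md replaces the Envoy link with `{{}}Envoy{{}}`, and as shown nothing sits between the braces, so the reader loses the link to https://envoyproxy.github.io/envoy/ and gets nothing that resolves in its place. Please confirm the shortcode name is present in the committed file. The same pattern appears in the added line of every other hunk in this patch. Since this line is being rewritten anyway, "to protect from a server spoofing attacks" could be fixed in the same change to "to protect against server spoofing attacks".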
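Review bot: the `@@ -29,8 +29,8 @@` hunk of content/en/blog/2017/0.1-using-network-policy/index.md bundles edits unrelated to the link replacement. The first changed line also rewrites "The Istio’s proxy" to "Istio’s proxy", and the second removed/added pair ("interacts with the network layer using standard sockets. ...") shows no visible difference other than whitespace. Both are fine, but they should be mentioned in the commit message or split out so the whitespace-only line does not obscure the actual change. Note also that the removed link here pointed at https://github.com/envoyproxy/envoy while the other files pointed at https://envoyproxy.github.io/envoy/. After this change all of them share one target, so it is worth checking that the new target suits this post, which discusses the proxy's implementation.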
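Review bot: the rewritten line in the `@@ -55,7 +55,7 @@` hunk of content/zh/blog/2017/0.1-auth/index.md carries over a translation that does not match the English source touched in the same patch, and the mismatch is in the security claim itself. The English says the service identity "is not expressed as a bearer token that can be stolen or replayed from another source"; the Chinese "服务身份不会被替换为从源窃取或重放攻击的令牌" says the identity will not be replaced by a stolen or replayed token. Likewise "客户端代理验证允许验证特定服务的授权的服务帐户" does not convey that the client side proxy verifies that the authenticated server's service account is allowed to run the named service. Since the line is being touched, consider something like "服务身份不以可能被窃取或从其他来源重放的持有者令牌(bearer token)来表示" and "客户端代理会验证经过认证的服务器的服务帐户是否被允许运行指定的服务".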
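Review bot: the rewritten line in the `@@ -29,7 +29,7 @@` hunk of content/zh/blog/2017/0.1-using-network-policy/index.md keeps the ungrammatical "它作为数据平面的用户空间守护进程实现的", which is missing "是" to pair with the trailing "的". Since the English counterpart of this sentence gets a wording cleanup in this patch ("The Istio’s proxy" to "Istio’s proxy"), the Chinese line could be fixed alongside it, for example "它是作为数据平面的用户空间守护进程实现的".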