diff --git a/docs/_common/install-otterize-from-cloud-with-istiowatcher.md b/docs/_common/install-otterize-from-cloud-with-istiowatcher.md new file mode 100644 index 000000000..004c2d667 --- /dev/null +++ b/docs/_common/install-otterize-from-cloud-with-istiowatcher.md @@ -0,0 +1,17 @@ +If no Kubernetes clusters are connected to your account, click the "connect your cluster" button to: +1. Create a Cloud cluster object, specifying its name and the name of an environment to which all namespaces in that cluster will belong, by default. +2. Connect it with your actual Kubernetes cluster, by clicking on the "Connection guide →" link and running the Helm commands shown there. + 1. Follow the instructions to install OtterizeAnd add the following flag to the Helm command: `--set networkMapper.istiowatcher.enable=true` + +
+More details, if you're curious + +Connecting your cluster simply entails installing Otterize OSS via Helm, using credentials from your account so Otterize OSS can report information needed to visualize the cluster. + +The credentials will already be inlined into the Helm command shown in the Cloud UI, so you just need to copy that line and run it from your shell. +If you don't give it the Cloud credentials, Otterize OSS will run fully standalone in your cluster — you just won't have the visualization in Otterize Cloud. + +The Helm command shown in the Cloud UI also includes flags to turn off enforcement: Otterize OSS will be running in "shadow mode," +meaning that it will show you what **would** happen if it were to create/update your access controls (Kubernetes network policies, Kafka ACLs, Istio authorization policies, etc.). +Later in this tutorial, we'll turn on enforcement, but for now we'll leave it in shadow mode. +
diff --git a/docs/_common/install-otterize-from-cloud.md b/docs/_common/install-otterize-from-cloud.md index 4ff66abc9..38e4f3f2f 100644 --- a/docs/_common/install-otterize-from-cloud.md +++ b/docs/_common/install-otterize-from-cloud.md @@ -1,6 +1,6 @@ If no Kubernetes clusters are connected to your account, click the "connect your cluster" button to: 1. Create a Cloud cluster object, specifying its name and the name of an environment to which all namespaces in that cluster will belong, by default. -2. Connect it with your actual Kubernetes cluster, by clicking on the "Connection guide →" link and running the Helm commands shown there. +2. Connect it with your actual Kubernetes cluster, by clicking on the "Connection guide →" link and running the Helm commands shown there. You'll want to keep enforcement off, and be in shadow mode.
More details, if you're curious diff --git a/docs/quick-visual-tutorials/visual-ibac-istio-authorization-policies.mdx b/docs/quick-visual-tutorials/visual-ibac-istio-authorization-policies.mdx index 92c1568ad..d82d71886 100644 --- a/docs/quick-visual-tutorials/visual-ibac-istio-authorization-policies.mdx +++ b/docs/quick-visual-tutorials/visual-ibac-istio-authorization-policies.mdx 
@@ -8,15 +8,432 @@ import CodeBlock from "@theme/CodeBlock"; import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -:::info Coming soon +Istio authorization policies are a powerful and flexible tool, but using them to achieve a zero-trust architecture with fine-grained pod-to-pod access control can be difficult to implement and maintain. -This visual tutorial for IBAC with Istio authorization policies is not yet ready. +In this tutorial, we will show you how to roll out Istio authorization policies with intent-based access control (IBAC). +With IBAC, you won't need to manually keep track of pod labels or service accounts. You won't need to manage Istio authorization policies at all — they'll be generated and managed automatically. We'll even show you how to generate policies for all discovered traffic in the cluster with just one command. -In the meantime, you might want to check out some similar tutorials: -* [IBAC with network policies](/quick-visual-tutorials/visual-ibac-network-policies) -* [IBAC with Kafka in Kubernetes](/quick-visual-tutorials/visual-ibac-kafka-k8s). +By the end of this tutorial, each server in the cluster will only allow the incoming calls declared by client services in their client intents files, and block any undeclared (unintended) calls. Call declarations, and the authorization policies they'll generate, will be specific not just down to the server but also to the HTTP path and method. -And for a simple, less visual tutorial, see: -* [Istio AuthorizationPolicy automation with intents](/quick-tutorials/k8s-istio-authorization-policies) +All the capabilities of IBAC for Istio are within Otterize OSS, while the access graph in Otterize Cloud will guide us +visually in these steps and support us in the process of zero trust adoption in our cluster without breaking anything. +You will: +1. Install Otterize OSS in your Kubernetes cluster, integrated to your Otterize Cloud account. +2. 
Install and configure Istio into your cluster. +3. Deploy, as in previous tutorials, a set of services based on the [Google microservices demo](https://github.com/GoogleCloudPlatform/microservices-demo) +(a simple e-commerce application) to your Kubernetes cluster. +4. View, within Otterize Cloud, the traffic in your cluster. +5. Declare one intent in your cluster just to see how the generated authorization policies affect the cluster. +6. Generate client intents for all traffic in the cluster to achieve zero trust in one command. + +## Prerequisites + +
+Prepare a Kubernetes cluster + +Before you start, you'll need a Kubernetes cluster. Having a cluster with a [CNI](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) that supports [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) isn't required for this tutorial, but is recommended so that your cluster works with other tutorials. + +{@include: ../_common/cluster-setup.md} +
+ +
+Create an Otterize Cloud account + +{@include: ../_common/create-account.md} + +
+ +
+Install Otterize OSS + +{@include: ../_common/install-otterize-from-cloud.md} + +
+ +
+Install the Otterize CLI + +{@include: ../_common/install-otterize-cli.md} + +
+ +## Install and configure Istio +
+Install Istio in the cluster via Helm + +{@include: ../_common/install-istio.md} + +
+ +:::tip +HTTP request paths and methods aren't exported in Envoy's connection metrics by default, but we do want to capture those +details when creating the network map. That way we not only have better visibility of the calling patterns, +e.g. in the access graph, but we can also use that information to automatically capture fine-grained intents and +use them to generate Istio authorization policies. +::: + +
+Enhance Istio exported metrics with HTTP methods and request paths + +Apply this configuration in the `istio-system` namespace, propagating it to all namespaces covered by the mesh. + +``` +kubectl apply -f https://docs.otterize.com/code-examples/network-mapper/istio-telemetry-enablement.yaml +``` + +```yaml +{@include: ../../static/code-examples/network-mapper/istio-telemetry-enablement.yaml} +``` + +
+ +## Deploy demo to simulate traffic +
+Create a namespace for our demo application and label it for Istio injection + +```bash +kubectl create namespace otterize-visual-tutorial-istio +kubectl label namespace otterize-visual-tutorial-istio istio-injection=enabled +``` +
+ +
+Deploy the demo set of services + +``` +kubectl apply -n otterize-visual-tutorial-istio -f https://docs.otterize.com/code-examples/ibac-for-istio/demo-app.yaml +``` +
+ +## Seeing the access graph + +In the Otterize Cloud web app, within the [Clusters tab](https://app.otterize.com/clusters), your cluster should be displaying all three Otterize OSS +operators — the intents operator, network mapper, and credentials operator — in the green connected state. + +![Access graph](/img/quick-tutorials/istio-visual-tutorial/cluster-connected.png) + +Now, let's head back to the [access graph](https://app.otterize.com/access-graph). If necessary, make sure to select your cluster from the dropdown menu. +You should see the map for the demo running in your cluster: + +![Access graph](/img/quick-tutorials/istio-visual-tutorial/phase-0.png) + +Each service is shown as a node in the access graph, while the dashed lines (edges) connecting the services show access between them, as detected by the network mapper. + +The lines are dashed because the client services are missing intent declarations: we've *discovered* their intents to call the servers, but they haven't *declared* those intents. + +Otterize can configure several access control mechanisms, such as network policies and Kafka ACLs, and the access graph can take into account their combined state. But for this demo, we're only using Istio authorization policies, so let's adjust the access graph view to only take these Istio policies into account: in the Istio policies section at the top, toggle on "Use in access graph"; and in the sections for network +policies and Kafka ACLs, toggle off "Use in access graph". + +![Access graph](/img/quick-tutorials/istio-visual-tutorial/access-graph-panel.png) + +Finally, let's filter out all but the `otterize-visual-tutorial-istio` namespace, as that's where the functional services are running. Select that namespace from the namespace filter at the top. + +## Try out IBAC with shadow mode + +Our mission in this tutorial is to achieve zero trust in our cluster, but we don't want to break anything in the process. 
So we'll start off by rolling out IBAC for just one service: only it will be protected from any unauthorized access. + +Even then, one of the biggest challenges in rolling out zero trust is that Istio authorization policies, like network policies and Kafka ACLs, can't let us know what would be blocked *before* we actually block it. + +Otterize solves this problem by providing a "shadow mode" enforcement. In shadow mode, Otterize doesn't actually generate +Istio authorization policies from client intents declarations, so nothing is actually blocked. +But Otterize still sees any intent declarations that *would* generate policies, so the access graph can preview what access would be blocked or enabled if we were to generate policies. + +## Choose a first service to protect + +Let's pick one service and manually protect it, before automating the process for the whole cluster. +We will start with the `recommendationservice`. Find it in the access graph. If you have a large graph, you can always type its name in the search box on the left and select it to bring it into view. You can also zoom in to see it larger: + +![Access graph](/img/quick-tutorials/istio-visual-tutorial/recommendation-graph-phase-0.png) + +Click on the `recommendationservice` to see more details: + +![Access graph](/img/quick-tutorials/istio-visual-tutorial/recommendation-service-phase-0.png) + +At the bottom of this panel, you can see it as a server (on the left) receiving requests, and as a client (on the right) sending requests. + +As a server, the access graph tells you it's currently unprotected. Why? +- There is no default `allow nothing` authorization policy configured for the cluster, as we informed the graph in the "Istio policies" section at the top right. That's appropriate for our situation: we want to roll out protection one service at a time, without breaking access to the others. 
+- The first authorization policy would protect this server, but no such policies would be created for it right now if enforcement were turned on, since no clients have declared their intents to call it. We'll do that in the next step. + +At the very bottom of the server section, we can see that this service is called by the `frontend` +service, which uses the `GET` method to access the `/recommendations` resource. Let's click the dashed line from `frontend` +to `recommendationservice` to see the details of the access: + +![Access graph](/img/quick-tutorials/istio-visual-tutorial/frontend-recommendation-phase-0.png) + +We see that the network mapper *discovered* the intent by the `frontend` to `GET` `/recommendations` on the `recommendationservice`, but the `frontend` did not *declare* it. + +(Note also that the `recommendationservice` *as a client* is also not blocked by any authorization policy.) + +## Declare your intentions! + +As suggested by the access graph, we will now take the intent we just *discovered* and *declare* that the `frontend` service intends to +call the `recommendationservice` via `GET` requests to the HTTP resource at `/recommendations`: + +```yaml +{@include: ../../static/code-examples/ibac-for-istio/phase-1.yaml} +``` + +We expect this will eventually provide secure access: **allowing** the intended access from the `frontend`, while **protecting** the `recommendationservice` from unintended access (since it will now have an authorization policy on it). +Why eventually? Because we'll still need to go from shadow mode to actual enforcement, after getting reassured in shadow mode that intentional calls won't be blocked. 
+ +Apply the above client intents file with: +```bash +kubectl apply -n otterize-visual-tutorial-istio -f https://docs.otterize.com/code-examples/ibac-for-istio/phase-1.yaml +``` + +Look at the access graph again: + +![Access graph](/img/quick-tutorials/istio-visual-tutorial/phase-1.png) + +The green line from `frontend` to `recommendationservice` is no longer dashed, but rather **solid**: the desired access we discovered has now been declared. + +Click on that solid `frontend` → `recommendationservice` line: +Discovered intents + +We can see that: +- The *discovered* intent to access is now also *declared*, and as a result... +- ...this call will be guaranteed access even after enforcement is turned on: the arrow is now **solid** green. + +Click on the `recommendationservice` itself: +Discovered intents + +The access graph shows us: +- This service is still not currently protected: after all, we're in shadow mode, without enforcement, so there are no authorization policies blocking unintended access. +- The "Istio policies" tag indicates that specifically it's not currently protected by Istio authorization policies. Had we been using other access controls, you would see the protection status for those too. +- There is no longer a warning about the `recommendationservice` remaining unprotected once enforcement is turned on. +- From this server's perspective, all's ready to activate enforcement. + +We now have **a green light for turning on enforcement** and protecting this service from any unintended calls without breaking its intended clients. + +:::tip Ready to enforce? +We could certainly turn on enforcement now. + +But instead, let's first protect another service, just to show how the access graph would warn us if we're not ready to turn on enforcement. 
::: + +### Declare more intents + +We can see in the access graph that the `recommendationservice` in turn calls the `productcatalogservice`, sending `GET` requests to the resource at `/similar-products`, so let's declare that intent: + +```yaml +{@include: ../../static/code-examples/ibac-for-istio/phase-2.yaml} +``` + +Apply this intents file with: +```bash +kubectl apply -n otterize-visual-tutorial-istio -f https://docs.otterize.com/code-examples/istio-visual-tutorial/phase-2.yaml +``` +Look at the access graph again: + +![Access graph](/img/quick-tutorials/istio-visual-tutorial/phase-2.png) + +As before, the line from `recommendationservice` → `productcatalogservice` is now solid green line, with no warnings. That's what we expect when we properly declare a discovered intent. + +But two other lines, `frontend` → `productcatalogservice` and `checkoutservice` → `productcatalogservice`, have turned orange. And a red warning has shown up on the `productcatalogservice`. Why? + +Click on one of those orange lines: +Discovered intents + +- There is no declaration of the discovered `GET /products` calls from the `frontend` to the `productcatalogservice`. +- This undeclared access is not blocked *now* — because we're still in shadow mode (otherwise the line would have been red). +- But access *would* be blocked once enforcement is turned on. To prevent that, we're told to declare the intent for this call. + +Click on the `productcatalogservice` to read its warnings, and what's there and what's missing: +Discovered intents + +- We can see it's not protected now, again because we're in shadow mode. +- But we can also see it *would* block some clients once protection is enabled. +- We can see that the `recommendationservice` will be allowed to `GET /similar-products`, but no other clients are guaranteed access. +- And there is an explicit warning to apply the missing intents from **all** the clients of the `productcatalogservice` before turning on enforcement. 
+ +Let's declare those intents from the `frontend` and `checkoutservice` clients: + + + +```yaml +{@include: ../../static/code-examples/ibac-for-istio/phase-3-frontend.yaml} +``` + + + +```yaml +{@include: ../../static/code-examples/ibac-for-istio/phase-3-checkout.yaml} +``` + + + +Apply these intents files with: +```bash +kubectl apply -n otterize-visual-tutorial-istio -f https://docs.otterize.com/code-examples/ibac-for-istio/phase-3.yaml +``` + +Let's go back to the access graph: + +![Access graph](/img/quick-tutorials/istio-visual-tutorial/phase-3.png) + +Note that all arrows are now green again; specifically, the ones to the `productcatalogservice` are also solid, indicating all access has been declared. + +Click on the `productcatalogservice`: + +![Access graph](/img/quick-tutorials/istio-visual-tutorial/productcatalog-service-all-green.png) + +All is well again: +- The `productcatalogservice` will be protected, without blocking its 3 declared clients, once enforcement is turned on. We have **a green light to activate enforcement**. +- Each client's access will be limited to the HTTP resource and method declared in its intents file. Clients have the intended access and nothing more (least privilege). + +:::tip We can now see how to roll out IBAC gradually: +1. Pick a service to protect. +2. Make sure all its clients declare their intents to call it. +3. When you're ready, and the access graph shows green solid arrows without warnings, turn on enforcement. + +The access graph and shadow mode allow us to gain confidence by showing what would happen, highlighting any problems, and pointing to their fixes. +::: + +### Optional: protect everything easily +Since Otterize already knows the problems and their fixes, could we somehow automatically bootstrap this for the whole cluster and protect all services, without breaking any intended calls? Yes! + +The network mapper keeps track of all attempted calls, after all: those are the discovered intents. 
If you are confident that all intended call patterns have been exercised while the network mapper was running (so it could capture them), and all the calls it saw are intended and appropriate, you can use that information to automatically generate intent declarations and apply them. + +Let's use the [Otterize CLI](/reference/cli) to export all discovered intents as YAML declarations: +```bash +otterize network-mapper export -n otterize-visual-tutorial-istio --output-type dir --output intents +``` + +You can apply them using: +```bash +kubectl apply -f intents +``` + +Or, equivalently, just use the already-generated intents files included in this docs location: +```bash +kubectl apply -n otterize-visual-tutorial-istio -f https://docs.otterize.com/code-examples/ibac-for-istio/all.yaml +``` + +
+If you are curious, have a look at the intents files generated by this single command: + + + + +```yaml +{@include: ../../static/code-examples/ibac-for-istio/intents/frontend.yaml} +``` + + + +```yaml +{@include: ../../static/code-examples/ibac-for-istio/intents/checkoutservice.yaml} +``` + + + +```yaml +{@include: ../../static/code-examples/ibac-for-istio/intents/recommendationservice.yaml} +``` + + + +```yaml +{@include: ../../static/code-examples/ibac-for-istio/intents/cartservice.yaml} +``` + + + +```yaml +{@include: ../../static/code-examples/ibac-for-istio/intents/loadgenerator.yaml} +``` + + +
+ +Look at the access graph again: + +![Access graph](/img/quick-tutorials/istio-visual-tutorial/phase-4.png) + +The graph confirms that all services would be protected, and no intended calls would be blocked, once we apply protection. + +:::tip +In essence, in one shot, we've declared that all the traffic in the environment where the mapper was running is all the intended traffic: all these calls, and no other calls, should be allowed. +::: + + +## Enable enforcement +With the confidence we've gained, let's enable enforcement (via Istio authorization policies) by upgrading your Otterize installation to remove the `intentsOperator.operator.enableEnforcement=false` flag. + +At the top of the access graph, click the **Configure cluster** button; or in the clusters page, click on the **Connection guide →** link for your cluster. + +Then run the Helm commands shown there, and specifically follow the instructions to install Otterize with enforcement on (not in shadow mode). Namely, omit the following flag in the Helm command: + +`--set intentsOperator.operator.enableEnforcement=false` + +Let's look at the access graph again: + +![Access graph](/img/quick-tutorials/istio-visual-tutorial/phase-5.png) + +Note that all of the servers (the server sides of the services) are shown in green, as protected. And no client call attempts (discovered by the network mapper) are being blocked. This is what a service-to-service zero-trust architecture looks like. + +:::tip How would blocked access attempts look now? +From now on, if a client attempts a server call that wasn't covered by one of the declared intents, that would be discovered by the network mapper and show up as (new) discovered intents. Remember that the network mapper discovers attempted access, not just successful access. In this case, a red line would appear from that client to that server, and a red warning would show up on the server and client, saying: calls from that client are being blocked. 
+ +That may be because: +- The calls were legitimate, but were missed when intents were generated because they didn't happen when the network mapper was building its map from which the intents were bootstrapped. In that case, you may choose to generate all the intents again, or or just create and apply the new ones manually. +- Or... the client maliciously called this server, but is being blocked by the authorization policies. IBAC has saved the day! +::: + +
+Optional: see the generated authorization policies +Otterize automatically generated authorization policies according to your declared intents. + +To list all generated authorization policies run: + +```bash +kubectl get authorizationpolicies.security.istio.io -n otterize-visual-tutorial-istio +``` + +Let's inspect one of these authorization policies with: +```bash +kubectl get authorizationpolicies.security.istio.io -n otterize-visual-tutorial-istio authorization-policy-to-productcatalogservice-from-checkoutservice.otterize-visual-tutorial-istio -o yaml +``` + +The result should be: + +```yaml +apiVersion: security.istio.io/v1 +kind: AuthorizationPolicy +metadata: + name: authorization-policy-to-productcatalogservice-from-checkoutservice.otterize-visual-tutorial-istio + namespace: otterize-visual-tutorial-istio +... +spec: + rules: + - from: + - source: + principals: + - cluster.local/ns/otterize-visual-tutorial-istio/sa/checkoutservice-service-account + to: + - operation: + methods: + - POST + paths: + - /products + selector: + matchLabels: + intents.otterize.com/server: productcatalogservic-otterize-visual-tuto-99a036 +``` +
+ +## What's next + +- Learn how to [roll out IBAC with Kubernetes network policies](/quick-visual-tutorials/visual-ibac-network-policies), automatically generating and updating network policies. +- Learn how to [roll out secure access for Kafka in Kubernetes](/quick-visual-tutorials/visual-ibac-kafka-k8s), automating both mTLS for client authentication and the ACLs built into Kafka. + +## Teardown + +To remove the deployed demo run: + +```bash +kubectl delete -n otterize-vizual-tutorial-istio -f https://docs.otterize.com/code-examples/ibac-for-istio/all.yaml +kubectl delete -n otterize-vizual-tutorial-istio -f https://docs.otterize.com/code-examples/ibac-for-istio/demo-app.yaml +``` \ No newline at end of file diff --git a/static/code-examples/ibac-for-istio/all.yaml b/static/code-examples/ibac-for-istio/all.yaml index bd60143d4..a82eba2ce 100644 --- a/static/code-examples/ibac-for-istio/all.yaml +++ b/static/code-examples/ibac-for-istio/all.yaml 
@@ -1,113 +1,117 @@ -apiVersion: v1 -kind: Namespace +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents metadata: - name: otterize-tutorial-istio - labels: - istio-injection: enabled ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: client - namespace: otterize-tutorial-istio + name: cartservice + namespace: otterize-visual-tutorial-istio spec: - selector: - matchLabels: - app: client - template: - metadata: - labels: - app: client - spec: - serviceAccountName: client-service-account - containers: - - name: client - image: alpine/curl - command: [ "/bin/sh", "-c", "--" ] - args: [ "while true; do echo \"Calling server...\"; if ! timeout 2 curl -si nginx-service:8080/client-path; then echo \"curl timed out\"; fi; sleep 2; done" ] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: client-service-account - namespace: otterize-tutorial-istio - labels: - app: client + service: + name: cartservice + calls: + - name: redis-cart + type: http + resources: + - path: /items + methods: + - GET + - POST --- -apiVersion: apps/v1 -kind: Deployment +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents metadata: - name: other-client - namespace: otterize-tutorial-istio + name: checkoutservice + namespace: otterize-visual-tutorial-istio spec: - selector: - matchLabels: - app: other-client - template: - metadata: - labels: - app: other-client - spec: - serviceAccountName: other-client-service-account - containers: - - name: other-client - image: alpine/curl - command: [ "/bin/sh", "-c", "--" ] - args: [ "while true; do echo \"Calling server...\"; if ! 
timeout 2 curl -si nginx-service:8080/other-client-path; then echo \"curl timed out\"; fi; sleep 2; done" ] + service: + name: checkoutservice + calls: + - name: productcatalogservice + type: http + resources: + - path: /products + methods: + - POST --- -apiVersion: v1 -kind: ServiceAccount +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents metadata: - name: other-client-service-account - namespace: otterize-tutorial-istio - labels: - app: other-client + name: frontend + namespace: otterize-visual-tutorial-istio +spec: + service: + name: frontend + calls: + - name: adservice + type: http + resources: + - path: /ads + methods: + - GET + - name: cartservice + type: http + resources: + - path: /items + methods: + - GET + - POST + - name: checkoutservice + type: http + resources: + - path: /checkout + methods: + - POST + - name: currencyservice + type: http + resources: + - path: /currency + methods: + - GET + - name: productcatalogservice + type: http + resources: + - path: /products + methods: + - GET + - name: recommendationservice + type: http + resources: + - path: /recommendations + methods: + - GET + - name: shippingservice + type: http + resources: + - path: /shipping + methods: + - POST --- -apiVersion: apps/v1 -kind: Deployment +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents metadata: - name: nginx - namespace: otterize-tutorial-istio + name: loadgenerator + namespace: otterize-visual-tutorial-istio spec: - selector: - matchLabels: - app: nginx - replicas: 1 - template: - metadata: - labels: - app: nginx - spec: - containers: - - name: nginx - image: nginx:1.14.2 - command: ["/bin/sh", "-c"] - args: - - | - echo 'events {}' > /etc/nginx/nginx.conf; - echo 'http {' >> /etc/nginx/nginx.conf; - echo ' include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf; - echo ' server {' >> /etc/nginx/nginx.conf; - echo ' listen 80;' >> /etc/nginx/nginx.conf; - echo ' server_name localhost;' >> /etc/nginx/nginx.conf; - echo ' location /client-path { 
return 200 "hello from /client-path\n"; }' >> /etc/nginx/nginx.conf; - echo ' location /other-client-path { return 200 "hello from /other-client-path\n"; }' >> /etc/nginx/nginx.conf; - echo ' }' >> /etc/nginx/nginx.conf; - echo '}' >> /etc/nginx/nginx.conf; - nginx -g "daemon off;" - ports: - - containerPort: 80 + service: + name: loadgenerator + calls: + - name: frontend + type: http + resources: + - path: / + methods: + - GET --- -apiVersion: v1 -kind: Service +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents metadata: - name: nginx-service - namespace: otterize-tutorial-istio + name: recommendationservice + namespace: otterize-visual-tutorial-istio spec: - selector: - app: nginx - ports: - - protocol: TCP - port: 8080 - targetPort: 80 ---- + service: + name: recommendationservice + calls: + - name: productcatalogservice + type: http + resources: + - path: /similar-products + methods: + - GET \ No newline at end of file diff --git a/static/code-examples/ibac-for-istio/allow-nothing.yaml b/static/code-examples/ibac-for-istio/allow-nothing.yaml index 971a2b0e6..38d35fd48 100644 --- a/static/code-examples/ibac-for-istio/allow-nothing.yaml +++ b/static/code-examples/ibac-for-istio/allow-nothing.yaml @@ -2,6 +2,6 @@ apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata: name: allow-nothing - namespace: otterize-tutorial-istio + namespace: otterize-visual-tutorial-istio spec: {} \ No newline at end of file diff --git a/static/code-examples/ibac-for-istio/demo-app.yaml b/static/code-examples/ibac-for-istio/demo-app.yaml new file mode 100644 index 000000000..e663641c7 --- /dev/null +++ b/static/code-examples/ibac-for-istio/demo-app.yaml 
@@ -0,0 +1,593 @@ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: adservice-service-account + namespace: otterize-visual-tutorial-istio + labels: + app: adservice +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: adservice + namespace: otterize-visual-tutorial-istio +spec: + selector: + matchLabels: + app: adservice + replicas: 1 + template: + metadata: + labels: + app: adservice + spec: + serviceAccountName: adservice-service-account + containers: + - name: nginx + image: nginx:1.14.2 + command: ["/bin/sh", "-c"] + args: + - | + echo 'events {}' > /etc/nginx/nginx.conf; + echo 'http {' >> /etc/nginx/nginx.conf; + echo ' include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf; + echo ' server {' >> /etc/nginx/nginx.conf; + echo ' listen 80;' >> /etc/nginx/nginx.conf; + echo ' server_name localhost;' >> /etc/nginx/nginx.conf; + echo ' location /ads { return 200 "adservice answer for path /ads\n"; }' >> /etc/nginx/nginx.conf; + echo ' }' >> /etc/nginx/nginx.conf; + echo '}' >> /etc/nginx/nginx.conf; + nginx -g "daemon off;" + ports: + - containerPort: 80 +--- +apiVersion: v1 +kind: Service +metadata: + name: adservice-service + namespace: otterize-visual-tutorial-istio +spec: + selector: + app: adservice + ports: + - protocol: TCP + port: 8080 + targetPort: 80 +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cartservice-service-account + namespace: otterize-visual-tutorial-istio + labels: + app: cartservice +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cartservice + namespace: otterize-visual-tutorial-istio +spec: + selector: + matchLabels: + app: cartservice + replicas: 1 + template: + metadata: + labels: + app: cartservice + spec: + serviceAccountName: cartservice-service-account + containers: + - name: nginx + image: nginx:1.14.2 + command: ["/bin/sh", "-c"] + args: + - | + echo 'events {}' > /etc/nginx/nginx.conf; + echo 'http {' >> /etc/nginx/nginx.conf; + echo ' include /etc/nginx/mime.types;' >> 
/etc/nginx/nginx.conf; + echo ' server {' >> /etc/nginx/nginx.conf; + echo ' listen 80;' >> /etc/nginx/nginx.conf; + echo ' server_name localhost;' >> /etc/nginx/nginx.conf; + echo ' location /items { return 200 "cartservice answer for path /items\n"; }' >> /etc/nginx/nginx.conf; + echo ' }' >> /etc/nginx/nginx.conf; + echo '}' >> /etc/nginx/nginx.conf; + nginx -g "daemon off;" + ports: + - containerPort: 80 + - name: cartservice-post-redis-cart + image: alpine/curl + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do echo \"Calling redis-cart...\"; if ! timeout 2 curl -X POST -si redis-cart-service:8080/items; then echo \"curl timed out\"; fi; sleep 2; done" ] + - name: cartservice-call-redis-cart + image: alpine/curl + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do echo \"Calling redis-cart...\"; if ! timeout 2 curl -si redis-cart-service:8080/items; then echo \"curl timed out\"; fi; sleep 2; done" ] +--- +apiVersion: v1 +kind: Service +metadata: + name: cartservice-service + namespace: otterize-visual-tutorial-istio +spec: + selector: + app: cartservice + ports: + - protocol: TCP + port: 8080 + targetPort: 80 +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: checkoutservice-service-account + namespace: otterize-visual-tutorial-istio + labels: + app: checkoutservice +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: checkoutservice + namespace: otterize-visual-tutorial-istio +spec: + selector: + matchLabels: + app: checkoutservice + replicas: 1 + template: + metadata: + labels: + app: checkoutservice + spec: + serviceAccountName: checkoutservice-service-account + containers: + - name: nginx + image: nginx:1.14.2 + command: ["/bin/sh", "-c"] + args: + - | + echo 'events {}' > /etc/nginx/nginx.conf; + echo 'http {' >> /etc/nginx/nginx.conf; + echo ' include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf; + echo ' server {' >> /etc/nginx/nginx.conf; + echo ' listen 80;' >> /etc/nginx/nginx.conf; + echo ' 
server_name localhost;' >> /etc/nginx/nginx.conf; + echo ' location /checkout { return 200 "checkoutservice answer for path /checkout\n"; }' >> /etc/nginx/nginx.conf; + echo ' }' >> /etc/nginx/nginx.conf; + echo '}' >> /etc/nginx/nginx.conf; + nginx -g "daemon off;" + ports: + - containerPort: 80 + - name: checkoutservice-post-productcatalogservice + image: alpine/curl + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do echo \"Calling productcatalogservice...\"; if ! timeout 2 curl -X POST -si productcatalogservice-service:8080/products; then echo \"curl timed out\"; fi; sleep 2; done" ] +--- +apiVersion: v1 +kind: Service +metadata: + name: checkoutservice-service + namespace: otterize-visual-tutorial-istio +spec: + selector: + app: checkoutservice + ports: + - protocol: TCP + port: 8080 + targetPort: 80 +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: currencyservice-service-account + namespace: otterize-visual-tutorial-istio + labels: + app: currencyservice +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: currencyservice + namespace: otterize-visual-tutorial-istio +spec: + selector: + matchLabels: + app: currencyservice + replicas: 1 + template: + metadata: + labels: + app: currencyservice + spec: + serviceAccountName: currencyservice-service-account + containers: + - name: nginx + image: nginx:1.14.2 + command: ["/bin/sh", "-c"] + args: + - | + echo 'events {}' > /etc/nginx/nginx.conf; + echo 'http {' >> /etc/nginx/nginx.conf; + echo ' include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf; + echo ' server {' >> /etc/nginx/nginx.conf; + echo ' listen 80;' >> /etc/nginx/nginx.conf; + echo ' server_name localhost;' >> /etc/nginx/nginx.conf; + echo ' location /currency { return 200 "currencyservice answer for path /currency\n"; }' >> /etc/nginx/nginx.conf; + echo ' }' >> /etc/nginx/nginx.conf; + echo '}' >> /etc/nginx/nginx.conf; + nginx -g "daemon off;" + ports: + - containerPort: 80 +--- +apiVersion: v1 +kind: Service 
+metadata: + name: currencyservice-service + namespace: otterize-visual-tutorial-istio +spec: + selector: + app: currencyservice + ports: + - protocol: TCP + port: 8080 + targetPort: 80 +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: frontend-service-account + namespace: otterize-visual-tutorial-istio + labels: + app: frontend +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: frontend + namespace: otterize-visual-tutorial-istio +spec: + selector: + matchLabels: + app: frontend + replicas: 1 + template: + metadata: + labels: + app: frontend + spec: + serviceAccountName: frontend-service-account + containers: + - name: nginx + image: nginx:1.14.2 + command: ["/bin/sh", "-c"] + args: + - | + echo 'events {}' > /etc/nginx/nginx.conf; + echo 'http {' >> /etc/nginx/nginx.conf; + echo ' include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf; + echo ' server {' >> /etc/nginx/nginx.conf; + echo ' listen 80;' >> /etc/nginx/nginx.conf; + echo ' server_name localhost;' >> /etc/nginx/nginx.conf; + echo ' location / { return 200 "frontend answer for path /\n"; }' >> /etc/nginx/nginx.conf; + echo ' }' >> /etc/nginx/nginx.conf; + echo '}' >> /etc/nginx/nginx.conf; + nginx -g "daemon off;" + ports: + - containerPort: 80 + - name: frontend-call-adservice + image: alpine/curl + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do echo \"Calling adservice...\"; if ! timeout 2 curl -si adservice-service:8080/ads; then echo \"curl timed out\"; fi; sleep 2; done" ] + - name: frontend-call-cartservice + image: alpine/curl + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do echo \"Calling cartservice...\"; if ! timeout 2 curl -si cartservice-service:8080/items; then echo \"curl timed out\"; fi; sleep 2; done" ] + - name: frontend-post-cartservice + image: alpine/curl + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do echo \"Calling cartservice...\"; if ! 
timeout 2 curl -X POST -si cartservice-service:8080/items; then echo \"curl timed out\"; fi; sleep 2; done" ] + - name: frontend-call-currencyservice + image: alpine/curl + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do echo \"Calling currencyservice...\"; if ! timeout 2 curl -si currencyservice-service:8080/currency; then echo \"curl timed out\"; fi; sleep 2; done" ] + - name: frontend-call-productcatalogservice + image: alpine/curl + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do echo \"Calling productcatalogservice...\"; if ! timeout 2 curl -si productcatalogservice-service:8080/products; then echo \"curl timed out\"; fi; sleep 2; done" ] + - name: frontend-call-recommendationservice + image: alpine/curl + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do echo \"Calling recommendationservice...\"; if ! timeout 2 curl -si recommendationservice-service:8080/recommendations; then echo \"curl timed out\"; fi; sleep 2; done" ] + - name: frontend-post-shippingservice + image: alpine/curl + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do echo \"Calling shippingservice...\"; if ! timeout 2 curl -X POST -si shippingservice-service:8080/shipping; then echo \"curl timed out\"; fi; sleep 2; done" ] + - name: frontend-post-checkoutservice + image: alpine/curl + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do echo \"Calling checkoutservice...\"; if ! 
timeout 2 curl -X POST -si checkoutservice-service:8080/checkout; then echo \"curl timed out\"; fi; sleep 2; done" ] +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend-service + namespace: otterize-visual-tutorial-istio +spec: + selector: + app: frontend + ports: + - protocol: TCP + port: 8080 + targetPort: 80 +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: loadgenerator-service-account + namespace: otterize-visual-tutorial-istio + labels: + app: loadgenerator +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: loadgenerator + namespace: otterize-visual-tutorial-istio +spec: + selector: + matchLabels: + app: loadgenerator + replicas: 1 + template: + metadata: + labels: + app: loadgenerator + spec: + serviceAccountName: loadgenerator-service-account + containers: + - name: loadgenerator-call-frontend + image: alpine/curl + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do echo \"Calling frontend...\"; if ! timeout 2 curl -si frontend-service:8080/; then echo \"curl timed out\"; fi; sleep 2; done" ] +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: productcatalogservice-service-account + namespace: otterize-visual-tutorial-istio + labels: + app: productcatalogservice +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: productcatalogservice + namespace: otterize-visual-tutorial-istio +spec: + selector: + matchLabels: + app: productcatalogservice + replicas: 1 + template: + metadata: + labels: + app: productcatalogservice + spec: + serviceAccountName: productcatalogservice-service-account + containers: + - name: nginx + image: nginx:1.14.2 + command: ["/bin/sh", "-c"] + args: + - | + echo 'events {}' > /etc/nginx/nginx.conf; + echo 'http {' >> /etc/nginx/nginx.conf; + echo ' include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf; + echo ' server {' >> /etc/nginx/nginx.conf; + echo ' listen 80;' >> /etc/nginx/nginx.conf; + echo ' server_name localhost;' >> /etc/nginx/nginx.conf; + echo ' 
location /products { return 200 "productcatalogservice answer for path /products\n"; }' >> /etc/nginx/nginx.conf; + echo ' location /similar-products { return 200 "productcatalogservice answer for path /similar-products\n"; }' >> /etc/nginx/nginx.conf; + echo ' }' >> /etc/nginx/nginx.conf; + echo '}' >> /etc/nginx/nginx.conf; + nginx -g "daemon off;" + ports: + - containerPort: 80 +--- +apiVersion: v1 +kind: Service +metadata: + name: productcatalogservice-service + namespace: otterize-visual-tutorial-istio +spec: + selector: + app: productcatalogservice + ports: + - protocol: TCP + port: 8080 + targetPort: 80 +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: recommendationservice-service-account + namespace: otterize-visual-tutorial-istio + labels: + app: recommendationservice +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: recommendationservice + namespace: otterize-visual-tutorial-istio +spec: + selector: + matchLabels: + app: recommendationservice + replicas: 1 + template: + metadata: + labels: + app: recommendationservice + spec: + serviceAccountName: recommendationservice-service-account + containers: + - name: nginx + image: nginx:1.14.2 + command: ["/bin/sh", "-c"] + args: + - | + echo 'events {}' > /etc/nginx/nginx.conf; + echo 'http {' >> /etc/nginx/nginx.conf; + echo ' include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf; + echo ' server {' >> /etc/nginx/nginx.conf; + echo ' listen 80;' >> /etc/nginx/nginx.conf; + echo ' server_name localhost;' >> /etc/nginx/nginx.conf; + echo ' location /recommendations { return 200 "recommendationservice answer for path /recommendations\n"; }' >> /etc/nginx/nginx.conf; + echo ' }' >> /etc/nginx/nginx.conf; + echo '}' >> /etc/nginx/nginx.conf; + nginx -g "daemon off;" + ports: + - containerPort: 80 + - name: recommendationservice-call-productcatalogservice + image: alpine/curl + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do echo \"Calling productcatalogservice...\"; if ! 
timeout 2 curl -si productcatalogservice-service:8080/similar-products; then echo \"curl timed out\"; fi; sleep 2; done" ] +--- +apiVersion: v1 +kind: Service +metadata: + name: recommendationservice-service + namespace: otterize-visual-tutorial-istio +spec: + selector: + app: recommendationservice + ports: + - protocol: TCP + port: 8080 + targetPort: 80 +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: redis-cart-service-account + namespace: otterize-visual-tutorial-istio + labels: + app: redis-cart +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-cart + namespace: otterize-visual-tutorial-istio +spec: + selector: + matchLabels: + app: redis-cart + replicas: 1 + template: + metadata: + labels: + app: redis-cart + spec: + serviceAccountName: redis-cart-service-account + containers: + - name: nginx + image: nginx:1.14.2 + command: ["/bin/sh", "-c"] + args: + - | + echo 'events {}' > /etc/nginx/nginx.conf; + echo 'http {' >> /etc/nginx/nginx.conf; + echo ' include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf; + echo ' server {' >> /etc/nginx/nginx.conf; + echo ' listen 80;' >> /etc/nginx/nginx.conf; + echo ' server_name localhost;' >> /etc/nginx/nginx.conf; + echo ' location /items { return 200 "redis-cart answer for path /items\n"; }' >> /etc/nginx/nginx.conf; + echo ' }' >> /etc/nginx/nginx.conf; + echo '}' >> /etc/nginx/nginx.conf; + nginx -g "daemon off;" + ports: + - containerPort: 80 +--- +apiVersion: v1 +kind: Service +metadata: + name: redis-cart-service + namespace: otterize-visual-tutorial-istio +spec: + selector: + app: redis-cart + ports: + - protocol: TCP + port: 8080 + targetPort: 80 +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: shippingservice-service-account + namespace: otterize-visual-tutorial-istio + labels: + app: shippingservice +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: shippingservice + namespace: otterize-visual-tutorial-istio +spec: + selector: + matchLabels: + app: 
shippingservice + replicas: 1 + template: + metadata: + labels: + app: shippingservice + spec: + serviceAccountName: shippingservice-service-account + containers: + - name: nginx + image: nginx:1.14.2 + command: ["/bin/sh", "-c"] + args: + - | + echo 'events {}' > /etc/nginx/nginx.conf; + echo 'http {' >> /etc/nginx/nginx.conf; + echo ' include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf; + echo ' server {' >> /etc/nginx/nginx.conf; + echo ' listen 80;' >> /etc/nginx/nginx.conf; + echo ' server_name localhost;' >> /etc/nginx/nginx.conf; + echo ' location /shipping { return 200 "shippingservice answer for path /shipping\n"; }' >> /etc/nginx/nginx.conf; + echo ' }' >> /etc/nginx/nginx.conf; + echo '}' >> /etc/nginx/nginx.conf; + nginx -g "daemon off;" + ports: + - containerPort: 80 +--- +apiVersion: v1 +kind: Service +metadata: + name: shippingservice-service + namespace: otterize-visual-tutorial-istio +spec: + selector: + app: shippingservice + ports: + - protocol: TCP + port: 8080 + targetPort: 80 +--- diff --git a/static/code-examples/ibac-for-istio/intents/cartservice.yaml b/static/code-examples/ibac-for-istio/intents/cartservice.yaml new file mode 100644 index 000000000..06ea2e28a --- /dev/null +++ b/static/code-examples/ibac-for-istio/intents/cartservice.yaml @@ -0,0 +1,16 @@ +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents +metadata: + name: cartservice + namespace: otterize-visual-tutorial-istio +spec: + service: + name: cartservice + calls: + - name: redis-cart + type: http + resources: + - path: /items + methods: + - GET + - POST \ No newline at end of file diff --git a/static/code-examples/ibac-for-istio/intents/checkoutservice.yaml b/static/code-examples/ibac-for-istio/intents/checkoutservice.yaml new file mode 100644 index 000000000..66fcbe131 --- /dev/null +++ b/static/code-examples/ibac-for-istio/intents/checkoutservice.yaml 
@@ -0,0 +1,15 @@ +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents +metadata: + name: checkoutservice + namespace: otterize-visual-tutorial-istio +spec: + service: + name: checkoutservice + calls: + - name: productcatalogservice + type: http + resources: + - path: /products + methods: + - POST \ No newline at end of file diff --git a/static/code-examples/ibac-for-istio/intents/frontend.yaml b/static/code-examples/ibac-for-istio/intents/frontend.yaml new file mode 100644 index 000000000..331c83a46 --- /dev/null +++ b/static/code-examples/ibac-for-istio/intents/frontend.yaml @@ -0,0 +1,52 @@ +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents +metadata: + name: frontend + namespace: otterize-visual-tutorial-istio +spec: + service: + name: frontend + calls: + - name: adservice + type: http + resources: + - path: /ads + methods: + - GET + - name: cartservice + type: http + resources: + - path: /items + methods: + - POST + - GET + - name: checkoutservice + type: http + resources: + - path: /checkout + methods: + - POST + - name: currencyservice + type: http + resources: + - path: /currency + methods: + - GET + - name: productcatalogservice + type: http + resources: + - path: /products + methods: + - GET + - name: recommendationservice + type: http + resources: + - path: /recommendations + methods: + - GET + - name: shippingservice + type: http + resources: + - path: /shipping + methods: + - POST \ No newline at end of file diff --git a/static/code-examples/ibac-for-istio/intents/loadgenerator.yaml b/static/code-examples/ibac-for-istio/intents/loadgenerator.yaml new file mode 100644 index 000000000..58cf08519 --- /dev/null +++ b/static/code-examples/ibac-for-istio/intents/loadgenerator.yaml 
@@ -0,0 +1,15 @@ +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents +metadata: + name: loadgenerator + namespace: otterize-visual-tutorial-istio +spec: + service: + name: loadgenerator + calls: + - name: frontend + type: http + resources: + - path: / + methods: + - GET \ No newline at end of file diff --git a/static/code-examples/ibac-for-istio/intents/recommendationservice.yaml b/static/code-examples/ibac-for-istio/intents/recommendationservice.yaml new file mode 100644 index 000000000..0d9490b5c --- /dev/null +++ b/static/code-examples/ibac-for-istio/intents/recommendationservice.yaml @@ -0,0 +1,15 @@ +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents +metadata: + name: recommendationservice + namespace: otterize-visual-tutorial-istio +spec: + service: + name: recommendationservice + calls: + - name: productcatalogservice + type: http + resources: + - path: /similar-products + methods: + - GET \ No newline at end of file diff --git a/static/code-examples/ibac-for-istio/phase-1.yaml b/static/code-examples/ibac-for-istio/phase-1.yaml new file mode 100644 index 000000000..40e61f4b0 --- /dev/null +++ b/static/code-examples/ibac-for-istio/phase-1.yaml @@ -0,0 +1,14 @@ +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents +metadata: + name: frontend +spec: + service: + name: frontend + calls: + - name: recommendationservice + type: http + resources: + - path: /recommendations + methods: + - GET \ No newline at end of file diff --git a/static/code-examples/ibac-for-istio/phase-2.yaml b/static/code-examples/ibac-for-istio/phase-2.yaml new file mode 100644 index 000000000..19fadde07 --- /dev/null +++ b/static/code-examples/ibac-for-istio/phase-2.yaml 
@@ -0,0 +1,14 @@ +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents +metadata: + name: recommendationservice +spec: + service: + name: recommendationservice + calls: + - name: productcatalogservice + type: http + resources: + - path: /similar-products + methods: + - GET \ No newline at end of file diff --git a/static/code-examples/ibac-for-istio/phase-3-checkout.yaml b/static/code-examples/ibac-for-istio/phase-3-checkout.yaml new file mode 100644 index 000000000..1a24e2497 --- /dev/null +++ b/static/code-examples/ibac-for-istio/phase-3-checkout.yaml @@ -0,0 +1,15 @@ +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents +metadata: + name: checkoutservice + namespace: otterize-visual-tutorial-istio +spec: + service: + name: checkoutservice + calls: + - name: productcatalogservice + type: http + resources: + - path: /products + methods: + - POST diff --git a/static/code-examples/ibac-for-istio/phase-3-frontend.yaml b/static/code-examples/ibac-for-istio/phase-3-frontend.yaml new file mode 100644 index 000000000..b7b147df4 --- /dev/null +++ b/static/code-examples/ibac-for-istio/phase-3-frontend.yaml @@ -0,0 +1,20 @@ +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents +metadata: + name: frontend +spec: + service: + name: frontend + calls: + - name: recommendationservice + type: http + resources: + - path: /recommendations + methods: + - GET + - name: productcatalogservice + type: http + resources: + - path: /products + methods: + - GET \ No newline at end of file diff --git a/static/code-examples/ibac-for-istio/phase-3.yaml b/static/code-examples/ibac-for-istio/phase-3.yaml new file mode 100644 index 000000000..8dfb11a64 --- /dev/null +++ b/static/code-examples/ibac-for-istio/phase-3.yaml 
@@ -0,0 +1,35 @@ +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents +metadata: + name: frontend +spec: + service: + name: frontend + calls: + - name: recommendationservice + type: http + resources: + - path: /recommendations + methods: + - GET + - name: productcatalogservice + type: http + resources: + - path: /products + methods: + - GET +--- +apiVersion: k8s.otterize.com/v1alpha2 +kind: ClientIntents +metadata: + name: checkoutservice +spec: + service: + name: checkoutservice + calls: + - name: productcatalogservice + type: http + resources: + - path: /products + methods: + - POST \ No newline at end of file diff --git a/static/img/quick-tutorials/istio-visual-tutorial/access-graph-panel.png b/static/img/quick-tutorials/istio-visual-tutorial/access-graph-panel.png new file mode 100644 index 000000000..c119686d9 Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/access-graph-panel.png differ diff --git a/static/img/quick-tutorials/istio-visual-tutorial/cluster-connected.png b/static/img/quick-tutorials/istio-visual-tutorial/cluster-connected.png new file mode 100644 index 000000000..80e40a3f8 Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/cluster-connected.png differ diff --git a/static/img/quick-tutorials/istio-visual-tutorial/frontend-productactalogservice-missing-intent.png b/static/img/quick-tutorials/istio-visual-tutorial/frontend-productactalogservice-missing-intent.png new file mode 100644 index 000000000..c03a77895 Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/frontend-productactalogservice-missing-intent.png differ 
diff --git a/static/img/quick-tutorials/istio-visual-tutorial/frontend-recommendation-applied.png b/static/img/quick-tutorials/istio-visual-tutorial/frontend-recommendation-applied.png new file mode 100644 index 000000000..04c02c694 Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/frontend-recommendation-applied.png differ diff --git a/static/img/quick-tutorials/istio-visual-tutorial/frontend-recommendation-phase-0.png b/static/img/quick-tutorials/istio-visual-tutorial/frontend-recommendation-phase-0.png new file mode 100644 index 000000000..a81b8140c Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/frontend-recommendation-phase-0.png differ diff --git a/static/img/quick-tutorials/istio-visual-tutorial/phase-0.png b/static/img/quick-tutorials/istio-visual-tutorial/phase-0.png new file mode 100644 index 000000000..8388e6fc7 Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/phase-0.png differ diff --git a/static/img/quick-tutorials/istio-visual-tutorial/phase-1.png b/static/img/quick-tutorials/istio-visual-tutorial/phase-1.png new file mode 100644 index 000000000..678b3e72d Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/phase-1.png differ diff --git a/static/img/quick-tutorials/istio-visual-tutorial/phase-2.png b/static/img/quick-tutorials/istio-visual-tutorial/phase-2.png new file mode 100644 index 000000000..b6c664e5a Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/phase-2.png differ diff --git a/static/img/quick-tutorials/istio-visual-tutorial/phase-3.png b/static/img/quick-tutorials/istio-visual-tutorial/phase-3.png new file mode 100644 index 000000000..f1c923ac9 Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/phase-3.png differ 
diff --git a/static/img/quick-tutorials/istio-visual-tutorial/phase-4.png b/static/img/quick-tutorials/istio-visual-tutorial/phase-4.png new file mode 100644 index 000000000..6589f1970 Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/phase-4.png differ diff --git a/static/img/quick-tutorials/istio-visual-tutorial/phase-5.png b/static/img/quick-tutorials/istio-visual-tutorial/phase-5.png new file mode 100644 index 000000000..f3aa2be33 Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/phase-5.png differ diff --git a/static/img/quick-tutorials/istio-visual-tutorial/productcatalog-service-access-status.png b/static/img/quick-tutorials/istio-visual-tutorial/productcatalog-service-access-status.png new file mode 100644 index 000000000..ebe1d98cb Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/productcatalog-service-access-status.png differ diff --git a/static/img/quick-tutorials/istio-visual-tutorial/productcatalog-service-all-green.png b/static/img/quick-tutorials/istio-visual-tutorial/productcatalog-service-all-green.png new file mode 100644 index 000000000..29902ba40 Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/productcatalog-service-all-green.png differ diff --git a/static/img/quick-tutorials/istio-visual-tutorial/productcatalog-would-block.png b/static/img/quick-tutorials/istio-visual-tutorial/productcatalog-would-block.png new file mode 100644 index 000000000..c657b217e Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/productcatalog-would-block.png differ diff --git a/static/img/quick-tutorials/istio-visual-tutorial/recommendation-access-state.png b/static/img/quick-tutorials/istio-visual-tutorial/recommendation-access-state.png new file mode 100644 index 000000000..870852f65 Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/recommendation-access-state.png differ 
diff --git a/static/img/quick-tutorials/istio-visual-tutorial/recommendation-graph-phase-0.png b/static/img/quick-tutorials/istio-visual-tutorial/recommendation-graph-phase-0.png new file mode 100644 index 000000000..8ab32e384 Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/recommendation-graph-phase-0.png differ diff --git a/static/img/quick-tutorials/istio-visual-tutorial/recommendation-service-phase-0.png b/static/img/quick-tutorials/istio-visual-tutorial/recommendation-service-phase-0.png new file mode 100644 index 000000000..a8c19783f Binary files /dev/null and b/static/img/quick-tutorials/istio-visual-tutorial/recommendation-service-phase-0.png differ
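Review bot: static/code-examples/ibac-for-istio/allow-nothing.yaml is edited in place, so its `namespace:` now points at `otterize-visual-tutorial-istio` for every page that links to this file. With `spec: {}` and no selector, this AuthorizationPolicy denies all requests in whichever namespace it names. Please confirm that no existing tutorial still deploys into `otterize-tutorial-istio` and applies this file; if one does, add the visual-tutorial policy as a new file rather than retargeting this one.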
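Review bot: in static/code-examples/ibac-for-istio/demo-app.yaml every client container uses `image: alpine/curl` with no tag, which resolves to `latest`, so what readers run can change without this file changing. Pin it to a specific tag or digest, and consider moving the servers off `nginx:1.14.2` to a currently maintained tag. Separately, each loop prints `curl timed out` on any non-zero exit of `timeout 2 curl ...`, including connection errors, so a message such as "curl failed or timed out" would describe the condition more accurately.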
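Review bot: the new files under static/code-examples/ibac-for-istio/intents/ (cartservice.yaml, checkoutservice.yaml, frontend.yaml, loadgenerator.yaml, recommendationservice.yaml) all end with `\ No newline at end of file`, while phase-3-checkout.yaml in the same change ends with a newline. Add the trailing newline to each so the files are consistent and later edits do not produce a spurious diff on the last line.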
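Review bot: static/code-examples/ibac-for-istio/phase-1.yaml has no `namespace:` under `metadata`, unlike intents/frontend.yaml, which sets `namespace: otterize-visual-tutorial-istio` for the same `frontend` ClientIntents. The same omission appears in phase-2.yaml, phase-3-frontend.yaml and phase-3.yaml. A reader who applies these without `-n` gets the resource in the current context's namespace, where it will not match the demo workloads. Either add the namespace to these files or make sure every command in the tutorial that applies them passes `-n otterize-visual-tutorial-istio`.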
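Review bot: static/code-examples/ibac-for-istio/phase-3.yaml repeats the two documents that this change also adds as phase-3-frontend.yaml and phase-3-checkout.yaml, and the copies already differ: the `checkoutservice` document here has no `namespace:`, while phase-3-checkout.yaml sets `namespace: otterize-visual-tutorial-istio`. Keep either the combined file or the two split files, and if both are needed by the docs, make the metadata identical.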
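Review bot: the image static/img/quick-tutorials/istio-visual-tutorial/frontend-productactalogservice-missing-intent.png is misspelled ("productactalogservice"), while the service is named `productcatalogservice` everywhere else in this change. Rename the file and update the reference in the tutorial page, so the asset can be found by searching for the service name.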