docs: minor corrections
burgerdev committed Oct 17, 2024
1 parent 75131a1 commit 920014b
Showing 2 changed files with 4 additions and 3 deletions.
2 changes: 1 addition & 1 deletion docs/docs/deployment.md
Expand Up @@ -379,7 +379,7 @@ echo $lbip
By default, mesh certificates are issued with a wildcard DNS entry. The web frontend is accessed
via load balancer IP in this demo. Tools like curl check the certificate for IP entries in the SAN field.
Validation fails since the certificate contains no IP entries as a subject alternative name (SAN).
For example, a connection attempt using the curl and the mesh CA certificate with throw the following error:
For example, attempting to connect with curl and the mesh CA certificate will throw the following error:

```sh
$ curl --cacert ./verify/mesh-ca.pem "https://${frontendIP}:443"
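Review bot: the wording fix ("with throw" to "will throw") is correct, but the sentence two lines up has the same kind of slip: "accessed via load balancer IP" should read "accessed via the load balancer IP". Since this paragraph tells the reader that validation fails because the wildcard certificate carries no IP SAN, it would also help to state plainly that the curl error shown is the expected result of a correct certificate check, so nobody reads it as a hint to disable verification; the paragraph already explains the cause, it just never says the failure is the intended behaviour.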
5 changes: 3 additions & 2 deletions docs/docs/features-limitations.md
Expand Up @@ -18,10 +18,11 @@ This section lists planned features and current limitations of Contrast.
- **Coverage**: While the enforcement of workload policies generally functions well, [there are scenarios not yet fully covered](https://github.com/microsoft/kata-containers/releases/tag/3.2.0.azl0.genpolicy). It's crucial to review deployments specifically for these edge cases.
- **Order of events**: The current policy evaluation mechanism on API requests isn't stateful, so it can't ensure a prescribed order of events. Consequently, there's no guaranteed enforcement that the [service mesh sidecar](components/service-mesh.md) container runs *before* the workload container. This order ensures that all traffic between pods is securely encapsulated within TLS connections.
- **Absence of events**: Policies can't ensure certain events have happened. A container, such as the [service mesh sidecar](components/service-mesh.md), can be omitted entirely. Environment variables may be missing.
- **Volume integrity checks**: While persistent volumes aren't supported yet, integrity checks don't currently cover other objects such as `ConfigMaps` and `Secrets`.
- **Volume integrity checks**: Integrity checks don't cover any volume mounts, such as `ConfigMaps` and `Secrets`.

:::warning
The policy limitations, in particular the missing guarantee that our service mesh sidecar has been started before the workload container affects the service mesh implementation of Contrast. Currently, this requires inspecting the iptables rules on startup or terminating TLS connections in the workload directly.
The policy limitations, in particular the missing guarantee that our service mesh sidecar has been started before the workload container, affect the service mesh implementation of Contrast.
Currently, this requires inspecting the iptables rules on startup or terminating TLS connections in the workload directly.
:::

## Tooling integration
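Review bot: the rewritten "Volume integrity checks" bullet drops the statement that persistent volumes aren't supported yet; if that limitation still holds, it should remain documented somewhere, since a reader of this list would otherwise assume persistent volumes are both supported and unchecked. The new sentence also says "volume mounts, such as `ConfigMaps` and `Secrets`", but those are the objects backing a mount rather than mounts themselves; "any volume mounts, including those backed by `ConfigMaps` and `Secrets`" states the limitation precisely. The broadening from "other objects" to "any volume mounts" is a stronger limitation claim and reads as intentional; the comma and line-break fixes in the warning block are fine.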
