
Alibaba Cloud Service Mesh:Getting started

Last Updated:Oct 22, 2024

This topic describes how to secure and route traffic to an application that is deployed in a Service Mesh (ASM) instance in Ambient Mesh mode: you first apply Layer 4 and Layer 7 authorization policies to the application, and then define Layer 7 routing rules for it.

Prerequisites

  • The sample code is deployed. For more information, see Preparations.

  • You have downloaded the Service Mesh (ASM) debugging tool, istioctl, for your operating system and platform. The istioctl version must be compatible with the version of your ASM instance. For more information, visit the Istio repository on GitHub.

Important

When you perform the operations in this topic, you may need to switch between Kubernetes contexts repeatedly to operate on the data-plane clusters and on the control plane. To avoid applying a resource to the wrong cluster, confirm that the current context is the intended one every time you switch contexts. You can use kubectx to simplify context switching. For more information, see kubectx. Alternatively, you can enable the feature that exposes Istio resources through the Kubernetes API of a data-plane cluster, so that you can operate on the control plane directly from the data-plane cluster.

Step 1: Enable an authorization policy

After you deploy an application in the ASM instance in Ambient Mesh mode, you can use Layer 4 authorization policies to secure access to the application. For example, you can control access to the application based on the identities of client workloads.

Note

Layer 4 authorization policies for ASM instances of V1.22 are in canary release. Layer 4 authorization policies for ASM instances of V1.21 and earlier can be used normally. To use Layer 4 authorization policies for an ASM instance of V1.22, submit a ticket.

Layer 4 authorization policies

  1. Create a productpage-viewer.yaml file that contains the following content.

    The YAML file defines an authorization policy that explicitly allows only the service accounts of the sleep application and the ingress gateway to call the productpage service. Because the rule uses only Layer 4 attributes (the identity of the caller), it is enforced by ztunnel and does not require a waypoint proxy.

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
     name: productpage-viewer
     namespace: default
    spec:
     selector:
       matchLabels:
         app: productpage
     action: ALLOW
     rules:
     - from:
       - source:
           principals:
           - cluster.local/ns/default/sa/sleep
           - cluster.local/ns/istio-system/sa/istio-ingressgateway
  2. Use kubectl to connect to the ASM instance based on the information in the kubeconfig file, and then run the following command to deploy the authorization policy:

    kubectl apply -f productpage-viewer.yaml
  3. Verify whether the authorization policy takes effect.

    1. Run the following command:

      kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o "<title>.*</title>"

      Expected output:

      <title>Simple Bookstore App</title>
    2. Run the following command:

      kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"

      Expected output:

      <title>Simple Bookstore App</title>
    3. Run the following command:

      kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"

      Expected output:

      command terminated with exit code 56

      curl exit code 56 means that curl failed to receive network data: the connection from the notsleep pod is closed at Layer 4 because its service account is not listed in the policy. The preceding output indicates that the authorization policy takes effect.

Layer 7 authorization policies

For ASM instances of V1.21 and earlier

You can use the Kubernetes Gateway API to deploy a waypoint proxy for the bookinfo-productpage service account. This waypoint proxy is used for the productpage service. Traffic destined for the productpage service is routed by this Layer 7 proxy.

  1. Run the following command to deploy a waypoint proxy for the bookinfo-productpage service account:

    istioctl x waypoint apply --service-account bookinfo-productpage
  2. Run the following command to view the status of the waypoint proxy for the productpage service:

    kubectl get gtw bookinfo-productpage -o yaml


    apiVersion: gateway.networking.k8s.io/v1beta1
    kind: Gateway
    metadata:
      annotations:
        gateway.istio.io/controller-version: "5"
        istio.io/for-service-account: bookinfo-productpage
      creationTimestamp: "2023-08-10T08:35:51Z"
      generation: 1
      name: bookinfo-productpage
      namespace: default
      resourceVersion: "7828921"
      uid: c085b788-a8fa-4a2c-8376-18d08689****
    spec:
      gatewayClassName: istio-waypoint
      listeners:
      - allowedRoutes:
          namespaces:
            from: Same
        name: mesh
        port: 15008
        protocol: HBONE
    status:
      conditions:
      - lastTransitionTime: "2023-08-10T08:35:51Z"
        message: Handled by Istio controller
        observedGeneration: 1
        reason: Accepted
        status: "True"
        type: Accepted
  3. Modify the authorization policy.

    1. Replace the content of the productpage-viewer.yaml file with the following content. The policy now selects the waypoint proxy (by its istio.io/gateway-name label) instead of the productpage pods, because HTTP methods can be evaluated only by the Layer 7 proxy. It explicitly allows the service accounts of the sleep application and the gateway to access the productpage service by using GET requests, while all other operations are denied.

      apiVersion: security.istio.io/v1beta1
      kind: AuthorizationPolicy
      metadata:
       name: productpage-viewer
       namespace: default
      spec:
       selector:
         matchLabels:
           istio.io/gateway-name: bookinfo-productpage
       action: ALLOW
       rules:
       - from:
         - source:
             principals:
             - cluster.local/ns/default/sa/sleep
             - cluster.local/ns/istio-system/sa/istio-ingressgateway
         to:
         - operation:
             methods: ["GET"]
    2. Run the following command to redeploy the authorization policy:

      kubectl apply -f productpage-viewer.yaml
  4. Verify whether the authorization policy takes effect.

    1. Run the following command:

      kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" -X DELETE

      Expected output:

       RBAC: access denied
    2. Run the following command:

      kubectl exec deploy/notsleep -- curl -s http://productpage:9080/

      Expected output:

        RBAC: access denied
    3. Run the following command:

      kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"

      Expected output:

       <title>Simple Bookstore App</title>

      The preceding output indicates that the authorization policy takes effect.

For ASM instances of V1.22 and later

To use Layer 7 capabilities in Ambient Mesh mode, you must first enable a waypoint proxy for the specified service or workload.

How do I enable a waypoint proxy for the specified service or workload?

ASM instances of V1.22 provide a new method of configuring waypoint proxies. You can use this method to flexibly enable waypoint proxies in different scopes. The configurations consist of two parts:

  1. First, you need to create a waypoint proxy and use labels to specify the traffic for which the waypoint proxy takes effect.

    apiVersion: gateway.networking.k8s.io/v1
    kind: Gateway
    metadata:
      labels:
        istio.io/waypoint-for: service
      name: waypoint
      namespace: default
    spec:
      gatewayClassName: istio-waypoint
      listeners:
      - name: mesh
        port: 15008
        protocol: HBONE
    1. The gatewayClassName field of this gateway is istio-waypoint, which indicates that the gateway is a waypoint proxy.

    2. This gateway carries the special label istio.io/waypoint-for: service, which indicates that the waypoint proxy handles only traffic addressed to services. In addition to service, you can set the istio.io/waypoint-for label to workload (traffic addressed to pods) or all (both service and workload traffic).

  2. Specify which traffic will be processed by the waypoint proxy. You need to add the istio.io/use-waypoint label to the service, namespace, or pod and set the value of this label to the name of the waypoint proxy that you want to use.

    apiVersion: v1
    kind: Service
    metadata:
      labels:
        app: httpbin
        service: httpbin
        istio.io/use-waypoint: waypoint
      name: httpbin
      namespace: default
    spec:
      ports:
      - name: http
        port: 8000
        protocol: TCP
        targetPort: 80
      selector:
        app: httpbin
      type: ClusterIP

Demonstration

The following steps demonstrate how to use Layer 7 authorization policies in the environment described in this topic.

  1. Use kubectl to connect to the ACK cluster based on the information in the kubeconfig file. Then, deploy the following content of the waypoint proxy to the default namespace:

    apiVersion: gateway.networking.k8s.io/v1
    kind: Gateway
    metadata:
      labels:
        istio.io/waypoint-for: service
      name: waypoint
      namespace: default
    spec:
      gatewayClassName: istio-waypoint
      listeners:
      - name: mesh
        port: 15008
        protocol: HBONE
  2. Use kubectl to connect to the ACK cluster based on the information in the kubeconfig file. Then, run the following command to add a label for the productpage service so that the traffic of the productpage service is processed by the waypoint proxy:

    kubectl label service productpage istio.io/use-waypoint=waypoint
  3. Update the authorization policy with the following content. The policy is now bound to the productpage service through targetRefs instead of a pod selector, so it is enforced by the waypoint proxy that serves the service:

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: productpage-viewer
      namespace: default
    spec:
      targetRefs:
      - kind: Service
        group: ""
        name: productpage
      action: ALLOW
      rules:
      - from:
        - source:
            principals:
            - cluster.local/ns/default/sa/sleep
        to:
        - operation:
            methods: ["GET"]

    The new authorization policy explicitly indicates that only the GET requests of the sleep application are allowed to access the productpage service and all other requests are rejected.

    Note

    An authorization policy cannot set both selector and targetRefs. If the preceding authorization policy fails to be applied because the existing object still carries the selector field, delete the original authorization policy and apply the preceding authorization policy again.

  4. Verify whether the authorization policy takes effect.

    1. Use kubectl to connect to the ACK cluster based on the information in the kubeconfig file. Then, run the following command to use a GET request to access the productpage service:

      kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"

      Expected output:

      <title>Simple Bookstore App</title>
    2. Run the following command to use a DELETE request to access the productpage service:

      kubectl exec deploy/sleep -- curl -XDELETE -s http://productpage:9080/

      Expected output:

      RBAC: access denied
    3. Run the following command to use a GET request to access the productpage service:

      kubectl exec deploy/notsleep -- curl -s http://productpage:9080/

      Expected output:

      RBAC: access denied

    The preceding output indicates that the authorization policy takes effect.
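
The following Python script is an added example, not ASM or Istio code. It models how the productpage authorization policies in Step 1 are evaluated, so that the allow and deny outcomes of the verification commands (and the case the page warns about, a method-based rule applied where only Layer 4 can be enforced) can be reasoned about offline. The manifests are reduced to Python dicts. Assumptions that are not stated on the page: the notsleep pod runs under the service account cluster.local/ns/default/sa/notsleep; a Service is treated as served by a waypoint only when its istio.io/use-waypoint label names a Gateway of class istio-waypoint in the same namespace whose istio.io/waypoint-for label is service or all (an absent label is treated as service); and at an L4 enforcement point a rule with an L7 attribute such as methods is treated as never matching, so an ALLOW policy built from such rules denies everything (fail-closed). The DENY-before-ALLOW ordering and the "no ALLOW policy means allow" default are Istio's documented semantics; the L4 handling of L7 attributes is this model's assumption.

```python
"""Model of AuthorizationPolicy evaluation for the productpage policies on this page.
Added example, not ASM or Istio code; see the assumptions in the lead-in."""
from dataclasses import dataclass


@dataclass
class Rule:
    principals: list  # from.source.principals; empty means any caller
    methods: list     # to.operation.methods; empty means any method (an L7 attribute)

    def matches(self, principal, method, l7):
        if self.principals and principal not in self.principals:
            return False
        if self.methods:
            if not l7:
                return False  # assumption: the method is invisible at L4, so the rule never matches
            if method not in self.methods:
                return False
        return True


def policy_from_manifest(m):
    """Reduce an AuthorizationPolicy dict to {"action": ..., "rules": [Rule, ...]}."""
    rules = []
    for r in m["spec"].get("rules", []):
        principals = [p for f in r.get("from", []) for p in f["source"].get("principals", [])]
        methods = [x for t in r.get("to", []) for x in t["operation"].get("methods", [])]
        rules.append(Rule(principals, methods))
    return {"action": m["spec"].get("action", "ALLOW"), "rules": rules}


def service_has_waypoint(service, gateways):
    """True when the Service's istio.io/use-waypoint label names a usable waypoint Gateway."""
    target = service["metadata"].get("labels", {}).get("istio.io/use-waypoint")
    ns = service["metadata"]["namespace"]
    for g in gateways:
        scope = g["metadata"].get("labels", {}).get("istio.io/waypoint-for", "service")
        if (g["metadata"]["name"] == target and g["metadata"]["namespace"] == ns
                and g["spec"]["gatewayClassName"] == "istio-waypoint"
                and scope in ("service", "all")):
            return True
    return False


def evaluate(policies, principal, method, l7):
    """Istio order: a matching DENY rule wins; with no ALLOW policy the request is
    allowed; otherwise at least one ALLOW rule must match."""
    denies = [p for p in policies if p["action"] == "DENY"]
    allows = [p for p in policies if p["action"] == "ALLOW"]
    if any(r.matches(principal, method, l7) for p in denies for r in p["rules"]):
        return False
    if not allows:
        return True
    return any(r.matches(principal, method, l7) for p in allows for r in p["rules"])


def allowed(policy_manifests, principal, method, service, gateways):
    l7 = service_has_waypoint(service, gateways)
    return evaluate([policy_from_manifest(m) for m in policy_manifests], principal, method, l7)


SLEEP = "cluster.local/ns/default/sa/sleep"
NOTSLEEP = "cluster.local/ns/default/sa/notsleep"  # assumed identity of the notsleep pod
GATEWAY = "cluster.local/ns/istio-system/sa/istio-ingressgateway"

# Step 1 Layer 4 policy from the page (pod selector, identities only; enforced by ztunnel).
L4_POLICY = {"metadata": {"name": "productpage-viewer", "namespace": "default"},
             "spec": {"selector": {"matchLabels": {"app": "productpage"}}, "action": "ALLOW",
                      "rules": [{"from": [{"source": {"principals": [SLEEP, GATEWAY]}}]}]}}
# Layer 7 policy for V1.22 and later from the page (targetRefs on the Service, sleep + GET only).
L7_POLICY = {"metadata": {"name": "productpage-viewer", "namespace": "default"},
             "spec": {"targetRefs": [{"kind": "Service", "group": "", "name": "productpage"}],
                      "action": "ALLOW",
                      "rules": [{"from": [{"source": {"principals": [SLEEP]}}],
                                 "to": [{"operation": {"methods": ["GET"]}}]}]}}
WAYPOINT = {"metadata": {"name": "waypoint", "namespace": "default",
                         "labels": {"istio.io/waypoint-for": "service"}},
            "spec": {"gatewayClassName": "istio-waypoint"}}
PRODUCTPAGE = {"metadata": {"name": "productpage", "namespace": "default",
                            "labels": {"app": "productpage"}}}
PRODUCTPAGE_WP = {"metadata": {"name": "productpage", "namespace": "default",
                               "labels": {"app": "productpage", "istio.io/use-waypoint": "waypoint"}}}


def page_scenarios():
    """Outcomes the page's verification commands should produce, plus the no-waypoint caveat."""
    return {
        "l4 sleep GET": allowed([L4_POLICY], SLEEP, "GET", PRODUCTPAGE, []),
        "l4 notsleep GET": allowed([L4_POLICY], NOTSLEEP, "GET", PRODUCTPAGE, []),
        "l7 sleep GET": allowed([L7_POLICY], SLEEP, "GET", PRODUCTPAGE_WP, [WAYPOINT]),
        "l7 sleep DELETE": allowed([L7_POLICY], SLEEP, "DELETE", PRODUCTPAGE_WP, [WAYPOINT]),
        "l7 notsleep GET": allowed([L7_POLICY], NOTSLEEP, "GET", PRODUCTPAGE_WP, [WAYPOINT]),
        # Method-based policy applied but the Service was never labelled: no waypoint, fail-closed.
        "l7 policy without waypoint": allowed([L7_POLICY], SLEEP, "GET", PRODUCTPAGE, []),
    }


if __name__ == "__main__":
    for name, ok in page_scenarios().items():
        print(f"{name:28} {'allowed' if ok else 'RBAC: access denied'}")
```

The last scenario is the one to keep in mind when moving from the V1.21 workflow to V1.22: a policy with to.operation.methods only behaves as described on this page once the service is actually bound to a waypoint with the istio.io/use-waypoint label. Checking service_has_waypoint against the live Gateway and Service objects before applying the policy avoids locking out the allowed callers.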

Step 2: Define Layer 7 routing rules

For ASM instances of V1.21 and earlier

  1. Run the following command to deploy a waypoint proxy for the reviews service, so that all traffic to the reviews service is routed by this waypoint proxy:

    istioctl x waypoint apply --service-account bookinfo-reviews
  2. Create a reviews.yaml file that contains the following content.

    Configure a traffic routing rule to send 90% of requests to reviews-v1 and 10% of requests to reviews-v2.


    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: reviews
    spec:
      host: reviews
      trafficPolicy:
        loadBalancer:
          simple: RANDOM
      subsets:
      - name: v1
        labels:
          version: v1
      - name: v2
        labels:
          version: v2
      - name: v3
        labels:
          version: v3
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: reviews
    spec:
      hosts:
        - reviews
      http:
      - route:
        - destination:
            host: reviews
            subset: v1
          weight: 90
        - destination:
            host: reviews
            subset: v2
          weight: 10
    
  3. Run the following command to deploy the destination rule and the virtual service:

    kubectl apply -f reviews.yaml
  4. Run the following command to send 100 requests and verify that approximately 10% of them are served by reviews-v2:

    kubectl exec deploy/sleep -- sh -c "for i in \$(seq 1 100); do curl -s http://$GATEWAY_HOST/productpage | grep reviews-v.-; done"

    Expected output:

            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v2-5d99885bc9-qb5cv</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>

    The preceding output indicates that the Layer 7 routing rule takes effect.

For ASM instances of V1.22 and later

  1. Run the following command to bind the reviews service to the waypoint proxy named waypoint that you deployed in Step 1, so that all traffic to the reviews service is routed by this waypoint proxy:

    kubectl label service reviews istio.io/use-waypoint=waypoint
  2. Save the following content as reviews.yaml and apply it with kubectl. It creates a traffic routing rule for the reviews service that sends 90% of requests to reviews-v1 and 10% of requests to reviews-v2:

    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: reviews
    spec:
      host: reviews
      trafficPolicy:
        loadBalancer:
          simple: RANDOM
      subsets:
      - name: v1
        labels:
          version: v1
      - name: v2
        labels:
          version: v2
      - name: v3
        labels:
          version: v3
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: reviews
    spec:
      hosts:
        - reviews
      http:
      - route:
        - destination:
            host: reviews
            subset: v1
          weight: 90
        - destination:
            host: reviews
            subset: v2
          weight: 10
  3. Run the following command to send 100 requests and verify that approximately 10% of them are served by reviews-v2:

    kubectl exec deploy/sleep -- sh -c "for i in \$(seq 1 100); do curl -s http://$GATEWAY_HOST/productpage | grep reviews-v.-; done"

    Expected output:

            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v2-5d99885bc9-qb5cv</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>

    The preceding output indicates that the Layer 7 routing rule takes effect.
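
The 100-request loop in Step 2 only prints pod names; deciding whether the split is really 90/10 (rather than, say, round-robin across v1, v2 and v3 because the VirtualService was applied to the wrong cluster) is left to the reader. The following Python script is an added example, not ASM or Istio code. It parses the grep output lines, derives the expected split from the VirtualService on this page, and applies a binomial tolerance check: each subset's count must lie within three standard deviations of n*p, and any version that is absent from the route but still receives traffic fails the check. The sample lines are the page's own expected output; the pod-name suffix produced by simulate() is invented.

```python
"""Check the output of the 100-request loop against the VirtualService weights.
Added example, not ASM or Istio code."""
import math
import random
import re

POD_RE = re.compile(r"reviews-(v\d+)-[0-9a-f]+-[0-9a-z]+")

# The VirtualService route from this page, reduced to a dict.
VIRTUALSERVICE = {"spec": {"hosts": ["reviews"], "http": [{"route": [
    {"destination": {"host": "reviews", "subset": "v1"}, "weight": 90},
    {"destination": {"host": "reviews", "subset": "v2"}, "weight": 10}]}]}}

# The page's expected output (ten lines of the loop), used as sample input.
PAGE_OUTPUT = """\
<u>reviews-v1-5896f547f5-48zcn</u>
<u>reviews-v1-5896f547f5-48zcn</u>
<u>reviews-v2-5d99885bc9-qb5cv</u>
<u>reviews-v1-5896f547f5-48zcn</u>
<u>reviews-v1-5896f547f5-48zcn</u>
<u>reviews-v1-5896f547f5-48zcn</u>
<u>reviews-v1-5896f547f5-48zcn</u>
<u>reviews-v1-5896f547f5-48zcn</u>
<u>reviews-v1-5896f547f5-48zcn</u>
<u>reviews-v1-5896f547f5-48zcn</u>
""".splitlines()


def count_versions(lines):
    """Count requests per reviews version from the grep output lines."""
    counts = {}
    for line in lines:
        m = POD_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def weights_from_virtualservice(vs):
    """{subset: weight} for the single http route on the page; a missing weight means 100."""
    return {d["destination"]["subset"]: d.get("weight", 100)
            for d in vs["spec"]["http"][0]["route"]}


def consistent_with_weights(counts, weights, sigmas=3.0):
    """Binomial check: each subset's count must lie within `sigmas` standard deviations of
    n*p, and no version outside the route may receive traffic. Returns (ok, report)."""
    n = sum(counts.values())
    total = sum(weights.values())
    report, ok = {}, n > 0
    for subset, w in weights.items():
        p = w / total
        expected, sd = n * p, math.sqrt(n * p * (1 - p))
        observed = counts.get(subset, 0)
        within = abs(observed - expected) <= sigmas * sd
        report[subset] = (observed, round(expected, 1), within)
        ok = ok and within
    for stray in set(counts) - set(weights):  # e.g. v3 still served: the rule is not in effect
        report[stray] = (counts[stray], 0.0, False)
        ok = False
    return ok, report


def simulate(weights, n, seed=0):
    """Constructed sample: n requests routed by weight (the pod-name suffix is invented)."""
    rng = random.Random(seed)
    subsets = list(weights)
    w = [weights[s] for s in subsets]
    return [f"<u>reviews-{rng.choices(subsets, w)[0]}-0000000000-aaaaa</u>" for _ in range(n)]


if __name__ == "__main__":
    weights = weights_from_virtualservice(VIRTUALSERVICE)
    print(consistent_with_weights(count_versions(PAGE_OUTPUT), weights))
    print(consistent_with_weights(count_versions(simulate(weights, 100, seed=1)), weights))
```

With only ten lines, as on the page, the tolerance is wide (0 to 3 requests to v2 all pass); the check becomes meaningful at the full 100 requests, where a count outside 1 to 19 for v2, or any request reaching v3, indicates that the rule is not being applied by the waypoint.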

Step 3: Delete resources

For ASM instances of V1.21 and earlier, run the following commands to delete the resources created in this topic:

istioctl x waypoint delete --service-account bookinfo-productpage
istioctl x waypoint delete --service-account bookinfo-reviews
kubectl delete authorizationpolicy productpage-viewer

For ASM instances of V1.22 and later, the istioctl commands do not apply. Delete the authorization policy with the preceding kubectl command, delete the Gateway named waypoint in the default namespace, and remove the istio.io/use-waypoint label from the productpage and reviews services. Also delete the reviews destination rule and virtual service if you no longer need the routing rule.