2021年10月份发布了OSM 1.0 RC[1],在过去的几个月里,OSM 的贡献者一直在努力为 v1.0.0 版本的发布做准备。2022年2月1日,OSM 团队正式发布 1.0.0 版本[2]。 OSM 从最初的发布到现在已经走了很长的路,团队继续专注于社区需要的关键和必要的功能。Open Service Mesh(OSM)是一个 轻量级、 可扩展的 Service Mesh 工具,旨在通过引入简单性和降低复杂性来管理和保护 K8s 集群内的 API。它基于 envoy Proxy 并将其作为 sidecar 容器注入到每个Observable应用程序中,该应用程序依次执行流量管理、路由策略、捕获指标等。

微软把Open Service Mesh 捐赠给云原生计算基金会(CNCF),以确保它由社区主导,并具有开放的治理,OSM目前还是 沙箱项目。

1.0 版本已经支持多集群和混合环境中运行 OSM。 1.0版本中的一些新功能:

  • 新的内部控制平面事件管理框架来处理对 Kubernetes 集群和策略的更改
  • 拒绝/忽略无效 SMI TrafficTarget 资源的验证
  • 改进控制平面内存利用率,OSM 现在可以根据内存使用情况自动缩放。
  • 支持用于网状流量的 TCP 服务器优先协议。appProtocol: tcp-server-first 除了在 Egress 策略中指定的服务之外,现在可以在网格中的服务端口上指定,以减少 MySQL 和 PostgreSQL 等协议的延迟。
  • OSM 附带的 Grafana 仪表板更加准确和一致。
  • OSM 控制平面镜像现在是多架构的,支持 linux/amd64 和 linux/arm64。

自上次发布以来,osmCLI 也有了一些改进。

  • osm support bug-report除了网格内的 Pod 之外,收集日志和其他有助于调试的信息的命令现在可以从 OSM 的控制平面收集日志。
  • 对于在没有 Helm 的情况下管理 OSM 生命周期的用户,该osm install命令现在支持选择性地清理由控制平面创建的 CustomResourceDefinition、webhook 配置和资源以简化卸载。
  • osm version命令现在将显示安装在集群上的 OSM 版本以及 CLI 的版本。

查看我们最新更新的文档网站[3],了解更多关于特性、演示和架构的信息。

显著特性

Open Service Mesh 相对于Istio 来说,确实很轻量。SMI 处理了所有你期望的标准服务 Mesh 功能,包括使用 mTLS 确保服务之间的通信安全,管理访问控制策略,服务监控等。

  • 为服务定义并执行细化的访问控制策略,基于 Service Mesh Interface (SMI) 的实现,主要包括 Traffic Access ControlTraffic SpecsTraffic Split 以及 Traffic Metrics

  • 通过启用相互 TLS (mTLS) 来保护服务与服务之间的通信 ;

  • 定义和执行服务间的访问控制策略;

  • 通过 Prometheus 和 Grafana 完成器观察性;

  • 可与外部证书管理服务进行集成;

  • 使用 Envoy 边车代理自动注入,将应用程序加入到 OSM 网格中;

上手体验

这里我使用 Rancher Desktop[4] 作为我本地的实验环境,来亲手试一试看了。

安装非常简单,参考文档 [5],直接去 Release 页面下载预编译好的二进制文件。可将二进制文件加入到 $PATH 中。

wget  https://github.com/openservicemesh/osm/releases/download/v1.0.0/osm-v1.0.0-windows-amd64.zip -o osm.zip

unzip osm.zip

osm.exe version

下面的命令显示了如何在 Kubernetes 集群上安装 OSM。此命令启用 PrometheusGrafanaJaeger集成。文件中的osm.enablePermissiveTrafficPolicychart 参数values.yaml 指示 OSM 忽略任何策略,让流量在 Pod 之间自由流动。在 OSM 中的宽松流量策略模式下,系统会绕过 SMI 流量策略强制执行。 在此模式下,OSM 会自动发现属于服务网格一部分的服务,并在每个 Envoy 代理挎斗上对流量策略规则进行编程,以便能够与这些服务通信。

osm install  --mesh-name "osm-system" --osm-namespace "osm" --set=osm.enablePermissiveTrafficPolicy=true --set=osm.deployPrometheus=true  --set=osm.deployGrafana=true   --set=osm.deployJaeger=true

可以看到默认安装完成后,都在 osm-system 命名空间下有6个pod:

上图是使用k8slens :https://k8slens.dev/ ,这里简要介绍一下lens:(Lens 就是一个强大的 IDE,可以实时查看集群状态,实时查看日志流,方便排查故障。有了 Lens,你可以更方便快捷地使用你的集群,从根本上提高工作效率和业务迭代速度。Lens 可以管理多集群,它使用内置的 kubectl 通过 kubeconfig 来访问集群,支持本地集群和外部集群(如EKS、AKS、GKE、Pharos、UCP、Rancher 等),甚至连 Openshift 也支持。)

  • osm-controller:osm控制器

  • osm-grafana:Dashboard 相关,可通过 osm dashboard 命令唤起;

  • osm-prometheus:采集 metrics ;

  • osm-injector:注入程序

  • osm-bootstrap:启动

  • jaeger :链路追踪

检查 OSM 控制器Deployment、Pod 和svc

kubectl get deployment,pod,service -n osm --selector app=osm-controller

正常运行的 OSM 控制器将如下所示:

检查 OSM 注入程序Deployment、Pod 和服务

kubectl get deployment,pod,service -n osm --selector app=osm-injector

正常运行的 OSM 注入程序将如下所示:

检查 OSM 启动 Deployment、Pod 和服务

kubectl get deployment,pod,service -n osm --selector app=osm-bootstrap

检查验证 Webhook 和改变 Webhook

kubectl get ValidatingWebhookConfiguration --selector app=osm-controller

正常运行的 OSM 验证 Webhook 将如下所示:

检查改变 Webhook 的服务和 CA 捆绑包

kubectl get ValidatingWebhookConfiguration osm-validator-mesh-osm-system -o json | jq '.webhooks[0].clientConfig.service'

正确配置的改变 Webhook 配置将如下所示:

{
       "name": "osm-validator",
       "namespace": "osm",
       "path": "/validate",
       "port": 9093

}

检查 osm-mesh-config 资源

检查该 ConfigMap 是否存在:kubectl get meshconfig osm-mesh-config -n osm

检查 OSM MeshConfig 的内容

kubectl get meshconfig osm-mesh-config -n osm -o yaml

PS C:\Users\zsygz> kubectl get meshconfig osm-mesh-config -n osm -o yaml

apiVersion: config.openservicemesh.io/v1alpha1

kind: MeshConfig

metadata:
   creationTimestamp: "2022-02-03T07:47:42Z"
   generation: 1
   name: osm-mesh-config
   namespace: osm
   resourceVersion: "230958"
   uid: 2701cf39-02dd-4d8d-b920-30120f52dc66

spec:
   certificate:
     certKeyBitSize: 2048
     serviceCertValidityDuration: 24h
   featureFlags:
     enableAsyncProxyServiceMapping: false
     enableEgressPolicy: true
     enableEnvoyActiveHealthChecks: false
     enableIngressBackendPolicy: true
     enableMulticlusterMode: false
     enableRetryPolicy: false
     enableSnapshotCacheMode: false
     enableWASMStats: true
   observability:
     enableDebugServer: false
     osmLogLevel: info
     tracing:
       enable: false
   sidecar:
     configResyncInterval: 0s
     enablePrivilegedInitContainer: false
     logLevel: error
     resources: {}
   traffic:
     enableEgress: false
     enablePermissiveTrafficPolicyMode: true
     inboundExternalAuthorization:
       enable: false
       failureModeAllow: false
       statPrefix: inboundExtAuthz
       timeout: 1s
     inboundPortExclusionList: []
     outboundIPRangeExclusionList: []
     outboundPortExclusionList: []

以及一系列的 CRD

PS C:\Users\zsygz> kubectl get crds -n osm

NAME                                                            CREATED AT

addons.k3s.cattle.io                                            2022-01-03T02:00:57Z

helmcharts.helm.cattle.io                                       2022-01-03T02:00:57Z

helmchartconfigs.helm.cattle.io                                 2022-01-03T02:00:57Z

middlewaretcps.traefik.containo.us                              2022-01-03T02:03:26Z

ingressrouteudps.traefik.containo.us                            2022-01-03T02:03:26Z

tlsstores.traefik.containo.us                                   2022-01-03T02:03:26Z

serverstransports.traefik.containo.us                           2022-01-03T02:03:26Z

traefikservices.traefik.containo.us                             2022-01-03T02:03:26Z

ingressroutetcps.traefik.containo.us                            2022-01-03T02:03:26Z

middlewares.traefik.containo.us                                 2022-01-03T02:03:26Z

tlsoptions.traefik.containo.us                                  2022-01-03T02:03:26Z

ingressroutes.traefik.containo.us                               2022-01-03T02:03:26Z

challenges.acme.cert-manager.io                                 2022-01-03T10:05:42Z

certificaterequests.cert-manager.io                             2022-01-03T10:05:42Z

clusterissuers.cert-manager.io                                  2022-01-03T10:05:42Z

issuers.cert-manager.io                                         2022-01-03T10:05:42Z

orders.acme.cert-manager.io                                     2022-01-03T10:05:42Z

certificates.cert-manager.io                                    2022-01-03T10:05:42Z

features.management.cattle.io                                   2022-01-03T11:35:16Z

navlinks.ui.cattle.io                                           2022-01-03T11:35:19Z

clusters.management.cattle.io                                   2022-01-03T11:35:20Z

apiservices.management.cattle.io                                2022-01-03T11:35:20Z

clusterregistrationtokens.management.cattle.io                  2022-01-03T11:35:20Z

settings.management.cattle.io                                   2022-01-03T11:35:20Z

preferences.management.cattle.io                                2022-01-03T11:35:20Z

clusterrepos.catalog.cattle.io                                  2022-01-03T11:35:20Z

operations.catalog.cattle.io                                    2022-01-03T11:35:20Z

apps.catalog.cattle.io                                          2022-01-03T11:35:20Z

fleetworkspaces.management.cattle.io                            2022-01-03T11:35:20Z

managedcharts.management.cattle.io                              2022-01-03T11:35:20Z

clusters.provisioning.cattle.io                                 2022-01-03T11:35:21Z

rkeclusters.rke.cattle.io                                       2022-01-03T11:35:21Z

rkecontrolplanes.rke.cattle.io                                  2022-01-03T11:35:21Z

rkebootstraps.rke.cattle.io                                     2022-01-03T11:35:21Z

rkebootstraptemplates.rke.cattle.io                             2022-01-03T11:35:21Z

custommachines.rke.cattle.io                                    2022-01-03T11:35:21Z

clusters.cluster.x-k8s.io                                       2022-01-03T11:35:21Z

machinedeployments.cluster.x-k8s.io                             2022-01-03T11:35:21Z

machinehealthchecks.cluster.x-k8s.io                            2022-01-03T11:35:21Z

machines.cluster.x-k8s.io                                       2022-01-03T11:35:22Z

machinesets.cluster.x-k8s.io                                    2022-01-03T11:35:22Z

authconfigs.management.cattle.io                                2022-01-03T11:35:22Z

groupmembers.management.cattle.io                               2022-01-03T11:35:22Z

groups.management.cattle.io                                     2022-01-03T11:35:22Z

tokens.management.cattle.io                                     2022-01-03T11:35:22Z

userattributes.management.cattle.io                             2022-01-03T11:35:22Z

users.management.cattle.io                                      2022-01-03T11:35:22Z

catalogs.management.cattle.io                                   2022-01-03T11:35:23Z

clusterroletemplatebindings.management.cattle.io                2022-01-03T11:35:23Z

catalogtemplates.management.cattle.io                           2022-01-03T11:35:23Z

dynamicschemas.management.cattle.io                             2022-01-03T11:35:23Z

catalogtemplateversions.management.cattle.io                    2022-01-03T11:35:23Z

etcdbackups.management.cattle.io                                2022-01-03T11:35:23Z

clusteralerts.management.cattle.io                              2022-01-03T11:35:23Z

globalrolebindings.management.cattle.io                         2022-01-03T11:35:23Z

clusteralertgroups.management.cattle.io                         2022-01-03T11:35:23Z

clustercatalogs.management.cattle.io                            2022-01-03T11:35:23Z

globalroles.management.cattle.io                                2022-01-03T11:35:23Z

clusterloggings.management.cattle.io                            2022-01-03T11:35:23Z

kontainerdrivers.management.cattle.io                           2022-01-03T11:35:23Z

clusteralertrules.management.cattle.io                          2022-01-03T11:35:23Z

apps.project.cattle.io                                          2022-01-03T11:35:23Z

nodedrivers.management.cattle.io                                2022-01-03T11:35:23Z

clustermonitorgraphs.management.cattle.io                       2022-01-03T11:35:23Z

clusterscans.management.cattle.io                               2022-01-03T11:35:23Z

apprevisions.project.cattle.io                                  2022-01-03T11:35:23Z

pipelineexecutions.project.cattle.io                            2022-01-03T11:35:23Z

nodepools.management.cattle.io                                  2022-01-03T11:35:23Z

nodetemplates.management.cattle.io                              2022-01-03T11:35:23Z

pipelinesettings.project.cattle.io                              2022-01-03T11:35:23Z

composeconfigs.management.cattle.io                             2022-01-03T11:35:23Z

nodes.management.cattle.io                                      2022-01-03T11:35:23Z

podsecuritypolicytemplateprojectbindings.management.cattle.io   2022-01-03T11:35:24Z

multiclusterapps.management.cattle.io                           2022-01-03T11:35:24Z

pipelines.project.cattle.io                                     2022-01-03T11:35:23Z

podsecuritypolicytemplates.management.cattle.io                 2022-01-03T11:35:24Z

sourcecodecredentials.project.cattle.io                         2022-01-03T11:35:24Z

multiclusterapprevisions.management.cattle.io                   2022-01-03T11:35:24Z

projectnetworkpolicies.management.cattle.io                     2022-01-03T11:35:24Z

sourcecodeproviderconfigs.project.cattle.io                     2022-01-03T11:35:24Z

monitormetrics.management.cattle.io                             2022-01-03T11:35:24Z

sourcecoderepositories.project.cattle.io                        2022-01-03T11:35:24Z

notifiers.management.cattle.io                                  2022-01-03T11:35:24Z

projectroletemplatebindings.management.cattle.io                2022-01-03T11:35:24Z

projects.management.cattle.io                                   2022-01-03T11:35:24Z

projectalerts.management.cattle.io                              2022-01-03T11:35:24Z

projectalertgroups.management.cattle.io                         2022-01-03T11:35:24Z

rkek8ssystemimages.management.cattle.io                         2022-01-03T11:35:24Z

projectcatalogs.management.cattle.io                            2022-01-03T11:35:24Z

projectloggings.management.cattle.io                            2022-01-03T11:35:24Z

rkek8sserviceoptions.management.cattle.io                       2022-01-03T11:35:24Z

projectalertrules.management.cattle.io                          2022-01-03T11:35:24Z

rkeaddons.management.cattle.io                                  2022-01-03T11:35:24Z

roletemplates.management.cattle.io                              2022-01-03T11:35:24Z

projectmonitorgraphs.management.cattle.io                       2022-01-03T11:35:24Z

samltokens.management.cattle.io                                 2022-01-03T11:35:24Z

clustertemplates.management.cattle.io                           2022-01-03T11:35:24Z

clustertemplaterevisions.management.cattle.io                   2022-01-03T11:35:24Z

cisconfigs.management.cattle.io                                 2022-01-03T11:35:24Z

cisbenchmarkversions.management.cattle.io                       2022-01-03T11:35:24Z

templates.management.cattle.io                                  2022-01-03T11:35:24Z

templateversions.management.cattle.io                           2022-01-03T11:35:24Z

templatecontents.management.cattle.io                           2022-01-03T11:35:24Z

globaldnses.management.cattle.io                                2022-01-03T11:35:24Z

globaldnsproviders.management.cattle.io                         2022-01-03T11:35:24Z

prometheuses.monitoring.coreos.com                              2022-01-03T11:35:29Z

prometheusrules.monitoring.coreos.com                           2022-01-03T11:35:29Z

alertmanagers.monitoring.coreos.com                             2022-01-03T11:35:29Z

servicemonitors.monitoring.coreos.com                           2022-01-03T11:35:29Z

azureconfigs.rke-machine-config.cattle.io                       2022-01-03T11:35:32Z

vmwarevsphereconfigs.rke-machine-config.cattle.io               2022-01-03T11:35:32Z

digitaloceanconfigs.rke-machine-config.cattle.io                2022-01-03T11:35:32Z

harvesterconfigs.rke-machine-config.cattle.io                   2022-01-03T11:35:32Z

linodeconfigs.rke-machine-config.cattle.io                      2022-01-03T11:35:32Z

amazonec2configs.rke-machine-config.cattle.io                   2022-01-03T11:35:32Z

digitaloceanmachines.rke-machine.cattle.io                      2022-01-03T11:35:32Z

azuremachines.rke-machine.cattle.io                             2022-01-03T11:35:32Z

linodemachines.rke-machine.cattle.io                            2022-01-03T11:35:32Z

vmwarevspheremachines.rke-machine.cattle.io                     2022-01-03T11:35:32Z

harvestermachines.rke-machine.cattle.io                         2022-01-03T11:35:32Z

amazonec2machines.rke-machine.cattle.io                         2022-01-03T11:35:32Z

digitaloceanmachinetemplates.rke-machine.cattle.io              2022-01-03T11:35:32Z

azuremachinetemplates.rke-machine.cattle.io                     2022-01-03T11:35:32Z

linodemachinetemplates.rke-machine.cattle.io                    2022-01-03T11:35:32Z

amazonec2machinetemplates.rke-machine.cattle.io                 2022-01-03T11:35:32Z

vmwarevspheremachinetemplates.rke-machine.cattle.io             2022-01-03T11:35:32Z

harvestermachinetemplates.rke-machine.cattle.io                 2022-01-03T11:35:32Z

bundles.fleet.cattle.io                                         2022-01-03T11:35:20Z

bundledeployments.fleet.cattle.io                               2022-01-03T11:36:37Z

bundlenamespacemappings.fleet.cattle.io                         2022-01-03T11:36:37Z

clustergroups.fleet.cattle.io                                   2022-01-03T11:36:37Z

clusters.fleet.cattle.io                                        2022-01-03T11:35:20Z

clusterregistrationtokens.fleet.cattle.io                       2022-01-03T11:36:37Z

gitrepos.fleet.cattle.io                                        2022-01-03T11:36:37Z

clusterregistrations.fleet.cattle.io                            2022-01-03T11:36:37Z

gitreporestrictions.fleet.cattle.io                             2022-01-03T11:36:37Z

contents.fleet.cattle.io                                        2022-01-03T11:36:37Z

imagescans.fleet.cattle.io                                      2022-01-03T11:36:37Z

gitjobs.gitjob.cattle.io                                        2022-01-03T11:36:37Z

components.dapr.io                                              2022-01-07T10:13:43Z

configurations.dapr.io                                          2022-01-07T10:13:44Z

subscriptions.dapr.io                                           2022-01-07T10:13:45Z

meshconfigs.config.openservicemesh.io                           2022-02-03T07:46:15Z

multiclusterservices.config.openservicemesh.io                  2022-02-03T07:46:15Z

egresses.policy.openservicemesh.io                              2022-02-03T07:46:15Z

trafficsplits.split.smi-spec.io                                 2022-02-03T07:46:15Z

tcproutes.specs.smi-spec.io                                     2022-02-03T07:46:15Z

ingressbackends.policy.openservicemesh.io                       2022-02-03T07:46:15Z

traffictargets.access.smi-spec.io                               2022-02-03T07:46:15Z

httproutegroups.specs.smi-spec.io                               2022-02-03T07:46:15Z

使用以下命令获取已安装的 SMI CRD 版本:

PS C:\Users\zsygz> osm mesh list

MESH NAME    MESH NAMESPACE   VERSION   ADDED NAMESPACES

osm-system   osm              v1.0.0

MESH NAME    MESH NAMESPACE   SMI SUPPORTED

osm-system   osm              HTTPRouteGroup:v1alpha4,TCPRoute:v1alpha4,TrafficSplit:v1alpha2,TrafficTarget:v1alpha3

To list the OSM controller pods for a mesh, please run the following command passing in the mesh's namespace
         kubectl get pods -n <osm-mesh-namespace> -l app=osm-controller


实践

下面我们来部署一个应用程序测试一下,OSM 强调的 Observable 的含义是什么 ——用户可以选择哪些应用程序(命名空间)应该在 OSM的管理范围,OSM 会监控那些不影响其他人的应用程序!

  • 创建实验用的 namespace, 并通过 osm namespace add 将其纳入管理范围中:

kubectl create namespace bookstore

kubectl create namespace bookbuyer

kubectl create namespace bookthief

kubectl create namespace bookwarehouse

osm namespace add bookstore --mesh-name=osm-system

osm namespace add bookbuyer --mesh-name=osm-system

osm namespace add bookthief --mesh-name=osm-system

osm namespace add bookwarehouse --mesh-name=osm-system

osm metrics enable --namespace bookstore

osm metrics enable --namespace bookbuyer

osm metrics enable --namespace bookthief

osm metrics enable --namespace bookwarehouse

现在,四个命名空间中的每一个都用 标记openservicemesh.io/monitored-by: osm和注释openservicemesh.io/sidecar-injection: enabled。OSM 控制器注意到这些命名空间上的标签和注释,将开始使用 Envoy sidecar 注入所有pod。

  • 部署实验应用程序

PS C:\Users\zsygz> kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.0/manifests/apps/bookbuyer.yaml

serviceaccount/bookbuyer created

deployment.apps/bookbuyer created

PS C:\Users\zsygz> kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.0/manifests/apps/bookthief.yaml

serviceaccount/bookthief created

deployment.apps/bookthief created

PS C:\Users\zsygz> kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.0/manifests/apps/bookstore.yaml

service/bookstore created

serviceaccount/bookstore created

deployment.apps/bookstore created

PS C:\Users\zsygz> kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.0/manifests/apps/bookwarehouse.yaml

serviceaccount/bookwarehouse created

service/bookwarehouse created

deployment.apps/bookwarehouse created

PS C:\Users\zsygz> kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.0/manifests/apps/mysql.yaml

serviceaccount/mysql created

service/mysql created

statefulset.apps/mysql created

PS C:\Users\zsygz> kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.0/manifests/apps/bookstore-v2.yaml

service/bookstore-v2 created

serviceaccount/bookstore-v2 created

deployment.apps/bookstore-v2 created

traffictarget.access.smi-spec.io/bookstore-v2 created

使用下列命令检查下安装的资源:

kubectl get pods,deployments,serviceaccounts -n bookbuyer

kubectl get pods,deployments,serviceaccounts -n bookthief

kubectl get pods,deployments,serviceaccounts,services,endpoints -n bookstore

kubectl get pods,deployments,serviceaccounts,services,endpoints -n bookwarehouse

实验里为每个应用程序创建了一个Kubernetes 服务帐户。服务帐户用作应用程序的身份,稍后将在演示中使用它来创建服务到服务的访问控制策略。

  • 本地访问

可以通过 kubectl port-foward 在本地对刚才部署的应用进行访问。我们也可以通过Rancher Desktop 来操作:

访问 http://localhost:62300/  即可看到示例项目。例如:

通过 osm dashboard --osm-namespace=osm可直接唤起本地浏览器,并 port-foward 将 Grafana 打开。

PS C:\Users\zsygz> osm dashboard --osm-namespace=osm

[+] Starting Dashboard forwarding

[+] Issuing open browser http://localhost:3000

Grafana 登录的默认用户名和密码是admin/admin。

  • 访问控制策略

一旦应用程序启动并运行,它们可以使用宽松流量策略模式或SMI 流量策略模式相互交互。在宽松流量策略模式下,应用服务之间的流量由 自动配置osm-controller,SMI Traffic Targets 定义的访问控制策略不强制执行。在 SMI 策略模式下,默认情况下所有流量都被拒绝,除非使用 SMI 访问和路由策略的组合明确允许。

前面我们安装osm 的时候指定的--set=osm.enablePermissiveTrafficPolicy=true 就是宽松流量策略模式。从而允许应用程序之间的连接,而不需要 SMI 流量访问策略。

kubectl edit meshconfig -n osm

将osm.enablePermissiveTrafficPolicy 改成false 保存,从而禁用宽松流量策略模式,启用SMI流量策略。

SMI 流量策略可用于以下方面:

  1. SMI 访问控制策略,用于授权服务身份之间的流量访问
  2. 用于定义路由规则以与访问控制策略相关联的 SMI 流量规范策略
  3. SMI 流量拆分策略可根据权重将客户端流量引导至多个后端

我们现在来部署 SMI TrafficTarget 和 HTTPRouteGroup 策略:

kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.0/manifests/access/traffic-access-v1.yaml


kind: TrafficTarget
apiVersion: access.smi-spec.io/v1alpha3
metadata:
name: bookstore
namespace: bookstore
spec:
destination:
kind: ServiceAccount
name: bookstore
namespace: bookstore
rules:
- kind: HTTPRouteGroup
name: bookstore-service-routes
matches:
- buy-a-book
- books-bought
sources:
- kind: ServiceAccount
name: bookbuyer
namespace: bookbuyer
---
apiVersion: specs.smi-spec.io/v1alpha4
kind: HTTPRouteGroup
metadata:
name: bookstore-service-routes
namespace: bookstore
spec:
matches:
- name: books-bought
pathRegex: /books-bought
methods:
- GET
headers:
- "user-agent": ".*-http-client/*.*"
- "client-app": "bookbuyer"
- name: buy-a-book
pathRegex: ".*a-book.*new"
methods:
- GET 这里定义了两个 SMI 中的资源 TrafficTarget 和 HTTPRouteGroup ,用来控制入口流量,应用后将允许访问对应的服务。 清理 列出osm 扫描器下的所有命名空间 osm ns list --mesh-name=osm-system 从 OSM 扫描器中删除命名空间
osm namespace remove bookbuyer --mesh-name=osm-system
osm namespace remove bookstore --mesh-name=osm-system
osm namespace remove bookthief --mesh-name=osm-system
osm namespace remove bookwarehouse --mesh-name=osm-system

重新部署 删除Envoy 边车
kubectl rollout restart deployment bookbuyer -n bookbuyer
kubectl rollout restart deployment bookstore -n bookstore
kubectl rollout restart deployment bookthief -n bookthief
kubectl rollout restart deployment bookwarehouse -n bookwarehouse

从k8s 集群里卸载osm
osm uninstall mesh --mesh-name=osm-system  --osm-namespace=osm

总结

Open Service Mesh 相对来说,确实非常的轻量。所需要的访问控制,流量切割等功能通过自己创建 SMI 资源来控制, Dapr 和 OSM 是非常好的一个实践多运行时架构的组合。

参考资料

[1] 第一个候选版本: https://github.com/openservicemesh/osm/releases/tag/v1.0.0-rc.1

[2] 第一个1.0 正式版本: https://github.com/openservicemesh/osm/releases/tag/v1.0.0

[3] 文档网站: https://docs.openservicemesh.io/

[4] 通过Rancher Desktop在桌面上运行K8s :https://www.cnblogs.com/shanyou/p/15759035.html

[5] 设置OSM:https://release-v1-0.docs.openservicemesh.io/docs/getting_started/setup_osm/

体验 正式发布 的OSM v1.0.0 版本的更多相关文章

  1. Kube-OVN v1.10.0:新增Windows节点支持,用户自定义子网ACL等10+硬核功能

    在Kube-OVN社区小伙伴的共同努力下,Kube-OVN v1.10.0于五月份正式发布.Kube-OVN v1.10.0版本中,我们一如既往地对Kube-OVN 的功能.性能.稳定性和易用性进行了 ...

  2. DBA 的效率加速器——CloudQuery v1.3.0 上线!

    好久不见! 自 CloudQuery v1.2.1 发布至今,已有月余,在此期间我们收到了很多朋友对 CloudQuery 的反馈和建议,很多朋友表达了对 v1.3.0 的期待,非常感谢. Cloud ...

  3. Volcano社区v1.6.0版本正式发布

    摘要:Volcano社区v1.6.0版本正式发布.此次版本增加了弹性作业管理.基于真实负载的动态调度. 基于真实负载的重调度.Volcano Job插件--MPI等多个新特性. 本文分享自华为云社区& ...

  4. 浏览器端类EXCEL表格插件 - 智表ZCELL产品V1.0.0.1版本发布

    智表的优势 智表兼容与依赖 ZCELL 基于jQuery V1.11.3版本研发,兼容性依赖于jQuery自身的兼容性. 经过验证,目前IE.火狐.谷歌.360等主流浏览器均可以正常使用. 智表下载 ...

  5. 【VIP视频网站项目】VIP视频网站项目v1.0.3版本发布啦(程序一键安装+电影后台自动抓取+代码结构调整)

    在线体验地址:http://vip.52tech.tech/ GIthub源码:https://github.com/xiugangzhang/vip.github.io 项目预览 主页面 登录页面 ...

  6. Gitea v1.17.0 正式发布 | 集成软件包管理器、容器镜像仓库

    我们自豪地宣布 Gitea v1.17.0 发布了.本次发布带来了诸多新特性和累积的更新,我们强烈建议用户在更新到最新版本之前仔细阅读发行注记. 在 1.17.0 版本的开发中我们一共合并了 645 ...

  7. Dapr v1.9.0 版本已发布

    Dapr是一套开源.可移植的事件驱动型运行时,允许开发人员轻松立足云端与边缘位置运行弹性.微服务.无状态以及有状态等应用程序类型.Dapr能够确保开发人员专注于编写业务逻辑,而不必分神于解决分布式系统 ...

  8. 浏览器端类EXCEL表格插件 版本更新 - 智表ZCELL产品V1.1.0.1版本发布

    智表(ZCELL),浏览器下纯JS表格控件,为您提供EXCEL般的智能体验! 纯国产化.高性价比的可靠解决方案. 更新说明     让大家久等了.因为最近忙其他项目,发布时间稍有延迟.  下次版本更新 ...

  9. 【开源】SpringBootNetty聊天室V1.2.0升级版本介绍

    前言 SpringBoot!微服务微架构的基础,Netty通信框架的元老级别框架,即之前的SpringBoot与Netty的实现聊天室的功能后已经过了不到一周的时间啦,今天我们更新了项目版本从V1.0 ...

随机推荐

  1. Anti-prime Sequences

    Anti-prime Sequences Time Limit: 3000MS   Memory Limit: 30000K Total Submissions: 3355   Accepted: 1 ...

  2. Problem 2236 第十四个目标

    Problem 2236 第十四个目标 Accept: 4    Submit: 6Time Limit: 1000 mSec    Memory Limit : 32768 KB Problem D ...

  3. centos 各版本下载

    地址: go to http://vault.centos.org/ for packages.

  4. [opencv]findcoutours函数使用

    轮廓是定义或限定形状或对象的边或线,是机器视觉中的常用的概念,多用于目标检测.识别等任务. 关于OpenCV轮廓操作,尤其是级别及如何使用轮廓级别进行筛选等问题,相关文章比较少,正好最近用到,因此将其 ...

  5. TYPEC转HDMI+PD+USB3.0拓展坞三合一优化方案|CS5266 dmeoboard原理图

    CS5266 Capstone 是Type-C转HDMI带PD3.0快充的音视频转换芯片. CS5266接收器端口将信道配置(CC)控制器.电源传输(PD)控制器.Billboard控制器和displ ...

  6. Java基础寒假作业-个人所得税计算系统

    <个人所得税计算系统>设计 一.需求说明 设计一个简易的个人所得税计算系统,通过输入个人应发工资计算出各个地区的三险(医疗保险.养老保险)一金(公积金)和个人所得税.系统需要实现用户登录. ...

  7. NPM镜像地址

    NPM镜像地址 npm ---- https://registry.npmjs.org/ cnpm --- http://r.cnpmjs.org/ taobao - https://registry ...

  8. Gradle sync failed (3 s 402 ms) - Android Studio问题解决方法

    问题:Gradle同步失败 解决方法: 删除gradle-wrpper.jar中的 implementation 'com.android.support:design:30.+' 最后在Build中 ...

  9. Redis缓存安装Version5.0.7

    1.说明 Redis是一个开源(BSD许可)的, 内存中的数据结构存储系统, 它可以用作数据库.缓存和消息中间件. 这里介绍在Linux下使用源码编译安装的方式. 2.下载 官方下载地址:https: ...

  10. RSA非对称加密算法实现:Java

    RSA是1977年由罗纳德·李维斯特(Ron Rivest).阿迪·萨莫尔(Adi Shamir)和伦纳德·阿德曼(Leonard Adleman)一起提出的.当时他们三人都在麻省理工学院工作.RSA ...