This documentation is for a release that is no longer maintained
See documentation for the latest supported version 3 or the latest supported version 4.Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 12. Networking
12.1. Using Service Mesh with OpenShift Serverless Link kopierenLink in die Zwischenablage kopiert!
Using Service Mesh with OpenShift Serverless enables developers to configure additional networking and routing options that are not supported when using OpenShift Serverless with the default Kourier implementation. These options include setting custom domains, using TLS certificates, and using JSON Web Token authentication.
Prerequisites
- Install the OpenShift Serverless Operator and Knative Serving.
- Install Red Hat OpenShift Service Mesh.
Procedure
Add the
default
namespace to the ServiceMeshMemberRoll as a member:Copy to Clipboard Copied! Toggle word wrap Toggle overflow ImportantAdding sidecar injection to Pods in system namespaces such as
knative-serving
andknative-serving-ingress
is not supported.Create a network policy that permits traffic flow from Knative system pods to Knative services:
Add the
serving.knative.openshift.io/system-namespace=true
label to theknative-serving
namespace:oc label namespace knative-serving serving.knative.openshift.io/system-namespace=true
$ oc label namespace knative-serving serving.knative.openshift.io/system-namespace=true
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Add the
serving.knative.openshift.io/system-namespace=true
label to theknative-serving-ingress
namespace:oc label namespace knative-serving-ingress serving.knative.openshift.io/system-namespace=true
$ oc label namespace knative-serving-ingress serving.knative.openshift.io/system-namespace=true
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Copy the following
NetworkPolicy
resource into a YAML file:Copy to Clipboard Copied! Toggle word wrap Toggle overflow Apply the
NetworkPolicy
resource:oc apply -f <filename>
$ oc apply -f <filename>
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
12.1.1. Enabling sidecar injection for a Knative service Link kopierenLink in die Zwischenablage kopiert!
You can add an annotation to the Service
resource YAML file to enable sidecar injection for a Knative service.
Procedure
Add the
sidecar.istio.io/inject="true"
annotation to theService
resource:Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- Add the
sidecar.istio.io/inject="true"
annotation.
Apply the
Service
resource YAML file:oc apply -f <filename>
$ oc apply -f <filename>
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
12.1.2. Additional resources Link kopierenLink in die Zwischenablage kopiert!
- For more information about Red Hat OpenShift Service Mesh, see Red Hat OpenShift Service Mesh architecture.
12.2. Using JSON Web Token authentication with Service Mesh and OpenShift Serverless Link kopierenLink in die Zwischenablage kopiert!
You can enable JSON Web Token (JWT) authentication for Knative services by creating a policy in your serverless application namespace that only allows requests with valid JWTs.
Prerequisites
- Install OpenShift Serverless.
- Install Red Hat OpenShift Service Mesh.
- Configure Service Mesh with OpenShift Serverless, including enabling sidecar injection for your Knative services.
Adding sidecar injection to pods in system namespaces such as knative-serving
and knative-serving-ingress
is not supported.
Procedure
Copy the following
Policy
resource into a YAML file:ImportantThe paths
/metrics
and/healthz
must be included inexcludedPaths
because they are accessed from system pods in theknative-serving
namespace.Copy to Clipboard Copied! Toggle word wrap Toggle overflow Apply the
Policy
resource YAML file:oc apply -f <filename>
$ oc apply -f <filename>
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
If you try to use a
curl
request to get the Knative service URL, it is denied.curl http://hello-example-default.apps.mycluster.example.com/
$ curl http://hello-example-default.apps.mycluster.example.com/
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Example output
Origin authentication failed.
Origin authentication failed.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Verify the request with a valid JWT.
Get the valid JWT token by entering the following command:
TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
$ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Access the service by using the valid token in the
curl
request header:curl http://hello-example-default.apps.mycluster.example.com/ -H "Authorization: Bearer $TOKEN"
$ curl http://hello-example-default.apps.mycluster.example.com/ -H "Authorization: Bearer $TOKEN"
Copy to Clipboard Copied! Toggle word wrap Toggle overflow The request is now allowed.
Example output
Hello OpenShift!
Hello OpenShift!
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
12.2.1. Additional resources Link kopierenLink in die Zwischenablage kopiert!
- See Red Hat OpenShift Service Mesh architecture.
-
For more information about verifying Knative services and using
curl
requests, see Verifying your serverless application deployment.
12.3. Using custom domains for Knative services with Service Mesh Link kopierenLink in die Zwischenablage kopiert!
By default, Knative services have a fixed domain format:
<application_name>-<namespace>.<openshift_cluster_domain>
<application_name>-<namespace>.<openshift_cluster_domain>
You can customize the domain for your Knative service by configuring the service as a private service and creating the required Service Mesh resources.
Prerequisites
- Install the OpenShift Serverless Operator and Knative Serving.
- Install Red Hat OpenShift Service Mesh.
- Complete the configuration steps in Using Service Mesh with OpenShift Serverless.
- You can configure a custom domain for an existing Knative service, or create a new sample service. To create a new service, see Creating and managing serverless applications.
12.3.1. Setting cluster availability to cluster-local Link kopierenLink in die Zwischenablage kopiert!
By default, Knative services are published to a public IP address. Being published to a public IP address means that Knative services are public applications, and have a publicly accessible URL.
Publicly accessible URLs are accessible from outside of the cluster. However, developers may need to build back-end services that are only be accessible from inside the cluster, known as private services. Developers can label individual services in the cluster with the serving.knative.dev/visibility=cluster-local
label to make them private.
Procedure
Set the visibility for your service by adding the
serving.knative.dev/visibility=cluster-local
label:oc label ksvc <service_name> serving.knative.dev/visibility=cluster-local
$ oc label ksvc <service_name> serving.knative.dev/visibility=cluster-local
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
Check that the URL for your service is now in the format
http://<service_name>.<namespace>.svc.cluster.local
, by entering the following command and reviewing the output:oc get ksvc
$ oc get ksvc
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Example output
NAME URL LATESTCREATED LATESTREADY READY REASON hello http://hello.default.svc.cluster.local hello-tx2g7 hello-tx2g7 True
NAME URL LATESTCREATED LATESTREADY READY REASON hello http://hello.default.svc.cluster.local hello-tx2g7 hello-tx2g7 True
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
12.3.2. Creating necessary Service Mesh resources Link kopierenLink in die Zwischenablage kopiert!
Procedure
Create an Istio gateway to accept traffic.
Create a YAML file, and copy the following YAML into it:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Apply the YAML file:
oc apply -f <filename>
$ oc apply -f <filename>
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Create an Istio
VirtualService
object to rewrite the host header.Create a YAML file, and copy the following YAML into it:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Apply the YAML file:
oc apply -f <filename>
$ oc apply -f <filename>
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Create an Istio
ServiceEntry
object. This is required for OpenShift Serverless because Kourier is outside of the service mesh.Create a YAML file, and copy the following YAML into it:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- Your Knative service in the format
<service_name>.<namespace>.svc
.
Apply the YAML file:
oc apply -f <filename>
$ oc apply -f <filename>
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Create an OpenShift Container Platform route that points to the
VirtualService
object.Create a YAML file, and copy the following YAML into it:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
- 1
- The OpenShift Container Platform route must be created in the same namespace as the ServiceMeshControlPlane. In this example, the ServiceMeshControlPlane is deployed in the
istio-system
namespace.Apply the YAML file:
oc apply -f <filename>
$ oc apply -f <filename>
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
12.3.3. Accessing a service using your custom domain Link kopierenLink in die Zwischenablage kopiert!
Procedure
Access the custom domain by using the
Host
header in acurl
request. For example:curl -H "Host: custom-ksvc-domain.example.com" http://<ip_address>
$ curl -H "Host: custom-ksvc-domain.example.com" http://<ip_address>
Copy to Clipboard Copied! Toggle word wrap Toggle overflow where
<ip_address>
is the IP address that the OpenShift Container Platform ingress router is exposed to.Example output
Hello OpenShift!
Hello OpenShift!
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
12.3.4. Additional resources Link kopierenLink in die Zwischenablage kopiert!
- For more information about Red Hat OpenShift Service Mesh, see Understanding Red Hat OpenShift Service Mesh.