Red Hat SummitChapter 7. Deploying multiple service meshes on a single cluster
You can use the Red Hat OpenShift Service Mesh to operate many service meshes in a single cluster, with each mesh managed by a separate control plane. Using discovery selectors and revisions prevents conflicts between control planes.
7.1. About deploying multiple control planes
To configure a cluster to host two control planes, set up separate Istio resources with unique names in independent Istio system namespaces. Assign a unique revision name to each Istio resource to identify the control planes, workloads, or namespaces it manages. Apply these revision names using injection or
istio.io/revEach
Istioistio-ca-root-certWhen adding an additional Istio control plane to a cluster with an existing control plane, ensure that the existing
IstioOnly one
IstioCNI7.2. Using multiple control planes on a single cluster
You can use discovery selectors to limit the visibility of an Istio control plane to specific namespaces in a cluster. By combining discovery selectors with control plane revisions, you can deploy multiple control planes in a single cluster, ensuring that each control plane manages only its assigned namespaces. This approach avoids conflicts between control planes and enables soft multi-tenancy for service meshes.
7.2.1. Deploying the first control plane
You deploy the first control plane by creating its assigned namespace.
Prerequisites
- You have installed the OpenShift Service Mesh operator.
You have created an Istio Container Network Interface (CNI) resource.
NoteYou can run the following command to check for existing
instances:Istio$ oc get istios-
You have installed the binary on your localhost.
istioctl
You can have extended support for more than two control planes. The maximum number of service meshes in a single cluster depends on the available cluster resources.
Procedure
Create the namespace for the first Istio control plane called
by running the following command:istio-system-1$ oc new-project istio-system-1Add the following label to the first namespace, which is used with the Istio
field by running the following command:discoverySelectors$ oc label namespace istio-system-1 istio-discovery=mesh-1Create a YAML file named
with the nameistio-1.yamland themesh-1asdiscoverySelector:mesh-1Example configuration
kind: Istio apiVersion: sailoperator.io/v1 metadata: name: mesh-1 spec: namespace: istio-system-1 values: meshConfig: discoverySelectors: - matchLabels: istio-discovery: mesh-1 # ...Create the first
resource by running the following command:Istio$ oc apply -f istio-1.yamlTo restrict workloads in
from communicating freely with decrypted traffic between meshes, deploy amesh-1resource to enforce mutual TLS (mTLS) traffic within thePeerAuthenticationdata plane. Apply themesh-1resource in thePeerAuthenticationnamespace by using a configuration file, such asistio-system-1:peer-auth-1.yaml$ oc apply -f peer-auth-1.yamlExample configuration
apiVersion: security.istio.io/v1 kind: PeerAuthentication metadata: name: "mesh-1-peerauth" namespace: "istio-system-1" spec: mtls: mode: STRICT
7.2.2. Deploying the second control plane
After deploying the first control plane, you can deploy the second control plane by creating its assigned namespace.
Procedure
Create a namespace for the second Istio control plane called
by running the following command:istio-system-2$ oc new-project istio-system-2Add the following label to the second namespace, which is used with the Istio
field by running the following command:discoverySelectors$ oc label namespace istio-system-2 istio-discovery=mesh-2Create a YAML file named
:istio-2.yamlExample configuration
kind: Istio apiVersion: sailoperator.io/v1 metadata: name: mesh-2 spec: namespace: istio-system-2 values: meshConfig: discoverySelectors: - matchLabels: istio-discovery: mesh-2 # ...Create the second
resource by running the following command:Istio$ oc apply -f istio-2.yamlDeploy a policy for workloads in the
namespace to only accept mutual TLS trafficistio-system-2by running the following command:peer-auth-2.yaml$ oc apply -f peer-auth-2.yamlExample configuration
apiVersion: security.istio.io/v1 kind: PeerAuthentication metadata: name: "mesh-2-peerauth" namespace: "istio-system-2" spec: mtls: mode: STRICT
7.2.3. Verifying multiple control planes
Verify that both of the Istio control planes are deployed and running properly. You can validate that the
istiodVerify that the workloads are assigned to the control plane in
by running the following command:istio-system-1$ oc get pods -n istio-system-1Example output
NAME READY STATUS RESTARTS AGE istiod-mesh-1-b69646b6f-kxrwk 1/1 Running 0 4m14sVerify that the workloads are assigned to the control plane in
by running the following command:istio-system-2$ oc get pods -n istio-system-2Example output
NAME READY STATUS RESTARTS AGE istiod-mesh-2-8666fdfc6-mqp45 1/1 Running 0 118s
7.3. Deploy application workloads in each mesh
To deploy application workloads, assign each workload to a separate namespace.
Procedure
Create an application namespace called
by running the following command:app-ns-1$ oc create namespace app-ns-1To ensure that the namespace is discovered by the first control plane, add the
label by running the following command:istio-discovery=mesh-1$ oc label namespace app-ns-1 istio-discovery=mesh-1To enable sidecar injection into all the pods by default while ensuring that pods in this namespace are mapped to the first control plane, add the
label to the namespace by running the following command:istio.io/rev=mesh-1$ oc label namespace app-ns-1 istio.io/rev=mesh-1Optional: You can verify the
revision name by running the following command:mesh-1$ oc get istiorevisionsDeploy the
andsleepapplications by running the following command:httpbin$ oc apply -n app-ns-1 \ -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/sleep/sleep.yaml \ -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/httpbin/httpbin.yamlWait for the
andhttpbinpods to run with sidecars injected by running the following command:sleep$ oc get pods -n app-ns-1Example output
NAME READY STATUS RESTARTS AGE httpbin-7f56dc944b-kpw2x 2/2 Running 0 2m26s sleep-5577c64d7c-b5wd2 2/2 Running 0 91mCreate a second application namespace called
by running the following command:app-ns-2$ oc create namespace app-ns-2Create a third application namespace called
by running the following command:app-ns-3$ oc create namespace app-ns-3Add the label
to both namespaces and the revision labelistio-discovery=mesh-2to match the discovery selector of the second control plane by running the following command:mesh-2$ oc label namespace app-ns-2 app-ns-3 istio-discovery=mesh-2 istio.io/rev=mesh-2Deploy the
andsleepapplications to thehttpbinnamespace by running the following command:app-ns-2$ oc apply -n app-ns-2 \ -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/sleep/sleep.yaml \ -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/httpbin/httpbin.yamlDeploy the
andsleepapplications to thehttpbinnamespace by running the following command:app-ns-3$ oc apply -n app-ns-3 \ -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/sleep/sleep.yaml \ -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/httpbin/httpbin.yamlOptional: Use the following command to wait for a deployment to be available:
$ oc wait deployments -n app-ns-2 --all --for condition=Available
Verification
Verify that each application workload is managed by its assigned control plane by using the
command after deploying the applications:istioctl psVerify that the workloads are assigned to the control plane in
by running the following command:istio-system-1$ istioctl ps -i istio-system-1Example output
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION httpbin-7f56dc944b-vwfm5.app-ns-1 Kubernetes SYNCED (11m) SYNCED (11m) SYNCED (11m) SYNCED (11m) IGNORED istiod-mesh-1-b69646b6f-kxrwk 1.23.0 sleep-5577c64d7c-d675f.app-ns-1 Kubernetes SYNCED (11m) SYNCED (11m) SYNCED (11m) SYNCED (11m) IGNORED istiod-mesh-1-b69646b6f-kxrwk 1.23.0Verify that the workloads are assigned to the control plane in
by running the following command:istio-system-2$ istioctl ps -i istio-system-2Example output
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION httpbin-7f56dc944b-54gjs.app-ns-3 Kubernetes SYNCED (3m59s) SYNCED (3m59s) SYNCED (3m59s) SYNCED (3m59s) IGNORED istiod-mesh-2-8666fdfc6-mqp45 1.23.0 httpbin-7f56dc944b-gnh72.app-ns-2 Kubernetes SYNCED (4m1s) SYNCED (4m1s) SYNCED (3m59s) SYNCED (4m1s) IGNORED istiod-mesh-2-8666fdfc6-mqp45 1.23.0 sleep-5577c64d7c-k9mxz.app-ns-2 Kubernetes SYNCED (4m1s) SYNCED (4m1s) SYNCED (3m59s) SYNCED (4m1s) IGNORED istiod-mesh-2-8666fdfc6-mqp45 1.23.0 sleep-5577c64d7c-m9hvm.app-ns-3 Kubernetes SYNCED (4m1s) SYNCED (4m1s) SYNCED (3m59s) SYNCED (4m1s) IGNORED istiod-mesh-2-8666fdfc6-mqp45 1.23.0
Verify that the application connectivity is restricted to workloads within their respective mesh:
Send a request from the
pod insleepto theapp-ns-1service inhttpbinto check that the communication fails by running the following command:app-ns-2$ oc -n app-ns-1 exec deploy/sleep -c sleep -- curl -sIL http://httpbin.app-ns-2.svc.cluster.local:8000The
resources created earlier enforce mutual TLS (mTLS) traffic inPeerAuthenticationmode within each mesh. Each mesh uses its own root certificate, managed by theSTRICTconfig map, which prevents communication between meshes. The output indicates a communication failure, similar to the following example:istio-ca-root-certExample output
HTTP/1.1 503 Service Unavailable content-length: 95 content-type: text/plain date: Wed, 16 Oct 2024 12:05:37 GMT server: envoyConfirm that the communication works by sending a request from the
pod to thesleepservice that are present in thehttpbinnamespace which is managed byapp-ns-2. Run the following command:mesh-2$ oc -n app-ns-2 exec deploy/sleep -c sleep -- curl -sIL http://httpbin.app-ns-3.svc.cluster.local:8000Example output
HTTP/1.1 200 OK access-control-allow-credentials: true access-control-allow-origin: * content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' camo.githubusercontent.com content-type: text/html; charset=utf-8 date: Wed, 16 Oct 2024 12:06:30 GMT x-envoy-upstream-service-time: 8 server: envoy transfer-encoding: chunked
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}