支持控制台(Console)开发人员开始试用联系人

第 12 章 Networking

12.1. Using Service Mesh with OpenShift Serverless

Using Service Mesh with OpenShift Serverless enables developers to configure additional networking and routing options that are not supported when using OpenShift Serverless with the default Kourier implementation. These options include setting custom domains, using TLS certificates, and using JSON Web Token authentication.

Prerequisites

  1. Install the OpenShift Serverless Operator and Knative Serving.
  2. Install Red Hat OpenShift Service Mesh.

Procedure

  1. Add the default namespace to the ServiceMeshMemberRoll as a member: 

    apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
  namespace: istio-system
spec:
  members:
    - default
    重要

    Adding sidecar injection to Pods in system namespaces such as knative-serving and knative-serving-ingress is not supported.

  2. Create a network policy that permits traffic flow from Knative system pods to Knative services:

    1. Add the serving.knative.openshift.io/system-namespace=true label to the knative-serving namespace: 

      $ oc label namespace knative-serving serving.knative.openshift.io/system-namespace=true

    2. Add the serving.knative.openshift.io/system-namespace=true label to the knative-serving-ingress namespace: 

      $ oc label namespace knative-serving-ingress serving.knative.openshift.io/system-namespace=true

    3. Copy the following NetworkPolicy resource into a YAML file: 

      apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-serving-system-namespace
  namespace: default
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          serving.knative.openshift.io/system-namespace: "true"
  podSelector: {}
  policyTypes:
  - Ingress

    4. Apply the NetworkPolicy resource: 

      $ oc apply -f <filename>

12.1.1. Enabling sidecar injection for a Knative service

You can add an annotation to the Service resource YAML file to enable sidecar injection for a Knative service.

Procedure

  1. Add the sidecar.istio.io/inject="true" annotation to the Service resource: 

    apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: hello-example-1
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "true" 1
    spec:
      containers:
      - image: docker.io/openshift/hello-openshift
        name: container
    1
    Add the sidecar.istio.io/inject="true" annotation.

  2. Apply the Service resource YAML file: 

    $ oc apply -f <filename>

12.1.2. Additional resources

Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.