Chapter 12. Networking
12.1. Using Service Mesh with OpenShift Serverless
Using Service Mesh with OpenShift Serverless enables developers to configure additional networking and routing options that are not supported when using OpenShift Serverless with the default Kourier implementation. These options include setting custom domains, using TLS certificates, and using JSON Web Token authentication.
Prerequisites
- Install the OpenShift Serverless Operator and Knative Serving.
- Install Red Hat OpenShift Service Mesh.
Procedure
- Add the default namespace to the ServiceMeshMemberRoll as a member:

      apiVersion: maistra.io/v1
      kind: ServiceMeshMemberRoll
      metadata:
        name: default
        namespace: istio-system
      spec:
        members:
          - default

  Important: Adding sidecar injection to Pods in system namespaces such as knative-serving and knative-serving-ingress is not supported.

- Create a network policy that permits traffic flow from Knative system pods to Knative services:

  - Add the serving.knative.openshift.io/system-namespace=true label to the knative-serving namespace:

        $ oc label namespace knative-serving serving.knative.openshift.io/system-namespace=true

  - Add the serving.knative.openshift.io/system-namespace=true label to the knative-serving-ingress namespace:

        $ oc label namespace knative-serving-ingress serving.knative.openshift.io/system-namespace=true

  - Copy the following NetworkPolicy resource into a YAML file:

        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        metadata:
          name: allow-from-serving-system-namespace
          namespace: default
        spec:
          ingress:
          - from:
            - namespaceSelector:
                matchLabels:
                  serving.knative.openshift.io/system-namespace: "true"
          podSelector: {}
          policyTypes:
          - Ingress

  - Apply the NetworkPolicy resource:

        $ oc apply -f <filename>
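The NetworkPolicy in the procedure above admits traffic only from namespaces that carry the serving.knative.openshift.io/system-namespace=true label, so skipping either label step leaves that namespace's pods blocked. The following added example (not part of the original documentation) models that selector evaluation offline. The namespace label sets and the other-tenant namespace are constructed sample data, ipBlock peers are not modelled, and only this one policy is evaluated.

```python
# Added example: POLICY mirrors the resource above; NAMESPACES is constructed sample data.
LABEL = "serving.knative.openshift.io/system-namespace"
POLICY = {
    "metadata": {"name": "allow-from-serving-system-namespace", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [
        {"from": [{"namespaceSelector": {"matchLabels": {LABEL: "true"}}}]}]},
}
NAMESPACES = {
    "knative-serving": {LABEL: "true"},
    "knative-serving-ingress": {},          # constructed case: label step skipped
    "other-tenant": {"team": "payments"},   # hypothetical unrelated namespace
}

def selector_matches(selector, labels):
    """Label selector semantics: every matchLabels/matchExpressions term must hold."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True

def namespace_admitted(policy, source_ns, source_labels):
    """True if any ingress peer of this policy admits the source namespace."""
    for rule in policy["spec"].get("ingress", []):
        peers = rule.get("from")
        if not peers:  # a rule with no "from" admits every source
            return True
        for peer in peers:
            if "namespaceSelector" in peer:
                if selector_matches(peer["namespaceSelector"], source_labels):
                    return True
            elif "podSelector" in peer and source_ns == policy["metadata"]["namespace"]:
                return True  # podSelector alone is scoped to the policy's own namespace
    return False

def audit(policy, namespaces):
    return {ns: namespace_admitted(policy, ns, lb) for ns, lb in namespaces.items()}

if __name__ == "__main__":
    print(audit(POLICY, NAMESPACES))
```

In the constructed data, knative-serving-ingress is reported as blocked until it receives the same label as knative-serving.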
12.1.1. Enabling sidecar injection for a Knative service
You can add an annotation to the Service resource YAML file to enable sidecar injection for a Knative service.
Procedure
- Add the sidecar.istio.io/inject="true" annotation to the Service resource:

      apiVersion: serving.knative.dev/v1
      kind: Service
      metadata:
        name: hello-example-1
      spec:
        template:
          metadata:
            annotations:
              sidecar.istio.io/inject: "true" # <1>
          spec:
            containers:
            - image: docker.io/openshift/hello-openshift
              name: container

  <1> Add the sidecar.istio.io/inject="true" annotation.

- Apply the Service resource YAML file:

      $ oc apply -f <filename>
12.1.2. Additional resources
- For more information about Red Hat OpenShift Service Mesh, see Red Hat OpenShift Service Mesh architecture.