2.3. 将网络策略从 Service Mesh 2 迁移到 Service Mesh 3

流程

1. 运行以下命令标记命名空间：

   $ oc label namespace <app_namespace> service-mesh=enabled

   注意

   使用特定于网格的标签，您可以重复使用发现选择器。

2. 使用以下 NetworkPolicy 示例配置创建网络策略：

   mesh 命名空间中的 Istiod 网络策略示例

   apiVersion: networking.k8s.io/v1
   kind: NetworkPolicy
   metadata:
     name: istiod-basic
     namespace: istio-system
   spec:
     ingress:
       - {}
     podSelector:
       matchLabels:
         app: istiod
         istio.io/rev: basic
     policyTypes:
       - Ingress

   mesh 命名空间中的公开路由策略示例

   apiVersion: networking.k8s.io/v1
   kind: NetworkPolicy
   metadata:
     name: expose-route-basic
     namespace: istio-system
   spec:
     podSelector:
       matchLabels:
         maistra.io/expose-route: "true"
     ingress:
       - from:
           - namespaceSelector:
               matchLabels:
                 network.openshift.io/policy-group: ingress
     policyTypes:
       - Ingress

   mesh 命名空间中的默认网格网络策略示例

   apiVersion: networking.k8s.io/v1
   kind: NetworkPolicy
   metadata:
     name: istio-mesh
     namespace: istio-system
   spec:
     ingress:
       - from:
           - namespaceSelector:
               matchLabels:
                 service-mesh: enabled
     podSelector: {}
     policyTypes:
       - Ingress

   info 命名空间中的公开路由网络策略示例

   apiVersion: networking.k8s.io/v1
   kind: NetworkPolicy
   metadata:
     name: istio-expose-route
     namespace: info
   spec:
     podSelector:
       matchLabels:
         maistra.io/expose-route: "true"
     ingress:
       - from:
           - namespaceSelector:
               matchLabels:
                 network.openshift.io/policy-group: ingress
     policyTypes:
       - Ingress

   info 命名空间中的网格网络策略示例

   apiVersion: networking.k8s.io/v1
   kind: NetworkPolicy
   metadata:
     name: istio-mesh
     namespace: info
   spec:
     ingress:
       - from:
           - namespaceSelector:
               matchLabels:
                 service-mesh: enabled
     podSelector: {}
     policyTypes:
       - Ingress

   info2 命名空间中的公开路由网络策略示例

   apiVersion: networking.k8s.io/v1
   kind: NetworkPolicy
   metadata:
     name: istio-expose-route
     namespace: info2
   spec:
     podSelector:
       matchLabels:
         maistra.io/expose-route: "true"
     ingress:
       - from:
           - namespaceSelector:
               matchLabels:
                 network.openshift.io/policy-group: ingress
     policyTypes:

   info2 命名空间中的网格网络策略示例

   apiVersion: networking.k8s.io/v1
   kind: NetworkPolicy
   metadata:
     name: istio-mesh
     namespace: info2
   spec:
     ingress:
       - from:
           - namespaceSelector:
               matchLabels:
                 service-mesh: enabled
     podSelector: {}
     policyTypes:
       - Ingress

3. 通过在 ServiceMeshControlPlane 资源中将 spec.security.manageNetworkPolicy 字段设置为 false 来禁用 OpenShift Service Mesh 2 中的网络策略。

   注意

   在 ServiceMeshControlPlane 资源中将 spec.security.manageNetworkPolicy 字段设置为 false 会删除 OpenShift Service Mesh 2 中默认创建的网络策略。

4. 运行以下命令查找您当前的活跃修订版本：

   $ oc get istios <istio_name>

   输出示例

   NAME             REVISIONS   READY   IN USE   ACTIVE REVISION   STATUS    VERSION   AGE
   istio-tenant-a   1           1       0        istio-tenant-a    Healthy   v1.24.3   30s

5. 在 OpenShift Service Mesh 3 的第二个 Istiod 网络策略中复制输出中的活跃修订名称，以用于 istio.io/rev 标签。

6. 使用以下 NetworkPolicy 示例配置，为 OpenShift Service Mesh 3 创建第二个 Istiod 网络策略：

   示例策略示例

   apiVersion: networking.k8s.io/v1
   kind: NetworkPolicy
   metadata:
     name: istio-istiod-v3
     namespace: istio-system
   spec:
     ingress:
       - {}
     podSelector:
       matchLabels:
         app: istiod
         istio.io/rev: istio-tenant-a 

   1

   
     policyTypes:
       - Ingress

   1

   必须与您当前的活跃修订名称匹配。