通过策略我们可以构建灵活的service mesh
应用策略
我们可以通过kumactl 以及kubectl 应用策略
- kumactl 格式
echo "
type: ..
spec: ..
" | kumactl -f -
- kubectl 格式
echo "
apiVersion: kuma.io/v1alpha1
kind: ..
spec: ..
" | kubectl -f -
mesh 类型的策略
允许在同一个kuma 集群中创建多service mesh
通用格式:
type: Mesh
name: default
k8s 格式:
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
namespace: kuma-system
name: default
双向 tls
- 通用格式
type: Mesh
name: default
mtls:
enabled: true
ca:
builtin: {}
- k8s 格式:
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
namespace: kuma-system
name: default
spec:
mtls:
enabled: true
ca:
builtin: {}
流量许可
- 通用格式
type: TrafficPermission
name: permission-1
mesh: default
rules:
- sources:
- match:
service: backend
destinations:
- match:
service: redis
version: "5.0"
- k8s 格式
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
namespace: default
name: permission-1
spec:
rules:
- sources:
- match:
service: backend
destinations:
- match:
service: redis
version: "5.0"
流量路由
- 通用格式
type: TrafficRoute
name: route-1
mesh: default
rules:
- sources:
- match:
service: backend
destinations:
- match:
service: redis
conf:
- weight: 90
destination:
- service: backend
version: "1.0"
- weight: 10
destination:
- service: backend
version: "2.0"
- k8s 格式
apiVersion: kuma.io/v1alpha1
kind: TrafficRoute
mesh: default
metadata:
namespace: default
name: route-1
spec:
rules:
- sources:
- match:
service: backend
destinations:
- match:
service: redis
conf:
- weight: 90
destination:
- service: backend
version: "1.0"
- weight: 10
destination:
- service: backend
version: "2.0"
流量追踪
- 通用格式
type: Mesh
name: default
tracing:
enabled: true
type: zipkin
address: zipkin.srv:9000
- k8s 格式
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
namespace: kuma-system
name: default
spec:
tracing:
enabled: true
type: zipkin
address: zipkin.srv:9000
流量日志
- 通用格式
type: Mesh
name: default
logging:
accessLogs:
enabled: true
filePath: "/tmp/access.log"
- k8s 格式
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
namespace: kuma-system
name: default
spec:
logging:
accessLogs:
enabled: true
filePath: "/tmp/access.log"
proxy template
proxy template 很强大 ,通过此我们可以配置低级的envoy
- 格式
type: ProxyTemplate
mesh: default
name: template-1
selectors:
- match:
service: backend
conf:
imports:
- default-proxy
resources:
- ..
- ..
当前对于import的支持稍简单,以下是一个复杂的例子:
imports:
- default-proxy
resources:
- name: localhost:9901
version: v1
resource: |
'@type': type.googleapis.com/envoy.api.v2.Cluster
connectTimeout: 5s
name: localhost:9901
loadAssignment:
clusterName: localhost:9901
endpoints:
- lbEndpoints:
- endpoint:
address:
socketAddress:
address: 127.0.0.1
portValue: 9901
type: STATIC
- name: inbound:0.0.0.0:4040
version: v1
resource: |
'@type': type.googleapis.com/envoy.api.v2.Listener
name: inbound:0.0.0.0:4040
address:
socket_address:
address: 0.0.0.0
port_value: 4040
filter_chains:
- filters:
- name: envoy.http_connection_manager
config:
route_config:
virtual_hosts:
- routes:
- match:
prefix: "/stats/prometheus"
route:
cluster: localhost:9901
domains:
- "*"
name: envoy_admin
codec_type: AUTO
http_filters:
name: envoy.router
stat_prefix: stats