| Table of Contents |
|---|
...
This script will create a Kubernetes master node with Kubeadm and install calico network plugin. Some other needed tools such as Docker, Kubectl and Helm will be installed as well.
From the output of the script, you should see a command on how to join a node to the created Kubernets cluster. Note that this is an example, the token and cert-hash of your installation will be different, please copy & paste the command to somewhere, we will need it later.
| Code Block | ||||
|---|---|---|---|---|
| ||||
You can now join any number of machines by running the following on each node as root: kubeadm join 10.12.5.104:6443 --token 1x62yf.60ys5p2iw13tx2t8 --discovery-token-ca-cert-hash sha256:f06628c7cee002b262e69f3f9efadf47bdec125e19606ebff743a3e514a8383b |
Kubernetes worker Node
Log in the worker node machine, run this script to create a kubernetes worker node:
| Code Block | ||||
|---|---|---|---|---|
| ||||
./2_install_k8s_minion.sh |
...
Then open your browser at http://tracing_node_ip:tracing_node_port/, you should see something similar to the following:
Note
- Tracing_node_port can be found by 'kubctl get svc -n istio-system'.
- ONAP microservices need to propagate the appropriate HTTP headers so that when the proxies send span information, the spans can be correlated correctly into a single trace.
Service Graph
Istio provides a Servicegraph service which generates and visualizes graph representations of the services in the mesh.
Open your browser at http://node_ip:30088/dotviz or http://node_ip:30088/force/forcegraph.html, you should see the service graph:
Metrics Visualization
Istio automatically gathers telemetry for services in a mesh. A Prometheus adapter is plugged into Mixer to serve the generated metric data. A Grafana addon is pre-configured with a Prometheus data source and has an Istio dashboard installed for the metric visualization.
Open your browser at http://node_ip:30300, you should see the Grafana Istio dashboard:
Authorization(RBAC)
Istio authorization is disabled by default, running the following command to enable it for onap namespace:
...
Note: There may be some delays due to caching and other propagation overhead.
Service Mesh Migration
Without Istio Authentication and Authorization
ONAP can be easily integrated with Istio service mesh if Istio Auth is disabled. In that case, ONAP can leverage the traffic management, telemetry and policies capabilities of Istio to connect, control and observe ONAP microservies, but without Mutual TLS authentication and authorization.
Though ONAP services can talk to each other within the mesh, to maximize the benefits brought by Istio, we still need to make little compatible changes to the existing services:
Service Port Name
The port names must be of the form protocol-suffix with http, http2, grpc, mongo, or redis as the protocol in order to take advantage of Istio’s routing features.
For example, name: http2-foo or name: http are valid port names, but name: http2foo is not. If the port name does not begin with a recognized prefix or if the port is unnamed, traffic on the port will be treated as plain TCP traffic (unless the port explicitly uses Protocol: UDP to signify a UDP port).
| Code Block |
|---|
kubectl describe svc aai -n onap
Name: aai
Namespace: onap
Labels: app=aai
chart=aai-2.0.0
heritage=Tiller
release=aai1
Annotations: <none>
Selector: app=aai
Type: NodePort
IP: 10.96.29.203
Port: http-aai 8080/TCP
---omitted for brevity |
Propagate Http Header for Distributed Tracing
Istio uses HTTP headers to record the request tracing information across multiple spans. Although Istio proxies are able to automatically send all the spans to Mixer, they need some hints to tie together the individual spans to get the entire trace.
To do this, ONAP microservies needs to collect and propagate the following headers from the incoming request to any outgoing requests:
x-request-idx-b3-traceidx-b3-spanidx-b3-parentspanidx-b3-sampledx-b3-flagsx-ot-span-context
With Istio Authentication and Authorization
In addition to the port name format and http header propagation, the followings need to be done to leverage Istio auth.
Liveness probe
Mutual TLS can't work with 8Shttp/tcp liveness probe. If mutual TLS is enabled, http and tcp health checks from the kubelet will not work since they do not have Istio-issued certs. The workaround is using liveness command instead or disabling http and tcp liveness probe for the time being.
Allow both Mutual TLS and Plain Traffic
During the migration, we can use “PERMISSIVE” mode of Istio Auth policy to allow both TLS and plain traffic. After migration is done, the mode can be switched to "STRICT" mode so only TLS traffics are permitted to access services.
| Code Block |
|---|
cat <<EOF | kubectl apply -n onap -f -
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: "default"
namespace: onap
spec:
peers:
- mtls:
mode: PERMISSIVE
EOF |
In that case, the RBAC should be set to allow all users, including the unauthenticated users, to access the services.
| Code Block |
|---|
cat <<EOF | kubectl apply -n onap -f -
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
name: onap-default
namespace: onap
spec:
rules:
- services: ["*"]
methods: ["*"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
name: bind-service-default
namespace: onap
spec:
subjects:
- user: "*"
roleRef:
kind: ServiceRole
name: "onap-default"
EOF |
By this approach, ONAP can be smoothly migrated to Istio with auth enabled. After every ONAP microservice adopts Istio auth, then we can set the authentication to "STRICT" mode and enforce strict access control per the needs of each service.
What's the next? we will provide a user-friendly Istio UI to manage Istio rules and policies. Comment here to leave your thoughts or join our weekly project meeting if you're interested.