Provisioning Cloud Service Mesh
1. Provisioning Cloud Service Mesh
Before you can leverage the robust features of Cloud Service Mesh, you must connect the cluster to a fleet and provision CSM. This section describes how to provision Cloud Service Mesh.

The first step is to enable the Cloud Service Mesh API in the Google Cloud console or by using the gcloud services enable command. You can choose to use Managed Cloud Service Mesh as the default configuration for your fleet. With this configuration, CSM will be automatically enabled for each newly registered GKE cluster. When set as the default configuration, managed Cloud Service Mesh only supports Mesh Certificate Authority Service for certificate management.

To set up automatic management for CSM across all the Kubernetes clusters in your Google Cloud fleet, you enable CSM for your fleet. The first step is to create a mesh.yaml file containing the configuration management: automatic. Now, use the gcloud container mesh enable command to provision a control plane for CSM. Verify by using the gcloud container mesh describe command. An ACTIVE state indicates the process is complete.

Now the mesh has been created, but applications are not using it yet. For applications to use the mesh, you either need to inject Envoy proxies or establish a proxyless gRPC service within your mesh. For production-scale applications, you need an automatic way to inject sidecars at the namespace level. This allows your administrators to organize resources. It is also useful in defining security and connectivity boundaries. You can use the kubectl label namespace sidecar-example command to add a label to the namespace. Any client pods created in that namespace will have an Envoy sidecar container automatically injected. Automatically injecting sidecars is more efficient than injecting them manually. You can also enable Google to manage your data plane so that the sidecar proxies will be automatically updated for you. This is done by annotating the namespace with the kubectl annotate command.
You can verify that the sidecar container was injected by running the kubectl get pods command. Specify the namespace and label you'd like to verify. To verify that the Envoy sidecar mesh service is set up, you can send a request to the whereami service from the client. In this example, all requests from the client container are redirected to the Envoy proxy sidecar, so you can use any IP address.

An alternative to a proxy sidecar is to use a proxyless gRPC service to allow applications to start using a mesh. Automatic gRPC configuration simplifies the setup process. But if your infrastructure requires more granular control, you can configure it manually. For details on how to accomplish this, please refer to the Google Cloud documentation. To use a proxyless gRPC service, your application needs to be working with gRPC already. This approach is often reserved for specific use cases such as high-performance gRPC applications, resource efficiency in large-scale service meshes, and environments where you can't deploy sidecar proxies with regular CSM.

After the sidecar proxies are up and running, they will intercept traffic, add mTLS when possible, and collect telemetry data. This data is accessible from the Cloud Service Mesh console.

So how do the sidecars configure the pod's networking to intercept all requests? There are two options, depending on your mesh configuration. By default, an init container configures the pod's iptables rules. The user or service account deploying pods to the mesh must have Kubernetes RBAC permissions to deploy pods with the NET_ADMIN and NET_RAW capabilities. Granting elevated Kubernetes RBAC permissions leads to security compliance issues for some organizations. The second option is to enable the Istio CNI plugin. This plugin configures traffic redirection during the network setup phase of a Kubernetes pod's lifecycle. This option does not require elevated Kubernetes RBAC permissions.

2. Let's practice!
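The following script is an added example, not part of the course or of Google's tooling. It ties together two checks from the section above: that a namespace carries the sidecar-injection label and the managed data plane annotation, and whether each pod's traffic redirection was set up by an init container that requests the NET_ADMIN and NET_RAW capabilities (the default, RBAC-sensitive mode) or without them (consistent with the Istio CNI plugin). It reads the JSON that kubectl get namespace -o json and kubectl get pods -o json produce; the label key istio-injection=enabled, the annotation mesh.cloud.google.com/proxy, and the container names istio-proxy, istio-init and istio-validation are assumptions taken from Istio and managed CSM conventions, not values given on the page. The two inputs embedded below are constructed samples so the script runs offline.

```python
import json

# Assumed names (Istio / managed CSM conventions; not stated on the page).
INJECTION_LABEL_KEY = "istio-injection"
INJECTION_LABEL_VALUE = "enabled"
MANAGED_PROXY_ANNOTATION = "mesh.cloud.google.com/proxy"   # value: {"managed":"true"}
SIDECAR_CONTAINER = "istio-proxy"
ELEVATED_CAPS = {"NET_ADMIN", "NET_RAW"}

# Constructed sample of `kubectl get namespace sidecar-example -o json`.
NAMESPACE_JSON = json.dumps({
    "kind": "Namespace",
    "metadata": {
        "name": "sidecar-example",
        "labels": {INJECTION_LABEL_KEY: INJECTION_LABEL_VALUE},
        "annotations": {MANAGED_PROXY_ANNOTATION: '{"managed":"true"}'},
    },
})


def _pod(name, init_containers, sidecar):
    """Build a minimal constructed pod document in the shape kubectl emits."""
    containers = [{"name": "app", "image": "app:1"}]
    if sidecar:
        containers.append({"name": SIDECAR_CONTAINER, "image": "proxyv2"})
    return {"metadata": {"name": name},
            "spec": {"initContainers": init_containers, "containers": containers}}


# Constructed sample of `kubectl get pods -n sidecar-example -o json`:
# one pod redirected by istio-init (needs NET_ADMIN/NET_RAW), one set up the
# CNI way (istio-validation drops all capabilities), one created before the
# namespace was labelled and therefore never injected.
PODS_JSON = json.dumps({"items": [
    _pod("client-init",
         [{"name": "istio-init",
           "securityContext": {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}}}],
         sidecar=True),
    _pod("client-cni",
         [{"name": "istio-validation",
           "securityContext": {"capabilities": {"drop": ["ALL"]}}}],
         sidecar=True),
    _pod("legacy", [], sidecar=False),
]})


def namespace_status(ns):
    """Report whether the namespace is labelled for injection and annotated for a managed data plane."""
    meta = ns.get("metadata", {})
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    managed = False
    raw = annotations.get(MANAGED_PROXY_ANNOTATION)
    if raw:
        try:
            managed = json.loads(raw).get("managed") == "true"
        except (ValueError, AttributeError):
            managed = False   # annotation present but not the expected JSON object
    return {
        "name": meta.get("name"),
        "injection_enabled": labels.get(INJECTION_LABEL_KEY) == INJECTION_LABEL_VALUE,
        "managed_data_plane": managed,
    }


def pod_report(p):
    """Classify one pod: was a sidecar injected, and did redirection need elevated capabilities?"""
    spec = p.get("spec", {})
    caps = set()
    for init in spec.get("initContainers") or []:
        added = ((init.get("securityContext") or {}).get("capabilities") or {}).get("add") or []
        caps.update(c for c in added if c in ELEVATED_CAPS)
    has_sidecar = any(c.get("name") == SIDECAR_CONTAINER for c in spec.get("containers") or [])
    if caps:
        mode = "init-container"        # iptables programmed by an init container with NET_ADMIN/NET_RAW
    elif has_sidecar:
        mode = "cni"                   # sidecar present, no elevated caps: consistent with the Istio CNI plugin
    else:
        mode = "none"                  # no sidecar at all; the pod is not in the mesh
    return {"name": p["metadata"]["name"], "sidecar_injected": has_sidecar,
            "elevated_caps": sorted(caps), "redirect_mode": mode}


def audit(ns_json, pods_json):
    """Combine the namespace and pod checks into one report."""
    ns = namespace_status(json.loads(ns_json))
    pods = [pod_report(p) for p in json.loads(pods_json).get("items", [])]
    return {
        "namespace": ns,
        "pods": pods,
        "pods_without_sidecar": [p["name"] for p in pods if not p["sidecar_injected"]],
        "pods_needing_elevated_caps": [p["name"] for p in pods if p["elevated_caps"]],
    }


if __name__ == "__main__":
    print(json.dumps(audit(NAMESPACE_JSON, PODS_JSON), indent=2))
```

Against a real cluster, pipe the output of the two kubectl commands into audit() in place of the constructed samples. Pods listed under pods_without_sidecar predate the namespace label and need to be recreated; pods listed under pods_needing_elevated_caps show that the deploying identity still has to be allowed NET_ADMIN and NET_RAW, which is the condition the Istio CNI option removes.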