Examples

    Prerequisites

    Before following those examples, make sure your cluster follows .

    Deploy those two yaml files on your Kubernetes cluster in order to add a simple backend example, available through HTTP and TCP.

    namespace.yaml

    deployment.yaml

    2. kind: Deployment
    3. apiVersion: apps/v1
    4. metadata:
    5.   name: whoami
    6.   namespace: whoami
    7. spec:
    8.   replicas: 2
    9.   selector:
    10.     matchLabels:
    11.       app: whoami
    12.   template:
    13.     metadata:
    14.       labels:
    15.         app: whoami
    16.     spec:
    17.       serviceAccount: whoami-server
    18.       containers:
    19.       - name: whoami
    20.         image: containous/whoami:v1.4.0
    21.         imagePullPolicy: IfNotPresent
    23. ---
    24. kind: Deployment
    25. apiVersion: apps/v1
    26. metadata:
    27.   name: whoami-tcp
    28.   namespace: whoami
    29. spec:
    30.   replicas: 2
    31.   selector:
    32.     matchLabels:
    33.       app: whoami-tcp
    34.   template:
    35.     metadata:
    36.       labels:
    37.         app: whoami-tcp
    38.     spec:
    39.       serviceAccount: whoami-server
    40.       containers:
    41.       - name: whoami-tcp
    42.         image: containous/whoamitcp:latest
    43.         imagePullPolicy: IfNotPresent
    45. ---
    46. apiVersion: v1
    47. kind: Service
    48. metadata:
    49.   name: whoami
    50.   namespace: whoami
    51.   labels:
    52.     app: whoami
    53. spec:
    54.   type: ClusterIP
    55.   ports:
    56.   - port: 80
    57.     name: whoami
    58.   selector:
    59.     app: whoami
    61. ---
    62. apiVersion: v1
    63. kind: Service
    64. metadata:
    65.   name: whoami-tcp
    66.   namespace: whoami
    67.   labels:
    68. spec:
    69.   type: ClusterIP
    70.   ports:
    71.     - port: 8080
    72.       name: whoami-tcp
    73.   selector:
    76. ---
    77. apiVersion: v1
    78. kind: Pod
    79. metadata:
    80.   name: whoami-client
    81.   namespace: whoami
    82. spec:
    83.   serviceAccountName: whoami-client
    84.   containers:
    85.     - name: whoami-client
    86.       image: giantswarm/tiny-tools:3.9
    87.       command:
    88.       - "sleep"
    89.       - "3600"

    You should now see the following when running kubectl get all -n whoami:

    1. NAME                             READY   STATUS    RESTARTS   AGE
    2. pod/whoami-client                1/1     Running   0          11s
    3. pod/whoami-f4cbd7f9c-lddgq       1/1     Running   0          12s
    4. pod/whoami-f4cbd7f9c-zk4rb       1/1     Running   0          12s
    5. pod/whoami-tcp-7679bc465-ldlt2   1/1     Running   0          12s
    6. pod/whoami-tcp-7679bc465-wf87n   1/1     Running   0          12s
    8. NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
    9. service/whoami       ClusterIP   100.68.109.244   <none>        80/TCP     13s
    10. service/whoami-tcp   ClusterIP   100.68.73.211    <none>        8080/TCP   13s
    12. NAME                         DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
    13. deployment.apps/whoami       2         2         2            2           13s
    14. deployment.apps/whoami-tcp   2         2         2            2           13s
    16. NAME                                   DESIRED   CURRENT   READY   AGE
    17. replicaset.apps/whoami-f4cbd7f9c       2         2         2       13s
    18. replicaset.apps/whoami-tcp-7679bc465   2         2         2       13s

    Command

    1. kubectl -n whoami exec whoami-client -- curl -s whoami.whoami.svc.cluster.local

    Expected Output

    And through TCP, by executing the following netcat command and sending some data.

    Command

    1. kubectl -n whoami exec -ti whoami-client -- nc whoami-tcp.whoami.svc.cluster.local 8080
    2. my data

    Expected Output

    1. Received: my data

    You can now install Maesh by following this documentation on your cluster.

    Now, in order to configure Maesh for your whoami service, you just need to update the whoami service specs, in order to add the appropriate annotations.

    The HTTP service needs to have maesh.containo.us/traffic-type: "http" and the TCP service, maesh.containo.us/traffic-type: "tcp".

    1. apiVersion: v1
    2. kind: Service
    3. metadata:
    4.   name: whoami
    5.   namespace: whoami
    6.   labels:
    7.     app: whoami
    8.   # These annotations enable Maesh for this service:
    9.   annotations:
    10.     maesh.containo.us/traffic-type: "http"
    11.     maesh.containo.us/retry-attempts: "2"
    12. spec:
    13.   type: ClusterIP
    14.   ports:
    15.   - port: 80
    16.     name: whoami
    17.   selector:
    18.     app: whoami
    20. ---
    21. apiVersion: v1
    22. kind: Service
    23. metadata:
    24.   name: whoami-tcp
    25.   namespace: whoami
    26.     app: whoami-tcp
    27.   # These annotations enable Maesh for this service:
    29.     maesh.containo.us/traffic-type: "tcp"
    30. spec:
    31.   type: ClusterIP
    32.   ports:
    33.     - port: 8080
    34.       name: whoami-tcp
    35.   selector:
    36.     app: whoami-tcp

    You should now be able to access your HTTP and TCP services through the Maesh endpoint:

    Command

    Expected Output

    1. Hostname: whoami-84bdf87956-gvbm8
    2. IP: 127.0.0.1
    3. IP: 5.6.7.8
    4. RemoteAddr: 1.2.3.4:12345
    5. GET / HTTP/1.1
    6. Host: whoami.whoami.svc.cluster.local
    7. User-Agent: curl/7.64.0
    8. Accept: */*
    9. X-Forwarded-For: 3.4.5.6

    ACL Example

    The can be enabled when installing Maesh. Once activated, all traffic is forbidden unless explicitly authorized using the SMI TrafficTarget resource. This example will present the configuration required to allow the client pod to send traffic to the HTTP and TCP services defined in the previous example.

    1. apiVersion: specs.smi-spec.io/v1alpha1
    2. kind: HTTPRouteGroup
    3. metadata:
    4.   name: http-everything
    5.   namespace: whoami
    6. matches:
    7. - name: everything
    8.   pathRegex: ".*"
    9.   methods: ["*"]
    10. ---
    11. kind: TrafficTarget
    12. apiVersion: access.smi-spec.io/v1alpha1
    13. metadata:
    14.   name: whatever
    15.   namespace: whoami
    16. destination:
    17.   kind: ServiceAccount
    18.   name: whoami-server
    19.   namespace: whoami
    20.   port: "80"
    21. specs:
    22. - kind: HTTPRouteGroup
    23.   name: http-everything
    24.   matches:
    25.   - everything
    26. sources:
    27. - kind: ServiceAccount
    28.   name: whoami-client
    29.   namespace: whoami

    Incoming traffic on a TCP service can also be authorized using a TrafficTarget and a TCPRoute.

    1. kind: TrafficTarget
    2. apiVersion: access.smi-spec.io/v1alpha1
    3. metadata:
    4.   name: api-service-target
    5.   namespace: default
    6. destination:
    7.   kind: ServiceAccount
    8.   name: api-service
    9.   namespace: default
    10. specs:
    11. - kind: TCPRoute
    12.   name: my-tcp-route
    13. sources:
    14. - kind: ServiceAccount
    15.   name: my-other-service
    16.   namespace: default
    17. ---
    18. apiVersion: specs.smi-spec.io/v1alpha1
    19. kind: TCPRoute