In this section we will deploy 5 different Pods, and we will apply policies to control the traffic between them.
bookbuyeris an HTTP client making requests to
bookstore. This traffic is permitted.
bookthiefis an HTTP client and much like
bookbuyeralso makes HTTP requests to
bookstore. This traffic should be blocked.
bookstoreis a server, which responds to HTTP requests. It is also a client making requests to the
bookwarehouseservice. This traffic is permitted.
bookwarehouseis a server and should respond only to
bookthiefshould be blocked.
mysqlis a MySQL database only reachable by
We are going to define and deploy traffic access policies using SMI, which will bring us to this final desired state of allowed and blocked traffic between pods:
|from / to:||bookbuyer||bookthief||bookstore||bookwarehouse||mysql|
To show how to split traffic using SMI Traffic Split, we will deploy an additional application:
bookstore-v2- this is the same container as the first
bookstorewe deployed, but for this demo we will assume that it is a new version of the app we need to upgrade to.
bookwarehouse Pods will be in separate Kubernetes Namespaces with
the same names.
mysql will be in the
bookwarehouse namespace. Each new Pod in the service mesh will be injected with an Envoy sidecar container.
Create the Namespaces
kubectl create namespace bookstore kubectl create namespace bookbuyer kubectl create namespace bookthief kubectl create namespace bookwarehouse
Add the new namespaces to the OSM control plane
osm namespace add bookstore bookbuyer bookthief bookwarehouse
Now each one of the four namespaces is labelled with
openservicemesh.io/monitored-by: osm and also
openservicemesh.io/sidecar-injection: enabled. The OSM Controller, noticing the label and annotation
on these namespaces, will start injecting all new pods with Envoy sidecars.
Create Pods, Services, ServiceAccounts
bookbuyer service account and deployment:
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/apps/bookbuyer.yaml
bookthief service account and deployment:
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/apps/bookthief.yaml
bookstore service account, service, and deployment:
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/apps/bookstore.yaml
bookwarehouse service account, service, and deployment:
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/apps/bookwarehouse.yaml
mysql service account, service, and stateful set:
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/apps/mysql.yaml
Checkpoint: What Got Installed?
A Kubernetes Deployment and Pods for each of
bookwarehouse, and a StatefulSet for
mysql. Also, Kubernetes Services and Endpoints for
To view these resources on your cluster, run the following commands:
kubectl get pods,deployments,serviceaccounts -n bookbuyer kubectl get pods,deployments,serviceaccounts -n bookthief kubectl get pods,deployments,serviceaccounts,services,endpoints -n bookstore kubectl get pods,deployments,serviceaccounts,services,endpoints -n bookwarehouse
In addition, a Kubernetes Service Account was also created for each application. The Service Account serves as the application’s identity which will be used later in the demo to create service-to-service access control policies.
View the Application UIs
Set up client port forwarding with the following steps to access the applications in the Kubernetes cluster. It is best to start a new terminal session for running the port forwarding scripts to maintain the port forwarding session, while using the original terminal to continue to issue commands. The port-forward scripts will look for a
.env file for environment variables needed to run the script. The
.env creates the necessary variables that target the previously created namespaces. We will use the reference
.env.example file and then run the port forwarding scripts.
In a new terminal session, run the following commands to enable port forwarding into the Kubernetes cluster from the root of the project directory (your local clone of upstream OSM).
cp .env.example .env bash <<EOF ./scripts/port-forward-bookbuyer-ui.sh & ./scripts/port-forward-bookstore-ui.sh & ./scripts/port-forward-bookthief-ui.sh & wait EOF
Note: To override the default ports, prefix the
BOOKTHIEF_LOCAL_PORT variable assignments to the
port-forward scripts. For example:
export BOOKBUYER_LOCAL_PORT=7070 BOOKTHIEF_LOCAL_PORT=7073 BOOKSTORE_LOCAL_PORT=7074 bash <<EOF ./scripts/port-forward-bookbuyer-ui.sh & ./scripts/port-forward-bookstore-ui.sh & ./scripts/port-forward-bookthief-ui.sh & wait EOF
In a browser, open up the following urls:
- http://localhost:8080 - bookbuyer
- http://localhost:8083 - bookthief
- http://localhost:8084 - bookstore
Position the windows so that you can see all of them at the same time. The header at the top of the webpage indicates the application and version.
Now that the sample applications are running, configure traffic policies between the applications.
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.