Use selective service discovery to improve the configuration push efficiency of the control plane - Configuration Push Optimization| Alibaba Cloud Documentation Center

You can use the selective service discovery feature to ensure that the Alibaba Cloud Service Mesh (ASM) control plane discovers and processes only applications in the namespace that you specify. This makes it more efficient for the control plane to push configurations to the data plane. This topic describes how to use selective service discovery to improve the configuration push efficiency of the control plane.

Prerequisites

An ASM instance that is running v1.10.5.32-g28fe5008-aliyun or later is created. For more information, see Create an ASM instance.
A Container Service for Kubernetes (ACK) cluster is created. For more information, see Create an ACK managed cluster.
The ACK cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
The ACK cluster is connected by using kubectl. For more information, see Connect to ACK clusters by using kubectl.

Background information

By default, a sidecar stores all service information across all namespaces in the corresponding cluster on the data plane, including namespaces whose workloads are not injected into the sidecar. The control plane monitors services in all ASM namespaces. If a service change is detected, the control plane pushes relevant configurations to all sidecars.

You can use the selective service discovery feature to configure label selectors, and then use the selectors to filter namespaces based on their labels. The ASM control plane needs only to discover and process application services in the namespaces that are selected by the label selectors. Sidecars receive only the configurations of services in the selected namespaces. If a service in an unselected namespace changes, relevant configurations are not pushed to sidecars.

The label selectors support the following matching rules:

Exact match: You can specify a label name and a label value. A namespace can be selected only when its label name and value match the ones you specify.
Match by expression: You can specify a label name, an expression operator, and some label values to select data-plane namespaces whose labels meet the specified conditions. The following items describe the meanings of operators:
- In: A namespace on the data plane can be selected only when it has a label whose name matches the specified name and the corresponding label value is among the specified values.
- NotIn: A namespace on the data plane can be selected only when it has a label whose name matches the specified name but the corresponding label value is not among the specified values.
- Exists: A namespace on the data plane can be selected when it has a label whose name matches the specified name. No requirements are imposed on the corresponding label value.
- DoesNotExist: A namespace on the data plane can be selected only when none of its labels matches the specified label name. No requirements are imposed on label values.

Step 1: Create two namespaces in ASM

Log on to the ASM console.
In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
On the details page of the ASM instance, choose ASM Instance > Global Namespace in the left-side navigation pane. On the Global Namespace page, click Create.
In the Create Namespace panel, enter a namespace name and click OK. In this example, a namespace named ns-in-mesh is created.
Repeat Step 5 to create another namespace named ns-not-in-mesh.
Enable automatic injection for the ns-in-mesh namespace.
1. On the Global Namespace page, find the ns-in-mesh namespace and click Enable Automatic Sidecar Injection in the Automatic Sidecar Injection column.
2. In the message that appears, click OK.

Step 2: Deploy sample applications in the ACK cluster

Run the following command to add the asm-discovery=enabled label to the ns-in-mesh namespace in the ACK cluster:
```
kubectl label namespace ns-in-mesh asm-discovery=enabled
```

Create an httpbin.yaml file based on the following information:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80

Create sample applications named httpbin in the namespaces.
- Run the following command to create a sample application named httpbin in the ns-in-mesh namespace:
```
kubectl apply -f httpbin.yaml -n ns-in-mesh
```
- Run the following command to create a sample application named httpbin in the ns-not-in-mesh namespace:
```
kubectl apply -f httpbin.yaml -n ns-not-in-mesh
```

Step 3: View the status of configurations pushed to sidecars

View sidecar configurations.
1. Run the following command to download the sidecar configurations:
```
kubectl exec -it httpbin-74fb669cc6-mz72t -c istio-proxy -n ns-in-mesh -- curl -s localhost:15000/config_dump > config_dump.json
```
2. Open the config_dump.json file downloaded to your local machine, and search for httpbin.ns-not-in-mesh.svc.cluster.local.
  httpbin.ns-not-in-mesh.svc.cluster.local is found. This indicates that the sidecar configuration center stores the service information in the ns-not-in-mesh namespace for which automatic sidecar injection is not enabled.

View control-plane logs.

Enable control-plane log collection. For more information, see Enable collection of control plane logs and control plane alerting.

Deploy a sleep service in the ACK cluster.

Create a sleep.yaml file based on the following information:

##################################################################################################
# Sleep service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      containers:
      - name: sleep
        image: pstauffer/curl
        command: ["/bin/sleep", "3650d"]
        imagePullPolicy: IfNotPresent
---

Run the following command to deploy the sleep service in the ns-not-in-mesh namespace:
```
kubectl apply -f sleep.yaml -n ns-not-in-mesh
```

View logs.

Log on to the ASM console.
In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
On the details page of the ASM instance, choose ASM Instance > Base Information in the left-side navigation pane.

On the Basic Information page, click View log on the right of Control-plane log collection.

In the upper-right corner of the Log Service project details page, set the time range to 5 minutes to narrow down the scope of logs that are displayed. You can find the logs related to the deployment of the sleep service on the Raw Logs tab. The logs indicate that the control plane pushes configurations to data-plane sidecars when the sleep service is deployed in the ns-not-in-mesh namespace for which automatic sidecar injection is not enabled.

2021-12-03T09:18:19.939580Z    info    ads    Incremental push, service sleep.ns-not-in-mesh.svc.cluster.local has no endpoints
2021-12-03T09:18:20.040291Z    info    ads    Push debounce stable[18] 2: 100.661695ms since last change, 107.19307ms since last push, full=true
2021-12-03T09:18:20.040785Z    info    ads    XDS: Pushing:2021-12-03T09:18:20Z/11 Services:13 ConnectedEndpoints:1  Version:2021-12-03T09:18:20Z/11
2021-12-03T09:18:20.041444Z    info    ads    CDS: PUSH for node:httpbin-74fb669cc6-zf4wg.ns-in-mesh resources:20 size:12.9kB
2021-12-03T09:18:20.041499Z    info    ads    EDS: PUSH for node:httpbin-74fb669cc6-zf4wg.ns-in-mesh resources:12 size:1.6kB empty:0 cached:12/12
2021-12-03T09:18:20.042280Z    info    ads    LDS: PUSH for node:httpbin-74fb669cc6-zf4wg.ns-in-mesh resources:16 size:80.8kB
2021-12-03T09:18:20.042472Z    info    ads    RDS: PUSH for node:httpbin-74fb669cc6-zf4wg.ns-in-mesh resources:7 size:5.3kB
2021-12-03T09:18:20.049506Z    info    ads    EDS: PUSH request for node:httpbin-74fb669cc6-zf4wg.ns-in-mesh resources:13 size:1.6kB empty:1 cached:12/13
2021-12-03T09:18:20.058780Z    info    ads    RDS: PUSH request for node:httpbin-74fb669cc6-zf4wg.ns-in-mesh resources:8 size:6.4kB
2021-12-03T09:18:28.260944Z    info    ads    Full push, new service ns-not-in-mesh/sleep.ns-not-in-mesh.svc.cluster.local
2021-12-03T09:18:28.361036Z    info    ads    Push debounce stable[19] 1: 100.041329ms since last change, 100.041123ms since last push, full=true
2021-12-03T09:18:28.361524Z    info    ads    XDS: Pushing:2021-12-03T09:18:28Z/12 Services:13 ConnectedEndpoints:1  Version:2021-12-03T09:18:28Z/12
2021-12-03T09:18:28.362134Z    info    ads    CDS: PUSH for node:httpbin-74fb669cc6-zf4wg.ns-in-mesh resources:20 size:12.9kB
2021-12-03T09:18:28.362238Z    info    ads    EDS: PUSH for node:httpbin-74fb669cc6-zf4wg.ns-in-mesh resources:13 size:1.7kB empty:0 cached:12/13
2021-12-03T09:18:28.362918Z    info    ads    LDS: PUSH for node:httpbin-74fb669cc6-zf4wg.ns-in-mesh resources:16 size:80.8kB
2021-12-03T09:18:28.363128Z    info    ads    RDS: PUSH for node:httpbin-74fb669cc6-zf4wg.ns-in-mesh resources:8 size:6.4kB

Step 4: Configure selective service discovery in ASM

This section describes how to use the match by expression rule to select namespaces with the asm-discovery label. This way, the ASM control plane pushes configurations to sidecars only when service changes occur in namespaces with the asm-discovery label.

Log on to the ASM console.
In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
On the details page of the ASM instance, choose Configuration push optimization > Discovery Selectors in the left-side navigation pane.
On the Discovery Selectors page, click Add a label selector and then Add a matchExpressions. Set the Name parameter to asm-discovery and the Operator parameter to Exists, and then click OK.
On the Basic Information page, the value of the Status parameter is Updating. When the value changes to Running, the label selector is configured.

Step 5: Check whether the selective service discovery feature takes effect

View sidecar configurations.
1. Run the following command to download the sidecar configurations:
```
kubectl exec -it httpbin-74fb669cc6-mz72t -c istio-proxy -n ns-in-mesh -- curl -s localhost:15000/config_dump > config_dump.json
```
2. Open the config_dump.json file downloaded to your local machine, and search for httpbin.ns-not-in-mesh.svc.cluster.local.
  If httpbin.ns-not-in-mesh.svc.cluster.local is not found, the sidecar configuration center does not store the service information in the ns-not-in-mesh namespace.
View control-plane logs.
1. Enable control-plane log collection. For more information, see Enable collection of control plane logs and control plane alerting.
2. Run the following command to delete the sleep service from the ACK cluster:
```
kubectl delete -f sleep.yaml -n ns-not-in-mesh
```
3. View logs.
  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
  4. On the details page of the ASM instance, choose ASM Instance > Base Information in the left-side navigation pane.
  5. On the Basic Information page, click View log on the right of Control-plane log collection.
    In the upper-right corner of the Log Service project details page, set the time range to 15 minutes to narrow down the scope of logs that are displayed. If you cannot find logs related to the deletion of the sleep service, the selective service discovery feature takes effect. The control plane does not push configurations to sidecars when service changes occur in namespaces that are not selected by the selective service discovery feature.