Use service discovery selectors to improve the configuration push efficiency of the control plane - Alibaba Cloud Service Mesh

Alibaba Cloud Service Mesh (ASM) allows you to configure service discovery selectors to ensure that the ASM control plane discovers and processes only application services in the selected namespaces. This makes it more efficient for the control plane to push service configurations to sidecar proxies on the data plane. This topic describes how to configure service discovery selectors.

Prerequisites

A Container Service for Kubernetes (ACK) cluster is created. An ASM instance running the version v1.10.5.32-g28fe5008-aliyun or later is created. The ACK cluster is added to the ASM instance. For more information, see The cluster is added to the ASM instance.
A kubectl client is connected to the cluster.

Background information

By default, sidecar proxies on the data plane store the configurations of services in all the namespaces of a cluster, including those in the namespaces that do not have sidecar injection enabled. The control plane monitors services in all the namespaces and pushes the service changes to sidecar proxies.

You can configure label selectors based on the labels of the namespaces in the cluster. The label selectors ensure that the control plane discovers and processes only services in the selected namespaces. This way, sidecar proxies store only the configurations of services in the selected namespaces, because the control plane does not push the configurations of services in unselected namespaces to sidecar proxies.

The label selectors support the following matching rules:

Exact match: You can specify a label name and a label value. A namespace can be selected only when its label name and value match the ones you specify.
Match by expression: You can specify a label name, an expression operator, and some label values to select data-plane namespaces whose labels meet the specified conditions. The following items describe the meanings of operators:
- In: A namespace on the data plane can be selected only when it has a label whose name matches the specified name and the corresponding label value is among the specified values.
- NotIn: A namespace on the data plane can be selected only when it has a label whose name matches the specified name but the corresponding label value is not among the specified values.
- Exists: A namespace on the data plane can be selected when it has a label whose name matches the specified name. No requirements are imposed on the corresponding label value.
- DoesNotExist: A namespace on the data plane can be selected only when none of its labels matches the specified label name. No requirements are imposed on label values.

Step 1: Create two namespaces in ASM

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Instance > Global Namespace.
On the Global Namespace page, click Create.
In the Create Namespace panel, enter a namespace name and click OK. In this example, the name is set to ns-in-mesh.
Repeat the preceding steps to create another namespace named ns-not-in-mesh.
Enable automatic sidecar injection for the ns-in-mesh namespace.
1. On the Global Namespace page, find the ns-in-mesh namespace, and click Enable Automatic Sidecar Injection in the Automatic Sidecar Injection column.
2. In the message that appears, click OK.

Step 2: Deploy a sample application in the two namespaces

Run the following command to add the asm-discovery=enabled label to the ns-in-mesh namespace:
```
kubectl label namespace ns-in-mesh asm-discovery=enabled
```

Create an httpbin.yaml file that contains the following content:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80

Deploy the httpbin application in the two namespaces.
- Run the following command to deploy the httpbin application in the ns-in-mesh namespace:
```
kubectl apply -f httpbin.yaml -n ns-in-mesh
```
- Run the following command to deploy the httpbin application in the ns-not-in-mesh namespace:
```
kubectl apply -f httpbin.yaml -n n-not-in-meshs
```

Step 3: Check whether the control plane pushes the configurations to sidecar proxies

View configurations in sidecar proxies.
1. Run the following command to download configurations in sidecar proxies:
```
kubectl exec -it httpbin-74fb669cc6-m**** -c istio-proxy -n ns-in-mesh -- curl -s localhost:15000/config_dump > config_dump.json
```
2. Open the config_dump.json file downloaded to your local machine, and search for httpbin.ns-not-in-mesh.svc.cluster.local.
  httpbin.ns-not-in-mesh.svc.cluster.local is found. This indicates that sidecar proxies stores service configurations in the ns-not-in-mesh namespace even though the namespace does not have sidecar injection enabled.

View control-plane logs.

Enable control-plane log collection. For more information, see Enable control-plane log collection and log-based alerting.

Deploy a sleep application in the ACK cluster.

Create a sleep.yaml file that contains the following content:

##################################################################################################
# Sleep service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      containers:
      - name: sleep
        image: pstauffer/curl
        command: ["/bin/sleep", "3650d"]
        imagePullPolicy: IfNotPresent
---

Run the following command to deploy the sleep application in the ns-not-in-mesh namespace:
```
kubectl apply -f sleep.yaml -n ns-not-in-mesh
```

View logs.

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
On the details page of the ASM instance, choose ASM Instance > Base Information in the left-side navigation pane.

On the Basic Information page, click View log next to Control-plane log collection.

In the upper-right corner of the Log Service project details page that appears, set the time range to 5 Minutes to narrow down the scope of logs that are displayed. On the Raw Logs tab, you can see logs about the application creation. The logs indicate that the control plane pushes service configurations in the ns-not-in-mesh namespace even though the namespace does not have sidecar injection enabled.

2021-12-03T09:18:19.939580Z    info    ads    Incremental push, service sleep.ns-not-in-mesh.svc.cluster.local has no endpoints
2021-12-03T09:18:20.040291Z    info    ads    Push debounce stable[18] 2: 100.661695ms since last change, 107.19307ms since last push, full=true
2021-12-03T09:18:20.040785Z    info    ads    XDS: Pushing:2021-12-03T09:18:20Z/11 Services:13 ConnectedEndpoints:1  Version:2021-12-03T09:18:20Z/11
2021-12-03T09:18:20.041444Z    info    ads    CDS: PUSH for node:httpbin-74fb669cc6-z****.ns-in-mesh resources:20 size:12.9kB
2021-12-03T09:18:20.041499Z    info    ads    EDS: PUSH for node:httpbin-74fb669cc6-z****.ns-in-mesh resources:12 size:1.6kB empty:0 cached:12/12
2021-12-03T09:18:20.042280Z    info    ads    LDS: PUSH for node:httpbin-74fb669cc6-z****.ns-in-mesh resources:16 size:80.8kB
2021-12-03T09:18:20.042472Z    info    ads    RDS: PUSH for node:httpbin-74fb669cc6-z****.ns-in-mesh resources:7 size:5.3kB
2021-12-03T09:18:20.049506Z    info    ads    EDS: PUSH request for node:httpbin-74fb669cc6-z****.ns-in-mesh resources:13 size:1.6kB empty:1 cached:12/13
2021-12-03T09:18:20.058780Z    info    ads    RDS: PUSH request for node:httpbin-74fb669cc6-z****.ns-in-mesh resources:8 size:6.4kB
2021-12-03T09:18:28.260944Z    info    ads    Full push, new service ns-not-in-mesh/sleep.ns-not-in-mesh.svc.cluster.local
2021-12-03T09:18:28.361036Z    info    ads    Push debounce stable[19] 1: 100.041329ms since last change, 100.041123ms since last push, full=true
2021-12-03T09:18:28.361524Z    info    ads    XDS: Pushing:2021-12-03T09:18:28Z/12 Services:13 ConnectedEndpoints:1  Version:2021-12-03T09:18:28Z/12
2021-12-03T09:18:28.362134Z    info    ads    CDS: PUSH for node:httpbin-74fb669cc6-z****.ns-in-mesh resources:20 size:12.9kB
2021-12-03T09:18:28.362238Z    info    ads    EDS: PUSH for node:httpbin-74fb669cc6-z****.ns-in-mesh resources:13 size:1.7kB empty:0 cached:12/13
2021-12-03T09:18:28.362918Z    info    ads    LDS: PUSH for node:httpbin-74fb669cc6-z****.ns-in-mesh resources:16 size:80.8kB
2021-12-03T09:18:28.363128Z    info    ads    RDS: PUSH for node:httpbin-74fb669cc6-z****.ns-in-mesh resources:8 size:6.4kB

Step 4: Configure a service discovery selector in ASM

You can configure a service discovery selector to make the control plane push only the configurations of application services in the namespace with the asm-discovery label to sidecar proxies.

You can select the namespace or edit the label selector to configure a service discovery selector.

Method 1: Select the namespace

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the details page of the ASM instance, choose Mesh Optimization Center > Service Discovery Selectors in the left-side navigation pane.
On the Service Discovery Selector page, set Mesh Discovery Mode to Discovery services according to Discovery Selectors.
On the Select Namespaces tab, select the ACK cluster, click select next to the ns-in-mesh namespace in the list, and then click OK.
Check whether the configuration is successful.
1. On the details page of the ASM instance, choose ASM Instance > Base Information in the left-side navigation pane.
2. On the Basic Information page, check the status of the ASM instance.
  If the Status is Running, the configuration is successful.

Method 2: Edit the label selector

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Mesh Optimization Center > Service Discovery Selectors.
On the Service Discovery Selector page, set Mesh Discovery Mode to Discovery services according to Discovery Selectors, and click the Edit Discovery Selectors Directly tab.
Click Add a label selector. In the new label selector, click Add a matchExpressions. Set the Key parameter to asm-discovery and the Value parameter to Exists. Then, click OK.
Check whether the configuration is successful.
1. On the details page of the ASM instance, choose ASM Instance > Base Information in the left-side navigation pane.
2. On the Basic Information page, view the status of the ASM instance.
  If the Status is Running, the configuration is successful.

Step 5: Verify that the service discovery selector takes effect

View configurations in sidecar proxies.
1. Run the following command to download configurations in sidecar proxies:
```
kubectl exec -it httpbin-74fb669cc6-mz72t -c istio-proxy -n ns-in-mesh -- curl -s localhost:15000/config_dump > config_dump.json
```
2. Open the config_dump.json file downloaded to your local machine, and search for httpbin.ns-not-in-mesh.svc.cluster.local.
  If httpbin.ns-not-in-mesh.svc.cluster.local is not found, it indicates that sidecar proxies do not store the service configurations in the ns-not-in-mesh namespace.
View control-plane logs.
1. Enable control-plane log collection. For more information, see Enable control-plane log collection and log-based alerting.
2. Run the following command to delete the sleep application from the ACK cluster:
```
kubectl delete -f sleep.yaml -n ns-not-in-mesh
```
3. View logs.
  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  2. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
  3. On the details page of the ASM instance, choose ASM Instance > Base Information in the left-side navigation pane.
  4. On the Basic Information page, click View log next to Control-plane log collection.
    In the upper-right corner of the Log Service project details page that appears, set the time range to 15 Minutes to narrow down the scope of logs that are displayed. If no logs about the application deletion appear, it indicates that the service discovery selector takes effect. The control plane does not push service configurations to sidecar proxies when service changes occur in namespaces that are not selected.