Use the Kubernetes API of clusters on the data plane to access Istio resources

Usage notes

• If the data plane of your ASM instance contains only one cluster, we recommend that you allow the Kubernetes API to access the Istio resources of the ASM instance. If you enable the feature for an ASM instance whose data plane contains multiple clusters, you can use the Kubernetes API of all clusters to create, delete, modify, and query the Istio resources of the ASM instance.
• After you allow Istio resources to be accessed by using the Kubernetes API of clusters on the data plane, you cannot delete the istio-system namespace from the clusters. To delete the istio-system namespace, you must first remove the clusters from the ASM instance.
• If you delete a namespace from the data plane, the corresponding namespace on the control plane and Istio resources in the namespace are not deleted.
• If the control plane contains a namespace but the data plane does not contain the same namespace, you must create the namespace for the data plane. Otherwise, you cannot create, delete, modify, or query Istio resources in the namespace, and the following error message is displayed:

  Error from server (NotFound): error when creating "xx.yaml": namespaces "daily-01" not found

• If a namespace created on the data plane for Istio resources does not exist on the control plane, the namespace is automatically created for the control plane.
• You cannot use abbreviations when you create, delete, modify, or query Istio resources. You must use full names for the resources, such as virtualservice.

Step 1: Allow Istio resources to be accessed by using the Kubernetes API of clusters on the data plane

1. Log on to the ASM console.
2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
4. On the details page of the ASM instance, choose ASM Instance > Base Information in the left-side navigation pane. On the Basic Information page, click Settings.
5. In the Settings Update panel, select Allow data plane cluster KubeAPI to access Istio CR and click OK.

   After this feature is enabled, ASM creates two roles for the clusters on the data plane. These roles are asm-istio-admin and asm-istio-readonly.

   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:
     labels:
       api: asm-apiservice-apiserver
       apiserver: "true"
     name: asm-istio-admin
   rules:
   - apiGroups:
     - networking.istio.io
     - security.istio.io
     resources:
     - '*'
     verbs:
     - '*'

   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:
     labels:
       api: asm-apiservice-apiserver
       apiserver: "true"
     name: asm-istio-readonly
   rules:
   - apiGroups:
     - networking.istio.io
     - security.istio.io
     resources:
     - '*'
     verbs:
     - get
     - list
     - watch

Step 2: Obtain the configurations of asm-cr-aggregation

1. View the ID of your ASM instance.
   1. Log on to the ASM console.
   2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
   3. On the details page of the ASM instance, choose ASM Instance > Base Information in the left-side navigation pane.
      On the Basic Information page, view the ID of the ASM instance.
2. View the ID of the region in which your cluster resides.
   1. Log on to the ACK console.
   2. In the left-side navigation pane, click Clusters.
      On the Clusters page, find your cluster and view the region. For example, if your cluster resides in the China (Beijing) region, the region ID is cn-beijing.
3. View the AccessKey ID and AccessKey secret of your account. For more information, see Create an AccessKey pair.

Step 3: Install asm-cr-aggregation

1. Connect to the ACK cluster by using kubectl. For more information, see Connect to ACK clusters by using kubectl.
2. Install Helm on your computer. For more information, see Helm.
   Note After you use kubectl to connect to a cluster, the Helm client automatically uses KubeConfig to connect to the cluster.
3. Download and decompress the asm-cr-aggregation package to your computer.
4. Find and open the values.yaml file in the asm-cr-aggregation folder, add the obtained ASM instance ID, cluster region ID, AccessKey ID, and AccessKey secret to the values.yaml file, and then save the values.yaml file.
   Notice If your cluster resides outside the Chinese mainland, you must change the region of the asm-cr-aggregation image in the values.yaml file to the region in which the cluster resides. For example, if your cluster resides in Silicon Valley, change registry.cn-hangzhou.aliyuncs.com/acs/asm-craggregation-apiservice to registry.cn-us-west-1.aliyuncs.com/acs/asm-craggregation-apiservice.
5. Run the following command to install asm-cr-aggregation:

   helm install -f values.yaml asm-cr-aggregation ./

6. Verify whether asm-cr-aggregation is installed as expected.
   1. Log on to the ACK console.
   2. In the left-side navigation pane of the ACK console, click Clusters.
   3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
   4. In the left-side navigation pane of the cluster details page, choose Applications > Helm.
      If you can find asm-cr-aggregation on the Helm page, asm-cr-aggregation is installed as expected.

Step 4: Grant permissions to a RAM user

Grant the RAM user the read-only permissions on Istio resources

1. Log on to the ACK console by using your Alibaba Cloud account.
2. In the left-side navigation pane, click Authorizations.
3. On the RAM Users tab, find the RAM user to which you want to grant permissions and click Modify Permissions.
4. In the Configure Role-Based Access Control (RBAC) step, click the icon, select the cluster and namespace on which you want to grant permissions, set the Permission parameter to Custom, select asm-istio-readonly from the drop-down list, and then click Next Step.
   

   The message The authorization is complete appears.

5. Verify whether the RAM user has the read-only permissions on Istio resources.
   1. Run the following command to query the virtual service:

      kubectl get VirtualService

      Expected output:

      NAME            CREATED AT
      reviews-route   2021-11-15T07:09:10Z

   2. Run the following command to modify the virtual service:

      kubectl edit VirtualService reviews-route

      Expected output:

      error: virtualservices.networking.istio.io "reviews-route" could not be patched: virtualservices.networking.istio.io "reviews-route" is forbidden: User "22992783668156****" cannot patch resource "virtualservices" in API group "networking.istio.io" in the namespace "default

Grant the RAM user the read and write permissions on Istio resources

1. Log on to the ACK console by using your Alibaba Cloud account.
2. In the left-side navigation pane, click Authorizations.
3. On the RAM Users tab, find the RAM user to which you want to grant permissions and click Modify Permissions.
4. In the Configure Role-Based Access Control (RBAC) step, click the icon, select the cluster and namespace on which you want to grant permissions, set the Permission parameter to Custom, select asm-istio-admin from the drop-down list, and then click Next Step.
   

   The message The authorization is complete appears.

5. Verify whether the RAM user has the read and write permissions on Istio resources.
   1. Run the following command to query the virtual service:

      kubectl get VirtualService

      Expected output:

      NAME            CREATED AT
      reviews-route   2021-11-15T07:09:10Z

   2. Run the following command to modify the virtual service:

      kubectl edit VirtualService reviews-route

      Expected output:

      virtualservice.networking.istio.io/reviews-route edited

Step 5: Use the Kubernetes API of clusters on the data plane to create and query Istio resources

1. Download and decompress the Istio-bookinfo package to your computer.
   The Istio-bookinfo folder contains the YAML files of Istio resources and the Bookinfo application.
2. Go to the Istio-bookinfo folder. Then, run the following command to create Istio resources and install the Bookinfo application:

   helm install -f values.yaml istio-bookinfo ./

3. Verify whether Istio-bookinfo is installed as expected.
   1. Query Istio resources in the ASM console.
      1. On the details page of the ASM instance, choose Traffic Management > Gateway in the left-side navigation pane.
         The Gateway page shows the bookinfo-gateway gateway. This indicates that Istio resources are created as expected.
   2. Query the Bookinfo application in the ACK console.
      1. Log on to the ACK console.
      2. In the left-side navigation pane of the ACK console, click Clusters.
      3. On the Clusters page, find the cluster that you want to manage. Then, click the name of the cluster or click Details in the Actions column.
      4. In the left-side navigation pane of the cluster details page, choose Workloads > Deployments.
         The Deployments page shows applications such as reviews and details. This indicates that the Bookinfo application is installed as expected.

      The preceding results indicate that Istio-bookinfo is installed as expected and Istio resources are created by using the Kubernetes API as expected.

4. Run the following command to query the bookinfo-gateway gateway by using the Kubernetes API:

   kubectl get Gateway bookinfo-gateway -o yaml

   The YAML content of the bookinfo-gateway gateway is returned. This indicates that you can query the bookinfo-gateway gateway as expected.