Alibaba Cloud Service Mesh (ASM) allows you to create, delete, modify, and query Istio
resources by using the Kubernetes API of clusters on the data plane. This topic describes
how to create and query Istio resources by using the Kubernetes API of clusters on
the data plane.
Background information
The Kubernetes API is a resource-based programmatic interface provided by means of
HTTP. It supports the standard HTTP methods, including POST, PUT, PATCH, DELETE, and
GET. You can use these methods to query, create, update, and delete primary cluster
resources such as Deployments and Services. For more information, see Kubernetes API Concepts.
Step 1: Allow Istio resources to be accessed by using the Kubernetes API of clusters
on the data plane
You can use one of the following methods to allow Istio resources to be accessed by
using the Kubernetes API of clusters on the data plane:
- If you have not created an ASM instance, select Allow data plane cluster KubeAPI to access Istio CR when you create an ASM instance to allow Istio resources to be accessed by using
the Kubernetes API of clusters on the data plane. For more information, see Create an ASM instance.
- If you have created an ASM instance, select Allow data plane cluster KubeAPI to access Istio CR when you modify the ASM instance. This allows Istio resources to be accessed by using
the Kubernetes API of clusters on the data plane. In this topic, the second method
is used.
- Log on to the ASM console.
- In the left-side navigation pane, choose .
- On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM
instance or click Manage in the Actions column.
- On the details page of the ASM instance, choose in the left-side navigation pane. On the Basic Information page, click Settings.
- In the Settings Update panel, select Allow data plane cluster KubeAPI to access Istio CR and click OK.
After this feature is enabled, ASM creates two roles for the clusters on the data
plane. These roles are asm-istio-admin and asm-istio-readonly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    api: asm-apiservice-apiserver
    apiserver: "true"
  name: asm-istio-admin
rules:
- apiGroups:
  - networking.istio.io
  - security.istio.io
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    api: asm-apiservice-apiserver
    apiserver: "true"
  name: asm-istio-readonly
rules:
- apiGroups:
  - networking.istio.io
  - security.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
Step 2: Obtain the configurations of asm-cr-aggregation
- View the ID of your ASM instance.
- Log on to the ASM console.
- In the left-side navigation pane, choose .
- On the details page of the ASM instance, choose in the left-side navigation pane.
On the Basic Information page, view the ID of the ASM instance.
- View the ID of the region in which your cluster resides.
- Log on to the ACK console.
- In the left-side navigation pane, click Clusters.
On the Clusters page, find your cluster and view the region. For example, if your cluster resides
in the China (Beijing) region, the region ID is cn-beijing.
- View the AccessKey ID and AccessKey secret of your account. For more information,
see Create an AccessKey pair.
Step 3: Install asm-cr-aggregation
- Connect to the ACK cluster by using kubectl. For more information, see Connect to ACK clusters by using kubectl.
- Install Helm on your computer. For more information, see Helm.
Note After you use kubectl to connect to a cluster, the Helm client automatically uses
KubeConfig to connect to the cluster.
- Download and decompress the asm-cr-aggregation package to your computer.
- Find and open the values.yaml file in the asm-cr-aggregation folder, add the obtained ASM instance ID, cluster
region ID, AccessKey ID, and AccessKey secret to the values.yaml file, and then save the values.yaml file.
Notice If your cluster resides outside the Chinese mainland, you must change the region of
the asm-cr-aggregation image in the values.yaml file to the region in which the cluster resides. For example, if your cluster resides
in Silicon Valley, change registry.cn-hangzhou.aliyuncs.com/acs/asm-craggregation-apiservice
to registry.cn-us-west-1.aliyuncs.com/acs/asm-craggregation-apiservice.
- Run the following command to install asm-cr-aggregation:
helm install -f values.yaml asm-cr-aggregation ./
- Verify whether asm-cr-aggregation is installed as expected.
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click the name of the cluster
or click Details in the Actions column. The details page of the cluster appears.
- In the left-side navigation pane of the cluster details page, choose .
If you can find asm-cr-aggregation on the Helm page, asm-cr-aggregation is installed as expected.
Step 4: Grant permissions to a RAM user
Before you use the Kubernetes API to access Istio resources, your account must have
the permissions on Istio resources and permissions on ASM custom resources.
Note The permissions on Istio resources must be consistent with the permissions on ASM
custom resources. For example, if you have the read and write permissions on ASM custom
resources, you must also have the read and write permissions on Istio resources.
- Your account must have the permissions that ASM administrators or restricted users
have on ASM custom resources. For more information, see Grant RBAC permissions to RAM users and RAM roles.
ASM administrators are granted the read and write permissions on ASM custom resources.
ASM restricted users are granted the read-only permissions on ASM custom resources.
- Your account must have the permissions to access Istio resources. Otherwise, you cannot
access Istio resources.
You can run the following command to check whether a RAM user has the permissions
to access Istio resources:
kubectl get VirtualService
Expected output:
Error from server (Forbidden): virtualservices.networking.istio.io is forbidden: User "24869613637716****" cannot list resource "virtualservices" in API group "networking.istio.io" in the namespace "default"
If the preceding result is returned, the RAM user does not have the permissions to
access Istio resources. To grant the RAM user the permissions to access Istio resources,
perform the following operations:
Grant the RAM user the read-only permissions on Istio resources
- Log on to the ACK console by using your Alibaba Cloud account.
- In the left-side navigation pane, click Authorizations.
- On the RAM Users tab, find the RAM user to which you want to grant permissions and click Modify Permissions.
- In the Configure Role-Based Access Control (RBAC) step, click the
icon, select the cluster and namespace on which you want to grant permissions, set
the Permission parameter to Custom, select asm-istio-readonly from the drop-down list, and then click Next Step.
The message The authorization is complete appears.
- Verify whether the RAM user has the read-only permissions on Istio resources.
- Run the following command to query the virtual service:
kubectl get VirtualService
Expected output:
NAME            CREATED AT
reviews-route   2021-11-15T07:09:10Z
- Run the following command to modify the virtual service:
kubectl edit VirtualService reviews-route
Expected output:
error: virtualservices.networking.istio.io "reviews-route" could not be patched: virtualservices.networking.istio.io "reviews-route" is forbidden: User "22992783668156****" cannot patch resource "virtualservices" in API group "networking.istio.io" in the namespace "default
Grant the RAM user the read and write permissions on Istio resources
- Log on to the ACK console by using your Alibaba Cloud account.
- In the left-side navigation pane, click Authorizations.
- On the RAM Users tab, find the RAM user to which you want to grant permissions and click Modify Permissions.
- In the Configure Role-Based Access Control (RBAC) step, click the
icon, select the cluster and namespace on which you want to grant permissions, set
the Permission parameter to Custom, select asm-istio-admin from the drop-down list, and then click Next Step.
The message The authorization is complete appears.
- Verify whether the RAM user has the read and write permissions on Istio resources.
- Run the following command to query the virtual service:
kubectl get VirtualService
Expected output:
NAME            CREATED AT
reviews-route   2021-11-15T07:09:10Z
- Run the following command to modify the virtual service:
kubectl edit VirtualService reviews-route
Expected output:
virtualservice.networking.istio.io/reviews-route edited
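The two ClusterRoles that ASM creates in Step 1 explain the verification results above: a RAM user bound to asm-istio-readonly can list VirtualServices but is forbidden to patch them, while asm-istio-admin permits both. The following is an added example, not code from the ASM documentation or product: a small offline evaluator that applies Kubernetes RBAC matching (wildcard apiGroups, resources and verbs; additive rules with no deny) to the rules transcribed from those two roles, so the outcome of a request can be reasoned about before binding a role to a user.

```python
# Added example (not from the ASM documentation): offline evaluator for the
# Kubernetes RBAC semantics of the asm-istio-admin and asm-istio-readonly
# ClusterRoles. It reproduces why a subject bound to asm-istio-readonly can
# list VirtualServices but cannot patch them, and why neither role grants
# anything outside the two Istio API groups.
from typing import Dict, List

# PolicyRules transcribed from the two ClusterRoles shown in Step 1.
ISTIO_GROUPS = ["networking.istio.io", "security.istio.io"]
CLUSTER_ROLES: Dict[str, List[dict]] = {
    "asm-istio-admin": [
        {"apiGroups": ISTIO_GROUPS, "resources": ["*"], "verbs": ["*"]},
    ],
    "asm-istio-readonly": [
        {"apiGroups": ISTIO_GROUPS, "resources": ["*"],
         "verbs": ["get", "list", "watch"]},
    ],
}


def _matches(allowed: List[str], wanted: str) -> bool:
    """Kubernetes RBAC matching: a literal '*' in a rule matches any value."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule: dict, group: str, resource: str, verb: str) -> bool:
    """A single PolicyRule grants a request only if group, resource and verb all match."""
    return (
        _matches(rule["apiGroups"], group)
        and _matches(rule["resources"], resource)
        and _matches(rule["verbs"], verb)
    )


def can_i(role: str, verb: str, resource: str, group: str) -> bool:
    """Offline analogue of `kubectl auth can-i <verb> <resource>.<group>` for a
    subject bound only to the named ClusterRole. RBAC is purely additive: any
    matching rule grants access, and an unknown role grants nothing."""
    rules = CLUSTER_ROLES.get(role, [])
    return any(rule_allows(r, group, resource, verb) for r in rules)


if __name__ == "__main__":
    # Mirrors the Step 4 checks: list succeeds for both roles, patch only for admin.
    for role in CLUSTER_ROLES:
        for verb in ("list", "patch"):
            allowed = can_i(role, verb, "virtualservices", "networking.istio.io")
            print(f"{role}: {verb} virtualservices -> {allowed}")
```

Against a live cluster the same question is answered without attempting a write by running `kubectl auth can-i patch virtualservices.networking.istio.io -n default` as the RAM user.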
Step 5: Use the Kubernetes API of clusters on the data plane to create and query Istio
resources
This section describes how to create and query Istio resources by using Helm Charts.
Note After you allow Istio resources to be accessed by using the Kubernetes API of clusters
on the data plane, wait for 1 to 2 minutes for the settings to take effect.
- Download and decompress the Istio-bookinfo package to your computer.
The Istio-bookinfo folder contains the YAML files of Istio resources and the Bookinfo
application.
- Go to the Istio-bookinfo folder. Then, run the following command to create Istio resources
and install the Bookinfo application:
helm install -f values.yaml istio-bookinfo ./
- Verify whether Istio-bookinfo is installed as expected.
- Query Istio resources in the ASM console.
- On the details page of the ASM instance, choose in the left-side navigation pane.
The Gateway page shows the bookinfo-gateway gateway. This indicates that Istio resources are
created as expected.
- Query the Bookinfo application in the ACK console.
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage. Then, click the name of the cluster
or click Details in the Actions column.
- In the left-side navigation pane of the cluster details page, choose .
The Deployments page shows applications such as reviews and details. This indicates that the Bookinfo
application is installed as expected.
The preceding results indicate that Istio-bookinfo is installed as expected and Istio
resources are created by using the Kubernetes API as expected.
- Run the following command to query the bookinfo-gateway gateway by using the Kubernetes
API:
kubectl get Gateway bookinfo-gateway -o yaml
The YAML content of the bookinfo-gateway gateway is returned. This indicates that
you can query the bookinfo-gateway gateway as expected.