Use the Kubernetes API of clusters on the data plane to access Istio resources - Mesh Management| Alibaba Cloud Documentation Center

Background information

The Kubernetes API is a resource-based programmatic interface provided by means of HTTP. It supports the standard HTTP methods, including POST, PUT, PATCH, DELETE, and GET. You can use these methods to query, create, update, and delete primary cluster resources such as Deployments and Services. For more information, see Kubernetes API Concepts.

Usage notes

If the data plane of your ASM instance contains only one cluster, we recommend that you allow the Kubernetes API to access the Istio resources of the ASM instance. If you enable the feature for an ASM instance whose data plane contains multiple clusters, you can use the Kubernetes API of all clusters to create, delete, modify, and query the Istio resources of the ASM instance.
After you allow Istio resources to be accessed by using the Kubernetes API of clusters on the data plane, you cannot delete the istio-system namespace from the clusters. To delete the istio-system namespace, you must first remove the clusters from the ASM instance.
If you delete a namespace from the data plane, the corresponding namespace on the control plane and Istio resources in the namespace are not deleted.
If the control plane contains a namespace but the data plane does not contain the same namespace, you must create the namespace for the data plane. Otherwise, you cannot create, delete, modify, or query Istio resources in the namespace, and the following error message is displayed:
```
Error from server (NotFound): error when creating "xx.yaml": namespaces "daily-01" not found
```
If a namespace created on the data plane for Istio resources does not exist on the control plane, the namespace is automatically created for the control plane.
You cannot use abbreviations when you create, delete, modify, or query Istio resources. You must use full names for the resources, such as virtualservice.

Step 1: Allow Istio resources to be accessed by using the Kubernetes API of clusters on the data plane

You can use one of the following methods to allow Istio resources to be accessed by using the Kubernetes API of clusters on the data plane:

If you have not created an ASM instance, select Allow data plane cluster KubeAPI to access Istio CR when you create an ASM instance to allow Istio resources to be accessed by using the Kubernetes API of clusters on the data plane. For more information, see Create an ASM instance.
If you have created an ASM instance, select Allow data plane cluster KubeAPI to access Istio CR when you modify the ASM instance. This allows Istio resources to be accessed by using the Kubernetes API of clusters on the data plane. In this topic, the second method is used.

Log on to the ASM console.
In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
On the details page of the ASM instance, choose ASM Instance > Basic Information in the left-side navigation pane. On the Basic Information page, click Settings.

In the Settings Update panel, select Allow data plane cluster KubeAPI to access Istio CR and click OK.

After this feature is enabled, ASM creates two roles for the clusters on the data plane. These roles are asm-istio-admin and asm-istio-readonly.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    api: asm-apiservice-apiserver
    apiserver: "true"
  name: asm-istio-admin
rules:
- apiGroups:
  - networking.istio.io
  - security.istio.io
  resources:
  - '*'
  verbs:
  - '*'

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    api: asm-apiservice-apiserver
    apiserver: "true"
  name: asm-istio-readonly
rules:
- apiGroups:
  - networking.istio.io
  - security.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch

Step 2: Obtain the configurations of asm-cr-aggregation

View the ID of your ASM instance.
1. Log on to the ASM console.
2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
3. On the details page of the ASM instance, choose ASM Instance > Base Information in the left-side navigation pane.
  On the Basic Information page, view the ID of the ASM instance.
View the ID of the region in which your cluster resides.
1. Log on to the ACK console.
2. In the left-side navigation pane, click Clusters.
  On the Clusters page, find your cluster and view the region. For example, if your cluster resides in the China (Beijing) region, the region ID is cn-beijing.
View the AccessKey ID and AccessKey secret of your account. For more information, see Create an AccessKey pair.

Step 3: Install asm-cr-aggregation

Connect to the ACK cluster by using kubectl. For more information, see Connect to ACK clusters by using kubectl.
Install Helm on your computer. For more information, see Helm.

Note After you use kubectl to connect to a cluster, the Helm client automatically uses KubeConfig to connect to the cluster.
Download and decompress the asm-cr-aggregation package to your computer.
Find and open the values.yaml file in the asm-cr-aggregation folder, add the obtained ASM instance ID, cluster region ID, AccessKey ID, and AccessKey secret to the values.yaml file, and then save the values.yaml file.

Notice If your cluster resides outside the Chinese mainland, you must change the region of the asm-cr-aggregation image in the values.yaml file to the region in which the cluster resides. For example, if your cluster resides in Silicon Valley, change registry.cn-hangzhou.aliyuncs.com/acs/asm-craggregation-apiservice to registry.cn-us-west-1.aliyuncs.com/acs/asm-craggregation-apiservice.
Run the following command to install asm-cr-aggregation:
```
helm install -f values.yaml asm-cr-aggregation ./
```
Verify whether asm-cr-aggregation is installed as expected.
1. Log on to the ACK console.
2. In the left-side navigation pane of the ACK console, click Clusters.
3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
4. In the left-side navigation pane of the cluster details page, choose Applications > Helm.
  If you can find asm-cr-aggregation on the Helm page, asm-cr-aggregation is installed as expected.

Step 4: Grant permissions to a RAM user

Before you use the Kubernetes API to access Istio resources, your account must have the permissions on Istio resources and permissions on ASM custom resources.

Note The permissions on Istio resources must be consistent with the permissions on ASM custom resources. For example, if you have the read and write permissions on ASM custom resources, you must also have the read and write permissions on Istio resources.

Your account must have the permissions that ASM administrators or restricted users have on ASM custom resources. For more information, see Grant RBAC permissions to RAM users and RAM roles.
ASM administrators are granted the read and write permissions on ASM custom resources. ASM restricted users are granted the read-only permissions on ASM custom resources.
Your account must have the permissions to access Istio resources. Otherwise, you cannot access Istio resources.

You can run the following command to check whether a RAM user has the permissions to access Istio resources:
```
kubectl get VirtualService
```
Expected output:
```
Error from server (Forbidden): virtualservices.networking.istio.io is forbidden: User "24869613637716****" cannot list resource "virtualservices" in API group "networking.istio.io" in the namespace "default" 
```
If the preceding result is returned, the RAM user does not have the permissions to access Istio resources. To grant the RAM user the permissions to access Istio resources, perform the following operations:

Grant the RAM user the read-only permissions on Istio resources

Log on to the ACK console by using your Alibaba Cloud account.
In the left-side navigation pane, click Authorizations.
On the RAM Users tab, find the RAM user to which you want to grant permissions and click Modify Permissions.
In the Configure Role-Based Access Control (RBAC) step, click the icon, select the cluster and namespace on which you want to grant permissions, set the Permission parameter to Custom, select asm-istio-readonly from the drop-down list, and then click Next Step.
The message The authorization is complete appears.

Verify whether the RAM user has the read-only permissions on Istio resources.

Run the following command to query the virtual service:

kubectl get VirtualService

Expected output:

NAME            CREATED AT
reviews-route   2021-11-15T07:09:10Z

Run the following command to modify the virtual service:

kubectl edit VirtualService reviews-route

Expected output:

error: virtualservices.networking.istio.io "reviews-route" could not be patched: virtualservices.networking.istio.io "reviews-route" is forbidden: User "22992783668156****" cannot patch resource "virtualservices" in API group "networking.istio.io" in the namespace "default

Grant the RAM user the read and write permissions on Istio resources

Log on to the ACK console by using your Alibaba Cloud account.
In the left-side navigation pane, click Authorizations.
On the RAM Users tab, find the RAM user to which you want to grant permissions and click Modify Permissions.
In the Configure Role-Based Access Control (RBAC) step, click the icon, select the cluster and namespace on which you want to grant permissions, set the Permission parameter to Custom, select asm-istio-admin from the drop-down list, and then click Next Step.
The message The authorization is complete appears.
Verify whether the RAM user has the read and write permissions on Istio resources.
1. Run the following command to query the virtual service:
```
kubectl get VirtualService
```
  Expected output:
```
NAME            CREATED AT
reviews-route   2021-11-15T07:09:10Z
```
2. Run the following command to modify the virtual service:
```
kubectl edit VirtualService reviews-route
```
  Expected output:
```
virtualservice.networking.istio.io/reviews-route edited
```

Step 5: Use the Kubernetes API of clusters on the data plane to create and query Istio resources

This section describes how to create and query Istio resources by using Helm Charts.

Note After you allow Istio resources to be accessed by using the Kubernetes API of clusters on the data plane, wait for 1 to 2 minutes for the settings to take effect.

Download and decompress the Istio-bookinfo package to your computer.
The Istio-bookinfo folder contains the YAML files of Istio resources and the Bookinfo application.
Go to the Istio-bookinfo folder. Then, run the following command to create Istio resources and install the Bookinfo application:
```
helm install -f values.yaml istio-bookinfo ./
```
Verify whether Istio-bookinfo is installed as expected.
1. Query Istio resources in the ASM console.
  1. On the details page of the ASM instance, choose Traffic Management > Gateway in the left-side navigation pane.
    The Gateway page shows the bookinfo-gateway gateway. This indicates that Istio resources are created as expected.
2. Query the Bookinfo application in the ACK console.
  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage. Then, click the name of the cluster or click Details in the Actions column.
  4. In the left-side navigation pane of the cluster details page, choose Workloads > Deployments.
    The Deployments page shows applications such as reviews and details. This indicates that the Bookinfo application is installed as expected.
  The preceding results indicate that Istio-bookinfo is installed as expected and Istio resources are created by using the Kubernetes API as expected.
Run the following command to query the bookinfo-gateway gateway by using the Kubernetes API:
```
kubectl get Gateway bookinfo-gateway -o yaml
```
The YAML content of the bookinfo-gateway gateway is returned. This indicates that you can query the bookinfo-gateway gateway as expected.