ASM lets you perform create, read, update, and delete (CRUD) operations on Istio resources through the Kubernetes API (KubeAPI) of data plane clusters. You can also use Helm to manage applications. This topic describes how to access Istio resources through the KubeAPI of a data plane cluster.
Prerequisites
You have created an ASM Enterprise Edition or Ultimate Edition instance. The instance version must be 1.12.4.50 or later. For more information, see Create an ASM instance and Upgrade an ASM instance.
Background
The Kubernetes API is a resource-based, programmatic interface served over HTTP. It supports standard HTTP verbs (POST, PUT, PATCH, DELETE, and GET) to retrieve, create, update, and delete primary cluster resources, such as Deployments and Services. For more information, see Kubernetes API.
Notes
We recommend that you use this feature in single-cluster mode. If your ASM instance has multiple data plane clusters, you can perform CRUD operations on Istio resources from any of those clusters.
After you enable this feature, you can no longer delete the istio-system namespace from the data plane cluster. To delete the namespace, you must first remove the data plane cluster from the ASM instance.
After you enable this feature, the data plane takes one to two minutes to prepare.
Deleting a namespace from the data plane does not delete the corresponding namespace or its Istio resources on the control plane.
To perform CRUD operations on Istio resources, the target namespace must exist on the data plane. If the namespace exists only on the control plane, you must first create it on the data plane. Otherwise, an error message similar to the following one is returned:
Error from server (NotFound): error when creating "xx.yaml": namespaces "daily-01" not foundIf you create an Istio resource in a namespace on the data plane and that namespace does not exist on the ASM control plane, the namespace is automatically created on the control plane.
Istio resources created through the KubeAPI of a data plane cluster are stored on the control plane. Therefore, when you create or update an Istio resource, do not add an
ownerReferencesfield that points to a data plane resource. Otherwise, the Istio resource on the control plane may be garbage-collected because its owner cannot be found.
Enable data plane KubeAPI access
For new ASM instances
For instances created after November 2024, this feature is enabled by default. For instances created before this date, follow the steps in For existing ASM instances.
For existing ASM instances
-
Log on to the ASM console.
-
In the left-side navigation pane, choose .
-
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
On the Basic Information page, click Enable next to Enable Data-plane KubeAPI access.
In the Confirm to enable data-plane cluster KubeAPI access dialog box, click OK.
Use case 1: Manage Istio resources with kubectl
After you enable data plane KubeAPI access, you can connect to a data plane cluster by using kubectl and then use the cluster's KubeConfig to create, query, modify, and delete Istio resources. This section uses a VirtualService as an example.
To create a VirtualService, run the following command:
kubectl apply -f <VirtualService-YAML-filename>To query VirtualServices, run the following command:
kubectl get VirtualServiceTo modify a VirtualService, run the following command:
kubectl edit VirtualService <VirtualService-name>To delete a VirtualService, run the following command:
kubectl delete VirtualService <VirtualService-name>
Use case 2: Deploy applications with Helm
After you enable data plane KubeAPI access, Helm can use the cluster's KubeConfig to simultaneously install applications on the cluster and deploy Istio resources to ASM.
-
Connect to the ACK cluster by using kubectl. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
Install Helm on your local machine. For more information, see Helm.
NoteAfter you connect to the cluster by using kubectl, the Helm client automatically uses the same KubeConfig to connect to the cluster.
Download and extract the istio-bookinfo sample Helm chart.
Change to the istio-bookinfo directory and run the following command to install the application:
helm install -f values.yaml istio-bookinfo ./Expected output:
NAME:istio-bookinfo LAST DEPLOYED:THU May 26 16:44:19 2022 NAMESPACE:default STATUS:deployed REVISION:1 TEST SUITE:NoneVerify the deployment.
Check the Bookinfo application in the ACK console.
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the left navigation pane, click .
On the Deployments page, set Namespace to default.
You can see the applications installed by Helm, such as details, productpage, and ratings.
NoteTo view the Helm release, choose in the navigation pane on the left. The Helm page displays the release.
Check the VirtualService and Gateway in the ASM console.
-
Log on to the ASM console.
-
In the left-side navigation pane, choose .
-
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
In the navigation pane on the left of the mesh details page, choose .
On the VirtualService page, you can see the VirtualService named bookinfo, which was installed by Helm.
In the navigation pane on the left of the mesh details page, choose .
On the Gateway page, you can see the Gateway named bookinfo-gateway, which was installed by Helm.
-
Related operations
Run the following command to view the list of Helm releases:
helm listRun the following command to update a Helm chart:
helm upgrade -f values.yaml istio-bookinfo ./