docs(perf): improve auto reachable services docs #1520

Merged (1 commit) on Nov 9, 2023
36 changes: 26 additions & 10 deletions app/_src/production/upgrades-tuning/fine-tuning.md
Expand Up @@ -27,9 +27,7 @@
{% endwarning %}

Starting with release 2.5 the problem stated in [reachable services](#reachable-services) section
can be also mitigated by defining [MeshTrafficPermissions](/docs/{{ page.version }}/policies/meshtrafficpermission) in combination with:
- `KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES=true` environment variable set on **zone CP** (for helm use `--set {{site.set_flag_values_prefix}}controlPlane.envVars.KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES=true`) and
- [mTLS enabled in strict mode](/docs/{{ page.version }}/policies/mutual-tls/)
can be also mitigated by defining [MeshTrafficPermissions](/docs/{{ page.version }}/policies/meshtrafficpermission) and [configuring](/docs/{{ page.version }}/documentation/configuration) a **zone** control plane with `KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES=true`.

GitHub Actions / vale notice on app/_src/production/upgrades-tuning/fine-tuning.md line 30: [Google.Parens] Use parentheses judiciously.

Switching on the flag will result in computing a graph of dependencies between the services
and generating XDS configuration that enables communication **only** with services that are allowed to communicate with each other
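Review bot: the replacement line drops two things the old bullets stated, the helm `--set {{site.set_flag_values_prefix}}controlPlane.envVars.KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES=true` hint and the requirement that mTLS be enabled in strict mode, without saying whether strict mTLS is no longer a precondition; if the flag now works without it, state that explicitly, otherwise keep that bullet, since a reader who enables the flag without mTLS would expect the restriction to hold when it may not. Minor wording in the same line: "can be also mitigated" reads better as "can also be mitigated", and the following sentence ("...that are allowed to communicate with each other") is missing its terminating period.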
Expand Down Expand Up @@ -75,11 +73,9 @@

{% policy_yaml meshtrafficpermission_other_kind %}
```yaml
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
namespace: kuma-system
name: mtp-mesh-to-mesh
type: MeshTrafficPermission
mesh: default
name: mtp-mesh-to-mesh
spec:
targetRef:
kind: MeshSubset
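Review bot: the example inside `{% policy_yaml meshtrafficpermission_other_kind %}` switches from the Kubernetes form (`apiVersion`/`kind`/`metadata` with `namespace: kuma-system`) to the universal form (`type`/`mesh`/`name`); confirm that the `policy_yaml` tag renders both flavors from universal input, otherwise Kubernetes readers lose the `kuma-system` namespace that the old snippet carried. Also check the rendered output for the `spec:` / `targetRef:` / `kind: MeshSubset` indentation, which appears flattened here.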
Expand Down Expand Up @@ -113,11 +109,31 @@
curl: (52) Empty reply from server
```

instead of getting a `403` with `"RBAC: access denied"` error.
instead of getting a `503` error.

```sh
root@second-test-server:/# curl -v first-test-server:80
* Trying [IP]:80...
* Connected to first-test-server ([IP]) port 80 (#0)
> GET / HTTP/1.1
> Host: first-test-server
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 503 Service Unavailable
< content-length: 118
< content-type: text/plain
< date: Wed, 08 Nov 2023 14:15:24 GMT
< server: envoy
<
* Connection #0 to host first-test-server left intact
upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection termination/
```

### Migration

A recommended path of migration is to start with a coarse grain `MeshTrafficPermission` targeting a namespace and then drill down to individual services if needed.
A recommended path of migration is to start with a coarse grain `MeshTrafficPermission` targeting a `MeshSubset` with `k8s.kuma.io/namespace` and then drill down to individual services if needed.

{% endif_version %}
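Review bot: the hunk replaces the expected failure mode for a blocked service from a `403` with `"RBAC: access denied"` to a `503`, and the added `curl -v` transcript shows `HTTP/1.1 503 Service Unavailable` from `server: envoy` with `upstream connect error or disconnect/reset before headers ... connection termination`, but the text does not say why the denial now surfaces as a connection-level reset seen by the client sidecar rather than an HTTP-level RBAC denial; one sentence explaining the difference would help readers who are comparing this output with the earlier documentation. Two smaller points in the same hunk: the transcript's last line ends in a stray `/` that looks like the start of the next shell prompt rather than part of Envoy's message, and "coarse grain `MeshTrafficPermission`" in the migration paragraph should be "coarse-grained".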
