Configure Managed Services Gateway
This topic describes how to configure the Managed Services Gateway. This feature enables you to onboard cloud-managed services onto a slice. All the other application pods on that slice can access the onboarded cloud-managed services.
For more information, see Managed Services Gateway.
Configure the Managed Services Gateway on a Slice
You configure the envoy-based services gateway on a slice either while creating the slice or by modifying an existing slice configuration. The SliceConfig below enables it through the externalGatewayConfig section; everything else is the usual slice configuration.
apiVersion: controller.kubeslice.io/v1alpha1 # The KubeSlice Controller API version. The value must be controller.kubeslice.io/v1alpha1.
kind: SliceConfig # The object schema. The value must be SliceConfig.
metadata:
  name: slicedemo # Name of the slice.
spec: # The specification of the desired state of the object.
  overlayNetworkDeploymentMode: "single-network" # The deployment mode. Select single-network when creating a slice for VPC service access.
  sliceType: Application # Type of slice. For onboarding applications, the slice type must be Application.
  clusters: # An array of worker clusters.
    - cluster1
    - cluster2
  namespaceIsolationProfile: # Configuration to onboard namespaces and/or isolate namespaces with a network policy.
    isolationEnabled: false # Enables isolation of namespaces on the slice. By default, it is false.
    applicationNamespaces: # Array. Defines the namespaces onboarded to the slice and their corresponding worker clusters.
      - namespace: appns # Namespace.
        clusters: # Namespace sameness is enabled when asterisk (*) is set as the value.
          - '*'
  # with-network
  sliceSubnet: 10.183.0.0/16 # Used to assign IP addresses to pods that connect to the slice overlay network. The CIDR range can be re-used for each slice or modified as required. Example: 192.168.0.0/16
  sliceGatewayProvider: # The type of slice gateway created for inter-cluster communication.
    sliceGatewayType: OpenVPN # The slice gateway type for inter-cluster communication. The value must be `OpenVPN`.
    sliceCaType: Local # The slice gateway certificate authority type that provides certificates to secure inter-cluster traffic. The value must always be Local.
  qosProfileDetails: # QoS profile for the slice inter-cluster traffic.
    queueType: HTB # The slice traffic control queue type. The value must be Hierarchical Token Bucket (`HTB`). HTB provides guaranteed bandwidth for the slice traffic.
    priority: 0 # QoS profiles allow traffic management within a slice and prioritization across slices. The value range is 0-3; 0 is the lowest priority and 3 the highest.
    tcType: BANDWIDTH_CONTROL # The traffic control type. The value must be `BANDWIDTH_CONTROL`.
    bandwidthCeilingKbps: 30000 # The maximum bandwidth in Kbps allowed for the slice traffic.
    bandwidthGuaranteedKbps: 20000 # The guaranteed bandwidth in Kbps for the slice traffic.
    dscpClass: AF11 # DSCP marking code for the slice inter-cluster traffic.
  sliceIpamType: Local # The type of IP address management for the slice subnet. The value must always be `Local`.
  # external gateway configuration
  externalGatewayConfig: # The slice ingress/egress gateway configuration.
    - gatewayType: "envoy" # The type of ingress/egress gateway to provision for the slice. It must be `envoy` for the VPC service access gateway.
      clusters: # List of clusters to which this externalGatewayConfig entry applies. They must be clusters listed under spec.clusters.
        - "cluster1"
        - "cluster2"
      vpcServiceAccess: # Enables VPC service access for onboarding a cloud-managed service.
        egress: # To use the egress gateway for cloud-managed services on this slice, set enabled to `true`.
          enabled: true
After the slice is created, the Slice Operator pulls the configuration from the KubeSlice Controller and creates a namespace called <slice-name>-vpc-egress-gw-system in the worker cluster that has direct access to the cloud-managed service (worker 1 in this example). Confirm on that cluster with kubectl get namespaces that the gateway namespace exists before continuing, and use that exact namespace name in the commands that follow.
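Before applying the SliceConfig it is worth checking the constraints the comments above state: single-network mode, the Application slice type, a well-formed slice subnet, and an envoy external gateway with VPC egress enabled whose clusters are actually on the slice. The Python below is an added example, not KubeSlice code. It assumes the manifest has already been parsed from YAML (for example with yaml.safe_load) and embeds a parsed copy of the slicedemo manifest as a dict, together with a constructed broken variant to show what a failed check looks like.

```python
"""Preflight checks for a SliceConfig meant for VPC service access.

Added example, not KubeSlice project code. The manifest is assumed to be
already parsed from YAML; the slicedemo manifest is embedded below as a dict.
"""
import copy
import ipaddress

# Parsed form of the slicedemo SliceConfig manifest shown on this page.
SLICEDEMO = {
    "apiVersion": "controller.kubeslice.io/v1alpha1",
    "kind": "SliceConfig",
    "metadata": {"name": "slicedemo"},
    "spec": {
        "overlayNetworkDeploymentMode": "single-network",
        "sliceType": "Application",
        "clusters": ["cluster1", "cluster2"],
        "namespaceIsolationProfile": {
            "isolationEnabled": False,
            "applicationNamespaces": [{"namespace": "appns", "clusters": ["*"]}],
        },
        "sliceSubnet": "10.183.0.0/16",
        "sliceGatewayProvider": {"sliceGatewayType": "OpenVPN", "sliceCaType": "Local"},
        "qosProfileDetails": {
            "queueType": "HTB", "priority": 0, "tcType": "BANDWIDTH_CONTROL",
            "bandwidthCeilingKbps": 30000, "bandwidthGuaranteedKbps": 20000,
            "dscpClass": "AF11",
        },
        "sliceIpamType": "Local",
        "externalGatewayConfig": [{
            "gatewayType": "envoy",
            "clusters": ["cluster1", "cluster2"],
            "vpcServiceAccess": {"egress": {"enabled": True}},
        }],
    },
}


def validate_slice_config(cfg):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    spec = cfg.get("spec", {})
    clusters = set(spec.get("clusters", []))

    def expect(path, actual, wanted):
        if actual != wanted:
            problems.append(f"{path} must be {wanted!r}, got {actual!r}")

    expect("apiVersion", cfg.get("apiVersion"), "controller.kubeslice.io/v1alpha1")
    expect("kind", cfg.get("kind"), "SliceConfig")
    expect("spec.overlayNetworkDeploymentMode", spec.get("overlayNetworkDeploymentMode"), "single-network")
    expect("spec.sliceType", spec.get("sliceType"), "Application")
    gw = spec.get("sliceGatewayProvider", {})
    expect("spec.sliceGatewayProvider.sliceGatewayType", gw.get("sliceGatewayType"), "OpenVPN")
    expect("spec.sliceGatewayProvider.sliceCaType", gw.get("sliceCaType"), "Local")
    expect("spec.sliceIpamType", spec.get("sliceIpamType"), "Local")
    if not clusters:
        problems.append("spec.clusters must list at least one worker cluster")

    # The overlay subnet must be a proper CIDR block (strict: no host bits set).
    try:
        ipaddress.ip_network(spec.get("sliceSubnet", ""), strict=True)
    except ValueError as exc:
        problems.append(f"spec.sliceSubnet is not a valid CIDR block: {exc}")

    qos = spec.get("qosProfileDetails", {})
    expect("spec.qosProfileDetails.queueType", qos.get("queueType"), "HTB")
    expect("spec.qosProfileDetails.tcType", qos.get("tcType"), "BANDWIDTH_CONTROL")
    if not 0 <= qos.get("priority", -1) <= 3:
        problems.append("spec.qosProfileDetails.priority must be in 0-3")
    if qos.get("bandwidthGuaranteedKbps", 0) > qos.get("bandwidthCeilingKbps", 0):
        problems.append("bandwidthGuaranteedKbps must not exceed bandwidthCeilingKbps")

    # Each application namespace must target '*' or a cluster that is on the slice.
    for ns in spec.get("namespaceIsolationProfile", {}).get("applicationNamespaces", []):
        for c in ns.get("clusters", []):
            if c != "*" and c not in clusters:
                problems.append(f"namespace {ns.get('namespace')!r} targets unknown cluster {c!r}")

    # The part that turns on the managed services gateway: an envoy external
    # gateway with VPC egress enabled, scoped only to clusters on the slice.
    egress_ok = False
    for i, egw in enumerate(spec.get("externalGatewayConfig", [])):
        for c in egw.get("clusters", []):
            if c not in clusters:
                problems.append(f"externalGatewayConfig[{i}] targets cluster {c!r} not in spec.clusters")
        egress = egw.get("vpcServiceAccess", {}).get("egress", {})
        if egw.get("gatewayType") == "envoy" and egress.get("enabled") is True:
            egress_ok = True
    if not egress_ok:
        problems.append("no externalGatewayConfig entry with gatewayType envoy and vpcServiceAccess.egress.enabled true")
    return problems


def broken_variant():
    """Constructed negative case: egress disabled and a cluster that is not on the slice."""
    cfg = copy.deepcopy(SLICEDEMO)
    cfg["spec"]["externalGatewayConfig"][0]["vpcServiceAccess"]["egress"]["enabled"] = False
    cfg["spec"]["externalGatewayConfig"][0]["clusters"].append("cluster3")
    return cfg


if __name__ == "__main__":
    for label, cfg in (("slicedemo", SLICEDEMO), ("broken", broken_variant())):
        print(label, validate_slice_config(cfg) or "OK")
```

The cluster check matters because the gateway is only provisioned on the clusters listed in externalGatewayConfig; a typo there silently leaves a cluster without the gateway rather than failing loudly.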
Create a VPCServiceImport Object on the Worker Cluster
You must create a VPCServiceImport object on the worker cluster with direct access to the cloud-managed service. Applying this object allows the cloud-managed service to be part of the slice overlay network. All the application pods on that slice can then access this cloud-managed service.
Use the following template to create a vpcserviceimport.yaml file.
apiVersion: networking.kubeslice.io/v1alpha1 # The versioned schema of this object.
kind: VpcServiceImport # The REST resource this object represents. The value must be VpcServiceImport.
metadata: # Metadata of the object.
  name: cosmosdb # Name of the VPCServiceImport object.
spec:
  sliceName: <slice name> # Name of the slice.
  fqdn: # Fully qualified domain names of the cloud-managed service.
    - "slicedemo.db.cosmos.cloud.com"
  ipAddress: # Optional; array of IP address strings.
    - "10.10.100.100"
  ports: # Array of service ports.
    - name: https # Name of the port.
      port: 10255 # Port number of the exported service.
      protocol: HTTPS # The protocol used by the exported VPC service. Supported values are HTTP, HTTPS, TLS, and TCP.
HTTPS and TLS signify TLS passthrough, not TLS termination: the gateway forwards the encrypted stream unchanged and never holds the service's private key, so the client still verifies the service certificate end to end. Because the gateway cannot read HTTP headers inside an encrypted connection, passthrough connections are routed on the TLS Server Name Indication (SNI) sent in the ClientHello. Both clients and servers must therefore support SNI; a client that omits it gives the gateway no hostname to route on.
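The passthrough point above is easier to see on the wire. The following Python is an added example, not Envoy or KubeSlice code: it constructs a TLS ClientHello record with and without the server_name extension and extracts the SNI the way a passthrough listener has to, since nothing else in the connection is readable without terminating TLS. The record layout is real TLS framing, but the random bytes, the single cipher suite and the hostnames are constructed for illustration.

```python
"""What a TLS-passthrough gateway can see: only the unencrypted ClientHello.

Added example, not Envoy or KubeSlice code. Builds a constructed TLS 1.2
ClientHello record (with or without server_name) and extracts the SNI.
"""
import os
import struct

SNI_EXT = 0x0000    # extension type server_name (RFC 6066)
HOST_NAME = 0x00    # NameType host_name


def build_client_hello(server_name=None):
    """Constructed ClientHello (TLS 1.2 framing, one cipher suite) for illustration."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", HOST_NAME, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + os.urandom(32)                       # random
        + b"\x00"                              # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"   # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                          # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None            # not a handshake record carrying a ClientHello
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        if len(body) != hs_len:
            return None            # truncated; a real gateway would buffer more bytes
        pos = 2 + 32               # skip client_version and random
        pos += 1 + body[pos]       # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]       # compression_methods
        if pos >= len(body):
            return None            # legacy client with no extensions block at all
        ext_len = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == SNI_EXT:
                list_len = struct.unpack_from("!H", body, pos)[0]
                p = pos + 2
                while p + 3 <= pos + 2 + list_len:
                    name_type, name_len = struct.unpack_from("!BH", body, p)
                    p += 3
                    if name_type == HOST_NAME:
                        return body[p:p + name_len].decode("idna")
                    p += name_len
            pos += ext_size
        return None                # ClientHello present, server_name extension absent
    except (IndexError, struct.error, UnicodeError):
        return None


if __name__ == "__main__":
    for name in ("slicedemo.db.cosmos.cloud.com", None):
        print(repr(name), "->", repr(extract_sni(build_client_hello(name))))
```

A client that omits server_name produces a ClientHello whose extensions block carries no hostname, and the gateway is then left with only a TCP tuple to route on; that is the practical reason the page requires SNI on both ends for HTTPS and TLS ports.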
Apply the VPCServiceImport Object to the Worker Cluster
Apply the vpcserviceimport.yaml file to the worker cluster that has direct access to the cloud-managed service, so that the service becomes part of the slice.
Use the following command to apply the vpcserviceimport.yaml file:
kubectl apply -f vpcserviceimport.yaml -n <slice_name>-vpc-access-gw-system
The cloud-managed service is now part of the slice overlay network, so the other worker clusters connected to the same slice can reach it.
Validate the VPCServiceImport Object
Use the following command to validate the VPCServiceImport object:
kubectl get vpcserviceimport <vpcserviceimport name> -n <slice_name>-vpc-access-gw-system
Example
kubectl get vpcserviceimport cosmosdb -n slicedemo-vpc-access-gw-system
Expected Output
NAME       SLICE       STATUS
cosmosdb   slicedemo   true
Validate the Service Import on Other Worker Clusters
Use the following command to validate the service import on other worker clusters:
kubectl get serviceimport <vpcserviceimport name> -n <slice_name>-vpc-access-gw-system
Example
kubectl get serviceimport cosmosdb -n slicedemo-vpc-access-gw-system
Expected Output
NAME       SLICE       PORT(S)     ENDPOINTS   STATUS   ALIAS
cosmosdb   slicedemo   10255/TCP   1           READY    ["slicedemo.db.cosmos.cloud.com"]
Turn Off the Managed Services Gateway
To turn off an onboarded managed service on a slice:
- Remove the VPCServiceImport object from the worker cluster it was applied to, using the following command:
kubectl delete -f <vpc-service-import>.yaml
Example
kubectl delete -f vpc-service-import.yaml
Expected Output
vpcserviceimport.networking.kubeslice.io "cosmosdb" deleted
- On the controller cluster, offboard the namespaces by removing them and their associated clusters from applicationNamespaces in the slice configuration file, then apply the updated file.
- Delete the slice from the project namespace using the following command:
kubectl delete sliceconfig <slice_name> -n <project namespace>
Example
kubectl delete sliceconfig slicedemo -n kubeslice-cisco
Expected Output
sliceconfig.controller.kubeslice.io "slicedemo" deleted