OpenShift Service Mesh 3 (OSSM 3) operational cheatsheet
Focus: OSSM 3 sidecar mode, Istio + IstioCNI, gateway injection, NodePort 30001/30002, scheduling on infra nodes, `oc` commands, troubleshooting and a final visual diagram. Style: practical, repo/runbook oriented.
1) OSSM 3: what really changes compared to OSSM 2
In OSSM 3 some basic concepts change:
- `ServiceMeshControlPlane` no longer exists as the main CR: its place is taken by the `Istio` resource
- the CNI is managed separately with the `IstioCNI` resource
- Kiali, Prometheus and Tempo/Tracing are no longer addons managed by the control plane: they are installed and configured separately
- gateways are no longer defined inside the control plane: they are managed as separate Kubernetes Deployment/Service objects, using gateway injection or the Gateway API
- mesh "membership" is no longer done with `SMMR`, but with `discoverySelectors` plus labels on the namespaces
- sidecar injection follows the standard Istio logic: `istio.io/rev=<revision>`, or `istio-injection=enabled` only if you work with the `default` revision/tag
In practice:
- OSSM 2 = one big CR (`SMCP`) that manages almost everything
- OSSM 3 = a "purer" Istio control plane, with gateways and observability kept separate
2) Minimal OSSM 3 architecture
```
+---------------------------------------------------------------+
| OpenShift Cluster                                             |
|                                                               |
|  +----------------------+        +-------------------------+  |
|  | OSSM 3 Operator      |        | Kiali Operator          |  |
|  | (Sail-based)         |        | + Kiali Server/OSSMC    |  |
|  +----------+-----------+        +------------+------------+  |
|             |                                 |               |
|             v                                 v               |
|       +-------------+                   +-------------+       |
|       | Istio       |------------------>| Kiali       |       |
|       | (control    |                   | UI / graph  |       |
|       | plane)      |                   +-------------+       |
|       +------+------+                                         |
|              | creates                                        |
|              v                                                |
|       +-------------+                                         |
|       |IstioRevision|                                         |
|       +-------------+                                         |
|                                                               |
|       +-------------+                                         |
|       | IstioCNI    |----> DaemonSet on the nodes             |
|       +-------------+                                         |
|                                                               |
|  App / gateway namespaces visible to the mesh via             |
|  discoverySelectors + namespace labels                        |
|                                                               |
|  +-------------------+        +---------------------------+   |
|  | Gateway namespace |        | Application namespace     |   |
|  | Deployment envoy  |        | pod + sidecar envoy       |   |
|  | (gateway inject)  |        | svc + workload            |   |
|  +---------+---------+        +-------------+-------------+   |
|            |                                ^                 |
|            +---- Gateway / VirtualService --+                 |
|                                                               |
|  Observability outside the control plane:                     |
|  - OpenShift Monitoring / UWM                                 |
|  - Tempo / Distributed Tracing Platform                       |
|  - Kiali                                                      |
+---------------------------------------------------------------+
```
3) Key concepts to remember
3.1 Control plane
The OSSM 3 control plane is the resource:
```yaml
apiVersion: sailoperator.io/v1
kind: Istio
```
The resource itself is cluster-scoped, but the control plane pods run in the namespace set in:
`spec.namespace`
3.2 CNI
The CNI is separate:
```yaml
apiVersion: sailoperator.io/v1
kind: IstioCNI
```
It installs a cluster-wide DaemonSet on the nodes.
3.3 Mesh scope
In OSSM 3 the recommended way to limit which namespaces are managed by the mesh is:
- labels on the namespaces, for example `istio-discovery=enabled`
- `spec.values.meshConfig.discoverySelectors` in the `Istio` resource
3.4 Injection
To enable injection on the workload side:
- if you use a revision other than `default`, label the namespace/pod with `istio.io/rev=<istio-name-or-revision-tag>`
- `istio-injection=enabled` is only useful when you work with `default`
3.5 Gateway
In OSSM 3 gateways do not live in the `Istio` CR.
They are created as:
- `Deployment`
- `Service`
- optionally a `Route`
- the Istio resources `Gateway` and `VirtualService`
4) Recommended operational flow
- install the Red Hat OpenShift Service Mesh 3 Operator
- create the control plane namespace (`istio-system`) and the CNI namespace (`istio-cni`) if they do not exist
- create `Istio`
- create `IstioCNI`
- verify the `IstioRevision`
- apply `discoverySelectors`
- label the application and/or gateway namespaces
- enable injection with `istio.io/rev=<rev>`
- create a separate gateway with gateway injection
- create `Gateway` + `VirtualService`
- integrate Kiali / Monitoring / Tempo separately
5) Operator installation: practical note
For the Operator installation, in OSSM 3 it is best to use:
- the `stable` channel to follow the latest supported release
- or `stable-3.x` to stay on a specific release line
For the control plane version you can use:
- a full version, for example `v1.24.6`
- or the alias `vX.Y-latest`, for example `v1.24-latest`
6) Base namespaces
```shell
oc create namespace istio-system
oc create namespace istio-cni
oc create namespace ingress-basic
oc create namespace app-demo
```
7) Minimal Istio manifest (cluster-wide, sidecar mode)
Here I use the name `basic` because it is closest to your old SMCP.
In this case, for injection you will use `istio.io/rev=basic`.
```yaml
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: basic
spec:
  namespace: istio-system
  version: v1.24-latest
  updateStrategy:
    type: InPlace
  values:
    pilot:
      autoscaleEnabled: false
      replicaCount: 2
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
    meshConfig:
      enableAutoMtls: true
```
Apply:
```shell
oc apply -f istio-basic.yaml
```
Verify:
```shell
oc get istio
oc get istiorevisions
oc get pods -n istio-system -l app=istiod
```
8) IstioCNI manifest
```yaml
apiVersion: sailoperator.io/v1
kind: IstioCNI
metadata:
  name: default
spec:
  namespace: istio-cni
  version: v1.24-latest
```
Apply:
```shell
oc apply -f istiocni.yaml
```
Verify:
```shell
oc get istiocni
oc get ds -n istio-cni
oc get pods -n istio-cni -o wide
```
9) Replacement for SMMR: discoverySelectors
In OSSM 3, to limit the mesh to chosen namespaces:
9.1 Label the namespaces
```shell
oc label namespace istio-system istio-discovery=enabled --overwrite
oc label namespace ingress-basic istio-discovery=enabled --overwrite
oc label namespace app-demo istio-discovery=enabled --overwrite
```
9.2 Update the Istio resource
```yaml
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: basic
spec:
  namespace: istio-system
  version: v1.24-latest
  updateStrategy:
    type: InPlace
  values:
    pilot:
      autoscaleEnabled: false
      replicaCount: 2
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
    meshConfig:
      enableAutoMtls: true
      discoverySelectors:
        - matchLabels:
            istio-discovery: enabled
```
Apply:
```shell
oc apply -f istio-basic-scoped.yaml
```
10) Workload injection
With `metadata.name: basic` on the control plane, enable injection like this:
```shell
oc label namespace app-demo istio.io/rev=basic --overwrite
```
Verify the revision:
```shell
oc get istiorevisions
```
Restart the deployments that already exist:
```shell
oc rollout restart deploy -n app-demo
```
Verify the sidecar:
```shell
oc get pods -n app-demo
oc get pod -n app-demo <pod-name> -o jsonpath='{.spec.containers[*].name}{"\n"}'
```
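Sections 9 and 10 define two independent conditions per namespace: being watched by the control plane (`discoverySelectors`) and being selected for injection (`istio.io/rev`). The following script is an added example, not part of this cheatsheet or of OSSM, that resolves both conditions from the JSON that `oc get istio basic -o json` and `oc get ns -o json` return, using the Kubernetes label-selector rules (entries inside one selector are AND'd, selectors in the list are OR'd, an empty list means every namespace). The file names and the script name are assumptions; without arguments it runs on a constructed sample.

```python
"""Added example (not from the page): resolve which namespaces the control plane
watches (spec.values.meshConfig.discoverySelectors) and which also carry the
injection label for this revision.

Assumed usage:
  oc get istio basic -o json > istio.json
  oc get ns -o json > ns.json
  python3 mesh_scope.py istio.json ns.json
"""
import json
import sys


def selector_matches(selector, labels):
    """Kubernetes label selector: every matchLabels entry AND every matchExpressions entry must hold."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def discovery_selectors(istio_cr):
    """Path used by the Istio CR in this cheatsheet."""
    return (istio_cr.get("spec", {}).get("values", {})
            .get("meshConfig", {}).get("discoverySelectors", []))


def namespace_watched(selectors, labels):
    """Selectors are OR'd; an empty list means the control plane watches every namespace."""
    return not selectors or any(selector_matches(s, labels) for s in selectors)


def classify_namespaces(istio_cr, ns_list):
    """Return {namespace: {"in_mesh": bool, "injection": str, "ok": bool}}."""
    rev = istio_cr["metadata"]["name"]  # the Istio name is the revision workloads must reference
    selectors = discovery_selectors(istio_cr)
    report = {}
    for ns in ns_list["items"]:
        name = ns["metadata"]["name"]
        labels = ns["metadata"].get("labels", {})
        watched = namespace_watched(selectors, labels)
        ns_rev = labels.get("istio.io/rev")
        legacy = labels.get("istio-injection") == "enabled"
        if ns_rev == rev:
            injection = "enabled via istio.io/rev"
        elif legacy and rev == "default":
            injection = "enabled via istio-injection=enabled"
        elif legacy:
            # istio-injection=enabled only selects the default revision (a `default` revision tag is not modelled here)
            injection = "istio-injection=enabled ignored: this revision is not default"
        elif ns_rev:
            injection = f"istio.io/rev={ns_rev} points at another revision"
        else:
            injection = "no injection label"
        report[name] = {"in_mesh": watched, "injection": injection,
                        "ok": watched and injection.startswith("enabled")}
    return report


# Constructed sample: the Istio CR of section 9.2 plus a few namespaces, two of them half-configured.
SAMPLE_ISTIO = {"metadata": {"name": "basic"},
                "spec": {"values": {"meshConfig": {"discoverySelectors": [
                    {"matchLabels": {"istio-discovery": "enabled"}}]}}}}
SAMPLE_NS = {"items": [
    {"metadata": {"name": "istio-system", "labels": {"istio-discovery": "enabled"}}},
    {"metadata": {"name": "app-demo", "labels": {"istio-discovery": "enabled", "istio.io/rev": "basic"}}},
    {"metadata": {"name": "ingress-basic", "labels": {"istio-discovery": "enabled"}}},
    {"metadata": {"name": "legacy-app", "labels": {"istio-injection": "enabled"}}},
    {"metadata": {"name": "forgotten", "labels": {"istio.io/rev": "basic"}}},
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            istio_cr, ns_list = json.load(f1), json.load(f2)
    else:
        istio_cr, ns_list = SAMPLE_ISTIO, SAMPLE_NS
    for name, info in classify_namespaces(istio_cr, ns_list).items():
        print(f"{name:15} in_mesh={info['in_mesh']!s:5} ok={info['ok']!s:5} {info['injection']}")
```

On the sample, `app-demo` is the only namespace that is both watched and injected; `forgotten` has the revision label but is not covered by `discoverySelectors`, and `legacy-app` uses the OSSM 2 style `istio-injection=enabled` label, which the `basic` revision does not honour. `ingress-basic` correctly shows no namespace-level injection label, because the gateway carries `istio.io/rev` on its pod template instead (section 12).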
In OSSM 2 you did this with:
```
runtime.defaults.pod.nodeSelector
runtime.components.pilot.pod.nodeSelector
```
In OSSM 3 the equivalents are:
```
spec.values.global.defaultNodeSelector
spec.values.global.defaultTolerations
spec.values.pilot.nodeSelector
spec.values.pilot.tolerations
```
11.1 Istio example with the control plane on infra nodes
```yaml
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: basic
spec:
  namespace: istio-system
  version: v1.24-latest
  updateStrategy:
    type: InPlace
  values:
    global:
      defaultNodeSelector:
        node-role.kubernetes.io/infra: ""
      defaultTolerations:
        - key: node-role.kubernetes.io/infra
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/infra
          operator: Exists
          effect: NoExecute
        - key: node.ocs.openshift.io/storage
          operator: Exists
          effect: NoSchedule
    pilot:
      autoscaleEnabled: false
      replicaCount: 2
      nodeSelector:
        node-role.kubernetes.io/infra: ""
      tolerations:
        - key: node-role.kubernetes.io/infra
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/infra
          operator: Exists
          effect: NoExecute
        - key: node.ocs.openshift.io/storage
          operator: Exists
          effect: NoSchedule
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
    meshConfig:
      enableAutoMtls: true
      discoverySelectors:
        - matchLabels:
            istio-discovery: enabled
```
Apply:
```shell
oc apply -f istio-basic-infra.yaml
```
Verify scheduling:
```shell
oc get pods -n istio-system -o wide
oc get nodes --show-labels | grep infra
```
Note:
`IstioCNI` is a cluster-wide DaemonSet. Do not "move" it onto the infra nodes only: it must run on the nodes that execute the mesh workloads.
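The scheduling rules in this section (and the gateway Deployment in section 13.3) only work if the nodeSelector matches the infra node labels and every blocking taint on those nodes is tolerated; a missing `NoExecute` toleration is enough to keep a pod on the workers. The script below is an added example, not part of this cheatsheet or of OSSM: it applies the scheduler's nodeSelector and toleration semantics to a pod template taken from the rendered Deployment (`istiod` or the gateway) and the node list, so you see which nodes are eligible and which taint is not tolerated. Reading the Deployment rather than the `Istio` CR avoids guessing how `global.default*` and `pilot.*` are merged. File and script names are assumptions; without arguments it runs on a constructed sample.

```python
"""Added example (not from the page): which nodes can a pod template land on?

Assumed usage (istiod shown; the gateway Deployment works the same way):
  oc get deploy -n istio-system istiod -o json > istiod.json
  oc get nodes -o json > nodes.json
  python3 where_can_it_schedule.py istiod.json nodes.json
"""
import json
import sys


def toleration_matches(tol, taint):
    """Kubernetes semantics: an empty effect matches any effect; operator Exists with an empty key matches any key."""
    if tol.get("effect") and tol["effect"] != taint["effect"]:
        return False
    if tol.get("operator", "Equal") == "Exists":
        return not tol.get("key") or tol["key"] == taint["key"]
    return tol.get("key") == taint["key"] and tol.get("value", "") == taint.get("value", "")


def schedulable_nodes(pod_spec, nodes):
    """Return {node: {"selector_ok": bool, "untolerated_taints": [...], "schedulable": bool}}."""
    node_selector = pod_spec.get("nodeSelector", {})
    tolerations = pod_spec.get("tolerations", [])
    report = {}
    for node in nodes["items"]:
        name = node["metadata"]["name"]
        labels = node["metadata"].get("labels", {})
        taints = node.get("spec", {}).get("taints", [])
        selector_ok = all(labels.get(k) == v for k, v in node_selector.items())
        # PreferNoSchedule only lowers priority; NoSchedule / NoExecute block placement unless tolerated
        blocking = [t for t in taints if t["effect"] in ("NoSchedule", "NoExecute")
                    and not any(toleration_matches(tol, t) for tol in tolerations)]
        report[name] = {
            "selector_ok": selector_ok,
            "untolerated_taints": [f"{t['key']}:{t['effect']}" for t in blocking],
            "schedulable": selector_ok and not blocking,
        }
    return report


def pod_spec_of(deployment):
    """Pod template spec of a Deployment as returned by `oc get deploy -o json`."""
    return deployment["spec"]["template"]["spec"]


INFRA_TOLERATIONS = [  # the toleration set used throughout this cheatsheet
    {"key": "node-role.kubernetes.io/infra", "operator": "Exists", "effect": "NoSchedule"},
    {"key": "node-role.kubernetes.io/infra", "operator": "Exists", "effect": "NoExecute"},
    {"key": "node.ocs.openshift.io/storage", "operator": "Exists", "effect": "NoSchedule"},
]
# Constructed sample: one infra node tainted NoSchedule + NoExecute, one untainted worker.
SAMPLE_NODES = {"items": [
    {"metadata": {"name": "infra-0", "labels": {"node-role.kubernetes.io/infra": ""}},
     "spec": {"taints": [{"key": "node-role.kubernetes.io/infra", "effect": "NoSchedule"},
                         {"key": "node-role.kubernetes.io/infra", "effect": "NoExecute"}]}},
    {"metadata": {"name": "worker-0", "labels": {"node-role.kubernetes.io/worker": ""}}, "spec": {}},
]}
GOOD_SPEC = {"nodeSelector": {"node-role.kubernetes.io/infra": ""}, "tolerations": INFRA_TOLERATIONS}
# Typical mistake: nodeSelector set, but only the NoSchedule taint tolerated.
HALF_SPEC = {"nodeSelector": {"node-role.kubernetes.io/infra": ""}, "tolerations": INFRA_TOLERATIONS[:1]}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            spec, nodes = pod_spec_of(json.load(f1)), json.load(f2)
    else:
        spec, nodes = GOOD_SPEC, SAMPLE_NODES
    for name, info in schedulable_nodes(spec, nodes).items():
        print(name, info)
```

With `GOOD_SPEC` only `infra-0` is eligible; with `HALF_SPEC` no node is, and the report names `node-role.kubernetes.io/infra:NoExecute` as the untolerated taint, which is the information `oc get pods -o wide` alone does not give you.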
12) Gateway injection: operational concept
In OSSM 3 the gateway is a standalone Envoy installed as:
- `Deployment`
- `Service`
- possibly a `Route`
To make it work you need:
- the gateway namespace visible to the mesh via `discoverySelectors`
- a `Deployment` with:
  - annotation `inject.istio.io/templates: gateway`
  - label `istio: <gateway-name>`
  - label `istio.io/rev: basic` (or your active revision)
  - container `istio-proxy` with `image: auto`
- a `Service` that selects `istio: <gateway-name>`
13) Gateway injection with NodePort 30001/30002 and infra nodes
13.1 Gateway namespace visible to the mesh
```shell
oc create namespace ingress-basic
oc label namespace ingress-basic istio-discovery=enabled --overwrite
```
13.2 RBAC for reading TLS secrets
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-reader
  namespace: ingress-basic
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader
  namespace: ingress-basic
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-reader
  namespace: ingress-basic
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-reader
subjects:
  - kind: ServiceAccount
    name: secret-reader
    namespace: ingress-basic
```
Apply:
```shell
oc apply -f gateway-rbac.yaml
```
13.3 Gateway Deployment on infra nodes
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingressgateway
  namespace: ingress-basic
spec:
  replicas: 2
  selector:
    matchLabels:
      istio: ingress-basic
  template:
    metadata:
      annotations:
        inject.istio.io/templates: gateway
      labels:
        istio: ingress-basic
        istio.io/rev: basic
    spec:
      serviceAccountName: secret-reader
      nodeSelector:
        node-role.kubernetes.io/infra: ""
      tolerations:
        - key: node-role.kubernetes.io/infra
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/infra
          operator: Exists
          effect: NoExecute
        - key: node.ocs.openshift.io/storage
          operator: Exists
          effect: NoSchedule
      securityContext:
        sysctls:
          - name: net.ipv4.ip_unprivileged_port_start
            value: "0"
      containers:
        - name: istio-proxy
          image: auto
          securityContext:
            capabilities:
              drop:
                - ALL
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
          ports:
            - name: http-envoy-prom
              containerPort: 15090
              protocol: TCP
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: "2"
              memory: 1Gi
```
Apply:
```shell
oc apply -f gateway-deployment.yaml
oc rollout status deployment/istio-ingressgateway -n ingress-basic
```
Verify that injection happened:
```shell
oc get pod -n ingress-basic
oc get pod -n ingress-basic <pod-name> -o jsonpath='{.spec.containers[*].name}{"\n"}'
```
13.4 Service NodePort 30001 / 30002
Unlike OSSM 2, here the gateway is a normal Kubernetes `Service`.
So you set the NodePorts directly in the `Service`.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: ingress-basic
spec:
  type: NodePort
  selector:
    istio: ingress-basic
  ports:
    - name: status-port
      port: 15021
      protocol: TCP
      targetPort: 15021
    - name: http2
      port: 80
      protocol: TCP
      targetPort: 80
      nodePort: 30001
    - name: https
      port: 443
      protocol: TCP
      targetPort: 443
      nodePort: 30002
```
Apply:
```shell
oc apply -f gateway-service-nodeport.yaml
```
Verify:
```shell
oc get svc -n ingress-basic istio-ingressgateway
oc get svc -n ingress-basic istio-ingressgateway -o jsonpath='{range .spec.ports[*]}{.name}{" port="}{.port}{" nodePort="}{.nodePort}{" targetPort="}{.targetPort}{"\n"}{end}'
```
14) Gateway and VirtualService
14.1 Gateway
```yaml
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: app-demo-gw
  namespace: app-demo
spec:
  selector:
    istio: ingress-basic
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - app-demo.example.com
```
14.2 VirtualService
```yaml
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: app-demo-vs
  namespace: app-demo
spec:
  hosts:
    - app-demo.example.com
  gateways:
    - app-demo-gw
  http:
    - route:
        - destination:
            host: myapp.app-demo.svc.cluster.local
            port:
              number: 8080
```
Apply:
```shell
oc apply -f gateway.yaml
oc apply -f virtualservice.yaml
```
Verify:
```shell
oc get gateway -n app-demo
oc get virtualservice -n app-demo
```
15) OpenShift Route: explicit, not automatic
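Sections 12 to 14 build one chain whose links must agree with each other: the Deployment pod labels, the `Service` selector, the `Gateway` selector and server ports, and the `VirtualService` `gateways`/`hosts`. A mismatch in any link (for example a `Gateway` selector still pointing at a different `istio:` label value) leaves the NodePort answering but routing nothing. The script below is an added example, not part of this cheatsheet or of OSSM, that runs these consistency checks plus the injection prerequisites of section 12 over the four objects as JSON; the file and script names are assumptions, and only the plain `*` wildcard host is modelled. Without arguments it checks the manifests of this cheatsheet, embedded as constructed sample data.

```python
"""Added example (not from the page): static consistency check of the gateway chain
Deployment -> Service -> Gateway -> VirtualService.

Assumed usage:
  oc get deploy -n ingress-basic istio-ingressgateway -o json > deploy.json
  oc get svc -n ingress-basic istio-ingressgateway -o json > svc.json
  oc get gateway -n app-demo app-demo-gw -o json > gw.json
  oc get virtualservice -n app-demo app-demo-vs -o json > vs.json
  python3 check_gateway_chain.py deploy.json svc.json gw.json vs.json
"""
import json
import sys


def matches(selector, labels):
    """True when the (non-empty) selector is fully contained in the labels."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())


def check_gateway_chain(deploy, svc, gateway, vs, revision="basic"):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    template = deploy["spec"]["template"]
    pod_labels = template["metadata"].get("labels", {})
    annotations = template["metadata"].get("annotations", {})

    # 1) Injection prerequisites on the pod template (section 12)
    if annotations.get("inject.istio.io/templates") != "gateway":
        findings.append("deployment: missing annotation inject.istio.io/templates=gateway")
    if "istio" not in pod_labels:
        findings.append("deployment: missing label istio=<gateway-name>")
    if pod_labels.get("istio.io/rev") != revision:
        findings.append(f"deployment: label istio.io/rev should be {revision}, found {pod_labels.get('istio.io/rev')}")
    proxy = next((c for c in template["spec"].get("containers", []) if c.get("name") == "istio-proxy"), None)
    if proxy is None:
        findings.append("deployment: no container named istio-proxy")
    elif proxy.get("image") != "auto":
        findings.append("deployment: istio-proxy image must be 'auto' so the injector replaces it")

    # 2) Service must select those pods and pin the NodePorts (section 13.4)
    if not matches(svc["spec"].get("selector", {}), pod_labels):
        findings.append(f"service: selector {svc['spec'].get('selector')} does not match pod labels {pod_labels}")
    svc_ports = {p["port"]: p for p in svc["spec"].get("ports", [])}
    if svc["spec"].get("type") == "NodePort":
        for port in (80, 443):
            if port in svc_ports and "nodePort" not in svc_ports[port]:
                findings.append(f"service: port {port} has no fixed nodePort")

    # 3) Gateway must select the same pods and only use ports the Service exposes (section 14.1)
    if not matches(gateway["spec"].get("selector", {}), pod_labels):
        findings.append(f"gateway: selector {gateway['spec'].get('selector')} does not match pod labels {pod_labels}")
    gw_hosts = set()
    for server in gateway["spec"].get("servers", []):
        if server["port"]["number"] not in svc_ports:
            findings.append(f"gateway: server port {server['port']['number']} is not exposed by the Service")
        gw_hosts.update(server.get("hosts", []))

    # 4) VirtualService must bind to this Gateway and share a host (section 14.2)
    gw_name = gateway["metadata"]["name"]
    refs = {gw_name, f"{gateway['metadata']['namespace']}/{gw_name}"}
    if not refs & set(vs["spec"].get("gateways", [])):
        findings.append(f"virtualservice: gateways {vs['spec'].get('gateways')} do not reference {gw_name}")
    if "*" not in gw_hosts and not gw_hosts & set(vs["spec"].get("hosts", [])):
        findings.append("virtualservice: no host in common with the Gateway servers")
    return findings


# Constructed sample: the relevant fields of the manifests in sections 13 and 14.
DEPLOY = {"spec": {"template": {
    "metadata": {"annotations": {"inject.istio.io/templates": "gateway"},
                 "labels": {"istio": "ingress-basic", "istio.io/rev": "basic"}},
    "spec": {"containers": [{"name": "istio-proxy", "image": "auto"}]}}}}
SVC = {"spec": {"type": "NodePort", "selector": {"istio": "ingress-basic"},
                "ports": [{"name": "status-port", "port": 15021},
                          {"name": "http2", "port": 80, "nodePort": 30001},
                          {"name": "https", "port": 443, "nodePort": 30002}]}}
GW = {"metadata": {"name": "app-demo-gw", "namespace": "app-demo"},
      "spec": {"selector": {"istio": "ingress-basic"},
               "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                            "hosts": ["app-demo.example.com"]}]}}
VS = {"spec": {"hosts": ["app-demo.example.com"], "gateways": ["app-demo-gw"]}}
# Constructed misconfiguration: Gateway selector pointing at a label value no gateway pod carries.
GW_WRONG = {**GW, "spec": {**GW["spec"], "selector": {"istio": "ingressgateway"}}}

if __name__ == "__main__":
    if len(sys.argv) == 5:
        objs = []
        for path in sys.argv[1:]:
            with open(path) as f:
                objs.append(json.load(f))
    else:
        objs = [DEPLOY, SVC, GW, VS]
    for line in check_gateway_chain(*objs) or ["OK: gateway chain is consistent"]:
        print(line)
```

The checks are deliberately static: they say nothing about whether pods are running or the NodePort is reachable (section 19.6 covers that), only whether the objects could ever route traffic to each other.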
In OSSM 3 there is no longer an IOR that creates routes automatically from the gateway.
If you want an explicit OpenShift route:
```shell
oc expose service istio-ingressgateway -n ingress-basic
oc get route -n ingress-basic
```
If instead you use an external F5/VIP plus NodePort, you may not need the route at all.
16) Mini example: application namespace
Namespace:
```shell
oc label namespace app-demo istio-discovery=enabled --overwrite
oc label namespace app-demo istio.io/rev=basic --overwrite
```
Deployment restart:
```shell
oc rollout restart deployment -n app-demo
```
Verify the pods with sidecar:
```shell
oc get pods -n app-demo
oc get pod -n app-demo <pod> -o jsonpath='{.spec.containers[*].name}{"\n"}'
```
17) Useful commands to always keep at hand
17.1 Operator status / main CRs
```shell
oc get istio
oc get istiorevisions
oc get istiorevisiontags
oc get istiocni
```
17.2 Control plane / CNI pods
```shell
oc get pods -n istio-system -l app=istiod -o wide
oc get ds -n istio-cni
oc get pods -n istio-cni -o wide
```
17.3 Namespaces and labels
```shell
oc get ns --show-labels | egrep 'istio-discovery|istio.io/rev|istio-injection'
```
17.4 Gateway
```shell
oc get deploy,svc -n ingress-basic
oc get gateway,virtualservice -A
```
17.5 Infra scheduling checks
```shell
oc get pods -n istio-system -o wide
oc get pods -n ingress-basic -o wide
oc get nodes --show-labels | grep node-role.kubernetes.io/infra
oc describe node <infra-node> | egrep -i 'taints|Roles'
```
17.6 Discover all configurable fields
```shell
oc explain istios
oc explain istios.spec
oc explain istios.spec.values
oc explain istiocnis
oc explain istiocnis.spec
```
18) Quick patches
18.1 Add discoverySelectors
```shell
oc patch istio basic --type merge -p '
spec:
  values:
    meshConfig:
      discoverySelectors:
        - matchLabels:
            istio-discovery: enabled
'
```
18.2 Move the control plane to the infra nodes
```shell
oc patch istio basic --type merge -p '
spec:
  values:
    global:
      defaultNodeSelector:
        node-role.kubernetes.io/infra: ""
      defaultTolerations:
        - key: node-role.kubernetes.io/infra
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/infra
          operator: Exists
          effect: NoExecute
        - key: node.ocs.openshift.io/storage
          operator: Exists
          effect: NoSchedule
    pilot:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
      tolerations:
        - key: node-role.kubernetes.io/infra
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/infra
          operator: Exists
          effect: NoExecute
        - key: node.ocs.openshift.io/storage
          operator: Exists
          effect: NoSchedule
'
```
18.3 Label an app namespace for mesh + injection
```shell
oc label namespace app-demo istio-discovery=enabled --overwrite
oc label namespace app-demo istio.io/rev=basic --overwrite
```
19) Quick troubleshooting
19.1 No sidecar in the application pods
Check:
- is the namespace labelled with `istio.io/rev=basic`?
- is the namespace included by the `discoverySelectors`?
- has the deployment been restarted?
- is the control plane `Healthy`?
- does the correct `IstioRevision` exist?
Commands:
```shell
oc get istio
oc get istiorevisions
oc get ns app-demo --show-labels
oc rollout restart deploy -n app-demo
```
19.2 The gateway does not get injected
Check the gateway Deployment for:
- annotation `inject.istio.io/templates: gateway`
- label `istio: ingress-basic`
- label `istio.io/rev: basic`
- container `istio-proxy` with `image: auto`
Commands:
```shell
oc get deploy -n ingress-basic istio-ingressgateway -o yaml
oc get pods -n ingress-basic
oc get pod -n ingress-basic <pod> -o jsonpath='{.spec.containers[*].name}{"\n"}'
```
19.3 The control plane does not land on the infra nodes
Check:
- the infra node labels
- the actual taints on the nodes
- `spec.values.global.defaultNodeSelector`
- `spec.values.global.defaultTolerations`
- `spec.values.pilot.nodeSelector`
- `spec.values.pilot.tolerations`
Commands:
```shell
oc get nodes --show-labels | grep infra
oc describe node <infra-node> | egrep -i 'Taints|Roles'
oc get istio basic -o yaml
oc get pods -n istio-system -o wide
```
19.4 The gateway runs on worker nodes instead of infra
Remember: in OSSM 3 the gateway is outside the control plane.
So its scheduling is configured in the gateway Deployment, not in the `Istio` resource.
Check:
```shell
oc get deploy -n ingress-basic istio-ingressgateway -o yaml
oc get pods -n ingress-basic -o wide
```
19.5 ServiceMeshControlPlane / SMMR do not exist
Correct: in OSSM 3 you have to think like this:
- `SMCP` -> `Istio`
- `SMMR` -> `discoverySelectors` + namespace labels
- gateways defined in the SMCP -> gateway injection / Gateway API
- observability addons -> separate operators
19.6 NodePort not reachable
Check:
```shell
oc get svc -n ingress-basic istio-ingressgateway
oc get endpoints -n ingress-basic istio-ingressgateway
oc get pods -n ingress-basic -o wide
```
Then verify:
- firewall
- F5 / VIP
- security rules
- reachability of the infra nodes
- ports 30001/30002 open
20) Mental mapping OSSM 2 -> OSSM 3
| OSSM 2 | OSSM 3 |
|---|---|
| ServiceMeshControlPlane | Istio |
| ServiceMeshMemberRoll | discoverySelectors + namespace labels |
| gateways in spec.gateways.* of the SMCP | Deployment + Service + Gateway + VirtualService |
| addons in the SMCP (grafana, kiali, jaeger, prometheus) | separate installation/configuration |
| IOR / automatic routes | explicit routes |
| nodeSelector/tolerations in runtime.* | spec.values.global.*, spec.values.pilot.*, or the gateway Deployment |
21) Complete "reference set" example for sidecar mode
Recommended file order:
```
00-namespaces.yaml
01-istio-basic.yaml
02-istiocni.yaml
03-label-namespaces.sh
04-gateway-rbac.yaml
05-gateway-deployment.yaml
06-gateway-service-nodeport.yaml
07-gateway.yaml
08-virtualservice.yaml
```
Apply order:
```shell
oc apply -f 00-namespaces.yaml
oc apply -f 01-istio-basic.yaml
oc apply -f 02-istiocni.yaml
bash 03-label-namespaces.sh
oc apply -f 04-gateway-rbac.yaml
oc apply -f 05-gateway-deployment.yaml
oc apply -f 06-gateway-service-nodeport.yaml
oc apply -f 07-gateway.yaml
oc apply -f 08-virtualservice.yaml
```
22) Visual diagram: how a request flows in OSSM 3
22.1 NodePort/F5 towards the ingress gateway
```
User / Client
       |
       v
+-------------+
| F5 / VIP /  |
| external LB |
+-------------+
       |
       | TCP 30001 / 30002
       v
+----------------------------------------------+
| Service NodePort istio-ingressgateway        |
| namespace: ingress-basic                     |
| ports: 80->30001, 443->30002                 |
+-------------------+--------------------------+
                    |
                    v
+----------------------------------------------+
| Deployment istio-ingressgateway              |
| gateway injection                            |
| pods scheduled on infra nodes                |
| labels: istio=ingress-basic                  |
| rev: basic                                   |
+-------------------+--------------------------+
                    |
                    | selected by the Gateway resource
                    v
+----------------------------------------------+
| Istio Gateway                                |
| application namespace                        |
| selector: istio=ingress-basic                |
+-------------------+--------------------------+
                    |
                    | L7 routing
                    v
+----------------------------------------------+
| VirtualService                               |
| host/path matching                           |
| route to Kubernetes service                  |
+-------------------+--------------------------+
                    |
                    v
+----------------------------------------------+
| Service app-demo / target workload           |
+-------------------+--------------------------+
                    |
                    v
+----------------------------------------------+
| Application pod + Envoy sidecar              |
| namespace labelled with                      |
| - istio-discovery=enabled                    |
| - istio.io/rev=basic                         |
+----------------------------------------------+
```
22.2 What each component does
- OSSM 3 Operator: manages the lifecycle of `Istio`, `IstioRevision`, `IstioCNI`, `ZTunnel`
- `Istio`: the main control plane CR
- `IstioRevision`: represents a concrete revision of the control plane; useful for canary updates and revision-based upgrades
- `IstioCNI`: installs the CNI plugin on the nodes; avoids elevated privileges in the application pods
- `discoverySelectors`: tell the control plane which namespaces to consider part of the mesh
- `istio.io/rev=<rev>`: binds workloads/gateways to a specific revision/control plane
- Gateway injection: turns a normal Kubernetes Deployment/Service into an Envoy gateway managed by the mesh
- `Gateway` / `VirtualService`: describe the L7 routing
- Kiali: topology view, validations, links to metrics and tracing
- Tempo / Distributed Tracing Platform: distributed tracing, integrated separately
- OpenShift Monitoring / UWM: mesh and workload metrics
23) Final "ready to use" checklist
Control plane
- OSSM 3 Operator installed
- `Istio` created
- `IstioCNI` created
- `IstioRevision` Healthy
- `istiod` running
Mesh scope
- control plane namespace labelled with `istio-discovery=enabled`
- app namespaces labelled with `istio-discovery=enabled`
- app namespaces labelled with `istio.io/rev=<rev>`
Infra scheduling
- control plane scheduled on infra via `values.global` / `values.pilot`
- gateway scheduled on infra in its own `Deployment`
Gateway
- secret-reader RBAC created
- gateway Deployment injected
- Service NodePort 30001/30002 created
- `Gateway` created
- `VirtualService` created
Observability
- UWM/Monitoring available
- Kiali installed separately
- Tempo integrated separately
24) Official Red Hat sources used to build this cheatsheet
- OpenShift Service Mesh 3.0 - Installing
- OpenShift Service Mesh 3.0 - Gateways
- OpenShift Service Mesh 3.0 - About
- OpenShift Service Mesh 3.0 - Observability
- OpenShift Service Mesh 3.0 - Migrating from Service Mesh 2 to Service Mesh 3
- OpenShift Service Mesh 3.x - Updating / Release Notes
Main operational takeaways:
- `Istio` instead of `ServiceMeshControlPlane`
- `IstioCNI` kept separate
- `discoverySelectors` instead of `SMMR`
- gateways managed separately
- explicit OpenShift routes
- infra scheduling of the control plane via `spec.values.global.*` and `spec.values.pilot.*`
- infra scheduling of the gateways via the normal `Deployment.spec.template.spec`