CLI
RCTL support helps to automate the lifecycle of operations associated with Service Mesh Profiles, Rules and Policies.
Resource | Create | Get | Delete |
---|---|---|---|
Profiles | YES | YES | YES |
Rules | YES | YES | YES |
Policy | YES | YES | YES |
The declarative method allows users to create Service Mesh Profiles, Rules, and Policies in the required project and to build automation for reproducible infrastructure.
Profiles¶
Create Profile¶
Run the below command to create a Service Mesh Profile using the spec yaml file.
./rctl apply -f profile_filename.yaml
An illustrative example of a profile spec YAML file that shares the profile with two projects is shown below.
apiVersion: servicemesh.k8smgmt.io/v3
kind: MeshProfile
metadata:
  name: demo-profile
  project: defaultproject
spec:
  installationParams:
    resourceQuota:
      cpuRequests: 500m
      memoryRequests: 2Gi
  sharing:
    enabled: true
    projects:
    - name: project_1
    - name: project_2
  version: v1.0
An illustrative example of a profile spec YAML file that shares the profile with all projects is shown below.
apiVersion: servicemesh.k8smgmt.io/v3
kind: MeshProfile
metadata:
  name: demo-profile
  project: defaultproject
spec:
  installationParams:
    resourceQuota:
      cpuRequests: 500m
      memoryRequests: 2Gi
  sharing:
    enabled: true
    projects:
    - name: '*'
  version: v1.0
Get Profile¶
Use any of the below commands to get the list of Service Mesh Profiles of a specific project.
S. No | Command |
---|---|
1 | ./rctl get meshprofile -p <project-name> |
2 | ./rctl get mp -p <project-name> |
3 | ./rctl get meshprofile |
4 | ./rctl get mp |
Example Output
./rctl get mp -p default-project
+----------------------+-------------------+
| PROFILE NAME | VERSION NAME |
+----------------------+-------------------+
| demo-profile | v1 |
+----------------------+-------------------+
| profile-user1 | v2.0 |
+----------------------+-------------------+
| test-profile | v2.1 |
+----------------------+-------------------+
Delete Profile¶
To delete a profile, use the below command.
./rctl delete meshprofile <profile name>
(or)
./rctl delete mp <profile name>
Service Mesh in Blueprint¶
Once the Service Mesh Profiles are created, users can deploy the Service Mesh via the blueprint spec YAML. This provides visibility into the traffic flows between your services. Refer to Blueprint CLI for both the declarative and imperative RCTL commands.
An illustrative example of the blueprint spec YAML with Service Mesh is shown below.
apiVersion: infra.k8smgmt.io/v3
kind: Blueprint
metadata:
  name: demo-bp
  project: defaultproject
spec:
  base:
    name: default
    version: 1.18.0
  defaultAddons:
    csiSecretStoreConfig:
      providers: {}
    enableIngress: true
    enableLogging: false
    enableMonitoring: false
    enableVM: false
  drift:
    enabled: false
  serviceMesh:
    policies:
    - name: demo-policy-1
      version: v1.1
    profile:
      name: istio-profile-1
      version: version-1
  networkPolicy: {}
  opaPolicy: {}
  placement: {}
  sharing:
    enabled: true
    projects:
    - name: project_1
    - name: project_2
  type: custom
  version: v1
To enforce one or more policies on the Service Mesh Profile, users can add the below components to the blueprint YAML file once the rules and policies are created.
serviceMesh:
  policies:
  - name: demo-policy-1
    version: v1.1
  - name: demo-policy-2
    version: v2.1
Cluster Service Mesh Rule¶
Create Cluster Service Mesh Rule¶
Users can create a Cluster Service Mesh Rule either by uploading the file manually or by pulling the file from a repository.
Run the below command to create a Cluster Service Mesh Rule using the spec yaml file.
./rctl apply -f cluster_mesh_rule.yaml
An illustrative example of a Cluster Service Mesh Rule spec YAML of the upload file manually type is shown below. The highlighted parameter shows the path of the YAML file on your system.
apiVersion: servicemesh.k8smgmt.io/v3
kind: ClusterMeshRule
metadata:
  name: demo-rule-upload
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: file://policy.yaml
    options: {}
    type: Yaml
  sharing:
    enabled: true
    projects:
    - name: project_1
    - name: project_2
  version: v1
An illustrative example of a Cluster Service Mesh Rule spec YAML of the pull file from repository type is shown below. The highlighted parameters show the repository details of the YAML file.
apiVersion: servicemesh.k8smgmt.io/v3
kind: ClusterMeshRule
metadata:
  name: demo-rule-repo
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: cilium-allow-all-from-frontend.yaml
      repository: demo-rule-repo
      revision: main
    options: {}
    type: Yaml
  sharing:
    enabled: false
  version: v1
Get Cluster Service Mesh Rule¶
Use any of the below commands to get the list of Cluster Service Mesh Rules of a specific project.
S. No | Command |
---|---|
1 | ./rctl get clustermeshrule -p <project-name> |
2 | ./rctl get cmr -p <project-name> |
3 | ./rctl get clustermeshrule |
4 | ./rctl get cmr |
Example Output
./rctl get clustermeshrule -p default-project
+--------------------------+-----------------+---------------+---------------------------------------------------------------------------------------------+------------+
| RULE NAME | VERSION NAME | ARTIFACT TYPE | ARTIFACT FILES | REPOSITORY |
+--------------------------+-----------------+---------------+---------------------------------------------------------------------------------------------+------------+
| cluster-wide-xwing-block | v2 | Yaml | paths:{name:"file://artifacts/cluster-wide-xwing-block/standard_cilium_networkpolicy.yaml"} | |
+--------------------------+-----------------+---------------+---------------------------------------------------------------------------------------------+------------+
| cluster-rule-upload-12 | 1.0 | Yaml | paths:{name:"file://artifacts/example-rule-upload-12/policy.yaml"} | |
+--------------------------+-----------------+---------------+---------------------------------------------------------------------------------------------+------------+
Delete Cluster Service Mesh Rule¶
To delete a cluster Service Mesh rule, use the below command.
./rctl delete clustermeshrule <rule name>
(or)
./rctl delete cmr <rule name>
Namespace Service Mesh Rule¶
Create Namespace Service Mesh Rule¶
Users can create a Namespace Service Mesh Rule either by uploading the file manually or by pulling the file from a repository.
Run the below command to create a Namespace Service Mesh Rule using the spec yaml file.
./rctl apply -f namespace_mesh_rule.yaml
An illustrative example of a Namespace Service Mesh Rule spec YAML of the upload file manually type is shown below. The highlighted parameter shows the path of the YAML file on your system.
apiVersion: servicemesh.k8smgmt.io/v3
kind: NamespaceMeshRule
metadata:
  name: demo-nsrule-upload
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: file://policy.yaml
    options: {}
    type: Yaml
  sharing:
    enabled: true
    projects:
    - name: project_1
    - name: project_2
  version: v1
An illustrative example of a Namespace Service Mesh Rule spec YAML of the pull file from repository type is shown below. The highlighted parameters show the repository details of the YAML file.
apiVersion: servicemesh.k8smgmt.io/v3
kind: NamespaceMeshRule
metadata:
  name: demo-nsrule
  project: defaultproject
spec:
  version: v1.0
  artifact:
    artifact:
      paths:
      - name: cilium-allow-all-from-frontend.yaml
      repository: demo-nsrepo-rule
      revision: main
    options: {}
    type: Yaml
Get Namespace Service Mesh Rule¶
Use any of the below commands to get the list of Namespace Service Mesh Rules of a specific project.
S. No | Command |
---|---|
1 | ./rctl get namespacemeshrule -p <project-name> |
2 | ./rctl get nmr -p <project-name> |
3 | ./rctl get namespacemeshrule |
4 | ./rctl get nmr |
Example Output
./rctl get namespacemeshrule -p default-project
+--------------------------+-----------------+---------------+---------------------------------------------------------------------------------------------+------------+
| RULE NAME | VERSION NAME | ARTIFACT TYPE | ARTIFACT FILES | REPOSITORY |
+--------------------------+-----------------+---------------+---------------------------------------------------------------------------------------------+------------+
| ns-cluster-wide-xwing | v2 | Yaml | paths:{name:"file://artifacts/cluster-wide-xwing-block/standard_cilium_networkpolicy.yaml"} | |
+--------------------------+-----------------+---------------+---------------------------------------------------------------------------------------------+------------+
| ns-demo-rule-upload | 1.0 | Yaml | paths:{name:"file://artifacts/example-rule-upload-12/policy.yaml"} | |
+--------------------------+-----------------+---------------+---------------------------------------------------------------------------------------------+------------+
Delete Namespace Service Mesh Rule¶
To delete a Namespace Service Mesh rule, use the below command.
./rctl delete namespacemeshrule <rule name>
(or)
./rctl delete nmr <rule name>
Cluster Service Mesh Policy¶
Create Cluster Service Mesh Policy¶
Run the below command to create a Cluster Service Mesh policy using the spec yaml file.
./rctl apply -f cluster_mesh_policy.yaml
An illustrative example of the Cluster Service Mesh policy spec YAML is shown below.
apiVersion: servicemesh.k8smgmt.io/v3
kind: ClusterMeshPolicy
metadata:
  name: demo-policy
  project: defaultproject
spec:
  rules:
  - name: test
    version: v1
  sharing:
    enabled: true
    projects:
    - name: project_1
    - name: project_2
  version: v1
Get Cluster Service Mesh¶
Use any of the below commands to get the list of Cluster Service Mesh Policies of a specific project.
S. No | Command |
---|---|
1 | ./rctl get clustermeshpolicy -p <project-name> |
2 | ./rctl get cmp -p <project-name> |
3 | ./rctl get clustermeshpolicy |
4 | ./rctl get cmp |
Example Output
./rctl get clustermeshpolicy -p default-name
+-----------------------------------+--------------+-----------------------------------------+
| POLICY NAME | VERSION NAME | RULES(VERSION) |
+-----------------------------------+--------------+-----------------------------------------+
| cluster-xwing-block-policy | v2 | cluster-wide-xwing-block(v2) |
| | | |
+-----------------------------------+--------------+-----------------------------------------+
| project-ns-policy | v4 | project-ns-rule(v4) |
| | | |
+-----------------------------------+--------------+-----------------------------------------+
| policy-test | v1 | rule-upload-12(demo-version) |
| | | |
+-----------------------------------+--------------+-----------------------------------------+
Delete Cluster Service Mesh¶
To delete a Cluster Service Mesh policy, use the below command.
./rctl delete clustermeshpolicy
(or)
./rctl delete cmp
Namespace Service Mesh Policy¶
Create Namespace Service Mesh Policy¶
Run the below command to create a Namespace Service Mesh policy using the spec yaml file.
./rctl apply -f namespace_mesh_policy.yaml
An illustrative example of the Namespace Service Mesh policy spec YAML is shown below.
apiVersion: servicemesh.k8smgmt.io/v3
kind: NamespaceMeshPolicy
metadata:
  name: demo-nspolicy
  project: defaultproject
spec:
  rules:
  - name: test
    version: v1
  sharing:
    enabled: true
    projects:
    - name: project_1
    - name: project_2
  version: v1
Get Namespace Service Mesh¶
Use any of the below commands to get the list of Namespace Service Mesh Policies of a specific project.
S. No | Command |
---|---|
1 | ./rctl get namespacemeshpolicy -p <project-name> |
2 | ./rctl get nmp -p <project-name> |
3 | ./rctl get namespacemeshpolicy |
4 | ./rctl get nmp |
Example Output
./rctl get namespacemeshpolicy -p default-name
+-----------------------------------+--------------+-----------------------------------------+
| POLICY NAME | VERSION NAME | RULES(VERSION) |
+-----------------------------------+--------------+-----------------------------------------+
| ns-xwing-block-policy | v2 | cluster-wide-xwing-block(v2) |
| | | |
+-----------------------------------+--------------+-----------------------------------------+
| ns-project-ns-policy | v4 | project-ns-rule(v4) |
| | | |
+-----------------------------------+--------------+-----------------------------------------+
| ns-policy-test | v1 | demo-rule-upload-12(demo-version) |
| | | |
+-----------------------------------+--------------+-----------------------------------------+
Delete Namespace Service Mesh¶
To delete a Namespace Service Mesh policy, use the below command.
./rctl delete namespacemeshpolicy
(or)
./rctl delete nmp
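The specs on this page reference each other by name and version (blueprint to profile and policies, policy to rules), and `sharing.projects` accepts `'*'`. The following is an added example, not part of RCTL or the original page: a pre-apply check over already-parsed spec documents that reports wildcard sharing and references that do not resolve within the set being applied. The function names, the sample set, and the policy-to-rule kind mapping are assumptions.

```python
# Added example: lint parsed spec documents before running `rctl apply`.
# Assumption (not stated on the page): a policy's rules[] resolve to rules of
# the same scope, i.e. ClusterMeshPolicy -> ClusterMeshRule, Namespace likewise.
RULE_KIND = {"ClusterMeshPolicy": "ClusterMeshRule",
             "NamespaceMeshPolicy": "NamespaceMeshRule"}

def _key(kind, ref):
    return (kind, ref.get("name"), str(ref.get("version")))

def _label(ref):
    return f"{ref.get('name')}({ref.get('version')})"

def lint_specs(docs):
    """docs: list of dicts as a YAML loader returns them. Returns sorted findings."""
    defined = {(d["kind"], d["metadata"]["name"], str(d["spec"].get("version")))
               for d in docs}
    out = []
    for d in docs:
        who, spec = f'{d["kind"]}/{d["metadata"]["name"]}', d["spec"]
        sharing = spec.get("sharing") or {}
        if sharing.get("enabled") and any(
                p.get("name") == "*" for p in sharing.get("projects") or []):
            out.append(f"{who}: shared with every project ('*')")
        for ref in spec.get("rules") or []:          # policy -> rule references
            if d["kind"] in RULE_KIND and _key(RULE_KIND[d["kind"]], ref) not in defined:
                out.append(f"{who}: rule {_label(ref)} is not in this spec set")
        mesh = spec.get("serviceMesh") or {}         # blueprint -> profile, policies
        prof = mesh.get("profile")
        if prof and _key("MeshProfile", prof) not in defined:
            out.append(f"{who}: profile {_label(prof)} is not in this spec set")
        for ref in mesh.get("policies") or []:
            if not any(_key(kind, ref) in defined for kind in RULE_KIND):
                out.append(f"{who}: policy {_label(ref)} is not in this spec set")
    return sorted(out)

def _doc(kind, name, **spec):                        # helper for the sample below
    return {"kind": kind, "metadata": {"name": name}, "spec": spec}

# Constructed sample, modelled on the specs shown on this page.
SAMPLE = [
    _doc("MeshProfile", "demo-profile", version="v1.0",
         sharing={"enabled": True, "projects": [{"name": "*"}]}),
    _doc("ClusterMeshRule", "demo-rule-upload", version="v1"),
    _doc("ClusterMeshPolicy", "demo-policy", version="v1",
         rules=[{"name": "test", "version": "v1"}]),
    _doc("Blueprint", "demo-bp", version="v1", serviceMesh={
        "policies": [{"name": "demo-policy", "version": "v1"}],
        "profile": {"name": "istio-profile-1", "version": "version-1"}}),
]
```

A finding of the form "is not in this spec set" can be legitimate when the referenced resource already exists in the project or is shared from another one; treat it as a prompt to confirm with the matching `./rctl get` command.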