| title | weight | description | tags | ||
|---|---|---|---|---|---|
Deploy Sidecar |
6 |
Duration: 5 min | Persona: Apps Operator |
|
{{< param description >}}
In this section, you will deploy a fine granular Sidecar in order to optimize the resources (CPU/Memory) usage of the Whereami app's sidecar proxy. At the end of this section you will still have the policies violation you faced earlier, but no worries, you will fix it in the next section.
Initialize variables:
WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.shBy default, each application in the whereami Namespace can reach to all the endpoints in the mesh. The list of these endpoints with could be listed by the command istioctl proxy-config clusters. Here is the output if you would have run this command for the whereami app:
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
8080 - inbound ORIGINAL_DST
BlackHoleCluster - - - STATIC
InboundPassthroughClusterIpv4 - - - ORIGINAL_DST
PassthroughCluster - - - ORIGINAL_DST
agent - - - STATIC
asm-ingressgateway.asm-ingress.svc.cluster.local 80 - outbound EDS
asm-ingressgateway.asm-ingress.svc.cluster.local 443 - outbound EDS
asm-ingressgateway.asm-ingress.svc.cluster.local 15021 - outbound EDS
prometheus_stats - - - STATIC
sds-grpc - - - STATIC
whereami.whereami.svc.cluster.local 80 - outbound EDS
xds-grpc - - - STATIC
cat <<EOF > ${WORK_DIR}$WHERE_AMI_DIR_NAME/base/sidecar.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: whereami
spec:
workloadSelector:
labels:
app: whereami
egress:
- hosts:
- istio-system/*
EOFUpdate the Kustomize base overlay:
cd ${WORK_DIR}$WHERE_AMI_DIR_NAME/base
kustomize edit add resource sidecar.yamlcd ${WORK_DIR}$WHERE_AMI_DIR_NAME/
git add . && git commit -m "Whereami Sidecar" && git push origin mainList the Kubernetes resources managed by Config Sync in GKE cluster for the Whereami app repository:
gcloud alpha anthos config sync repo describe \
--project $TENANT_PROJECT_ID \
--managed-resources all \
--sync-name repo-sync \
--sync-namespace $WHEREAMI_NAMESPACEWait and re-run this command above until you see "status": "SYNCED" for this RepoSync. All the managed_resources listed should have STATUS: Current as well.
List the GitHub runs for the Whereami app repository:
cd ${WORK_DIR}$WHERE_AMI_DIR_NAME && gh run listThe endpoints that the whereami app can reach is now reduced:
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
8080 - inbound ORIGINAL_DST
BlackHoleCluster - - - STATIC
InboundPassthroughClusterIpv4 - - - ORIGINAL_DST
PassthroughCluster - - - ORIGINAL_DST
agent - - - STATIC
prometheus_stats - - - STATIC
sds-grpc - - - STATIC
xds-grpc - - - STATIC
You could now see that you don't see anymore other endpoints that the whereami app is communicating with. That's a great CPU/Memory resources usage optimization!
We still have the issue previously described with the Whereami app, let’s fix the NetworkPolicies with the next section.