Permissive Traffic Policy Mode

Set up application connectivity using service discovery without explicit SMI policies

This guide demonstrates a client and server application within the service mesh communicating using FSM’s permissive traffic policy mode, which configures application connectivity using service discovery without the need for explicit SMI traffic access policies.

Prerequisites

Kubernetes cluster running Kubernetes v1.19.0 or greater.
Have FSM installed.
Have kubectl available to interact with the API server.
Have fsm CLI available for managing the service mesh.

Demo

The following demo shows an HTTP curl client making HTTP requests to the httpbin service using permissive traffic policy mode.

Enable permissive mode if not enabled.

export FSM_NAMESPACE=fsm-system # Replace fsm-system with the namespace where FSM is installed
kubectl patch meshconfig fsm-mesh-config -n "$FSM_NAMESPACE" -p '{"spec":{"traffic":{"enablePermissiveTrafficPolicyMode":true}}}'  --type=merge

Deploy the httpbin service into the httpbin namespace after enrolling its namespace to the mesh. The httpbin service runs on port 14001.

# Create the httpbin namespace
kubectl create namespace httpbin

# Add the namespace to the mesh
fsm namespace add httpbin

# Deploy httpbin service in the httpbin namespace
kubectl apply -f https://raw.githubusercontent.com/flomesh-io/fsm-docs/release/v1.2/manifests/samples/httpbin/httpbin.yaml -n httpbin

Confirm the httpbin service and pods are up and running.

$ kubectl get svc -n httpbin
NAME      TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)     AGE
httpbin   ClusterIP   10.96.198.23   <none>        14001/TCP   20s

$ kubectl get pods -n httpbin
NAME                     READY   STATUS    RESTARTS   AGE
httpbin-5b8b94b9-lt2vs   2/2     Running   0          20s

Deploy the curl client into the curl namespace after enrolling its namespace to the mesh.

# Create the curl namespace
kubectl create namespace curl

# Add the namespace to the mesh
fsm namespace add curl

# Deploy curl client in the curl namespace
kubectl apply -f https://raw.githubusercontent.com/flomesh-io/fsm-docs/release/v1.2/manifests/samples/curl/curl.yaml -n curl

Confirm the curl client pod is up and running.

$ kubectl get pods -n curl
NAME                    READY   STATUS    RESTARTS   AGE
curl-54ccc6954c-9rlvp   2/2     Running   0          20s

Confirm the curl client is able to access the httpbin service on port 14001.

$ kubectl exec -n curl -ti "$(kubectl get pod -n curl -l app=curl -o jsonpath='{.items[0].metadata.name}')" -c curl -- curl -I http://httpbin.httpbin:14001
HTTP/1.1 200 OK
server: gunicorn/19.9.0
date: Wed, 29 Jun 2022 08:50:33 GMT
content-type: text/html; charset=utf-8
content-length: 9593
access-control-allow-origin: *
access-control-allow-credentials: true
connection: keep-alive

A 200 OK response indicates the HTTP request from the curl client to the httpbin service was successful.

Confirm the HTTP requests fail when permissive traffic policy mode is disabled.

kubectl patch meshconfig fsm-mesh-config -n "$FSM_NAMESPACE" -p '{"spec":{"traffic":{"enablePermissiveTrafficPolicyMode":false}}}'  --type=merge

$ kubectl exec -n curl -ti "$(kubectl get pod -n curl -l app=curl -o jsonpath='{.items[0].metadata.name}')" -c curl -- curl -I http://httpbin.httpbin:14001
curl: (52) Empty reply from server
command terminated with exit code 52

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified June 18, 2024: fix workflow issue (c83135d)