Configure Traffic Policies

Configure traffic to flow between the bookstore applications

Traffic Policy Modes

Once the applications are up and running, they can interact with each other using permissive traffic policy mode or SMI traffic policy mode. In permissive traffic policy mode, traffic between application services is automatically configured by fsm-controller, and access control policies defined by SMI Traffic Targets are not enforced. In the SMI policy mode, all traffic is denied by default unless explicitly allowed using a combination of SMI access and routing policies.

Traffic Encryption

All traffic is encrypted via mTLS regardless of whether you’re using access control policies or have enabled permissive traffic policy mode.

How to Check Traffic Policy Mode

Check whether permissive traffic policy mode is enabled or not by retrieving the value for the enablePermissiveTrafficPolicyMode key in the fsm-mesh-config MeshConfig resource.

# Replace fsm-system with fsm-controller's namespace if using a non default namespace
kubectl get meshconfig fsm-mesh-config -n fsm-system -o jsonpath='{.spec.traffic.enablePermissiveTrafficPolicyMode}{"\n"}'
# Output:
# false: permissive traffic policy mode is disabled, SMI policy mode is enabled
# true: permissive traffic policy mode is enabled, SMI policy mode is disabled

The following sections demonstrate using FSM with permissive traffic policy mode and SMI Traffic Policy Mode.

Permissive Traffic Policy Mode

In permissive traffic policy mode, application connectivity within the mesh is automatically configured by fsm-controller. It can be enabled in the following ways.

During install using fsm CLI:

fsm install --set=fsm.enablePermissiveTrafficPolicy=true

Post install by patching the fsm-mesh-config custom resource in the control plane’s namespace (fsm-system by default)

kubectl patch meshconfig fsm-mesh-config -n fsm-system -p '{"spec":{"traffic":{"enablePermissiveTrafficPolicyMode":true}}}'  --type=merge

Verify FSM is in permissive traffic policy mode

Before proceeding, verify the traffic policy mode and ensure the enablePermissiveTrafficPolicyMode key is set to true in the fsm-mesh-config MeshConfig resource. Refer to the section above to enable permissive traffic policy mode.

In step Deploy the Bookstore Application, we have already deployed the applications needed to verify traffic flow in permissive traffic policy mode. The bookstore service we previously deployed is encoded with an identity of bookstore-v1 for demo purpose, as can be seen in the Deployment’s manifest. The identity reflects which counter increments in the bookbuyer and bookthief UI, and the identity displayed in the bookstore UI.

The counter in the bookbuyer, bookthief UI for the books bought and stolen respectively from bookstore v1 should now be incrementing:

http://localhost:8080 - bookbuyer
http://localhost:8083 - bookthief

The counter in the bookstore UI for the books sold should also be incrementing:

http://localhost:8084 - bookstore

The bookbuyer and bookthief applications are able to buy and steal books respectively from the newly deployed bookstore application because permissive traffic policy mode is enabled, thereby allowing connectivity between applications without the need for SMI traffic access policies.

This can be demonstrated further by disabling permissive traffic policy mode and verifying that the counter for books bought from bookstore is not incrementing anymore:

kubectl patch meshconfig fsm-mesh-config -n fsm-system -p '{"spec":{"traffic":{"enablePermissiveTrafficPolicyMode":false}}}'  --type=merge

Note: When you disable permissive traffic policy mode, SMI traffic access mode is implicitly enabled. If counters for the books are incrementing then it could be because some SMI Traffic Access policies have been applied previously to allow such traffic.

SMI Traffic Policy Mode

SMI traffic policies can be used for the following:

SMI access control policies to authorize traffic access between service identities
SMI traffic specs policies to define routing rules to associate with access control policies
SMI traffic split policies to direct client traffic to multiple backends based on weights

The following sections describe how to leverage each of these policies to enforce fine grained control over traffic flowing within the service mesh. Before proceeding, verify the traffic policy mode and ensure the enablePermissiveTrafficPolicyMode key is set to false in the fsm-mesh-config MeshConfig resource.

SMI traffic policy mode can be enabled by disabling permissive traffic policy mode:

kubectl patch meshconfig fsm-mesh-config -n fsm-system -p '{"spec":{"traffic":{"enablePermissiveTrafficPolicyMode":false}}}'  --type=merge

Deploy SMI Access Control Policies

At this point, applications do not have access to each other because no access control policies have been applied. Confirm this by verifying that none of the counters in the bookbuyer, bookthief, bookstore, and bookstore-v2 UI are incrementing.

Apply the SMI Traffic Target and SMI Traffic Specs resources to define access control and routing policies for the applications to communicate:

Deploy SMI TrafficTarget and HTTPRouteGroup policy:

kubectl apply -f https://raw.githubusercontent.com/flomesh-io/fsm-docs/release/v1.2/manifests/access/traffic-access-v1.yaml

The counters should now be incrementing for the bookbuyer, and bookstore applications:

http://localhost:8080 - bookbuyer
http://localhost:8084 - bookstore

Note that the counter is not incrementing for the bookthief application:

http://localhost:8083 - bookthief

That is because the SMI Traffic Target SMI HTTPRouteGroup resources deployed only allow bookbuyer to communicate with bookstore.

Allowing the Bookthief Application to access the Mesh

Currently the Bookthief application has not been authorized to participate in the service mesh communication. We will now update the TrafficTarget to allow bookthief to communicate with bookstore.

Current TrafficTarget spec without bookthief listed in spec.sources:

kind: TrafficTarget
apiVersion: access.smi-spec.io/v1alpha3
metadata:
  name: bookstore-v1
  namespace: bookstore
spec:
  destination:
    kind: ServiceAccount
    name: bookstore
    namespace: bookstore
  rules:
  - kind: HTTPRouteGroup
    name: bookstore-service-routes
    matches:
    - buy-a-book
    - books-bought
  sources:
  - kind: ServiceAccount
    name: bookbuyer
    namespace: bookbuyer

Updated TrafficTarget spec with bookthief in spec.sources:

kind: TrafficTarget
apiVersion: access.smi-spec.io/v1alpha3
metadata:
 name: bookstore-v1
 namespace: bookstore
spec:
 destination:
   kind: ServiceAccount
   name: bookstore
   namespace: bookstore
 rules:
 - kind: HTTPRouteGroup
   name: bookstore-service-routes
   matches:
   - buy-a-book
   - books-bought
 sources:
 - kind: ServiceAccount
   name: bookbuyer
   namespace: bookbuyer
 - kind: ServiceAccount
   name: bookthief
   namespace: bookthief

Apply the updated TrafficTarget:

kubectl apply -f https://raw.githubusercontent.com/flomesh-io/fsm-docs/release/v1.2/manifests/access/traffic-access-v1-allow-bookthief.yaml

The counter in the bookthief window will start incrementing.

http://localhost:8083 - bookthief

Apply the original Traffic Target object without the bookthief listed as an allowed source:

kubectl apply -f https://raw.githubusercontent.com/flomesh-io/fsm-docs/release/v1.2/manifests/access/traffic-access-v1.yaml

The counter in the bookthief window will stop incrementing.

http://localhost:8083 - bookthief

Next Steps

Learn how to balance traffic between services by configuring traffic split.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified June 18, 2024: fix workflow issue (c83135d)