Application Protocol Selection
FSM is capable of routing different application protocols such as HTTP, TCP, and gRPC differently. The following guide describes how to configure service ports to specify the application protocol to use for traffic filtering and routing.
Configuring the application protocol
Kubernetes services expose one or more ports. A port exposed by an application running the service can serve a specific application protocol such as HTTP, TCP, gRPC etc. Since FSM filters and routes traffic for different application protocols differently, a configuration on the Kubernetes service object is necessary to convey to FSM how traffic directed to a service port must be routed.
In order to determine the application protocol served by a service’s port, FSM expects the appProtocol field on the service’s port to be set.
FSM supports the following application protocols for service ports:
- http: For HTTP based filtering and routing of traffic
- tcp: For TCP based filtering and routing of traffic
- tcp-server-first: For TCP based filtering and routing of traffic where the server initiates communication with a client, such as MySQL, PostgreSQL, and others
- gRPC: For HTTP2 based filtering and routing of gRPC traffic
The application protocol configuration described is applicable to both SMI and Permissive traffic policy modes.
Examples
Consider the following SMI traffic access and traffic specs policies:
- A TCPRoute resource named tcp-route that specifies the port TCP traffic should be allowed on.
- An HTTPRouteGroup resource named http-route that specifies the HTTP routes for which HTTP traffic should be allowed.
- A TrafficTarget resource named test that allows pods in the service account sa-2 to access pods in the service account sa-1 for the specified TCP and HTTP rules.
kind: TCPRoute
metadata:
  name: tcp-route
spec:
  matches:
    ports:
    - 8080
---
kind: HTTPRouteGroup
metadata:
  name: http-route
spec:
  matches:
  - name: version
    pathRegex: "/version"
    methods:
    - GET
---
kind: TrafficTarget
metadata:
  name: test
  namespace: default
spec:
  destination:
    kind: ServiceAccount
    name: sa-1 # There are 2 services under this service account: service-1 and service-2
    namespace: default
  rules:
  - kind: TCPRoute
    name: tcp-route
  - kind: HTTPRouteGroup
    name: http-route
  sources:
  - kind: ServiceAccount
    name: sa-2
    namespace: default
Kubernetes service resources should explicitly specify the application protocol being served by the service’s ports using the appProtocol field.
A service service-1 backed by a pod in service account sa-1 serving http application traffic should be defined as follows:
kind: Service
metadata:
  name: service-1
  namespace: default
spec:
  ports:
  - port: 8080
    name: some-port
    appProtocol: http
A service service-2 backed by a pod in service account sa-1 serving raw tcp application traffic should be defined as follows:
kind: Service
metadata:
  name: service-2
  namespace: default
spec:
  ports:
  - port: 8080
    name: some-port
    appProtocol: tcp