Examples

    Prerequisites

    Before following those examples, make sure your cluster follows .

    Deploy those two yaml files on your Kubernetes cluster in order to add a simple backend example, available through HTTP and TCP.

    namespace.yaml

    deployment.yaml

    2. kind: Deployment
    3. apiVersion: apps/v1
    4. metadata:
    5.   name: whoami
    6.   namespace: whoami
    7. spec:
    8.   replicas: 2
    9.   selector:
    10.     matchLabels:
    11.       app: whoami
    12.   template:
    13.     metadata:
    14.       labels:
    15.         app: whoami
    16.     spec:
    17.       serviceAccount: whoami-server
    18.       containers:
    19.         - name: whoami
    20.           image: traefik/whoami:v1.6.0
    21.           imagePullPolicy: IfNotPresent
    23. ---
    24. kind: Deployment
    25. apiVersion: apps/v1
    26. metadata:
    27.   name: whoami-tcp
    28.   namespace: whoami
    29. spec:
    30.   replicas: 2
    31.   selector:
    32.     matchLabels:
    33.       app: whoami-tcp
    34.   template:
    35.     metadata:
    36.       labels:
    37.         app: whoami-tcp
    38.     spec:
    39.       serviceAccount: whoami-server
    40.       containers:
    41.         - name: whoami-tcp
    42.           image: traefik/whoamitcp:v0.1.0
    43.           imagePullPolicy: IfNotPresent
    45. ---
    46. apiVersion: v1
    47. kind: Service
    48. metadata:
    49.   name: whoami
    50.   namespace: whoami
    51.   labels:
    52.     app: whoami
    53. spec:
    54.   type: ClusterIP
    55.   ports:
    56.     - port: 80
    57.       name: whoami
    58.   selector:
    59.     app: whoami
    61. ---
    62. apiVersion: v1
    63. kind: Service
    64. metadata:
    65.   name: whoami-tcp
    66.   namespace: whoami
    67.   labels:
    68.     app: whoami-tcp
    69. spec:
    70.   ports:
    71.     - port: 8080
    72.       name: whoami-tcp
    73.   selector:
    74.     app: whoami-tcp
    76. ---
    78. kind: Pod
    79. metadata:
    80.   name: whoami-client
    81.   namespace: whoami
    82. spec:
    83.   serviceAccountName: whoami-client
    84.   containers:
    85.     - name: whoami-client
    86.       image: giantswarm/tiny-tools:3.9
    87.       command:
    88.         - "sleep"
    89.         - "3600"

    You should now see the following when running kubectl get all -n whoami:

    1. NAME                             READY   STATUS    RESTARTS   AGE
    2. pod/whoami-client                1/1     Running   0          11s
    3. pod/whoami-f4cbd7f9c-lddgq       1/1     Running   0          12s
    4. pod/whoami-f4cbd7f9c-zk4rb       1/1     Running   0          12s
    5. pod/whoami-tcp-7679bc465-ldlt2   1/1     Running   0          12s
    6. pod/whoami-tcp-7679bc465-wf87n   1/1     Running   0          12s
    8. NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
    9. service/whoami       ClusterIP   100.68.109.244   <none>        80/TCP     13s
    10. service/whoami-tcp   ClusterIP   100.68.73.211    <none>        8080/TCP   13s
    12. NAME                         DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
    13. deployment.apps/whoami       2         2         2            2           13s
    14. deployment.apps/whoami-tcp   2         2         2            2           13s
    16. NAME                                   DESIRED   CURRENT   READY   AGE
    17. replicaset.apps/whoami-f4cbd7f9c       2         2         2       13s
    18. replicaset.apps/whoami-tcp-7679bc465   2         2         2       13s

    Command

    1. kubectl -n whoami exec whoami-client -- curl -s whoami.whoami.svc.cluster.local

    Expected Output

    And through TCP, by executing the following netcat command and sending some data.

    Command

    1. kubectl -n whoami exec -ti whoami-client -- nc whoami-tcp.whoami.svc.cluster.local 8080
    2. my data

    Expected Output

    1. Received: my data

    You can now install Traefik Mesh by following this documentation on your cluster.

    Now, in order to configure Traefik Mesh for your whoami service, you just need to update the whoami service specs, in order to add the appropriate annotations.

    The HTTP service needs to have mesh.traefik.io/traffic-type: "http" and the TCP service, mesh.traefik.io/traffic-type: "tcp".

    1. ---
    2. apiVersion: v1
    3. kind: Service
    4. metadata:
    5.   name: whoami
    6.   namespace: whoami
    7.   labels:
    8.     app: whoami
    9.   annotations:
    10.     mesh.traefik.io/traffic-type: "http"
    11.     mesh.traefik.io/retry-attempts: "2"
    12. spec:
    13.   type: ClusterIP
    14.   ports:
    15.     - port: 80
    16.       name: whoami
    17.   selector:
    18.     app: whoami
    20. ---
    21. apiVersion: v1
    22. kind: Service
    23. metadata:
    24.   name: whoami-tcp
    25.   namespace: whoami
    26.   labels:
    27.     app: whoami-tcp
    28.   annotations:
    29.     mesh.traefik.io/traffic-type: "tcp"
    30.   type: ClusterIP
    31.   ports:
    32.     - port: 8080
    33.       name: whoami-tcp
    35.     app: whoami-tcp

    You should now be able to access your HTTP and TCP services through the Traefik Mesh endpoint:

    Command

    Expected Output

    1. Hostname: whoami-84bdf87956-gvbm8
    2. IP: 127.0.0.1
    3. IP: 5.6.7.8
    4. RemoteAddr: 1.2.3.4:12345
    5. GET / HTTP/1.1
    6. Host: whoami.whoami.traefik.mesh
    7. User-Agent: curl/7.64.0
    8. Accept: */*
    9. X-Forwarded-For: 3.4.5.6

    ACL Example

    The can be enabled when installing Traefik Mesh. Once activated, all traffic is forbidden unless explicitly authorized using the SMI TrafficTarget resource. This example will present the configuration required to allow the client pod to send traffic to the HTTP and TCP services defined in the previous example.

    1. ---
    2. apiVersion: specs.smi-spec.io/v1alpha3
    3. kind: HTTPRouteGroup
    4. metadata:
    5.   name: http-everything
    6.   namespace: whoami
    7. spec:
    8.   matches:
    9.     - name: everything
    10.       pathRegex: ".*"
    11.       methods: ["*"]
    13. ---
    14. kind: TrafficTarget
    15. apiVersion: access.smi-spec.io/v1alpha2
    16. metadata:
    17.   name: whatever
    18.   namespace: whoami
    19. spec:
    20.   destination:
    21.     kind: ServiceAccount
    22.     name: whoami-server
    23.     namespace: whoami
    24.     port: 80
    25.   rules:
    26.     - kind: HTTPRouteGroup
    27.       name: http-everything
    28.       matches:
    29.         - everything
    30.   sources:
    31.     - kind: ServiceAccount
    32.       name: whoami-client
    33.       namespace: whoami

    Incoming traffic on a TCP service can also be authorized using a TrafficTarget and a TCPRoute.

    1. ---
    2. kind: TrafficTarget
    3. apiVersion: access.smi-spec.io/v1alpha2
    4. metadata:
    5.   name: api-service-target
    6.   namespace: default
    7. spec:
    8.   destination:
    9.     kind: ServiceAccount
    10.     name: api-service
    11.     namespace: default
    12.   rules:
    13.     - kind: TCPRoute
    14.       name: my-tcp-route
    15.   sources:
    16.     - kind: ServiceAccount
    17.       name: my-other-service
    18.       namespace: default
    20. ---
    21. apiVersion: specs.smi-spec.io/v1alpha3
    22. kind: TCPRoute
    23. metadata:
    24. spec: {}