The Open Service Mesh (OSM) add-on integrates with features provided by Azure and some open source projects.
Note
With the retirement of Open Service Mesh (OSM) by the Cloud Native Computing Foundation (CNCF), we recommend identifying your OSM configurations and migrating them to an equivalent Istio configuration. For information about migrating from OSM to Istio, see Migration guidance for Open Service Mesh (OSM) configurations to Istio.
Important
Integrations with open source projects aren't covered by the AKS support policy.
Ingress allows for traffic external to the mesh to be routed to services within the mesh. With OSM, you can configure most ingress solutions to work with your mesh, but OSM works best with one of the following solutions:
Note
At this time, Azure Gateway Ingress Controller (AGIC) only works for HTTP backends. If you configure OSM to use AGIC, AGIC won't be used for other backends, such as HTTPS and mTLS.
Important
You can't configure Azure Gateway Ingress Controller (AGIC) for HTTPS ingress.
Installing the AGIC ingress controller.
Create a namespace for the application service using the kubectl create ns command.
kubectl create ns httpbin
Add the namespace to the mesh using the osm namespace add OSM CLI command.
osm namespace add httpbin
Deploy the application service to the namespace using the kubectl apply command.
export RELEASE_BRANCH=release-v1.2
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/$RELEASE_BRANCH/manifests/samples/httpbin/httpbin.yaml -n httpbin
Verify the pods are up and running and have the envoy sidecar injected using the kubectl get pods command.
kubectl get pods -n httpbin
Your output should look similar to the following example output:
NAME                      READY   STATUS    RESTARTS   AGE
httpbin-7c6464475-9wrr8   2/2     Running   0          6d20h
List the details of the service using the kubectl get svc command.
kubectl get svc -n httpbin
Your output should look similar to the following example output:
NAME      TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)     AGE
httpbin   ClusterIP   10.0.92.135   <none>        14001/TCP   6d20h
Deploy the following Ingress and IngressBackend configurations to allow external clients to access the httpbin service on port 14001 using the kubectl apply command.
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: httpbin
  namespace: httpbin
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: httpbin
            port:
              number: 14001
---
kind: IngressBackend
apiVersion: policy.openservicemesh.io/v1alpha1
metadata:
  name: httpbin
  namespace: httpbin
spec:
  backends:
  - name: httpbin
    port:
      number: 14001 # targetPort of httpbin service
      protocol: http
  # Only clients with a source address in this range may reach the backend
  sources:
  - kind: IPRange
    name: 10.0.0.0/8
EOF
Verify the Ingress object was successfully deployed using the kubectl get ingress command and make note of the external IP address.
kubectl get ingress -n httpbin
Your output should look similar to the following example output:
NAME      CLASS    HOSTS   ADDRESS         PORTS   AGE
httpbin   <none>   *       20.85.173.179   80      6d20h
Verify the IngressBackend object was successfully deployed using the kubectl get ingressbackend command.
kubectl get ingressbackend -n httpbin
Your output should look similar to the following example output:
NAME      STATUS
httpbin   committed
Verify you can access the httpbin service using the external IP address of the ingress service and the following curl command.
curl -sI http://<external-ip>/get
Confirm you receive a response with status 200.
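An added example, not part of the original article: a Python check that an IngressBackend's IPRange sources stay inside the Application Gateway subnet, run against the 10.0.0.0/8 source used in the manifest above. The sample JSON is constructed from this page's manifest; GATEWAY_SUBNET (10.1.0.0/24) and the function name audit_ingressbackend are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample: the IngressBackend from this page in the JSON shape
# returned by `kubectl get ingressbackend httpbin -n httpbin -o json`.
SAMPLE = json.loads("""
{"kind": "IngressBackend",
 "metadata": {"name": "httpbin", "namespace": "httpbin"},
 "spec": {
   "backends": [{"name": "httpbin", "port": {"number": 14001, "protocol": "http"}}],
   "sources": [{"kind": "IPRange", "name": "10.0.0.0/8"}]}}
""")

# Assumption: the subnet the Application Gateway is deployed in (placeholder).
GATEWAY_SUBNET = "10.1.0.0/24"


def audit_ingressbackend(obj, gateway_subnet=GATEWAY_SUBNET):
    """Return findings for one IngressBackend object (parsed JSON)."""
    allowed = ipaddress.ip_network(gateway_subnet)
    spec = obj.get("spec", {})
    findings = []
    for src in spec.get("sources", []):
        if src.get("kind") != "IPRange":
            continue  # Service / AuthenticatedPrincipal sources are not CIDRs
        try:
            net = ipaddress.ip_network(src.get("name", ""), strict=False)
        except ValueError:
            findings.append(f"source {src.get('name')!r}: not a valid CIDR")
            continue
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if net.version != allowed.version or not net.subnet_of(allowed):
            findings.append(f"source {net}: not contained in gateway subnet {allowed}")
    for backend in spec.get("backends", []):
        port = backend.get("port", {})
        if port.get("protocol") == "http":
            findings.append(
                f"backend {backend.get('name')}:{port.get('number')}: "
                "plaintext http between ingress and sidecar"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_ingressbackend(SAMPLE):
        print(finding)
```

To audit a live object, pass the parsed output of kubectl get ingressbackend with -o json and the real gateway subnet instead of the constructed values.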
Metrics observability allows you to view the metrics of your mesh and the deployments in your mesh. With OSM, you can use Prometheus and Grafana for metrics observability, but those integrations aren't covered by the AKS support policy.
You can also integrate OSM with Azure Monitor.
Before you can enable metrics on your mesh to integrate with Azure Monitor, make sure you have the following prerequisites:
Enable metrics for a namespace in the mesh using the osm metrics enable command.
osm metrics enable --namespace myappnamespace
Create a ConfigMap in the kube-system namespace that enables Azure Monitor to monitor your namespaces. For example, create a monitor-configmap.yaml with the following contents to monitor the myappnamespace:
kind: ConfigMap
apiVersion: v1
data:
  schema-version: v1
  config-version: ver1
  osm-metric-collection-configuration: |-
    # OSM metric collection settings
    [osm_metric_collection_configuration]
      [osm_metric_collection_configuration.settings]
          # Namespaces to monitor
          monitor_namespaces = ["myappnamespace"]
metadata:
  name: container-azm-ms-osmconfig
  namespace: kube-system
Apply the ConfigMap using the kubectl apply command.
kubectl apply -f monitor-configmap.yaml
Navigate to the Azure portal and select your AKS cluster.
Under Monitoring, select Logs.
In the Monitoring section, query the InsightsMetrics table to view metrics in the enabled namespaces. For example, the following query shows the envoy metrics for the default namespace:
InsightsMetrics
| where Name contains "envoy"
| extend t=parse_json(Tags)
| where t.namespace == "default"
OSM can integrate with certain automation projects and developer tooling to help operators and developers build and release applications. For example, OSM integrates with Flagger for progressive delivery and Dapr for building applications. The OSM integrations with Flagger and Dapr aren't covered by the AKS support policy.
External authorization allows you to offload authorization of HTTP requests to an external service. OSM can use external authorization by integrating with Open Policy Agent (OPA), but that integration isn't covered by the AKS support policy.
OSM uses several types of certificates to operate on your AKS cluster. OSM includes its own certificate manager called Tresor, which is used by default. Alternatively, OSM allows you to integrate with HashiCorp Vault and cert-manager, but those integrations aren't covered by the AKS support policy.
This article covered the Open Service Mesh (OSM) add-on integrations with features provided by Azure and some open source projects. To learn more about OSM, see About OSM in AKS.