osm

v0.0.9
Published: Jul 16, 2020 License: MIT

Open Service Mesh (OSM)

Open Service Mesh (OSM) is a lightweight, extensible, Cloud Native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.

Guided by 4 core principles:

  1. Simple to understand and contribute to
  2. Effortless to install, maintain, and operate
  3. Painless to troubleshoot
  4. Easy to configure via SMI

Overview

OSM runs an Envoy-based control plane on Kubernetes, can be configured with SMI APIs, and works by injecting an Envoy proxy as a sidecar container next to each instance of your application. The proxy contains and executes rules around access control policies, implements routing configuration, and captures metrics. The control plane continually configures proxies to ensure policies and routing rules are up to date and ensures proxies are healthy.

Features of OSM:

  1. More easily and transparently configure traffic shifting for deployments
  2. Secure service to service communication by enabling mTLS
  3. Define and execute fine-grained access control policies for services
  4. Observability and insights into application metrics for debugging and monitoring services
  5. Integrate with external certificate management services/solutions with a pluggable interface.
  6. Onboard applications onto the mesh by enabling automatic sidecar injection of Envoy proxy.

Note: This project is a work in progress. See the demo instructions to get a sense of what we've accomplished and are working on.

OSM Design

Read more about the high level goals, design and architecture here.

Getting Started

Prerequisites

  • Kubernetes cluster running Kubernetes v1.15.0 or greater
  • A private container registry (temporary requirement as this is currently a private repo)

Install

The simplest way of installing Open Service Mesh on a Kubernetes cluster is by using the osm CLI.

Download the osm binary from the Releases page.

See the installation guide for more detailed options.

Managing Services Using OSM

On-boarding services to the OSM managed service mesh

To on-board a service to the OSM managed service mesh, OSM first needs to be configured to monitor the namespace the service belongs to. This can be done by labeling the namespace with the mesh name as follows.

$ kubectl label namespace <namespace> openservicemesh.io/monitored-by=<mesh-name>

The same can be done using the osm CLI tool.

$ bin/osm namespace add --mesh-name <mesh-name> <namespace-name>

The mesh-name is a unique identifier assigned to an osm-controller instance during install to identify and manage a mesh instance.

The mesh-name should follow RFC 1123 DNS Label constraints. The mesh-name must:

  • contain at most 63 characters
  • contain only lowercase alphanumeric characters or '-'
  • start with an alphanumeric character
  • end with an alphanumeric character
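
The four constraints above, checked one by one so that a rejected name reports every rule it breaks. This is an added example, not code from the OSM project; `checkMeshName` and `isAlnum` are names invented here, and rejecting an empty name is an assumption that follows from the start and end rules.

```go
package main

import (
	"fmt"
	"strings"
)

// isAlnum reports whether b is a lowercase ASCII letter or a digit. Uppercase
// letters are excluded because the character rule allows lowercase only.
func isAlnum(b byte) bool { return (b >= 'a' && b <= 'z') || (b >= '0' && b <= '9') }

// checkMeshName returns the listed constraints that name violates.
// An empty result means the name is acceptable.
func checkMeshName(name string) []string {
	if name == "" {
		return []string{"must not be empty"} // assumption: no start/end character exists
	}
	var bad []string
	if len(name) > 63 {
		bad = append(bad, "contain at most 63 characters")
	}
	for i := 0; i < len(name); i++ {
		if !isAlnum(name[i]) && name[i] != '-' {
			bad = append(bad, "contain only lowercase alphanumeric characters or '-'")
			break
		}
	}
	if !isAlnum(name[0]) {
		bad = append(bad, "start with an alphanumeric character")
	}
	if !isAlnum(name[len(name)-1]) {
		bad = append(bad, "end with an alphanumeric character")
	}
	return bad
}

func main() {
	// Constructed sample names, not taken from a real cluster.
	for _, n := range []string{"osm", "Prod-Mesh", "-edge-", strings.Repeat("a", 64)} {
		fmt.Printf("%q -> %v\n", n, checkMeshName(n))
	}
}
```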

After a namespace is labeled for monitoring, new services deployed in a monitored namespace will be a part of the service mesh and OSM will perform automatic sidecar injection for newly created PODs in that namespace.

Disabling automatic sidecar injection

Since the sidecar is automatically injected for PODs belonging to a monitored namespace, PODs that are not a part of the service mesh but belong to a monitored namespace should be configured to not have the sidecar injected. This can be achieved in either of the following ways.

  • Deploying PODs that are not a part of the service mesh in namespaces that are not monitored by OSM
  • Explicitly annotating PODs with sidecar injection as disabled: "openservicemesh.io/sidecar-injection": "disabled"

Adding existing services to be managed by a new OSM instance

Currently OSM only supports automatic sidecar injection for newly created PODs. Thus, existing services will need to be enabled for monitoring as described above, and then the PODs will need to be redeployed. This workflow will be simplified once OSM supports manual sidecar injection.
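
Because pods that predate the namespace label, or that carry the disabled annotation, run without the proxy that enforces mTLS and access control, it is worth auditing monitored namespaces for them. The following is an added example, not code from the OSM project: the `Pod` type and `auditMesh` are hypothetical, the sidecar container name `envoy` is an assumption, and the inventory is constructed sample data.

```go
package main

import (
	"fmt"
	"slices"
)

// Keys as given in the README; the sidecar container name is an assumption.
const (
	monitorLabel = "openservicemesh.io/monitored-by"
	injectAnno   = "openservicemesh.io/sidecar-injection"
	sidecarName  = "envoy"
)

// Pod holds only the fields the audit reads (hypothetical, trimmed-down type).
type Pod struct {
	Namespace, Name string
	Annotations     map[string]string
	Containers      []string
}

// auditMesh lists pods in namespaces labeled for mesh that run without a sidecar.
func auditMesh(nsLabels map[string]map[string]string, pods []Pod, mesh string) []string {
	var out []string
	for _, p := range pods {
		v, ok := nsLabels[p.Namespace][monitorLabel]
		if !ok || v != mesh || slices.Contains(p.Containers, sidecarName) {
			continue // not monitored by this mesh, or already has the sidecar
		}
		why := "no sidecar; redeploy the pod"
		if p.Annotations[injectAnno] == "disabled" {
			why = "injection disabled by annotation"
		}
		out = append(out, p.Namespace+"/"+p.Name+": "+why)
	}
	return out
}

// Constructed sample data: namespace name -> labels, and a few pods.
var sampleNS = map[string]map[string]string{"shop": {monitorLabel: "osm"}, "tools": {}}
var samplePods = []Pod{
	{"shop", "cart", nil, []string{"app", "envoy"}},
	{"shop", "legacy", nil, []string{"app"}},
	{"shop", "batch", map[string]string{injectAnno: "disabled"}, []string{"job"}},
	{"tools", "debug", nil, []string{"sh"}},
}

func main() { fmt.Println(auditMesh(sampleNS, samplePods, "osm")) }
```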

Un-managing namespaces

To stop OSM from monitoring a namespace, remove the monitoring label from the namespace.

$ kubectl label namespace <namespace> openservicemesh.io/monitored-by-

The same can be done using the osm CLI tool.

$ bin/osm namespace remove --mesh-name <mesh-name> <namespace-name>

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. See CODE_OF_CONDUCT.MD for further details.

License

This software is covered under the MIT license. You can read the license here.

Directories

Path Synopsis
ci
cmd
cmd
ads
cli
demo
experimental
pkg/apis/policy/v1alpha1
Package v1alpha1 is the v1alpha1 version of the API.
pkg/client/clientset/versioned
This package has the automatically generated clientset.
pkg/client/clientset/versioned/fake
This package has the automatically generated fake clientset.
pkg/client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
pkg/client/clientset/versioned/typed/policy/v1alpha1
This package has the automatically generated typed clients.
pkg/client/clientset/versioned/typed/policy/v1alpha1/fake
Package fake has the automatically generated clients.
pkg
apis/azureresource/v1
Package v1 is the v1 version of the API.
cli
osm_client/clientset/versioned
This package has the automatically generated clientset.
osm_client/clientset/versioned/fake
This package has the automatically generated fake clientset.
osm_client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
osm_client/clientset/versioned/typed/azureresource/v1
This package has the automatically generated typed clients.
osm_client/clientset/versioned/typed/azureresource/v1/fake
Package fake has the automatically generated clients.
providers/azure
Package azure implements methods for working with Azure.
smi
scripts
