Add a K8s Stack / Service Mesh / Ingress¶
Performing Iter8 experiments requires RBAC rules, which are contained in this Kustomize folder and are installed as part of the Iter8 installation.
Enable Iter8 experiments over a new K8s stack by extending these RBAC rules.
Step 1: Fork Iter8¶
Fork the Iter8 GitHub repo. Locally clone your forked repo.
For the rest of this document, $ITER8
will refer to the root of your local Iter8 repo.
Step 2: Edit kustomization.yaml
¶
cd $ITER8/install/core/rbac/stacks
Edit kustomization.yaml
to add your K8s stack. At the time of writing, it contains the following stacks:
resources:
- iter8-knative
- iter8-istio
- iter8-kfserving
- iter8-seldon
- iter8-linkerd
# -iter8-<your stack> # add your stack here
Step 3: Create subfolder¶
mkdir iter8-<your stack>
cp iter8-kfserving/kustomization.yaml iter8-<your stack>/kustomization.yaml
Step 4: Create RBAC rules¶
cd iter8-<your stack>
Suppose Iter8 experiments on your stack involves manipulation of two types of resources:
- The
foo
resource belonging to the API groupbar.my.org
. - The Istio virtual service resource.
Note:
Foo
andbar
are merely placeholders. It can be replaced by any standard K8s resource type likedeployment
orservice
, or a custom resource type, as required.
Create RBAC rules that will enable Iter8 to manipulate foo
resources and Istio virtual service resources during experiments. You can do so by creating roles.yaml
and rolebindings.yaml
files as follows.
roles.yaml
# This cluster role enables manipulation of foo resources
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: foo-for-<your stack>
rules:
- apiGroups:
- bar.my.org
resources:
- foo
verbs:
- get
- list
- patch
- update
- create
- delete
- watch
---
# This cluster role enables manipulation of Istio virtual services
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: vs-for-<your stack>
rules:
- apiGroups:
- networking.istio.io
resources:
- virtualservices
verbs:
- get
- list
- patch
- update
- create
- delete
- watch
rolebindings.yaml
# This cluster role binding enables Iter8 controller and task runner to manipulate
# foo resources in any namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: foo-for-<your stack>
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: foo-for-<your stack>
subjects:
- kind: ServiceAccount
name: controller
- kind: ServiceAccount
name: handlers
---
# This role binding enables Iter8 controller and handler to manipulate
# Istio virtual services in any namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: vs-for-<your stack>
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vs-for-<your stack>
subjects:
- kind: ServiceAccount
name: controller
- kind: ServiceAccount
name: handlers
You can also refer to the Istio, KFServing, Knative, and Seldon examples.
Step 5: Update RBAC rules¶
Update the RBAC rules that are applied to the Kubernetes cluster as part of the Iter8 installation.
Step 6: Submit PR¶
Sign your commit and submit your pull request to the Iter8 repo.