AKS with Linkerd Service Mesh

Securing internal traffic with Linkerd on AKS

Architecture

Linkerd Architecture: Control Plane vs Data Plane

What is a service mesh?

Articles in Series

  1. AKS with Azure Container Registry
  2. AKS with Calico network policies
  3. AKS with Linkerd service mesh (this article)
  4. AKS with Istio service mesh

Previous Article

Requirements

Required Tools

  • Azure CLI tool (az): command line tool that interacts with Azure API.
  • Kubernetes client tool (kubectl): command line tool that interacts with Kubernetes API.
  • Helm (helm): command line tool for “templating and sharing Kubernetes manifests” (ref) that are bundled as Helm chart packages.
  • helm-diff plugin: allows you to see the changes made with helm or helmfile before applying the changes.
  • Helmfile (helmfile): command line tool that uses a “declarative specification for deploying Helm charts across many environments” (ref).
  • Linkerd CLI (linkerd): command line tool that can configure, deploy, and verify the Linkerd environment and its extensions.

Optional tools

  • POSIX shell (sh) such as GNU Bash (bash) or Zsh (zsh): the scripts in this guide were tested using either of these shells on macOS and Ubuntu Linux.
  • Docker (docker): command line tool to build, test, and push docker images.
  • SmallStep CLI (step): “a zero trust swiss army knife for working with certificates”.

Project file structure

~/azure_linkerd
├── certs
│   ├── ca.crt
│   ├── ca.key
│   ├── issuer.crt
│   └── issuer.key
├── env.sh
└── examples
    ├── dgraph
    │   ├── helmfile.yaml
    │   └── network_policy.yaml
    └── pydgraph
        ├── Dockerfile
        ├── Makefile
        ├── helmfile.yaml
        ├── load_data.py
        ├── requirements.txt
        ├── sw.nquads.rdf
        └── sw.schema

Project Environment Variables

Provision Azure resources

Azure cloud resources

Verify AKS and KUBECONFIG

source env.sh
kubectl get all --all-namespaces

The Linkerd service mesh

Kubernetes Components

Generate Certificates

Republish Linkerd Images (optional)

Install Linkerd

kubectl get all --namespace linkerd
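The gists behind the Generate Certificates and Install Linkerd steps above did not survive extraction. The following is an added example, not the author's script: it produces the four files listed under certs/ with the step CLI from the optional tools, checks them with openssl, and passes them to linkerd install. The directory argument and the function names are assumptions.

```shell
# Added example (not from the blog). Linkerd identity needs two ECDSA P-256 CAs:
# a trust anchor that every proxy trusts, and an issuer signed by that anchor
# which the identity controller uses to mint short-lived proxy certificates.
gen_linkerd_certs() {
  dir="${1:-certs}"   # assumed layout: ./certs as in the project tree
  mkdir -p "$dir"
  (
    cd "$dir"
    # Trust anchor. ca.key never goes into the cluster; keep it offline and
    # use it only to sign (and later rotate) the issuer.
    step certificate create root.linkerd.cluster.local ca.crt ca.key \
      --profile root-ca --no-password --insecure
    # Issuer: an intermediate CA limited to one year. Both issuer files are
    # handed to linkerd install and stored as a secret in the linkerd namespace.
    step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
      --profile intermediate-ca --not-after 8760h --no-password --insecure \
      --ca ca.crt --ca-key ca.key
  )
}

# Pre-install sanity check: the issuer must chain to the anchor, be a CA
# itself, and use the P-256 curve, or the identity controller will reject it.
check_linkerd_certs() {
  dir="${1:-certs}"
  openssl verify -CAfile "$dir/ca.crt" "$dir/issuer.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/issuer.crt" -noout -text | grep -q 'CA:TRUE' || return 1
  openssl x509 -in "$dir/issuer.crt" -noout -text | grep -q 'prime256v1' || return 1
}

# Install the control plane with the generated material. Only the anchor's
# public certificate is supplied; the anchor key stays out of the cluster.
install_linkerd_with_certs() {
  dir="${1:-certs}"
  linkerd install \
    --identity-trust-anchors-file "$dir/ca.crt" \
    --identity-issuer-certificate-file "$dir/issuer.crt" \
    --identity-issuer-key-file "$dir/issuer.key" | kubectl apply -f -
  linkerd check
}
```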

Install the Viz extension

linkerd viz install | kubectl apply -f -
kubectl get all --namespace linkerd-viz

Install the Jaeger extension

linkerd jaeger install | kubectl apply -f -
kubectl get all --namespace linkerd-jaeger

Access Viz Dashboard

linkerd viz dashboard &

The Dgraph service

Deploy Dgraph with Linkerd

kubectl get all --namespace "dgraph"

Service Profile

The pydgraph client

  1. Establish that basic connectivity works (baseline).
  2. Apply a Calico network policy that blocks all non-proxy traffic and verify that connectivity no longer works.
  3. Inject a proxy into the pydgraph client and verify that connectivity through the proxy works.

Fetch build and deploy scripts

Build, push, and deploy the pydgraph client

Log into the pydgraph-client container

PYDGRAPH_POD=$(kubectl get pods \
--namespace pydgraph-client \
--output name
)
kubectl exec -ti \
--namespace pydgraph-client ${PYDGRAPH_POD} \
--container pydgraph-client -- bash

Test 0 (Baseline): No Proxy

No proxy on pydgraph-client

HTTP check (no proxy)

curl ${DGRAPH_ALPHA_SERVER}:8080/health | jq

gRPC check (no proxy)

grpcurl -plaintext -proto api.proto \
${DGRAPH_ALPHA_SERVER}:9080 \
api.Dgraph/CheckVersion

Test 1: Add a network policy

Network Policy added to block traffic outside the mesh

Adding a network policy

Dgraph Network Policy for Linkerd (made with https://editor.cilium.io)
kubectl --filename ./examples/dgraph/network_policy.yaml apply
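The author's network_policy.yaml is not reproduced on the page. As an added example of the kind of policy Test 1 relies on (mine, not the blog's file), here is a Kubernetes NetworkPolicy for the dgraph namespace that admits only traffic arriving on the Linkerd proxy's inbound port, so un-meshed callers on 8080/9080 are dropped while meshed clients still get through. The pod label app=dgraph, the namespace labels, and the kubernetes.io/metadata.name label (set automatically from Kubernetes 1.21) are assumptions.

```shell
# Added example, not the blog's network_policy.yaml. A meshed client never
# reaches Dgraph on 8080/9080 directly: its proxy opens an mTLS connection to
# the server pod's proxy inbound port 4143, which forwards to the app over
# localhost. Admitting only 4143 (plus the Linkerd tap/metrics ports) drops
# un-meshed callers (Test 1) while meshed ones still work (Test 2). Assumed:
# Dgraph pods carry app=dgraph and are injected, the client is in pydgraph-client.
dgraph_linkerd_policy() {
  cat <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dgraph-linkerd-only
  namespace: dgraph
spec:
  podSelector:
    matchLabels:
      app: dgraph
  policyTypes:
    - Ingress
  ingress:
    # mTLS from meshed clients and from Dgraph's own alpha/zero peers
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: pydgraph-client
        - podSelector:
            matchLabels:
              app: dgraph
      ports:
        - protocol: TCP
          port: 4143
    # Linkerd control plane and viz: tap (4190) and Prometheus scrape (4191)
    - from:
        - namespaceSelector:
            matchLabels:
              linkerd.io/is-control-plane: "true"
        - namespaceSelector:
            matchLabels:
              linkerd.io/extension: viz
      ports:
        - protocol: TCP
          port: 4190
        - protocol: TCP
          port: 4191
EOF
}
```

Pipe the output to `kubectl apply -f -` in place of the file, then re-run the HTTP and gRPC checks. Confirm afterwards that the Dgraph pods stay Ready, since this policy also covers the kubelet's probes on 8080 unless the CNI exempts node-originated traffic.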

HTTP check (network policy applied)

curl ${DGRAPH_ALPHA_SERVER}:8080/health

gRPC check (network policy applied)

grpcurl -plaintext -proto api.proto \
${DGRAPH_ALPHA_SERVER}:9080 \
api.Dgraph/CheckVersion

Test 2: Inject Linkerd proxy side car

Inject the proxy in order to access Dgraph

View of containers (Lens tool https://k8slens.dev/)

HTTP check (proxy)

curl ${DGRAPH_ALPHA_SERVER}:8080/health | jq

gRPC check (proxy)

grpcurl -plaintext -proto api.proto \
${DGRAPH_ALPHA_SERVER}:9080 \
api.Dgraph/CheckVersion

Test 3: Listening to traffic streams

Viz Tap from the CLI

linkerd viz tap namespace/pydgraph-client

Viz Tap from the dashboard

  1. Set the Namespace field to pydgraph-client.
  2. Set the Resource field to namespace/pydgraph-client.
  3. Click on the [START] button.

Generate Traffic

Observe the resulting traffic

Cleanup

az aks delete \
--resource-group $AZ_RESOURCE_GROUP \
--name $AZ_CLUSTER_NAME

Resources

Blog Source Code

Example Applications

General Service Mesh Articles

gRPC Load Balancing

Linkerd Documentation

About o11y (cloud native observability)

Service Mesh Traffic Access

Document Changes for Blog

  • September 4, 2021: moved multiline code to gists, updated images
  • August 6, 2021: updated Linkerd architecture image

Conclusion

Load Balancing

Restricting Traffic

Final Thoughts

Linux NinjaPants Automation Engineering Mutant — exploring DevOps, o11y, k8s, progressive deployment (ci/cd), cloud native infra, infra as code

Joaquín Menchaca (智裕)
