From 11312dcf084edc4046a01f33d31c977a94238e10 Mon Sep 17 00:00:00 2001 From: Neal Timpe Date: Tue, 9 Feb 2021 18:11:45 -0500 Subject: [PATCH 01/13] topology --- _topic_map.yml | 4 ++++ modules/ossm-multitenant.adoc | 24 ++++--------------- service_mesh/v1x/ossm-deploy-mod.adoc | 9 +++++++ service_mesh/v1x/ossm-vs-community.adoc | 6 +++-- service_mesh/v2x/ossm-deploy-mod.adoc | 9 +++++++ service_mesh/v2x/ossm-vs-community.adoc | 18 ++++++++++++-- .../prepare-to-deploy-applications-ossm.adoc | 1 - 7 files changed, 46 insertions(+), 25 deletions(-) create mode 100644 service_mesh/v1x/ossm-deploy-mod.adoc create mode 100644 service_mesh/v2x/ossm-deploy-mod.adoc diff --git a/_topic_map.yml b/_topic_map.yml index 06cac54ea97d..51cc6fd8547c 100644 --- a/_topic_map.yml +++ b/_topic_map.yml @@ -2464,6 +2464,8 @@ Topics: File: customizing-installation-ossm - Name: Performance and scalability File: ossm-performance-scalability + - Name: Deployment models + File: ossm-deploy-mod - Name: Deploying applications on Service Mesh File: prepare-to-deploy-applications-ossm - Name: Data visualization and observability @@ -2495,6 +2497,8 @@ Topics: File: installing-ossm - Name: Customizing the installation File: customizing-installation-ossm + - Name: Deployment models + File: ossm-deploy-mod - Name: Deploying applications on Service Mesh File: prepare-to-deploy-applications-ossm - Name: Data visualization and observability diff --git a/modules/ossm-multitenant.adoc b/modules/ossm-multitenant.adoc index fa3494dc54e0..f0b19fe52b1c 100644 --- a/modules/ossm-multitenant.adoc +++ b/modules/ossm-multitenant.adoc 
@@ -1,23 +1,17 @@ //// Module included in the following assemblies: --ossm-vs-community.adoc +ossm-deploy-mod.adoc //// [id="ossm-multitenant-install_{context}"] = {ProductName} multitenant installation -Whereas upstream Istio takes a single tenant approach, {ProductName} supports multiple independent control planes within the cluster. {ProductName} uses a multitenant operator to manage the control plane lifecycle. - -{ProductName} installs a multitenant control plane by default. You specify the projects that can access the {ProductShortName}, and isolate the {ProductShortName} from other control plane instances. +{ProductName} installs a multitenant control plane by default. You can specify the projects that can access the {ProductShortName} and isolate the {ProductShortName} from other control plane instances. [id="ossm-mt-vs-clusterwide_{context}"] -== Multitenancy versus cluster-wide installations - -The main difference between a multitenant installation and a cluster-wide installation is the scope of privileges used by the control plane deployments, for example, Galley and Pilot. The components no longer use cluster-scoped Role Based Access Control (RBAC) resource `ClusterRoleBinding`. +== Multitenant installations -Every project in the `ServiceMeshMemberRoll` `members` list will have a `RoleBinding` for each service account associated with the control plane deployment and each control plane deployment will only watch those member projects. Each member project has a `maistra.io/member-of` label added to it, where the `member-of` value is the project containing the control plane installation. - -{ProductName} configures each member project to ensure network access between itself, the control plane, and other member projects. The exact configuration differs depending on how OpenShift software-defined networking (SDN) is configured. See About OpenShift SDN for additional details. 
+{ProductName} configures each member project to ensure network access between the project, the control plane, and other member projects. The exact configuration differs depending on how OpenShift software-defined networking (SDN) is configured. See About OpenShift SDN for additional details. If the {product-title} cluster is configured to use the SDN plug-in: @@ -29,13 +23,3 @@ This also restricts ingress to only member projects. If you require ingress from ==== * *Multitenant*: {ProductName} joins the `NetNamespace` for each member project to the `NetNamespace` of the control plane project (the equivalent of running `oc adm pod-network join-projects --to control-plane-project member-project`). If you remove a member from the {ProductShortName}, its `NetNamespace` is isolated from the control plane (the equivalent of running `oc adm pod-network isolate-projects member-project`). - -* *Subnet*: No additional configuration is performed. - -[id="ossm-cluster-scoped-resources_{context}"] -== Cluster scoped resources - -Upstream Istio has two cluster scoped resources that it relies on. The `MeshPolicy` and the `ClusterRbacConfig`. These are not compatible with a multitenant cluster and have been replaced as described below. - -* _ServiceMeshPolicy_ replaces MeshPolicy for configuration of control-plane-wide authentication policies. This must be created in the same project as the control plane. -* _ServicemeshRbacConfig_ replaces ClusterRbacConfig for configuration of control-plane-wide role based access control. This must be created in the same project as the control plane. diff --git a/service_mesh/v1x/ossm-deploy-mod.adoc b/service_mesh/v1x/ossm-deploy-mod.adoc new file mode 100644 index 000000000000..8f2ca63221aa --- /dev/null +++ b/service_mesh/v1x/ossm-deploy-mod.adoc 
@@ -0,0 +1,9 @@ +[id="ossm-deployment-models"] += Deployment models +include::modules/ossm-document-attributes.adoc[] +:context: ossm-deployment-models + + + +include::modules/ossm-multitenant.adoc[leveloffset=+1] + diff --git a/service_mesh/v1x/ossm-vs-community.adoc b/service_mesh/v1x/ossm-vs-community.adoc index e83eb0454fa2..8b68cf12f846 100644 --- a/service_mesh/v1x/ossm-vs-community.adoc +++ b/service_mesh/v1x/ossm-vs-community.adoc @@ -9,9 +9,11 @@ An installation of {ProductName} differs from upstream Istio community installat The current release of {ProductName} differs from the current upstream Istio community release in the following ways: -// The following include statements pull in the module files that comprise the assembly. +== Deployment models + +Whereas upstream Istio takes a single tenant approach, {ProductName} supports multiple independent control planes within the cluster. {ProductName} uses a multitenant operator to manage the control plane lifecycle. For more information, see xref:../../service_mesh/v2x/ossm-deploy-mod.adoc[Deployment models]. -include::modules/ossm-multitenant.adoc[leveloffset=+1] +// The following include statements pull in the module files that comprise the assembly. include::modules/ossm-vs-istio-1x.adoc[leveloffset=+1] diff --git a/service_mesh/v2x/ossm-deploy-mod.adoc b/service_mesh/v2x/ossm-deploy-mod.adoc new file mode 100644 index 000000000000..8f2ca63221aa --- /dev/null +++ b/service_mesh/v2x/ossm-deploy-mod.adoc @@ -0,0 +1,9 @@ +[id="ossm-deployment-models"] += Deployment models +include::modules/ossm-document-attributes.adoc[] +:context: ossm-deployment-models + + + +include::modules/ossm-multitenant.adoc[leveloffset=+1] + diff --git a/service_mesh/v2x/ossm-vs-community.adoc b/service_mesh/v2x/ossm-vs-community.adoc index 0829dfeb8836..66b68ea42c28 100644 --- a/service_mesh/v2x/ossm-vs-community.adoc +++ b/service_mesh/v2x/ossm-vs-community.adoc 
@@ -9,9 +9,23 @@ An installation of {ProductName} differs from upstream Istio community installat The current release of {ProductName} differs from the current upstream Istio community release in the following ways: -// The following include statements pull in the module files that comprise the assembly. +== Deployment models + +Whereas upstream Istio takes a single tenant approach, {ProductName} supports multiple independent control planes within the cluster. {ProductName} uses a multitenant operator to manage the control plane lifecycle. + +The main difference between a multitenant installation and a cluster-wide installation is the scope of privileges used by the control plane deployment, Istiod. + +[id="ossm-cluster-scoped-resources_{context}"] +== Cluster scoped resources -include::modules/ossm-multitenant.adoc[leveloffset=+1] +Upstream Istio has two cluster scoped resources that it relies on. The `MeshPolicy` and the `ClusterRbacConfig`. These are not compatible with a multitenant cluster and have been replaced as described below. + +* _ServiceMeshPolicy_ replaces MeshPolicy for configuration of control-plane-wide authentication policies. This must be created in the same project as the control plane. +* _ServicemeshRbacConfig_ replaces ClusterRbacConfig for configuration of control-plane-wide role based access control. This must be created in the same project as the control plane. + +For more information, see xref:../../service_mesh/v2x/ossm-deploy-mod.adoc[Deployment models]. + +// The following include statements pull in the module files that comprise the assembly. include::modules/ossm-vs-istio.adoc[leveloffset=+1] diff --git a/service_mesh/v2x/prepare-to-deploy-applications-ossm.adoc b/service_mesh/v2x/prepare-to-deploy-applications-ossm.adoc index 917570c8606e..0735028e5863 100644 --- a/service_mesh/v2x/prepare-to-deploy-applications-ossm.adoc +++ b/service_mesh/v2x/prepare-to-deploy-applications-ossm.adoc 
@@ -18,7 +18,6 @@ Do not deploy applications within the {ProductShortName} control plane namespace * Review xref:../../service_mesh/v2x/installing-ossm.adoc#installing-ossm[Installing {ProductName}] - include::modules/ossm-control-plane-profiles.adoc[leveloffset=+1] include::modules/ossm-sidecar-injection.adoc[leveloffset=+1] From 8109ead4c3ad63554142a11ef6d326b44f833469 Mon Sep 17 00:00:00 2001 From: Neal Timpe Date: Wed, 10 Feb 2021 12:43:47 -0500 Subject: [PATCH 02/13] fix ids --- service_mesh/v1x/ossm-deploy-mod.adoc | 4 ++-- service_mesh/v2x/ossm-deploy-mod.adoc | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/service_mesh/v1x/ossm-deploy-mod.adoc b/service_mesh/v1x/ossm-deploy-mod.adoc index 8f2ca63221aa..64ce269e321d 100644 --- a/service_mesh/v1x/ossm-deploy-mod.adoc +++ b/service_mesh/v1x/ossm-deploy-mod.adoc @@ -1,7 +1,7 @@ -[id="ossm-deployment-models"] +[id="ossm-deployment-models-v1x"] = Deployment models include::modules/ossm-document-attributes.adoc[] -:context: ossm-deployment-models +:context: ossm-deployment-models-v1x diff --git a/service_mesh/v2x/ossm-deploy-mod.adoc b/service_mesh/v2x/ossm-deploy-mod.adoc index 8f2ca63221aa..324fc144b05b 100644 --- a/service_mesh/v2x/ossm-deploy-mod.adoc +++ b/service_mesh/v2x/ossm-deploy-mod.adoc @@ -1,7 +1,7 @@ -[id="ossm-deployment-models"] +[id="ossm-deployment-models-v2x"] = Deployment models include::modules/ossm-document-attributes.adoc[] -:context: ossm-deployment-models +:context: ossm-deployment-models-v2x From ce58b3ae108ccdb71052814b1e5a052fb0c92a2a Mon Sep 17 00:00:00 2001 
From: Neal Timpe Date: Wed, 10 Feb 2021 18:36:15 -0500 Subject: [PATCH 03/13] reset --- modules/ossm-multitenant.adoc | 24 ++++++++++++++++++++---- service_mesh/v1x/ossm-deploy-mod.adoc | 1 - service_mesh/v1x/ossm-vs-community.adoc | 17 ++++++++--------- service_mesh/v2x/ossm-deploy-mod.adoc | 4 ---- service_mesh/v2x/ossm-vs-community.adoc | 18 ++---------------- 5 files changed, 30 insertions(+), 34 deletions(-) diff --git a/modules/ossm-multitenant.adoc b/modules/ossm-multitenant.adoc index f0b19fe52b1c..fa3494dc54e0 100644 --- a/modules/ossm-multitenant.adoc +++ b/modules/ossm-multitenant.adoc 
@@ -1,17 +1,23 @@ //// Module included in the following assemblies: -ossm-deploy-mod.adoc +-ossm-vs-community.adoc //// [id="ossm-multitenant-install_{context}"] = {ProductName} multitenant installation -{ProductName} installs a multitenant control plane by default. You can specify the projects that can access the {ProductShortName} and isolate the {ProductShortName} from other control plane instances. +Whereas upstream Istio takes a single tenant approach, {ProductName} supports multiple independent control planes within the cluster. {ProductName} uses a multitenant operator to manage the control plane lifecycle. + +{ProductName} installs a multitenant control plane by default. You specify the projects that can access the {ProductShortName}, and isolate the {ProductShortName} from other control plane instances. [id="ossm-mt-vs-clusterwide_{context}"] -== Multitenant installations +== Multitenancy versus cluster-wide installations + +The main difference between a multitenant installation and a cluster-wide installation is the scope of privileges used by the control plane deployments, for example, Galley and Pilot. The components no longer use cluster-scoped Role Based Access Control (RBAC) resource `ClusterRoleBinding`. -{ProductName} configures each member project to ensure network access between the project, the control plane, and other member projects. The exact configuration differs depending on how OpenShift software-defined networking (SDN) is configured. See About OpenShift SDN for additional details. +Every project in the `ServiceMeshMemberRoll` `members` list will have a `RoleBinding` for each service account associated with the control plane deployment and each control plane deployment will only watch those member projects. Each member project has a `maistra.io/member-of` label added to it, where the `member-of` value is the project containing the control plane installation. 
+ +{ProductName} configures each member project to ensure network access between itself, the control plane, and other member projects. The exact configuration differs depending on how OpenShift software-defined networking (SDN) is configured. See About OpenShift SDN for additional details. If the {product-title} cluster is configured to use the SDN plug-in: @@ -23,3 +29,13 @@ This also restricts ingress to only member projects. If you require ingress from ==== * *Multitenant*: {ProductName} joins the `NetNamespace` for each member project to the `NetNamespace` of the control plane project (the equivalent of running `oc adm pod-network join-projects --to control-plane-project member-project`). If you remove a member from the {ProductShortName}, its `NetNamespace` is isolated from the control plane (the equivalent of running `oc adm pod-network isolate-projects member-project`). + +* *Subnet*: No additional configuration is performed. + +[id="ossm-cluster-scoped-resources_{context}"] +== Cluster scoped resources + +Upstream Istio has two cluster scoped resources that it relies on. The `MeshPolicy` and the `ClusterRbacConfig`. These are not compatible with a multitenant cluster and have been replaced as described below. + +* _ServiceMeshPolicy_ replaces MeshPolicy for configuration of control-plane-wide authentication policies. This must be created in the same project as the control plane. +* _ServicemeshRbacConfig_ replaces ClusterRbacConfig for configuration of control-plane-wide role based access control. This must be created in the same project as the control plane. diff --git a/service_mesh/v1x/ossm-deploy-mod.adoc b/service_mesh/v1x/ossm-deploy-mod.adoc index 64ce269e321d..e5a8d496b93e 100644 --- a/service_mesh/v1x/ossm-deploy-mod.adoc +++ b/service_mesh/v1x/ossm-deploy-mod.adoc @@ -5,5 +5,4 @@ include::modules/ossm-document-attributes.adoc[] -include::modules/ossm-multitenant.adoc[leveloffset=+1] 
diff --git a/service_mesh/v1x/ossm-vs-community.adoc b/service_mesh/v1x/ossm-vs-community.adoc index 8b68cf12f846..0829dfeb8836 100644 --- a/service_mesh/v1x/ossm-vs-community.adoc +++ b/service_mesh/v1x/ossm-vs-community.adoc @@ -1,7 +1,7 @@ -[id="ossm-vs-community-v1x"] +[id="ossm-vs-community"] = Service Mesh and Istio differences -include::modules/ossm-document-attributes-1x.adoc[] -:context: ossm-vs-istio-v1x +include::modules/ossm-document-attributes.adoc[] +:context: ossm-vs-istio toc::[] @@ -9,14 +9,13 @@ An installation of {ProductName} differs from upstream Istio community installat The current release of {ProductName} differs from the current upstream Istio community release in the following ways: -== Deployment models +// The following include statements pull in the module files that comprise the assembly. -Whereas upstream Istio takes a single tenant approach, {ProductName} supports multiple independent control planes within the cluster. {ProductName} uses a multitenant operator to manage the control plane lifecycle. For more information, see xref:../../service_mesh/v2x/ossm-deploy-mod.adoc[Deployment models]. +include::modules/ossm-multitenant.adoc[leveloffset=+1] -// The following include statements pull in the module files that comprise the assembly. +include::modules/ossm-vs-istio.adoc[leveloffset=+1] -include::modules/ossm-vs-istio-1x.adoc[leveloffset=+1] +include::modules/ossm-kiali-service-mesh.adoc[leveloffset=+2] -include::modules/ossm-kiali-service-mesh.adoc[leveloffset=+1] +include::modules/ossm-jaeger-service-mesh.adoc[leveloffset=+2] -include::modules/ossm-jaeger-service-mesh.adoc[leveloffset=+1] diff --git a/service_mesh/v2x/ossm-deploy-mod.adoc b/service_mesh/v2x/ossm-deploy-mod.adoc index 324fc144b05b..a31818e6face 100644 --- a/service_mesh/v2x/ossm-deploy-mod.adoc +++ b/service_mesh/v2x/ossm-deploy-mod.adoc 
@@ -3,7 +3,3 @@ include::modules/ossm-document-attributes.adoc[] :context: ossm-deployment-models-v2x - - -include::modules/ossm-multitenant.adoc[leveloffset=+1] - diff --git a/service_mesh/v2x/ossm-vs-community.adoc b/service_mesh/v2x/ossm-vs-community.adoc index 66b68ea42c28..0829dfeb8836 100644 --- a/service_mesh/v2x/ossm-vs-community.adoc +++ b/service_mesh/v2x/ossm-vs-community.adoc 
@@ -9,24 +9,10 @@ An installation of {ProductName} differs from upstream Istio community installat The current release of {ProductName} differs from the current upstream Istio community release in the following ways: -== Deployment models - -Whereas upstream Istio takes a single tenant approach, {ProductName} supports multiple independent control planes within the cluster. {ProductName} uses a multitenant operator to manage the control plane lifecycle. - -The main difference between a multitenant installation and a cluster-wide installation is the scope of privileges used by the control plane deployment, Istiod. - -[id="ossm-cluster-scoped-resources_{context}"] -== Cluster scoped resources - -Upstream Istio has two cluster scoped resources that it relies on. The `MeshPolicy` and the `ClusterRbacConfig`. These are not compatible with a multitenant cluster and have been replaced as described below. - -* _ServiceMeshPolicy_ replaces MeshPolicy for configuration of control-plane-wide authentication policies. This must be created in the same project as the control plane. -* _ServicemeshRbacConfig_ replaces ClusterRbacConfig for configuration of control-plane-wide role based access control. This must be created in the same project as the control plane. - -For more information, see xref:../../service_mesh/v2x/ossm-deploy-mod.adoc[Deployment models]. - // The following include statements pull in the module files that comprise the assembly. +include::modules/ossm-multitenant.adoc[leveloffset=+1] + include::modules/ossm-vs-istio.adoc[leveloffset=+1] include::modules/ossm-kiali-service-mesh.adoc[leveloffset=+2] From 2c1a9e71a9c180446e449a5bb49e06cb35122dce Mon Sep 17 00:00:00 2001 From: Neal Timpe Date: Thu, 11 Feb 2021 12:11:52 -0500 Subject: [PATCH 04/13] reset2 --- service_mesh/v1x/ossm-vs-community.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/service_mesh/v1x/ossm-vs-community.adoc b/service_mesh/v1x/ossm-vs-community.adoc index 0829dfeb8836..2cae21f67e65 100644 --- a/service_mesh/v1x/ossm-vs-community.adoc +++ b/service_mesh/v1x/ossm-vs-community.adoc @@ -1,7 +1,7 @@ -[id="ossm-vs-community"] +[id="ossm-vs-community-v1x"] = Service Mesh and Istio differences -include::modules/ossm-document-attributes.adoc[] -:context: ossm-vs-istio +include::modules/ossm-document-attributes-1x.adoc[] +:context: ossm-vs-istio-v1x toc::[] From 7874b8c20783bf522ffe09f1f90761363da4bb80 Mon Sep 17 00:00:00 2001 From: Neal Timpe Date: Thu, 11 Feb 2021 18:01:06 -0500 Subject: [PATCH 05/13] reset fix --- service_mesh/v1x/ossm-vs-community.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/service_mesh/v1x/ossm-vs-community.adoc b/service_mesh/v1x/ossm-vs-community.adoc index 2cae21f67e65..6bb302783d6c 100644 --- a/service_mesh/v1x/ossm-vs-community.adoc +++ b/service_mesh/v1x/ossm-vs-community.adoc @@ -13,7 +13,7 @@ The current release of {ProductName} differs from the current upstream Istio com include::modules/ossm-multitenant.adoc[leveloffset=+1] -include::modules/ossm-vs-istio.adoc[leveloffset=+1] +include::modules/ossm-vs-istio-1x.adoc[leveloffset=+1] include::modules/ossm-kiali-service-mesh.adoc[leveloffset=+2] From 3571e70d2cc5777d9b8ff435ec4bcf4131323ce3 Mon Sep 17 00:00:00 2001 From: Neal Timpe Date: Thu, 11 Feb 2021 18:44:12 -0500 Subject: [PATCH 06/13] add modules --- modules/ossm-deploy-mod-clus.adoc | 12 ++++++++++++ modules/ossm-deploy-mod-multi.adoc | 11 +++++++++++ service_mesh/v1x/ossm-deploy-mod.adoc | 10 +++++++--- service_mesh/v2x/ossm-deploy-mod.adoc | 11 +++++++++-- 4 files changed, 39 insertions(+), 5 deletions(-) create mode 100644 modules/ossm-deploy-mod-clus.adoc create mode 100644 modules/ossm-deploy-mod-multi.adoc diff --git a/modules/ossm-deploy-mod-clus.adoc b/modules/ossm-deploy-mod-clus.adoc new file mode 100644 index 000000000000..f25d47c370f9 --- /dev/null 
+++ b/modules/ossm-deploy-mod-clus.adoc @@ -0,0 +1,12 @@ +// Module included in the following assemblies: +// +// * service_mesh/v1x/ossm-deploy-mod-v1x.adoc +// * service_mesh/v2x/ossm-deploy-mod-v2x.adoc + +[id="ossm-deploy-mod-clus_{context}"] += Cluster-wide service mesh + +{ProductName} installs a multitenant control plane by default. You can specify the projects that can access the {ProductShortName} and isolate the {ProductShortName} from other control plane instances. + +== Cluster-wide control plane + diff --git a/modules/ossm-deploy-mod-multi.adoc b/modules/ossm-deploy-mod-multi.adoc new file mode 100644 index 000000000000..4c92f994fe46 --- /dev/null +++ b/modules/ossm-deploy-mod-multi.adoc @@ -0,0 +1,11 @@ +// Module included in the following assemblies: +// +// * service_mesh/v1x/ossm-deploy-mod-v1x.adoc +// * service_mesh/v2x/ossm-deploy-mod-v2x.adoc + +[id="ossm-deploy-mod-clus_{context}"] += Multitenant service mesh + +{ProductName} installs a multitenant control plane by default. You can specify the projects that can access the {ProductShortName} and isolate the {ProductShortName} from other control plane instances. + +== Multitennant control plane diff --git a/service_mesh/v1x/ossm-deploy-mod.adoc b/service_mesh/v1x/ossm-deploy-mod.adoc index e5a8d496b93e..f363e603b7ab 100644 --- a/service_mesh/v1x/ossm-deploy-mod.adoc +++ b/service_mesh/v1x/ossm-deploy-mod.adoc 
@@ -1,8 +1,12 @@ -[id="ossm-deployment-models-v1x"] +[id="ossm-deploy-mod-v1x"] = Deployment models include::modules/ossm-document-attributes.adoc[] -:context: ossm-deployment-models-v1x - +:context: ossm-deploy-mod-v1x +{ProductName} configures each member project to ensure network access between itself, the control plane, and other member projects. +{ProductName} supports multiple independent control planes within the cluster. {ProductName} uses a multitenant operator to manage the control plane. A multitenant installation and a cluster-wide installation is the scope of privileges used by the control plane deployment, Istiod. +include::modules/ossm-deploy-mod-multi.adoc[leveloffset=+1] + +include::modules/ossm-deploy-mod-clus.adoc[leveloffset=+1] \ No newline at end of file diff --git a/service_mesh/v2x/ossm-deploy-mod.adoc b/service_mesh/v2x/ossm-deploy-mod.adoc index a31818e6face..f358af4ec3bf 100644 --- a/service_mesh/v2x/ossm-deploy-mod.adoc +++ b/service_mesh/v2x/ossm-deploy-mod.adoc @@ -1,5 +1,12 @@ -[id="ossm-deployment-models-v2x"] +[id="ossm-deploy-mod-v2x"] = Deployment models include::modules/ossm-document-attributes.adoc[] -:context: ossm-deployment-models-v2x +:context: ossm-deploy-mod-v2x +{ProductName} configures each member project to ensure network access between itself, the control plane, and other member projects. + +{ProductName} supports multiple independent control planes within the cluster. {ProductName} uses a multitenant operator to manage the control plane. A multitenant installation and a cluster-wide installation is the scope of privileges used by the control plane deployment, Istiod. + +include::modules/ossm-deploy-mod-multi.adoc[leveloffset=+1] + +include::modules/ossm-deploy-mod-clus.adoc[leveloffset=+1] \ No newline at end of file From ff5bc076d0f650cd2679436baa36a651b66fc790 Mon Sep 17 00:00:00 2001 
From: Neal Timpe Date: Fri, 12 Feb 2021 14:05:52 -0500 Subject: [PATCH 07/13] fix and update --- modules/ossm-deploy-mod-clus.adoc | 2 +- modules/ossm-deploy-mod-multi.adoc | 5 +++-- service_mesh/v1x/ossm-deploy-mod.adoc | 6 ++---- service_mesh/v2x/ossm-deploy-mod.adoc | 6 ++---- 4 files changed, 8 insertions(+), 11 deletions(-) diff --git a/modules/ossm-deploy-mod-clus.adoc b/modules/ossm-deploy-mod-clus.adoc index f25d47c370f9..10c5c425dfdf 100644 --- a/modules/ossm-deploy-mod-clus.adoc +++ b/modules/ossm-deploy-mod-clus.adoc @@ -8,5 +8,5 @@ {ProductName} installs a multitenant control plane by default. You can specify the projects that can access the {ProductShortName} and isolate the {ProductShortName} from other control plane instances. -== Cluster-wide control plane +== Cluster-wide resources diff --git a/modules/ossm-deploy-mod-multi.adoc b/modules/ossm-deploy-mod-multi.adoc index 4c92f994fe46..d14ee482134e 100644 --- a/modules/ossm-deploy-mod-multi.adoc +++ b/modules/ossm-deploy-mod-multi.adoc @@ -3,9 +3,10 @@ // * service_mesh/v1x/ossm-deploy-mod-v1x.adoc // * service_mesh/v2x/ossm-deploy-mod-v2x.adoc -[id="ossm-deploy-mod-clus_{context}"] +[id="ossm-deploy-mod-multi_{context}"] = Multitenant service mesh {ProductName} installs a multitenant control plane by default. You can specify the projects that can access the {ProductShortName} and isolate the {ProductShortName} from other control plane instances. -== Multitennant control plane +== Multitennant resources + diff --git a/service_mesh/v1x/ossm-deploy-mod.adoc b/service_mesh/v1x/ossm-deploy-mod.adoc index f363e603b7ab..0d8f77f82559 100644 --- a/service_mesh/v1x/ossm-deploy-mod.adoc +++ b/service_mesh/v1x/ossm-deploy-mod.adoc 
@@ -3,10 +3,8 @@ include::modules/ossm-document-attributes.adoc[] :context: ossm-deploy-mod-v1x -{ProductName} configures each member project to ensure network access between itself, the control plane, and other member projects. - -{ProductName} supports multiple independent control planes within the cluster. {ProductName} uses a multitenant operator to manage the control plane. A multitenant installation and a cluster-wide installation is the scope of privileges used by the control plane deployment, Istiod. +{ProductName} supports independent control planes in the cluster. In a typical service mesh deployment, a control plane configures policies and routes traffic, while one or several data planes manage sidecars, which are intelligent proxies that intercept and control traffic. By creating a `ServiceMeshMemberRoll` resource, the control plane can set the policies for many data planes in different projects or namespaces. {ProductName} configures each member project to ensure network access between itself, the control plane, and other member projects. include::modules/ossm-deploy-mod-multi.adoc[leveloffset=+1] -include::modules/ossm-deploy-mod-clus.adoc[leveloffset=+1] \ No newline at end of file +include::modules/ossm-deploy-mod-clus.adoc[leveloffset=+1] diff --git a/service_mesh/v2x/ossm-deploy-mod.adoc b/service_mesh/v2x/ossm-deploy-mod.adoc index f358af4ec3bf..5b841827581d 100644 --- a/service_mesh/v2x/ossm-deploy-mod.adoc +++ b/service_mesh/v2x/ossm-deploy-mod.adoc 
@@ -3,10 +3,8 @@ include::modules/ossm-document-attributes.adoc[] :context: ossm-deploy-mod-v2x -{ProductName} configures each member project to ensure network access between itself, the control plane, and other member projects. - -{ProductName} supports multiple independent control planes within the cluster. {ProductName} uses a multitenant operator to manage the control plane. A multitenant installation and a cluster-wide installation is the scope of privileges used by the control plane deployment, Istiod. +{ProductName} supports independent control planes in the cluster. In a typical service mesh deployment, a control plane configures policies and routes traffic, while one or several data planes manage sidecars, which are intelligent proxies that intercept and control traffic. By creating a `ServiceMeshMemberRoll` resource, the control plane can set the policies for many data planes in different projects or namespaces. {ProductName} configures each member project to ensure network access between itself, the control plane, and other member projects. include::modules/ossm-deploy-mod-multi.adoc[leveloffset=+1] -include::modules/ossm-deploy-mod-clus.adoc[leveloffset=+1] \ No newline at end of file +include::modules/ossm-deploy-mod-clus.adoc[leveloffset=+1] From e7327094fb1669f602cd666ddd73171dc2e38ddb Mon Sep 17 00:00:00 2001 From: Neal Timpe Date: Fri, 12 Feb 2021 18:14:36 -0500 Subject: [PATCH 08/13] right direction --- modules/ossm-deploy-mod-clus.adoc | 3 ++- modules/ossm-deploy-mod-multi.adoc | 3 ++- service_mesh/v1x/ossm-deploy-mod.adoc | 4 ++-- service_mesh/v2x/ossm-deploy-mod.adoc | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/modules/ossm-deploy-mod-clus.adoc b/modules/ossm-deploy-mod-clus.adoc index 10c5c425dfdf..be58ccd7dcb9 100644 --- a/modules/ossm-deploy-mod-clus.adoc +++ b/modules/ossm-deploy-mod-clus.adoc 
@@ -6,7 +6,8 @@ [id="ossm-deploy-mod-clus_{context}"] = Cluster-wide service mesh -{ProductName} installs a multitenant control plane by default. You can specify the projects that can access the {ProductShortName} and isolate the {ProductShortName} from other control plane instances. +Your service mesh can to include all of the namespaces in your cluster. A cluster-scoped service mesh can promote reusability and help you manage resources across the cluster. == Cluster-wide resources +Create a `RequestAuthentication` or `PeerAuthentication` in the control plane namespace to manage \ No newline at end of file diff --git a/modules/ossm-deploy-mod-multi.adoc b/modules/ossm-deploy-mod-multi.adoc index d14ee482134e..bf801fd040c1 100644 --- a/modules/ossm-deploy-mod-multi.adoc +++ b/modules/ossm-deploy-mod-multi.adoc @@ -6,7 +6,8 @@ [id="ossm-deploy-mod-multi_{context}"] = Multitenant service mesh -{ProductName} installs a multitenant control plane by default. You can specify the projects that can access the {ProductShortName} and isolate the {ProductShortName} from other control plane instances. +Typical service mesh deployments use a single control plane to configure communication between services in the mesh. Multitennant deployments specify the projects that can access the {ProductShortName} and isolate the {ProductShortName} from other control plane instances. == Multitennant resources +You can create your multitennant cluster by adding a `ServiceMeshMemberRole` resource to your dataplane namespace. diff --git a/service_mesh/v1x/ossm-deploy-mod.adoc b/service_mesh/v1x/ossm-deploy-mod.adoc index 0d8f77f82559..225d43440a7b 100644 --- a/service_mesh/v1x/ossm-deploy-mod.adoc +++ b/service_mesh/v1x/ossm-deploy-mod.adoc 
@@ -1,9 +1,9 @@ [id="ossm-deploy-mod-v1x"] -= Deployment models += Deployment topology models include::modules/ossm-document-attributes.adoc[] :context: ossm-deploy-mod-v1x -{ProductName} supports independent control planes in the cluster. In a typical service mesh deployment, a control plane configures policies and routes traffic, while one or several data planes manage sidecars, which are intelligent proxies that intercept and control traffic. By creating a `ServiceMeshMemberRoll` resource, the control plane can set the policies for many data planes in different projects or namespaces. {ProductName} configures each member project to ensure network access between itself, the control plane, and other member projects. +{ProductName} supports independent control planes in a cluster. In a typical service mesh deployment, a control plane configures policies and routes traffic, while one or several data planes manage sidecars, which are intelligent proxies that intercept and control traffic. By creating a `ServiceMeshMemberRoll` resource, the control plane can set the policies for many data planes in different projects or namespaces. {ProductName} configures each member project to ensure network access between itself, the control plane, and other member projects. include::modules/ossm-deploy-mod-multi.adoc[leveloffset=+1] diff --git a/service_mesh/v2x/ossm-deploy-mod.adoc b/service_mesh/v2x/ossm-deploy-mod.adoc index 5b841827581d..969a241bc2a5 100644 --- a/service_mesh/v2x/ossm-deploy-mod.adoc +++ b/service_mesh/v2x/ossm-deploy-mod.adoc @@ -1,5 +1,5 @@ [id="ossm-deploy-mod-v2x"] -= Deployment models += Deployment topology models include::modules/ossm-document-attributes.adoc[] :context: ossm-deploy-mod-v2x From 0f4621d0b7068d9686b84034a07e8f472ef17e4c Mon Sep 17 00:00:00 2001 
From: Neal Timpe Date: Mon, 15 Feb 2021 11:33:29 -0500 Subject: [PATCH 09/13] add resources --- modules/ossm-deploy-mod-clus.adoc | 5 +++-- modules/ossm-deploy-mod-multi.adoc | 19 ++++++++++++++++++- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/modules/ossm-deploy-mod-clus.adoc b/modules/ossm-deploy-mod-clus.adoc index be58ccd7dcb9..234929da838b 100644 --- a/modules/ossm-deploy-mod-clus.adoc +++ b/modules/ossm-deploy-mod-clus.adoc @@ -6,8 +6,9 @@ [id="ossm-deploy-mod-clus_{context}"] = Cluster-wide service mesh -Your service mesh can to include all of the namespaces in your cluster. A cluster-scoped service mesh can promote reusability and help you manage resources across the cluster. +Your service mesh can include all of the namespaces in your cluster. A cluster-scoped service mesh can promote reusability and help you manage resources across the cluster. While the most typical deployment is a multitennant deployment, where a {ProductShortName} control plane manages multiple projects, a cluster-wide model can satisfy security, policy or performance requirements instead of dividing the mesh into projects. == Cluster-wide resources -Create a `RequestAuthentication` or `PeerAuthentication` in the control plane namespace to manage \ No newline at end of file +A `RequestAuthentication` or `PeerAuthentication` resource define who can access a service or workflow. See Configuring Role Based Access Control (RBAC) in Security for more information about how to create and deploy the `RequestAuthentication` or `PeerAuthentication` resources. In a multitennant deployment, you would deploy those resources in the data plane project. In a cluster-wide deployment, you can deploy those resources in the control plane project to grant permissions on specific workflows or namespaces. + diff --git a/modules/ossm-deploy-mod-multi.adoc b/modules/ossm-deploy-mod-multi.adoc index bf801fd040c1..a9a886853461 100644 --- a/modules/ossm-deploy-mod-multi.adoc 
+++ b/modules/ossm-deploy-mod-multi.adoc @@ -10,4 +10,21 @@ Typical service mesh deployments use a single control plane to configure communi == Multitennant resources -You can create your multitennant cluster by adding a `ServiceMeshMemberRole` resource to your dataplane namespace. +You can create your multitennant cluster by adding a `ServiceMeshMemberRole` resource to your control plane project, which is usually `istio-system`. The `ServiceMeshMemberRole` resource associates the projects in the list with one control plane. Your `ServiceMeshMemberRole` resource can contain can contain one or more projects that make up a service mesh. + +.`ServiceMeshMemberRole` resource example + +[source,yaml] +---- +apiVersion: maistra.io/v1 +kind: ServiceMeshMemberRoll +metadata: + name: default + namespace: istio-system +spec: + members: + # a list of projects joined into the service mesh + - bookinfo + - another-project-name +---- + From 1c25ae9ca35c7603be5687ef8815505d73b0680a Mon Sep 17 00:00:00 2001 From: Neal Timpe Date: Mon, 15 Feb 2021 12:40:27 -0500 Subject: [PATCH 10/13] talked to Rob --- modules/ossm-deploy-mod-clus.adoc | 14 -------------- modules/ossm-deploy-mod-mesh.adoc | 16 ++++++++++++++++ modules/ossm-deploy-mod-multi.adoc | 4 ++-- service_mesh/v1x/ossm-deploy-mod.adoc | 2 +- service_mesh/v2x/ossm-deploy-mod.adoc | 4 ++-- 5 files changed, 21 insertions(+), 19 deletions(-) delete mode 100644 modules/ossm-deploy-mod-clus.adoc create mode 100644 modules/ossm-deploy-mod-mesh.adoc diff --git a/modules/ossm-deploy-mod-clus.adoc b/modules/ossm-deploy-mod-clus.adoc deleted file mode 100644 index 234929da838b..000000000000 --- a/modules/ossm-deploy-mod-clus.adoc +++ /dev/null 
@@ -1,14 +0,0 @@ -// Module included in the following assemblies: -// -// * service_mesh/v1x/ossm-deploy-mod-v1x.adoc -// * service_mesh/v2x/ossm-deploy-mod-v2x.adoc - -[id="ossm-deploy-mod-clus_{context}"] -= Cluster-wide service mesh - -Your service mesh can include all of the namespaces in your cluster. A cluster-scoped service mesh can promote reusability and help you manage resources across the cluster. While the most typical deployment is a multitennant deployment, where a {ProductShortName} control plane manages multiple projects, a cluster-wide model can satisfy security, policy or performance requirements instead of dividing the mesh into projects. - -== Cluster-wide resources - -A `RequestAuthentication` or `PeerAuthentication` resource define who can access a service or workflow. See Configuring Role Based Access Control (RBAC) in Security for more information about how to create and deploy the `RequestAuthentication` or `PeerAuthentication` resources. In a multitennant deployment, you would deploy those resources in the data plane project. In a cluster-wide deployment, you can deploy those resources in the control plane project to grant permissions on specific workflows or namespaces. - diff --git a/modules/ossm-deploy-mod-mesh.adoc b/modules/ossm-deploy-mod-mesh.adoc new file mode 100644 index 000000000000..1a867efc1297 --- /dev/null +++ b/modules/ossm-deploy-mod-mesh.adoc 
@@ -0,0 +1,16 @@ +// Module included in the following assemblies: +// +// * service_mesh/v1x/ossm-deploy-mod-v1x.adoc +// * service_mesh/v2x/ossm-deploy-mod-v2x.adoc + +[id="ossm-deploy-mod-clus_{context}"] += Mesh-wide deployment + +Your service mesh can include all of the namespaces in your mesh. A mesh-scoped service mesh can promote reusability and help you manage resources across the mesh. While the most typical deployment is a multitennant deployment, where a {ProductShortName} control plane manages multiple projects, a mesh-wide model can satisfy security, policy or performance requirements instead of dividing the mesh into projects. + +Start by enabling the default peer authentication by configuring the data plane mTLS. + +== Mesh-wide resources + +A `RequestAuthentication` or `PeerAuthentication` resource define who can access a service or workflow. See Configuring Role Based Access Control (RBAC) in Security for more information about how to create and deploy the `RequestAuthentication` or `PeerAuthentication` resources. In a multitennant deployment, you would deploy those resources in the data plane project. In a mesh-wide deployment, you can deploy those resources in the control plane project to grant permissions on specific workflows or namespaces. + diff --git a/modules/ossm-deploy-mod-multi.adoc b/modules/ossm-deploy-mod-multi.adoc index a9a886853461..03165ebfd1b5 100644 --- a/modules/ossm-deploy-mod-multi.adoc +++ b/modules/ossm-deploy-mod-multi.adoc 
@@ -4,13 +4,13 @@ // * service_mesh/v2x/ossm-deploy-mod-v2x.adoc [id="ossm-deploy-mod-multi_{context}"] -= Multitenant service mesh += Multitenant deployment Typical service mesh deployments use a single control plane to configure communication between services in the mesh. Multitennant deployments specify the projects that can access the {ProductShortName} and isolate the {ProductShortName} from other control plane instances. == Multitennant resources -You can create your multitennant cluster by adding a `ServiceMeshMemberRole` resource to your control plane project, which is usually `istio-system`. The `ServiceMeshMemberRole` resource associates the projects in the list with one control plane. Your `ServiceMeshMemberRole` resource can contain can contain one or more projects that make up a service mesh. +You can create your multitennant service mesh by adding a `ServiceMeshMemberRole` resource to your control plane project, which is usually `istio-system`. The `ServiceMeshMemberRole` resource associates the projects in the list with one control plane. Your `ServiceMeshMemberRole` resource can contain can contain one or more projects that make up a service mesh. .`ServiceMeshMemberRole` resource example diff --git a/service_mesh/v1x/ossm-deploy-mod.adoc b/service_mesh/v1x/ossm-deploy-mod.adoc index 225d43440a7b..c50cd26645aa 100644 --- a/service_mesh/v1x/ossm-deploy-mod.adoc +++ b/service_mesh/v1x/ossm-deploy-mod.adoc @@ -7,4 +7,4 @@ include::modules/ossm-document-attributes.adoc[] include::modules/ossm-deploy-mod-multi.adoc[leveloffset=+1] -include::modules/ossm-deploy-mod-clus.adoc[leveloffset=+1] +include::modules/ossm-deploy-mod-mesh.adoc[leveloffset=+1] diff --git a/service_mesh/v2x/ossm-deploy-mod.adoc b/service_mesh/v2x/ossm-deploy-mod.adoc index 969a241bc2a5..7e76d053b392 100644 --- a/service_mesh/v2x/ossm-deploy-mod.adoc +++ b/service_mesh/v2x/ossm-deploy-mod.adoc 
@@ -3,8 +3,8 @@ include::modules/ossm-document-attributes.adoc[] :context: ossm-deploy-mod-v2x -{ProductName} supports independent control planes in the cluster. In a typical service mesh deployment, a control plane configures policies and routes traffic, while one or several data planes manage sidecars, which are intelligent proxies that intercept and control traffic. By creating a `ServiceMeshMemberRoll` resource, the control plane can set the policies for many data planes in different projects or namespaces. {ProductName} configures each member project to ensure network access between itself, the control plane, and other member projects. +{ProductName} supports independent control planes. In a typical service mesh deployment, a control plane configures policies and routes traffic, while one or several data planes manage sidecars, which are intelligent proxies that intercept and control traffic. By creating a `ServiceMeshMemberRoll` resource, the control plane can set the policies for many data planes in different projects or namespaces. {ProductName} configures each member project to ensure network access between itself, the control plane, and other member projects. include::modules/ossm-deploy-mod-multi.adoc[leveloffset=+1] -include::modules/ossm-deploy-mod-clus.adoc[leveloffset=+1] +include::modules/ossm-deploy-mod-mesh.adoc[leveloffset=+1] From e4cb7256f9febff84bb3f23b2c71b0dc59a281e7 Mon Sep 17 00:00:00 2001 From: Neal Timpe Date: Tue, 16 Feb 2021 16:29:02 -0500 Subject: [PATCH 11/13] update --- modules/ossm-deploy-mod-mesh.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ossm-deploy-mod-mesh.adoc b/modules/ossm-deploy-mod-mesh.adoc index 1a867efc1297..dbd7974c5ba9 100644 --- a/modules/ossm-deploy-mod-mesh.adoc +++ b/modules/ossm-deploy-mod-mesh.adoc 
@@ -6,7 +6,7 @@ [id="ossm-deploy-mod-clus_{context}"] = Mesh-wide deployment -Your service mesh can include all of the namespaces in your mesh. A mesh-scoped service mesh can promote reusability and help you manage resources across the mesh. While the most typical deployment is a multitennant deployment, where a {ProductShortName} control plane manages multiple projects, a mesh-wide model can satisfy security, policy or performance requirements instead of dividing the mesh into projects. +Your service mesh can include all of the namespaces in your mesh. A mesh-scoped deployment can promote reusability and help you manage resources across the mesh. While the most typical deployment is a multitennant deployment, where a {ProductShortName} control plane manages multiple projects, a mesh-wide model can satisfy security, policy or performance requirements instead of dividing the mesh into projects. Start by enabling the default peer authentication by configuring the data plane mTLS. From dcb3cb4abced677be440dc32156ecfa107ff414c Mon Sep 17 00:00:00 2001 From: Neal Timpe Date: Tue, 23 Feb 2021 08:44:55 -0500 Subject: [PATCH 12/13] remove mesh-wide --- modules/ossm-deploy-mod-mesh.adoc | 16 ---------------- service_mesh/v2x/ossm-deploy-mod.adoc | 3 +-- 2 files changed, 1 insertion(+), 18 deletions(-) delete mode 100644 modules/ossm-deploy-mod-mesh.adoc diff --git a/modules/ossm-deploy-mod-mesh.adoc b/modules/ossm-deploy-mod-mesh.adoc deleted file mode 100644 index dbd7974c5ba9..000000000000 --- a/modules/ossm-deploy-mod-mesh.adoc +++ /dev/null 
@@ -1,16 +0,0 @@ -// Module included in the following assemblies: -// -// * service_mesh/v1x/ossm-deploy-mod-v1x.adoc -// * service_mesh/v2x/ossm-deploy-mod-v2x.adoc - -[id="ossm-deploy-mod-clus_{context}"] -= Mesh-wide deployment - -Your service mesh can include all of the namespaces in your mesh. A mesh-scoped deployment can promote reusability and help you manage resources across the mesh. While the most typical deployment is a multitennant deployment, where a {ProductShortName} control plane manages multiple projects, a mesh-wide model can satisfy security, policy or performance requirements instead of dividing the mesh into projects. - -Start by enabling the default peer authentication by configuring the data plane mTLS. - -== Mesh-wide resources - -A `RequestAuthentication` or `PeerAuthentication` resource define who can access a service or workflow. See Configuring Role Based Access Control (RBAC) in Security for more information about how to create and deploy the `RequestAuthentication` or `PeerAuthentication` resources. In a multitennant deployment, you would deploy those resources in the data plane project. In a mesh-wide deployment, you can deploy those resources in the control plane project to grant permissions on specific workflows or namespaces. - diff --git a/service_mesh/v2x/ossm-deploy-mod.adoc b/service_mesh/v2x/ossm-deploy-mod.adoc index 7e76d053b392..a3f25f83d8fa 100644 --- a/service_mesh/v2x/ossm-deploy-mod.adoc +++ b/service_mesh/v2x/ossm-deploy-mod.adoc 
@@ -6,5 +6,4 @@ include::modules/ossm-document-attributes.adoc[] {ProductName} supports independent control planes. In a typical service mesh deployment, a control plane configures policies and routes traffic, while one or several data planes manage sidecars, which are intelligent proxies that intercept and control traffic. By creating a `ServiceMeshMemberRoll` resource, the control plane can set the policies for many data planes in different projects or namespaces. {ProductName} configures each member project to ensure network access between itself, the control plane, and other member projects. include::modules/ossm-deploy-mod-multi.adoc[leveloffset=+1] - -include::modules/ossm-deploy-mod-mesh.adoc[leveloffset=+1] + From e59b68e1548d5ac7094b8e1acad063d414bd6894 Mon Sep 17 00:00:00 2001 From: Neal Timpe Date: Tue, 23 Feb 2021 10:05:45 -0500 Subject: [PATCH 13/13] remove v1 --- service_mesh/v1x/ossm-deploy-mod.adoc | 2 -- service_mesh/v2x/ossm-deploy-mod.adoc | 1 - 2 files changed, 3 deletions(-) diff --git a/service_mesh/v1x/ossm-deploy-mod.adoc b/service_mesh/v1x/ossm-deploy-mod.adoc index c50cd26645aa..f7134bb6ac02 100644 --- a/service_mesh/v1x/ossm-deploy-mod.adoc +++ b/service_mesh/v1x/ossm-deploy-mod.adoc @@ -6,5 +6,3 @@ include::modules/ossm-document-attributes.adoc[] {ProductName} supports independent control planes in a cluster. In a typical service mesh deployment, a control plane configures policies and routes traffic, while one or several data planes manage sidecars, which are intelligent proxies that intercept and control traffic. By creating a `ServiceMeshMemberRoll` resource, the control plane can set the policies for many data planes in different projects or namespaces. {ProductName} configures each member project to ensure network access between itself, the control plane, and other member projects. include::modules/ossm-deploy-mod-multi.adoc[leveloffset=+1] - -include::modules/ossm-deploy-mod-mesh.adoc[leveloffset=+1] 
diff --git a/service_mesh/v2x/ossm-deploy-mod.adoc b/service_mesh/v2x/ossm-deploy-mod.adoc index a3f25f83d8fa..5ba64748e5e4 100644 --- a/service_mesh/v2x/ossm-deploy-mod.adoc +++ b/service_mesh/v2x/ossm-deploy-mod.adoc @@ -6,4 +6,3 @@ include::modules/ossm-document-attributes.adoc[] {ProductName} supports independent control planes. In a typical service mesh deployment, a control plane configures policies and routes traffic, while one or several data planes manage sidecars, which are intelligent proxies that intercept and control traffic. By creating a `ServiceMeshMemberRoll` resource, the control plane can set the policies for many data planes in different projects or namespaces. {ProductName} configures each member project to ensure network access between itself, the control plane, and other member projects. include::modules/ossm-deploy-mod-multi.adoc[leveloffset=+1] -
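Review bot: In PATCH 09/13, modules/ossm-deploy-mod-clus.adoc, the "Cluster-wide resources" paragraph says `RequestAuthentication` and `PeerAuthentication` define "who can access a service or workflow" and can be deployed "to grant permissions", but in Istio these two resources only configure authentication (request JWT validation and peer mTLS mode). Allowing or denying access is done with `AuthorizationPolicy`, so a reader following this text could deploy only the authentication resources and assume access is restricted. Suggest rewording to say they define how requests and peers are authenticated and naming the authorization resource for permissions. In the same paragraph, "resource define" should be "resources define", and "workflow" probably means "workload". The paragraph is copied unchanged into ossm-deploy-mod-mesh.adoc in 10/13, so the same applies there.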
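Review bot: In PATCH 09/13, modules/ossm-deploy-mod-multi.adoc, the added paragraph and the example title call the resource `ServiceMeshMemberRole`, while the YAML directly below declares `kind: ServiceMeshMemberRoll` and the assemblies in this series also say `ServiceMeshMemberRoll`. A reader who copies the name from the prose will not find the resource, so use `ServiceMeshMemberRoll` in the sentence, the title and the following two sentences. The last sentence also repeats "can contain can contain", and "multitennant" does not match the module title "Multitenant". PATCH 10/13 rewrites this paragraph ("cluster" to "service mesh") but carries all three problems forward.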
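Review bot: In PATCH 10/13, the new modules/ossm-deploy-mod-mesh.adoc keeps the anchor `[id="ossm-deploy-mod-clus_{context}"]` from the file it replaces, so the ID no longer matches the module name or its "Mesh-wide deployment" title; rename it to match the file. The header comment lists the assemblies as `service_mesh/v1x/ossm-deploy-mod-v1x.adoc` and `service_mesh/v2x/ossm-deploy-mod-v2x.adoc`, but the files this series edits are `service_mesh/v1x/ossm-deploy-mod.adoc` and `service_mesh/v2x/ossm-deploy-mod.adoc`. The added line "Start by enabling the default peer authentication by configuring the data plane mTLS." gives no setting or cross-reference, so the reader cannot act on it, and "Your service mesh can include all of the namespaces in your mesh" is circular after the cluster-to-mesh rename.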
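Review bot: PATCH 12/13 deletes modules/ossm-deploy-mod-mesh.adoc but removes its `include::` only from service_mesh/v2x/ossm-deploy-mod.adoc; service_mesh/v1x/ossm-deploy-mod.adoc keeps `include::modules/ossm-deploy-mod-mesh.adoc[leveloffset=+1]` until 13/13, so at this commit the v1x assembly references a module that no longer exists. Move the v1x include removal into this patch so each commit builds on its own. The v2x hunk also replaces the blank line with an added line that shows no content, which 13/13 then deletes again; drop that line here instead of adding and removing it across two patches.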