multicluster traffic management (#10486)

* multicluster traffic management * restructure * locality section * restructure #2 * remove locality * top level headers * touchup * s/subsettings/subset/ * blanks * Update content/en/docs/ops/configuration/traffic-management/multicluster/index.md Co-authored-by: Frank Budinsky <frankb@ca.ibm.com> * Update content/en/docs/ops/configuration/traffic-management/multicluster/index.md Co-authored-by: Frank Budinsky <frankb@ca.ibm.com> * Update content/en/docs/ops/configuration/traffic-management/multicluster/index.md Co-authored-by: Frank Budinsky <frankb@ca.ibm.com> * Update content/en/docs/ops/configuration/traffic-management/multicluster/index.md Co-authored-by: Frank Budinsky <frankb@ca.ibm.com> Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
2022-01-11 09:06:28 -06:00 · 2022-01-11 09:06:28 -06:00 · 337c78b076
parent 6b4cbe9160
commit 337c78b076
5 changed files with 142 additions and 0 deletions
--- a/.spelling
+++ b/.spelling
@ -579,6 +579,7 @@ mysql
 mysqldb
 Nambiar
 namespace
+namespaced
 namespaces
 Naser
 natively
--- a/content/en/docs/ops/configuration/traffic-management/multicluster/index.md
+++ b/content/en/docs/ops/configuration/traffic-management/multicluster/index.md
@ -0,0 +1,124 @@
+---
+title: Multi-cluster Traffic Management
+description: How to configure how traffic is distributed among clusters in the mesh.
+weight: 70
+keywords: [traffic-management,multicluster]
+owner: istio/wg-networking-maintainers
+test: no
+---
+
+Within a multicluster mesh, traffic rules specific to the cluster topology may be desirable. This document describes
+a few ways to manage traffic in a multicluster mesh. Before reading this guide:
+
+1. Read [Deployment Models](/docs/ops/deployment/deployment-models/#multiple-clusters)
+1. Make sure your deployed services follow the concept of {{< gloss "namespace sameness" >}}namespace sameness{{< /gloss >}}.
+
+## Keeping traffic in-cluster
+
+In some cases the default cross-cluster load balancing behavior is not desirable. To keep traffic "cluster-local" (i.e.
+traffic sent from `cluster-a` will only reach destinations in `cluster-a`), mark hostnames or wildcards as `clusterLocal`
+using [`MeshConfig.serviceSettings`](/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ServiceSettings-Settings).
+
+For example, you can enforce cluster-local traffic for an individual service, all services in a particular namespace, or globally for all services in the mesh, as follows:
+
+{{< tabset category-name="meshconfig" >}}
+
+{{< tab name="per-service" category-value="service" >}}
+
+{{< text yaml >}}
+serviceSettings:
+- settings:
+    clusterLocal: true
+  hosts:
+  - "mysvc.myns.svc.cluster.local"
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< tab name="per-namespace" category-value="namespace" >}}
+
+{{< text yaml >}}
+serviceSettings:
+- settings:
+    clusterLocal: true
+  hosts:
+  - "*.myns.svc.cluster.local"
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< tab name="global" category-value="global" >}}
+
+{{< text yaml >}}
+serviceSettings:
+- settings:
+    clusterLocal: true
+  hosts:
+  - "*"
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}
+
+## Partitioning Services {#partitioning-services}
+
+[`DestinationRule.subsets`](/docs/reference/config/networking/destination-rule/#Subset) allows partitioning a service
+by selecting labels. These labels can be the labels from Kubernetes metadata, or from [built-in labels](/docs/reference/config/labels/).
+One of these built-in labels, `topology.istio.io/cluster`, in the subset selector for a `DestinationRule` allows
+creating per-cluster subsets.
+
+{{< text yaml >}}
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: mysvc-per-cluster-dr
+spec:
+  host: mysvc.myns.svc.cluster.local
+  subsets:
+  - name: cluster-1
+    labels:
+      topology.istio.io/cluster: cluster-1
+  - name: cluster-2
+    labels:
+      topology.istio.io/cluster: cluster-2
+{{< /text >}}
+
+Using these subsets you can create various routing rules based on the cluster such as [mirroring](/docs/tasks/traffic-management/mirroring/)
+or [shifting](/docs/tasks/traffic-management/traffic-shifting/).
+
+This provides another option to create cluster-local traffic rules by restricting the destination subset in a `VirtualService`:
+
+{{< text yaml >}}
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: mysvc-cluster-local-vs
+spec:
+  hosts:
+  - mysvc.myns.svc.cluster.local
+  http:
+  - name: "cluster-1-local"
+    match:
+    - sourceLabels:
+        topology.istio.io/cluster: "cluster-1"
+    route:
+    - destination:
+        host: mysvc.myns.svc.cluster.local
+        subset: cluster-1
+  - name: "cluster-2-local"
+    match:
+    - sourceLabels:
+        topology.istio.io/cluster: "cluster-2"
+    route:
+    - destination:
+        host: mysvc.myns.svc.cluster.local
+        subset: cluster-2
+{{< /text >}}
+
+Using subset-based routing this way to control cluster-local traffic, as opposed to
+[`MeshConfig.serviceSettings`](/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ServiceSettings-Settings),
+has the downside of mixing service-level policy with topology-level policy.
+For example, a rule that sends 10% of traffic to `v2` of a service will need twice the
+number of subsets (e.g., `cluster-1-v2`, `cluster-2-v2`).
+This approach is best limited to situations where more granular control of cluster-based routing is needed.
--- a/content/en/docs/ops/deployment/deployment-models/index.md
+++ b/content/en/docs/ops/deployment/deployment-models/index.md
@ -120,6 +120,11 @@ You can configure inter-cluster communication based on the
 example, if two clusters reside on the same underlying network, you can enable
 cross-cluster communication by simply configuring firewall rules.

+Within a multicluster mesh, all services are shared by default, according to the
+concept of {{< gloss "namespace sameness" >}}namespace sameness{{< /gloss >}}.
+[Traffic management rules](/docs/ops/configuration/traffic-management/multicluster)
+provide fine-grained control over the behavior of multicluster traffic.
+
 ### DNS with multiple clusters

 When a client application makes a request to some host, it must first perform a
--- a/content/en/docs/reference/glossary/namespace-sameness.md
+++ b/content/en/docs/reference/glossary/namespace-sameness.md
@ -0,0 +1,9 @@
+---
+title: Namespace Sameness
+test: n/a
+---
+
+Within a multicluster mesh, [namespace sameness](https://github.com/kubernetes/community/blob/master/sig-multicluster/namespace-sameness-position-statement.md)
+applies and all namespaces with a given name are considered to be the same namespace. If multiple clusters contain a
+`Service` with the same namespaced name, they will be recognized as a single combined service. By default, traffic is
+load-balanced across all clusters in the mesh for a given service.
--- a/content/en/docs/releases/bugs/index.md
+++ b/content/en/docs/releases/bugs/index.md
@ -38,6 +38,9 @@ all of the relevant state from your Kubernetes cluster:

 Then attach the produced `bug-report.tgz` with your reported problem.

+If your mesh spans multiple clusters, run `istioctl bug-report` against each cluster, specifying the `--context`
+or `--kubeconfig` flags.
+
 {{< tip >}}
 The `istioctl bug-report` command is only available with `istioctl` version `1.8.0` and higher but it can be used to also collect the information from an older Istio version installed in your cluster.
 {{< /tip >}}