Configure WorkloadGroup and Sidecar
You will deploy the ratings application on an AWS EC2 instance
and onboard it into the service mesh.
Create a WorkloadGroup
Execute the following command to create a WorkloadGroup:
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadGroup
metadata:
  name: ratings
  namespace: bookinfo
  labels:
    app: ratings
spec:
  template:
    labels:
      app: ratings
      class: vm
      cloud: aws
    network: aws                      # (1)
    serviceAccount: bookinfo-ratings  # (2)
EOF
The field spec.template.network is set to a non-empty value to indicate
to the Istio control plane that the VM you will create later has no direct
connectivity to the Kubernetes Pods.
The field spec.template.serviceAccount declares that the workload has the
identity of the service account bookinfo-ratings within the Kubernetes cluster.
The service account bookinfo-ratings was created during the deployment of the Istio bookinfo example earlier.
Create the Sidecar Configuration
Execute the following command to create a new sidecar configuration:
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: bookinfo-ratings-no-iptables
  namespace: bookinfo
spec:
  workloadSelector:                  # (1)
    labels:
      app: ratings
      class: vm
  ingress:
  - defaultEndpoint: 127.0.0.1:9080  # (2)
    port:
      name: http
      number: 9080                   # (3)
      protocol: HTTP
  egress:
  - bind: 127.0.0.2                  # (4)
    port:
      name: http                     # REQUIRED
      number: 9080                   # (5)
      protocol: HTTP                 # REQUIRED
    hosts:
    - ./*                            # (6)
EOF
The above Sidecar configuration applies only to workloads that carry the
labels app=ratings and class=vm (1); the WorkloadGroup you created has these labels.
The Istio proxy will listen on <host IP>:9080 (3) and forward incoming
requests to the application listening on 127.0.0.1:9080 (2).
Finally, the proxy will listen on 127.0.0.2:9080 (4) (5) and proxy outgoing
requests from the application to other services (6) on port 9080 (5).
Allow Workloads to Join the WorkloadGroup
You will need to create an OnboardingPolicy
resource to explicitly authorize workloads deployed outside of Kubernetes to join the mesh.
First, obtain your AWS Account ID. If you do not know your AWS Account ID, see the AWS Account Docs for more details on how to find your ID.
If you already have the aws CLI set up, you can obtain it by
executing the following command:
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
Then create an OnboardingPolicy that allows any AWS EC2 instance in your
AWS account to join any WorkloadGroup in the bookinfo namespace
by executing the following command. Replace <AWS_ACCOUNT_ID> with your
account ID (for example, the value stored in AWS_ACCOUNT_ID above).
cat <<EOF | kubectl apply -f -
apiVersion: authorization.onboarding.tetrate.io/v1alpha1
kind: OnboardingPolicy
metadata:
  name: allow-aws-vms
  namespace: bookinfo            # (1)
spec:
  allow:
  - workloads:
    - aws:
        accounts:
        - <AWS_ACCOUNT_ID>       # (2)
        ec2: {}                  # (3)
    onboardTo:
    - workloadGroupSelector: {}  # (4)
EOF
The above policy applies to any AWS EC2 instance (3) owned by the account
specified in (2), and allows it to join any WorkloadGroup (4) in the
namespace bookinfo (1).
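The three manifests on this page only work together if the Sidecar's workloadSelector actually matches the labels the WorkloadGroup stamps on the VM, and if the OnboardingPolicy sits in the same namespace and names the right account. The following script is an added example, not part of the Tetrate or Istio documentation and not code from either project; it embeds the manifests as Python dicts mirroring the YAML above (with a constructed placeholder account ID) and checks those relationships before you apply anything. The check for a non-empty workloadGroupSelector assumes it carries a labels map compared against the WorkloadGroup's metadata labels; the empty selector on this page matches any WorkloadGroup, as the text states.

```python
# Added example (not from the Tetrate docs): cross-check that the WorkloadGroup,
# Sidecar and OnboardingPolicy agree before applying them.
# The manifests are Python dicts mirroring the YAML on the page; the account
# ID "123456789012" is a constructed placeholder, not a real account.

WORKLOAD_GROUP = {
    "kind": "WorkloadGroup",
    "metadata": {"name": "ratings", "namespace": "bookinfo",
                 "labels": {"app": "ratings"}},
    "spec": {"template": {
        "labels": {"app": "ratings", "class": "vm", "cloud": "aws"},
        "network": "aws",
        "serviceAccount": "bookinfo-ratings"}},
}

SIDECAR = {
    "kind": "Sidecar",
    "metadata": {"name": "bookinfo-ratings-no-iptables", "namespace": "bookinfo"},
    "spec": {
        "workloadSelector": {"labels": {"app": "ratings", "class": "vm"}},
        "ingress": [{"defaultEndpoint": "127.0.0.1:9080",
                     "port": {"name": "http", "number": 9080, "protocol": "HTTP"}}],
        "egress": [{"bind": "127.0.0.2",
                    "port": {"name": "http", "number": 9080, "protocol": "HTTP"},
                    "hosts": ["./*"]}],
    },
}

ONBOARDING_POLICY = {
    "kind": "OnboardingPolicy",
    "metadata": {"name": "allow-aws-vms", "namespace": "bookinfo"},
    "spec": {"allow": [{
        "workloads": [{"aws": {"accounts": ["123456789012"], "ec2": {}}}],
        "onboardTo": [{"workloadGroupSelector": {}}],
    }]},
}


def labels_match(selector, labels):
    """True when every selector label is present with the same value.
    An empty selector therefore matches everything."""
    return all(labels.get(k) == v for k, v in selector.items())


def sidecar_selects(sidecar, wg):
    """Does the Sidecar's workloadSelector pick up workloads created from wg?
    A Sidecar is scoped to its own namespace, so namespaces must match too."""
    if sidecar["metadata"]["namespace"] != wg["metadata"]["namespace"]:
        return False
    selector = sidecar["spec"]["workloadSelector"]["labels"]
    return labels_match(selector, wg["spec"]["template"]["labels"])


def sidecar_listeners_consistent(sidecar):
    """Check the listener layout the page describes: every egress port has the
    REQUIRED name and protocol, and no egress bind address collides with an
    ingress defaultEndpoint on the same port (127.0.0.2 vs 127.0.0.1 here)."""
    spec = sidecar["spec"]
    endpoints = set()
    for ing in spec.get("ingress", []):
        host, _, port = ing["defaultEndpoint"].rpartition(":")
        endpoints.add((host, int(port)))
    for eg in spec.get("egress", []):
        port = eg["port"]
        if not port.get("name") or not port.get("protocol"):
            return False
        if (eg.get("bind"), port["number"]) in endpoints:
            return False
    return True


def policy_admits(policy, account_id, wg):
    """Would this OnboardingPolicy let an EC2 instance from account_id join wg?
    Assumption: a non-empty workloadGroupSelector carries a 'labels' map that
    is matched against the WorkloadGroup's metadata labels."""
    if policy["metadata"]["namespace"] != wg["metadata"]["namespace"]:
        return False
    for rule in policy["spec"]["allow"]:
        account_ok = any(
            account_id in w.get("aws", {}).get("accounts", [])
            and "ec2" in w.get("aws", {})
            for w in rule["workloads"])
        target_ok = any(
            labels_match(t.get("workloadGroupSelector", {}).get("labels", {}),
                         wg["metadata"]["labels"])
            for t in rule["onboardTo"])
        if account_ok and target_ok:
            return True
    return False


def check_all(account_id="123456789012"):
    """Run every check and report which ones hold."""
    return {
        "sidecar_selects_workloadgroup": sidecar_selects(SIDECAR, WORKLOAD_GROUP),
        "sidecar_listeners_consistent": sidecar_listeners_consistent(SIDECAR),
        "policy_admits_account": policy_admits(ONBOARDING_POLICY, account_id, WORKLOAD_GROUP),
    }


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Run it as-is to see all three checks pass; change class: vm to another value in either manifest, or move the policy to a different namespace, and the corresponding check fails, which is exactly the mistake that otherwise surfaces only as a VM that never receives its proxy configuration or is refused onboarding.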