To associate a project that contains your application with a Maistra Control Plane, two methods are supported:
- Specify the project in a ServiceMeshMemberRoll object.
- Add a ServiceMeshMember object to the project.
The ServiceMeshMemberRoll resource configures which projects belong to a control plane.
Only projects listed in the ServiceMeshMemberRoll will be affected by the control plane.
Any number of projects can be added, but a project may not exist in more than one control plane.
This resource must be created in the same project as the ServiceMeshControlPlane resource
and must be named default. An example resource can be seen below:
```yaml
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
spec:
  members:
  # a list of projects that should be joined into the service mesh
  # for example, to add the bookinfo project
  - bookinfo
```
In some configurations, routes to pods stop working after a project is added to a control plane. See the network policy troubleshooting guide to resolve this.
When the ServiceMeshMember is created, it causes the project to be added to
the ServiceMeshMemberRoll within the control plane project it references.
An example resource can be seen below:
```yaml
apiVersion: maistra.io/v1
kind: ServiceMeshMember
metadata:
  name: default
spec:
  controlPlaneRef:
    # the project that contains the ServiceMeshControlPlane
    namespace: control-plane-namespace
    # placeholder: the name of the ServiceMeshControlPlane resource
    name: <control-plane-name>
```
Unlike the ServiceMeshMemberRoll resource, which is created by the service mesh
administrator, ServiceMeshMember resources are created by service mesh users.
While project administrators are automatically given permission to create the
ServiceMeshMember resource in their project, they are not allowed to point it
to any ServiceMeshControlPlane until the service mesh administrator explicitly
grants access to the service mesh using RBAC. This is done by modifying the
mesh-users RoleBinding in the control plane project to specify the users and
groups which should be granted access.
The mesh-users RoleBinding is created by the Maistra operator after the administrator
creates the ServiceMeshControlPlane resource, but the administrator can also
create it beforehand (for example, in the same oc apply operation as the
ServiceMeshControlPlane resource).
An example of the RoleBinding is shown below:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: control-plane-namespace
  name: mesh-users
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mesh-user
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: alice
```
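The membership rules above (a member roll named default, a project in at most one control plane) and the mesh-users grant can be reviewed offline over exported manifests. The following Python check is an added example, not part of the Maistra documentation; the `audit` and `smmr` helpers, the `other-control-plane` project and the choice of which groups count as too broad are assumptions, and the sample objects are constructed.

```python
"""Audit mesh membership objects against the rules stated on this page."""
from collections import defaultdict

# Assumption: binding these built-in groups to mesh-users is considered too broad.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

def audit(resources):
    """Return sorted findings for ServiceMeshMemberRoll and mesh-users objects."""
    findings = []
    owners = defaultdict(set)  # member project -> control plane projects listing it
    for r in resources:
        meta = r.get("metadata") or {}
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        if r.get("kind") == "ServiceMeshMemberRoll":
            if name != "default":
                findings.append(f"{ns}/{name}: member roll must be named 'default'")
            for project in (r.get("spec") or {}).get("members") or []:
                owners[project].add(ns)
        elif r.get("kind") == "RoleBinding" and name == "mesh-users":
            for s in r.get("subjects") or []:
                if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS:
                    findings.append(f"{ns}/mesh-users: broad group '{s['name']}' is granted mesh access")
    for project, planes in owners.items():
        if len(planes) > 1:
            findings.append(f"{project}: listed by more than one control plane: "
                            + ", ".join(sorted(planes)))
    return sorted(findings)

def smmr(ns, name, members):
    """Hypothetical helper: build a minimal ServiceMeshMemberRoll object."""
    return {"kind": "ServiceMeshMemberRoll",
            "metadata": {"namespace": ns, "name": name}, "spec": {"members": members}}

# Constructed sample objects (not taken from a real cluster).
SAMPLE = [
    smmr("control-plane-namespace", "default", ["bookinfo"]),
    smmr("other-control-plane", "members", ["bookinfo", "shop"]),
    {"kind": "RoleBinding",
     "metadata": {"namespace": "control-plane-namespace", "name": "mesh-users"},
     "roleRef": {"kind": "Role", "name": "mesh-user"},
     "subjects": [{"kind": "User", "name": "alice"},
                  {"kind": "Group", "name": "system:authenticated"}]},
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

The same function can be fed the `items` list from JSON exports of the member rolls and the mesh-users RoleBinding.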