C Integrating Aspen with CNC Policy

Perform the following steps to integrate Aspen service mesh with CNC Policy:

  1. To allow pods in the PCF namespace pcfaspen to use the privileged pod security policy, create a YAML file (pcf.priv.yaml) containing the following RoleBinding, which grants the psp:privileged ClusterRole to all service accounts in the namespace:
    # permit access to all service accounts in the namespace.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: "psp:pcfaspen:cs-restricted"
      namespace: "pcfaspen"
    roleRef:
      kind: ClusterRole
      apiGroup: rbac.authorization.k8s.io
      name: "psp:privileged"
    subjects:
    - kind: Group
      apiGroup: rbac.authorization.k8s.io
      name: "system:serviceaccounts"

    Note:

    The file is applied in step 5, after the namespace exists. Because the binding is created in pcfaspen, it only affects pods admitted into that namespace, but every such pod may then run with the privileged policy; do not bind psp:privileged more widely than this. To restrict the grant to the namespace's own service accounts rather than the cluster-wide system:serviceaccounts group, use the group name system:serviceaccounts:pcfaspen instead.
  2. Add DestinationRules for the mysql, prometheus and nf1stub services so that, once the pcfaspen namespace is enabled for Istio injection, the PCF sidecars do not attempt mTLS toward these services, which are outside the mesh. To do so, create a YAML file (aspendestinationrule.yaml) using the following sample code:
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: mysql-mysql
      namespace: pcfaspen
    spec:
      host: "mysql.mysql.mysqlaspen.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: DISABLE
    
    ---
    
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: prometheus
      namespace: pcfaspen
    spec:
      host: "prometheus-server.infra.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: DISABLE
    
    ---
    
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: nf1stub
      namespace: pcfaspen
    spec:
      host: "nf1stub.ocats.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: DISABLE

    Apply the configuration in the aspendestinationrule.yaml file by entering the following command:

    kubectl apply -f aspendestinationrule.yaml

    Note:

    The DestinationRules are namespaced to pcfaspen, so that namespace must already exist (see step 3) when you apply them. You may omit these destination rules if you are deploying Aspen without mTLS.

    Then, run the following command on every MySQL node to clear the MySQL host cache, including the count of failed connection attempts recorded per host:

    mysqladmin -h 127.0.0.1 -u "<username>" -p flush-hosts

    mysqladmin prompts for the password. Do not give the password as a separate argument after -p (mysqladmin would treat it as a command rather than the password), and avoid attaching it to -p, which leaves it in the shell history.
  3. Create namespace pcfaspen by running the following command:
    kubectl create ns pcfaspen
    kubectl label --overwrite namespace pcfaspen istio-injection=enabled
  4. Create the secrets for the privileged and application database users by running the following commands:
    kubectl create -f priv-secret.yaml -n pcfaspen
    kubectl create -f secret.yaml -n pcfaspen
  5. Apply the RoleBinding from step 1, which grants the privileged pod security policy to the namespace created in step 3:
    kubectl create -f pcf.priv.yaml -n pcfaspen

    Note:

    PodSecurityPolicy was removed from Kubernetes in v1.25. On such clusters this step does not apply, and the equivalent privilege must be granted through Pod Security Admission or the cluster's own admission controller.
  6. Then, perform steps 2-4 under Installation Tasks to install CNC Policy package.
  7. Set the initContainerEnable flag to false in the custom value file of occnp:
    global:
      initContainerEnable: false

    See Customizing Cloud Native Core Policy for detailed instructions on how to customize the custom value file of occnp.

  8. Run the following helm command:
    helm3 install pcfaspen occnp/ -n pcfaspen -f occnp-1.7.3-custom-values-occnp.yaml
  9. Add an authentication policy so that cm-service (the config management service) accepts both mTLS-encrypted and clear-text traffic. To do so, create a YAML file (aspenpolicy.yaml) using the following sample code:
    apiVersion: "authentication.istio.io/v1alpha1"
    kind: Policy
    metadata:
      name: cmservice
      namespace: pcfaspen
    spec:
      targets:
      - name: pcfaspen-occnp-config-mgmt
      peers:
      - mtls:
          mode: PERMISSIVE

    Apply the configuration in the aspenpolicy.yaml file by entering the following command:

    kubectl apply -f aspenpolicy.yaml

    Note:

    PERMISSIVE mode accepts clear-text connections to the config management service as well as mTLS ones, so keep the policy scoped to this one target. The authentication.istio.io/v1alpha1 Policy API has been removed from current Istio releases; there, the same setting is expressed as a PeerAuthentication resource (security.istio.io/v1beta1) with mtls.mode set to PERMISSIVE.
  10. Add a service entry for the stub service so that it is reached by hostname rather than by its pod IP directly. To do so, create a YAML file (AspenServiceEntry.yaml) using the following sample code; the address shown is a sample and must be replaced with the address of your stub service:
    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: ats-stubaccess
      namespace: ocats
    spec:
      addresses:
      - 10.233.67.12
      hosts:
      - nf1stub.ocats.svc.cluster.local
      location: MESH_EXTERNAL
      ports:
      - name: http
        number: 8080
        protocol: HTTP
      resolution: NONE

    Apply the configuration in AspenServiceEntry.yaml file by entering following command:

    kubectl apply -f AspenServiceEntry.yaml

Verify Aspen service mesh

After successfully installing Aspen mesh, make sure to verify:
  • All pods contain the sidecar proxy container (named istio-proxy in an Istio-based mesh). Run the following command and check that the sidecar is listed under Containers:
    kubectl describe pod <pod-name> -n <namespace>

    Note:

    Perform this step for all pods.
  • Internal traffic flows between the PCF services in the PCF namespace.

    Note:

    To perform this step, you must sign in to Aspen user interface.
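Checking every pod with kubectl describe by hand does not scale. The following script is an added example, not part of the CNC Policy documentation or the Aspen product: it lists the containers of every pod in a namespace with one kubectl call and reports the pods that were not injected. The sidecar container name istio-proxy is the Istio default and is an assumption; override SIDECAR if your mesh uses a different name. The pod names used in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: verify that every pod in the PCF namespace carries the
# service-mesh sidecar. Not part of the CNC Policy or Aspen documentation.
# SIDECAR is assumed to be "istio-proxy" (the Istio default).

SIDECAR="${SIDECAR:-istio-proxy}"

# Print one line per pod: "<pod-name> <container-name> <container-name> ...".
# Requires cluster access; the output format is what pods_missing_sidecar reads.
list_pod_containers() {
  kubectl get pods -n "$1" \
    -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[*].name}{"\n"}{end}'
}

# Read "<pod> <containers...>" lines on stdin and print the names of pods that
# have no container called $SIDECAR. Returns 0 when every pod is injected,
# 1 when at least one pod is missing the sidecar.
pods_missing_sidecar() {
  missing=0
  while read -r pod containers; do
    [ -n "$pod" ] || continue
    found=0
    for c in $containers; do
      [ "$c" = "$SIDECAR" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
      echo "$pod"
      missing=1
    fi
  done
  return $missing
}

# Combine the two: report the result for a whole namespace.
check_namespace() {
  ns="$1"
  if list_pod_containers "$ns" | pods_missing_sidecar; then
    echo "all pods in $ns have the $SIDECAR sidecar"
  else
    echo "the pods listed above were not injected; check the istio-injection label on $ns and restart them" >&2
    return 1
  fi
}

# Usage against a live cluster:   check_namespace pcfaspen
# Offline, with constructed input (pod names are made up):
#   printf 'pcfaspen-occnp-config-mgmt-7d9 config-mgmt istio-proxy\npcfaspen-occnp-pre-5c4 pre\n' | pods_missing_sidecar
```

A pod that was created before the namespace label was set, or whose pod template carries the sidecar.istio.io/inject: "false" annotation, shows up in the list even though injection is enabled for the namespace; restarting it is the fix in the first case, the annotation in the second.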

Disabling Aspen service mesh

To disable Aspen service mesh, perform the following steps:
  1. Clear the istio-injection label on the PCF namespace (keep the label with an empty value, or remove it outright with istio-injection-) so that newly created pods are no longer injected:
    kubectl label --overwrite namespace <pcf-namespace> istio-injection=
  2. Restart all PCF pods. The new pods will contain only the service containers:
    kubectl delete pods --all -n <pcf-namespace>

    Note:

    Deleting every pod at once interrupts service until the pods are rescheduled. Where an outage is not acceptable, restart the workloads one at a time instead (for example, kubectl rollout restart deployment <name> -n <pcf-namespace>).