fence

module
v0.0.0-...-f08dfda Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 10, 2024 License: Apache-2.0

README

Fence(中文

Fence is an open source project to automate the management of Istio custom resources Sidecar.

Backgroud

When there are too many services in the Service Mesh, the Envoy configuration is too large and new applications remain in Not Ready state for a long time. For this reason, Ops needs to manage the custom resource Sidecar and manually configure service dependencies for the application.

Fence has the ability to automatically fetch service dependencies and provide automatic management of the custom resource Sidecar.

Architecture

architecture

Performance Indicator

In a Kubenetes cluster with 250 pods, the XDS Response Bytes Max peaks at 450 kB/s and the Proxy Push Time peaks at 20s before Fence is enabled, and the XDS Response Bytes Max peaks at 27 kB/s and the Proxy Push Time peaks at 5s after Fence is enabled. In summary, enabling Fence to automatically manage Sidecar resources reduces the XDS Response Bytes Max peak by about 94% and the Proxy Push Time peak by about 75%.

Before Fence is enabled

xds requests size

After Fence is enabled

xds requests size

Install & Use

Use kubectl

kubectl create namespace fence
kubectl apply -f "https://raw.githubusercontent.com/hexiaodai/fence/0.1.0/deploy/fence.yaml"

Use helm

helm install fence --create-namespace -n fence oci://registry-1.docker.io/hejianmin/chart-fence --version 0.1.0

Fence has two ways to automate the management of custom resource Sidecars in a cluster:

Note: Fence does not manage Sidecar in the system namespace kube-system, istio-system.

  • Manage the entire cluster, this is the default behavior
kubectl -n fence set env deployment/fence AUTO_FENCE="true"
  • Specify a Namespace or Pod to manage
kubectl -n fence set env deployment/fence AUTO_FENCE="false"
# Namespace
kubectl label namespace ${namespace name} sidecar.fence.io=enabled
# Pod
kubectl label pods ${pod name} sidecar.fence.io=enabled
  • Specify a Namespace or Pod that does not need to be managed
# Namespace
kubectl label namespace ${namespace name} sidecar.fence.io=disable
# Pod
kubectl label pods ${pod name} sidecar.fence.io=disable

Directories

Path Synopsis
cmd
ctrl
proxy
internal
cache
cmd/ctrl
cmd/proxy
config
controller
healthz
istio
logging
metric
options
proxy
utils

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.