Install the required OCI policies for Service Mesh.
Create Dynamic Group for Worker Nodes
The Service Mesh processes use the Instance Principals of the worker nodes in your
cluster to invoke OCI APIs. To create policies later, define a dynamic group
consisting of those instances. Assume you created your cluster in
<your-cluster-compartment>.
From the console, go to Identity & Security. Under Identity, select Dynamic Groups.
Click Create Dynamic Group.
Name your dynamic group: <your-dynamic-group>.
You have two options for the matching rule.
Either create your dynamic group using a compartment:
ANY {instance.compartment.id = '<your-cluster-compartment-id>'}
Or create the dynamic group with the specific instance IDs of the cluster node pools:
ANY {instance.id = 'ocid1.instance.oc1.iad..aaa...'}
To save your group, click Create.
Note
Unless external policies pin them, the Service Mesh processes can run on any node
in the node pool. Instead of creating a dynamic group with a rule for every node
that runs a Service Mesh process, we recommend matching on the compartment ID, which
requires only one rule.
The Service Mesh service natively uses the Certificates Service to manage
certificates. The Certificates Service needs permissions to use the key and vault
services. Define a dynamic group consisting of the certificate-related
resources.
From the console, go to Identity & Security. Under Identity, select Dynamic Groups.
Click Create Dynamic Group.
Name your dynamic group: <your-certs-dynamic-group>.
Enter your rule:
ANY {resource.type='certificateauthority', resource.type='certificate'}
To save your group, click Create.
Create Policies for Certificates Service
Give permissions to the Certificates Service to use your keys and vault. Assume you
created your key and vault in <your-vault-compartment>.
From the console, go to Identity & Security. Under Identity, select Policies.
Click Create Policy.
Name your policy: <your-certificate-policy-name>.
Ensure that your compartment is selected.
Enter the following policies into the Policy Builder.
Allow dynamic-group <your-certs-dynamic-group> to use keys in compartment <your-vault-compartment>
Allow dynamic-group <your-certs-dynamic-group> to manage objects in compartment <your-vault-compartment>
The permissions required for the Service Mesh processes depend on how you manage your
mesh. If you are a native Kubernetes user, we recommend managing Service Mesh
with kubectl. If you prefer to manage Service Mesh resources through the
OCI APIs (OCI Console, CLI, SDK, or Terraform Provider), follow the policies for managing Service Mesh with OCI APIs.
Policies when Managing Service Mesh with kubectl
Install the required OCI policies for Service Mesh when managing with kubectl.
Policy Overview for Mesh Kubernetes Operator and Mesh Proxies
The Service Mesh Kubernetes operator creates Service Mesh resources when custom
resources are created in your cluster. The Kubernetes operator needs permissions to
manage Service Mesh resources. The Kubernetes operator uses the instance principals of
the worker nodes to authenticate and authorize with the Service Mesh control plane.
To enable secure communication, Service Mesh also creates certificates on your behalf from the certificate
authority you provide. The Service Mesh proxies need
permissions to connect to the Service Mesh backend, and these policies grant them. Refer to the Application Security section for more
information.
Note
The steps described in this section use a four-compartment approach (cluster, vault, certificate, and mesh compartments) to setting up Service Mesh. If you want a simpler setup, you can set up everything in a single <service-mesh-compartment>.
Create Policies for Service Mesh Kubernetes Operator and Mesh Proxies
Assume that your certificate authority is created in
<your-certificate-compartment>. Using <your-dynamic-group>, create the
policies that grant it the access to <your-mesh-compartment> and
<your-certificate-compartment> that Service Mesh requires.
From the console, go to Identity & Security. Under Identity, select Policies.
Click Create Policy.
Name your policy: <your-mesh-proxies-policy-name>.
Ensure that your compartment is selected.
Enter the following policies into the Policy Builder to
enable Service Mesh access for the Mesh Kubernetes Operator and Mesh Proxies.
Allow dynamic-group <your-dynamic-group> to manage service-mesh-family in compartment <your-mesh-compartment>
To enable the Certificates access for the Service Mesh Kubernetes operator,
enter the following policies into the Policy Builder.
Allow dynamic-group <your-dynamic-group> to read certificate-authority-family in compartment <your-certificate-compartment>
Allow dynamic-group <your-dynamic-group> to use certificate-authority-delegates in compartment <your-certificate-compartment>
Allow dynamic-group <your-dynamic-group> to manage leaf-certificate-family in compartment <your-certificate-compartment>
Allow dynamic-group <your-dynamic-group> to manage certificate-authority-associations in compartment <your-certificate-compartment>
Allow dynamic-group <your-dynamic-group> to manage certificate-associations in compartment <your-certificate-compartment>
Allow dynamic-group <your-dynamic-group> to manage cabundle-associations in compartment <your-certificate-compartment>
To save your policy, click Create.
Policies when Managing Service Mesh with OCI APIs
Install the required OCI policies for Service Mesh when managing with OCI
APIs.
Create your Mesh Operators Group
The Mesh Operators group provides permissions for managing Service Mesh and
Certificates. Create a <your-mesh-operators> group and add users
into the group.
From the console, go to Identity & Security. Under Identity, select Groups.
Click Create Group.
Name your group: <your-mesh-operators>.
To save your group, click Create.
The detail page for your group is displayed. Add users to your group on this
page.
Create Policies for Mesh Operators
To enable secure communication, Service Mesh creates certificates on your behalf from
the certificate authority. Refer to Application Security for more
information. The certificates and their associations are created in the compartment of the
certificate authority, so the Mesh Operators need permissions to manage both Service Mesh
and Certificates resources.
To do that, create the following policy. Assume that the certificate authority is
created in <your-certificate-compartment> and mesh resources in
<your-mesh-compartment>.
From the console, go to Identity & Security. Under Identity, select Policies.
Click Create Policy.
Name your policy: <your-mesh-operator-policy-name>.
Ensure that your compartment is selected.
Enter the following policies into the Policy Builder.
Allow group <your-mesh-operators> to manage service-mesh-family in compartment <your-mesh-compartment>
Allow group <your-mesh-operators> to read certificate-authority-family in compartment <your-certificate-compartment>
Allow group <your-mesh-operators> to use certificate-authority-delegates in compartment <your-certificate-compartment>
Allow group <your-mesh-operators> to manage leaf-certificate-family in compartment <your-certificate-compartment>
Allow group <your-mesh-operators> to manage certificate-authority-associations in compartment <your-certificate-compartment>
Allow group <your-mesh-operators> to manage certificate-associations in compartment <your-certificate-compartment>
Allow group <your-mesh-operators> to manage cabundle-associations in compartment <your-certificate-compartment>
To save your policy, click Create.
Create Policies for Service Mesh Kubernetes Operator and Mesh Proxies
The Service Mesh Kubernetes operator reads the Service Mesh resources from the
control plane. The Mesh Proxies connect to the Service Mesh backend to fetch
configuration such as traffic routing and security settings. Furthermore, the mesh proxies need
to read certificates, CA bundles, and certificate authorities to enable secure
communication.
To do that, create the following policy. Assume that the certificate authority is
created in <your-certificate-compartment> and mesh resources in
<your-mesh-compartment>.
From the console, go to Identity & Security. Under Identity, select Policies.
Click Create Policy.
Name your policy: <your-mesh-processes-policy-name>.
Ensure that your compartment is selected.
Enter the following policies into the Policy Builder to enable Service Mesh
access for the Mesh Kubernetes operator and the Mesh
Proxies.
Allow dynamic-group <your-dynamic-group> to read service-mesh-family in compartment <your-mesh-compartment>
To enable the Certificates access for the Mesh Proxies, enter the following
policies into the Policy Builder.
Allow dynamic-group <your-dynamic-group> to read certificate-authority-family in compartment <your-certificate-compartment>
Allow dynamic-group <your-dynamic-group> to read leaf-certificate-family in compartment <your-certificate-compartment>
To save your policy, click Create.
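As an added example (not Oracle's own code), the following Python composes the policy statements listed above for both management modes, kubectl and OCI APIs, and flags anything granted to the worker-node dynamic group beyond the read-only access the OCI-API mode requires. Group and compartment names are the placeholders used in this guide, supplied by the caller.

```python
# Added example, not Oracle's code. Composes the IAM policy statements this guide
# lists per Service Mesh management mode and checks the worker-node dynamic group
# is not granted more than that mode requires. All names are caller-supplied.

# Certificates-service grants the guide gives to whichever principal *creates*
# mesh certificates: the operator (kubectl mode) or Mesh Operators (API mode).
CERT_CREATOR_GRANTS = [
    ("read", "certificate-authority-family"),
    ("use", "certificate-authority-delegates"),
    ("manage", "leaf-certificate-family"),
    ("manage", "certificate-authority-associations"),
    ("manage", "certificate-associations"),
    ("manage", "cabundle-associations"),
]

def statement(subject_type, subject, verb, resource, compartment):
    """One OCI IAM policy statement in the form the Policy Builder accepts."""
    return f"Allow {subject_type} {subject} to {verb} {resource} in compartment {compartment}"

def worker_node_statements(mode, dynamic_group, mesh_compartment, cert_compartment):
    """Grants for the worker-node dynamic group (operator and mesh proxies).
    kubectl mode: the operator creates mesh resources and certificates, so it
    needs manage on service-mesh-family plus the certificate-creator grants.
    api mode: nodes only read mesh config and certificates; humans create them."""
    if mode == "kubectl":
        grants = [("manage", "service-mesh-family", mesh_compartment)]
        grants += [(v, r, cert_compartment) for v, r in CERT_CREATOR_GRANTS]
    elif mode == "api":
        grants = [("read", "service-mesh-family", mesh_compartment),
                  ("read", "certificate-authority-family", cert_compartment),
                  ("read", "leaf-certificate-family", cert_compartment)]
    else:
        raise ValueError(f"unknown management mode: {mode}")
    return [statement("dynamic-group", dynamic_group, v, r, c) for v, r, c in grants]

def mesh_operator_statements(group, mesh_compartment, cert_compartment):
    """Grants for the human Mesh Operators group (API mode only)."""
    grants = [("manage", "service-mesh-family", mesh_compartment)]
    grants += [(v, r, cert_compartment) for v, r in CERT_CREATOR_GRANTS]
    return [statement("group", group, v, r, c) for v, r, c in grants]

def over_privileged(mode, statements):
    """Return dynamic-group statements stronger than the mode needs.
    In api mode nothing beyond 'read' is required on the worker nodes."""
    if mode != "api":
        return []
    return [s for s in statements
            if s.startswith("Allow dynamic-group") and " to read " not in s]
```

Run over_privileged("api", ...) against the statements you intend to paste into the Policy Builder when nodes are not meant to create mesh resources; any hit is a verb to downgrade.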
Create Policies for Observability
Install the required OCI policies for Service Mesh observability.
Policies for Observability Overview
Service Mesh offers observability features such as visibility into access
logs. These logs are produced in <your-cluster-compartment> and
are published to OCI Logging using the following policies. Once the logs are in
OCI Logging, Mesh Operators can use its features to perform operations such as
aggregation and search.
Create Policies for Observability
To enable the logging agent to publish logs to OCI Logging, create the following
policy.
From the console, go to Identity & Security. Under Identity, select Policies.
Click Create Policy.
Name your policy: <your-mesh-observe-policy-name>.
Ensure that your compartment is selected.
Enter the following policies into the Policy Builder.
Allow dynamic-group <your-dynamic-group> to use metrics in compartment <your-cluster-compartment>
Allow dynamic-group <your-dynamic-group> to use log-content in compartment <your-cluster-compartment>