我的书签
添加书签
移除书签Multi-cluster Federated Services
Linkerd’s multicluster extension can create federated services which act as a union of multiple services in different clusters with the same name and namespace. By sending traffic to the federated service, that traffic will be load balanced among all endpoints of that service in all linked clusters. This allows the client to be cluster agnostic, balance traffic across multiple clusters, and be resiliant to the failure of any individual cluster.
Federated services send traffic directly to the pods of the member services rather than through a gateway. Therefore, federated services have the same requirements as pod-to-pod multicluster services:
- The clusters must be on a flat network. In other words, pods from one cluster must be able to address and connect to pods in the other cluster.
- The clusters must have the same trust root.
- Any clients connecting to the federated service must be meshed.
This guide will walk you through creating a federated service to load balance traffic to a service which exists in multiple clusters. A federated service can include services from any number of clusters, but in this guide we’ll create a federated service for a service that spans 3 clusters.
Prerequisites
- Three clusters. We will refer to them as
west,east, andnorthin this guide. - The clusters must be on a flat network. In other words, pods from one cluster must be able to address and connect to pods in the other cluster.
- Each of these clusters should be configured as
kubectlcontexts. We’d recommend you use the nameswest,east, andnorthso that you can follow along with this guide. It is easy to rename contexts withkubectl, so don’t feel like you need to keep them all named this way forever.
Step 1: Installing Linkerd and Linkerd-Viz
First, install Linkerd and Linkerd-Viz into all three clusters, as described in the multicluster guide. Make sure to take care that all clusters share a common trust anchor.
Step 2: Installing Linkerd-Multicluster
We will install the multicluster extension into all three clusters. We can install without the gateway because federated services use direct pod-to-pod communication.
> linkerd --context west multicluster install --gateway=false | kubectl --context west apply -f -> linkerd --context west check> linkerd --context east multicluster install --gateway=false | kubectl --context east apply -f -> linkerd --context east check> linkerd --context north multicluster install --gateway=false | kubectl --context north apply -f -> linkerd --context north check
Step 3: Linking the Clusters
We use the linkerd multicluster link command to link the east and north cluster to the west cluster. This is exactly the same as in the regular Multicluster guide except that we pass the --gateway=false flag to create a Link which doesn’t require a gateway.
> linkerd --context east multicluster link --cluster-name=east --gateway=false | kubectl --context west apply -f -> linkerd --context north multicluster link --cluster-name=north --gateway=false | kubectl --context west apply -f -> linkerd --context west check
Step 4: Deploy a Service
For our guide, we’ll deploy the bb service, which is a simple server that just returns a static response. We deploy it into all three clusters but configure each one with a different response string so that we can tell the responses apart:
> cat <<EOF | linkerd --context east inject - | kubectl --context east apply -f ----apiVersion: v1kind: Namespacemetadata:name: mc-demo---apiVersion: apps/v1kind: Deploymentmetadata:name: bbnamespace: mc-demospec:replicas: 1selector:matchLabels:app: bbtemplate:metadata:labels:app: bbspec:containers:- name: terminusimage: buoyantio/bb:v0.0.6args:- terminus- "--h1-server-port=8080"- "--response-text=hello from east\n"ports:- containerPort: 8080---apiVersion: v1kind: Servicemetadata:name: bbnamespace: mc-demospec:ports:- name: httpport: 8080targetPort: 8080selector:app: bbEOF> cat <<EOF | linkerd --context north inject - | kubectl --context north apply -f ----apiVersion: v1kind: Namespacemetadata:name: mc-demo---apiVersion: apps/v1kind: Deploymentmetadata:name: bbnamespace: mc-demospec:replicas: 1selector:matchLabels:app: bbtemplate:metadata:labels:app: bbspec:containers:- name: terminusimage: buoyantio/bb:v0.0.6args:- terminus- "--h1-server-port=8080"- "--response-text=hello from north\n"ports:- containerPort: 8080---apiVersion: v1kind: Servicemetadata:name: bbnamespace: mc-demospec:ports:- name: httpport: 8080targetPort: 8080selector:app: bbEOF> cat <<EOF | linkerd --context west inject - | kubectl --context west apply -f ----apiVersion: v1kind: Namespacemetadata:name: mc-demo---apiVersion: apps/v1kind: Deploymentmetadata:name: bbnamespace: mc-demospec:replicas: 1selector:matchLabels:app: bbtemplate:metadata:labels:app: bbspec:containers:- name: terminusimage: buoyantio/bb:v0.0.6args:- terminus- "--h1-server-port=8080"- "--response-text=hello from west\n"ports:- containerPort: 8080---apiVersion: v1kind: Servicemetadata:name: bbnamespace: mc-demospec:ports:- name: httpport: 8080targetPort: 8080selector:app: bbEOF
Step 5: Label the services
We now set a label on the services to indicate that they should join a federated service.
> kubectl --context east -n mc-demo label svc/bb mirror.linkerd.io/federated=member> kubectl --context north -n mc-demo label svc/bb mirror.linkerd.io/federated=member> kubectl --context west -n mc-demo label svc/bb mirror.linkerd.io/federated=member
You should immediately see a federated service created in the west cluster:
> kubectl --context west -n mc-demo get svcNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGEbb-federated ClusterIP 10.43.56.245 <none> 8080/TCP 114s
We can also check the status subresource of each of the Link resources to see which services have joined federated services or if there are any errors.
> kubectl --context west -n linkerd-multicluster get link/east -ojsonpath='{.status.federatedServices}' | jq .[{"conditions": [{"lastTransitionTime": "2024-11-07T19:53:01Z","localRef": {"group": "","kind": "Service","name": "bb-federated","namespace": "mc-demo"},"message": "","reason": "Mirrored","status": "True","type": "Mirrored"}],"controllerName": "linkerd.io/service-mirror","remoteRef": {"group": "","kind": "Service","name": "bb","namespace": "mc-demo"}}]> kubectl --context west -n linkerd-multicluster get link/north -ojsonpath='{.status.federatedServices}' | jq .[{"conditions": [{"lastTransitionTime": "2024-11-07T19:53:06Z","localRef": {"group": "","kind": "Service","name": "bb-federated","namespace": "mc-demo"},"message": "","reason": "Mirrored","status": "True","type": "Mirrored"}],"controllerName": "linkerd.io/service-mirror","remoteRef": {"group": "","kind": "Service","name": "bb","namespace": "mc-demo"}}]
Step 6: Send some traffic!
We’ll create a deployment that uses curl to generate traffic to the bb-federated service.
> cat <<EOF | linkerd --context west inject - | kubectl --context west apply -f ----apiVersion: apps/v1kind: Deploymentmetadata:name: trafficnamespace: mc-demospec:replicas: 1selector:matchLabels:app: traffictemplate:metadata:labels:app: trafficspec:containers:- args:- -c- |while truedo curl -s http://bb-federated:8080echosleep 1donecommand:- /bin/shimage: curlimages/curlname: trafficEOF
Looking at the logs from this deployment, we can see that the federated service is distributing requests across all three clusters:
> kubectl --context west -n mc-demo logs deploy/traffic -c traffic{"requestUID":"in:http-sid:terminus-grpc:-1-h1:8080-407945949","payload":"hello from east\n"}{"requestUID":"in:http-sid:terminus-grpc:-1-h1:8080-420928530","payload":"hello from west\n"}{"requestUID":"in:http-sid:terminus-grpc:-1-h1:8080-433442439","payload":"hello from north\n"}{"requestUID":"in:http-sid:terminus-grpc:-1-h1:8080-445418175","payload":"hello from west\n"}{"requestUID":"in:http-sid:terminus-grpc:-1-h1:8080-457469540","payload":"hello from west\n"}{"requestUID":"in:http-sid:terminus-grpc:-1-h1:8080-469729132","payload":"hello from west\n"}{"requestUID":"in:http-sid:terminus-grpc:-1-h1:8080-481971153","payload":"hello from west\n"}{"requestUID":"in:http-sid:terminus-grpc:-1-h1:8080-496032705","payload":"hello from east\n"}...
Next Steps
We now have a federated service that balances traffic accross services in three clusters. Additional clusters can be added simply by linking the new cluster and adding the mirror.linkerd.io/federated=member label to the services that you wish to add to the federated service. Similarly, services can be removed from the federated service at any time by removing the label.
You may notice that the bb-federated federated service exists only in the west cluster and not in the east or north clusters. This is because Links are directional and to keep this guide simple, we only linked north and east to west, and not the other way around. If we were to create links in both directions between all three clusters, we would get a bb-federated service in all three clusters.
Troubleshooting
- The first step of troubleshooting should be to run the
linkerd checkcommand in each of the clusters. In particular, look for thelinkerd-multiclusterchecks and ensure that all linked clusters are listed:
linkerd-multicluster--------------------√ Link CRD exists√ Link resources are valid* east* north√ remote cluster access credentials are valid* east* north√ clusters share trust anchors* east* north√ service mirror controller has required permissions* east* north√ service mirror controllers are running* east* north
- Check the
statussubresource of the Link resource. If any services failed to join the federated service, they will appear as an error here. - If a service that should join a federated service is not present in the Link
status, ensure that the service matches the federated service label selector (mirror.linkerd.io/federated=memeberby default). - Use the
linkerd diagnostics endpointscommand to see all of the endpoints in a federated service:
> linkerd --context west diagnostics endpoints bb-federated.mc-demo.svc.cluster.local:8080NAMESPACE IP PORT POD SERVICEmc-demo 10.42.0.108 8080 bb-85f9bbc898-j7fbq bb.mc-demomc-demo 10.23.1.43 8080 bb-7d9f44c6fd-9s848 bb.mc-demomc-demo 10.23.0.42 8080 bb-74c6c64948-j5drn bb.mc-demo
