Application Protocol Selection

OSM is capable of routing different application protocols such as HTTP, TCP, and gRPC differently. The following guide describes how to configure service ports to specify the application protocol to use for traffic filtering and routing.

Configuring the application protocol

Kubernetes services expose one or more ports. A port exposed by an application running the service can serve a specific application protocol such as HTTP, TCP, gRPC etc. Since OSM filters and routes traffic for different application protocols differently, a configuration on the Kubernetes service object is necessary to convey to OSM how traffic directed to a service port must be routed.

In order to determine the application protocol served by a service’s port, OSM expects the appProtocol field on the service’s port to be set.

OSM supports the following application protocols for service ports:

  1. http: For HTTP based filtering and routing of traffic
  2. tcp: For TCP based filtering and routing of traffic
  3. tcp-server-first: For TCP based filtering and routing of traffic where the server initiates communication with a client, such as MySQL, PostgreSQL, and others
  4. gRPC: For HTTP/2 based filtering and routing of gRPC traffic

The application protocol configuration described is applicable to both SMI and Permissive traffic policy modes.

Examples

Consider the following SMI traffic access and traffic specs policies:

  • A TCPRoute resource named tcp-route that specifies the port TCP traffic should be allowed on.
  • An HTTPRouteGroup resource named http-route that specifies the HTTP routes for which HTTP traffic should be allowed.
  • A TrafficTarget resource named test that allows pods in the service account sa-2 to access pods in the service account sa-1 for the specified TCP and HTTP rules.

    kind: TCPRoute
    metadata:
      name: tcp-route
    spec:
      matches:
        ports:
        - 8080
    ---
    kind: HTTPRouteGroup
    metadata:
      name: http-route
    spec:
      matches:
      - name: version
        pathRegex: "/version"
        methods:
        - GET
    ---
    kind: TrafficTarget
    metadata:
      name: test
      namespace: default
    spec:
      destination:
        kind: ServiceAccount
        name: sa-1 # There are 2 services under this service account: service-1 and service-2
        namespace: default
      rules:
      - kind: TCPRoute
        name: tcp-route
      - kind: HTTPRouteGroup
        name: http-route
      sources:
      - kind: ServiceAccount
        name: sa-2
        namespace: default

Kubernetes service resources should explicitly specify the application protocol being served by the service’s ports using the appProtocol field.

A service service-1 backed by a pod in service account sa-1 serving http application traffic should be defined as follows:

    kind: Service
    metadata:
      name: service-1
      namespace: default
    spec:
      ports:
      - port: 8080
        name: some-port
        appProtocol: http

A service service-2 backed by a pod in service account sa-1 serving raw tcp application traffic should be defined as follows:

    kind: Service
    metadata:
      name: service-2
      namespace: default
    spec:
      ports:
      - port: 8080
        name: some-port
        appProtocol: tcp