ExternalWorkload
ExternalWorkload API reference.
Proto: external_workload.proto
Package: networking.gloo.solo.io
Create an in-mesh identity for workloads that are external to a Kubernetes workload cluster to enable routing to and from those workloads in Gloo Mesh. For example, after you onboard a VM to Gloo Mesh, you might create an ExternalWorkload to represent a set of workloads that run on the virtual machine or bare metal instance. When an ExternalWorkload is defined for a given workspace, it can be referenced in:
- VirtualDestination resources, as an upstream destination
- AccessPolicy resources, as an allowed client
- AccessPolicy resources targeting external workloads that match workload selectors
Example
This example provisions an identity for services that listen on port 5000
and that run either on a GCP VM that uses the specified cloud IAM service account, or
an AWS VM that is in the specified security group ID.
The identity is created in the vm-config
namespace of the workload-cluster
.
apiVersion: networking.gloo.solo.io/v2alpha1
kind: ExternalWorkload
metadata:
labels:
app: http-server
version: v1
name: http-server
namespace: vm-config
spec:
connectedClusters:
workload-cluster: vm-config
identitySelector:
gcp:
- serviceAccount: <GCP_VM_service_account>
aws:
- securityGroupId: <AWS_security_group_id>
ports:
- name: http
number: 5000
ExternalWorkloadReport
The resources that the applied resource selects.
Field | Description |
---|---|
workspaces | (repeated ExternalWorkloadReport.WorkspacesEntry ) |
appliedDestinationPolicies | (repeated ExternalWorkloadReport.AppliedDestinationPoliciesEntry )A map of policy GVK to policy references for all the policies that are applied on this resource. |
ownerWorkspace | (string )The name of the workspace that owns the ExternalWorkload. |
ExternalWorkloadReport.AppliedDestinationPoliciesEntry
Field | Description |
---|---|
key | (string ) |
value | (common.gloo.solo.io.AppliedDestinationPortPolicies ) |
ExternalWorkloadReport.WorkspacesEntry
Field | Description |
---|---|
key | (string ) |
value | (common.gloo.solo.io.Report ) |
ExternalWorkloadSpec
Specifications for the external workload.
Field | Description |
---|---|
ports | (repeated ExternalWorkloadSpec.Port )Ports that the external workloads listen on. |
identitySelector | (ExternalWorkloadSpec.IdentitySelector )The conditions under which an external workload is selected. For example, you might select a Google Cloud Platform (GCP) VM by specifying gcp.serviceAccount: <VM_service_account> . This field is optional when you use a join token to attest the external workload. If you specify multiple identity selectors, an external workload is selected when at least one of the selectors matches. |
connectedClusters | (repeated ExternalWorkloadSpec.ConnectedClustersEntry )A map of cluster names to the namespace within the cluster that the external workload is registered in. To scope the external workload to multiple registered clusters, multiple cluster-namespace pairs can be specified. However, within a cluster, only a single namespace can be used to register the external workload. |
readinessProbe | (ExternalWorkloadSpec.Probe )Optional: Readiness probe for the external workload. |
ExternalWorkloadSpec.ConnectedClustersEntry
Field | Description |
---|---|
key | (string ) |
value | (string ) |
ExternalWorkloadSpec.IdentitySelector
The conditions under which an external workload is selected. For example, you might
select a Google Cloud Platform (GCP) VM by specifying gcp.serviceAccount: <VM_service_account>
.
This field is optional when you use a join token to attest the external workload.
If you specify multiple selectors, an external workload is selected when at least
one of the selectors matches.
Field | Description |
---|---|
aws | (repeated ExternalWorkloadSpec.IdentitySelector.AWS )Optional: Selector for external workloads running in AWS. |
gcp | (repeated ExternalWorkloadSpec.IdentitySelector.GCP )Optional: Selector for external workloads running in GCP. |
azure | (repeated ExternalWorkloadSpec.IdentitySelector.Azure )Optional: Selector for external workloads running in Azure. |
joinTokenSpiffeId | (repeated string )Optional: Selector for external workloads using a join token. Specifies the SPIFFE ID associated with the join token. |
ExternalWorkloadSpec.IdentitySelector.AWS
Selector for external workloads that run in AWS. If multiple fields are specified, an external workload is selected only when all match.
Field | Description |
---|---|
iamRole | (string )Optional: The IAM role within the instance profile of the external workload. |
securityGroupName | (string )Optional: The name of the security group associated with the external workload. |
securityGroupId | (string )Optional: The ID of the security group associated with the external workload. |
imageId | (string )Optional: The ID of the AMI used to launch the external workload. |
instanceId | (string )Optional: The ID of the external workload instance. |
zone | (string )Optional: The availability zone in which the external workload is running. |
region | (string )Optional: The region where the external workload is running. |
tag | (ExternalWorkloadSpec.IdentitySelector.AWS.Tag )The tag applied as a key to the external workload. |
ExternalWorkloadSpec.IdentitySelector.AWS.Tag
The tag applied as a key-value pair to the external workload.
Field | Description |
---|---|
key | (string )The key of the tag. |
value | (string )The value of the tag. |
ExternalWorkloadSpec.IdentitySelector.Azure
Selector for external workloads that run in Azure. If multiple fields are specified, an external workload is selected only when all match.
Field | Description |
---|---|
subscriptionId | (string )Optional: The subscription ID of the external workload. |
securityGroup | (string )Optional: The name of the security group associated with the external workload. If specified, the resourceGroup field must also be specified. |
virtualNetwork | (string )Optional: The name of the virtual network the external workload belongs to. If specified, the resourceGroup field must also be specified. |
subnet | (string )Optional: The name of the subnet in the virtual network the external workload belongs to. If specified, the resourceGroup and virtualNetwork fields must also be specified. |
name | (string )Optional: The name of the external workload instance. If specified, the resourceGroup field must also be specified. |
resourceGroup | (string )Optional: The resource group the external workload belongs to. The resource group does not act as a selector, but is used in conjunction with the other fields. Must be specified if the securityGroup , virtualNetwork , subnet , or name fields are specified. |
ExternalWorkloadSpec.IdentitySelector.GCP
Selector for external workloads that run in GCP. If multiple fields are specified, an external workload is selected only when all match.
Field | Description |
---|---|
serviceAccount | (string )Optional: The service account associated with the external workload. |
name | (string )Optional: Name of the external workload instance. |
tag | (string )Optional: The tag applied as a key to the external workload. |
projectId | (string )Optional: The ID of the project containing the external workload. |
zone | (string )Optional: The availability zone in which the external workload is running. |
label | (ExternalWorkloadSpec.IdentitySelector.GCP.Label )Optional: The label applied as a key-value pair to the external workload. The value for the key is optional. |
ExternalWorkloadSpec.IdentitySelector.GCP.Label
The label applied as a key-value pair to the external workload. The value for the key is optional.
Field | Description |
---|---|
key | (string )The key of the label. |
value | (string )The value of the label. |
ExternalWorkloadSpec.Port
The port on the backing external workload.
Field | Description |
---|---|
name | (string )The logical name assigned to the port. |
protocol | (string )The protocol of the port. Supported protocols: HTTP, HTTPS, GRPC, HTTP2, MONGO, TCP, TLS |
number | (uint32 )The port number. Must be in the range 1 - 65535. |
ExternalWorkloadSpec.Probe
A health check to perform against an external workload to determine whether it is ready to receive traffic.
Field | Description |
---|---|
initialDelaySeconds | (google.protobuf.UInt32Value )Optional: Number of seconds after the external workload startup before the probes are initiated. Defaults to 0 seconds. |
timeoutSeconds | (google.protobuf.UInt32Value )Optional: Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 second. |
periodSeconds | (google.protobuf.UInt32Value )How often (in seconds) to perform the probe. Defaults to 10 seconds. Minimum value is 1 second. |
successThreshold | (google.protobuf.UInt32Value )Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. |
failureThreshold | (google.protobuf.UInt32Value )Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. |
httpGet | (ExternalWorkloadSpec.Probe.HTTPGetConfig )Configuration for an HTTP probe request. |
tcpSocket | (ExternalWorkloadSpec.Probe.TCPSocketConfig )Configuration for a TCP socket probe. |
exec | (ExternalWorkloadSpec.Probe.ExecConfig )Configuration for an exec command probe. |
ExternalWorkloadSpec.Probe.ExecConfig
Configuration for an exec command probe.
Field | Description |
---|---|
command | (repeated string )Command to run. An exit status of zero (0) is considered healthy, and a non-zero status is considered unhealthy. |
ExternalWorkloadSpec.Probe.HTTPGetConfig
Configuration for an HTTP GET probe request.
Field | Description |
---|---|
port | (uint32 )Number of the port to access. Must be in the range 1 - 65535. |
path | (string )Optional: Path to access on the HTTP server. |
scheme | (ExternalWorkloadSpec.Probe.HTTPGetConfig.Scheme )Optional: Scheme to use for connecting to the host. Defaults to HTTP. |
httpHeaders | (repeated ExternalWorkloadSpec.Probe.HTTPHeader )Optional: Custom headers to set in the request. HTTP allows repeated headers. |
ExternalWorkloadSpec.Probe.HTTPHeader
A custom header to use in HTTP probes.
Field | Description |
---|---|
name | (string )The header field name. |
value | (string )The header field value. |
ExternalWorkloadSpec.Probe.TCPSocketConfig
Configuration for a TCP socket probe.
Field | Description |
---|---|
host | (string )Optional: Host to connect to. Defaults to localhost . |
port | (uint32 )Number of the port to access. Must be in the range 1 - 65535. |
ExternalWorkloadStatus
The status of the ExternalWorkload after it is applied to your Gloo environment.
Field | Description |
---|---|
common | (common.gloo.solo.io.Status )The state and workspace conditions of the applied resource. |
numAppliedPolicies | (repeated ExternalWorkloadStatus.NumAppliedPoliciesEntry )A map of policy GVK to the number of policies that are applied on this resource, sorted by GVK. |
ownedByWorkspace | (string )Name of the workspace that owns this ExternalWorkload |
ExternalWorkloadStatus.NumAppliedPoliciesEntry
Field | Description |
---|---|
key | (string ) |
value | (uint32 ) |
ExternalWorkloadSpec.Probe.HTTPGetConfig.Scheme
Scheme to use for connecting to the host.
Name | Number | Description |
---|---|---|
HTTP | 0 | Use the http:// scheme for the connection. |
HTTPS | 1 | Use the https:// scheme for the connection. |