ExternalWorkload
ExternalWorkload API reference.
Proto: external_workload.proto
Package: networking.gloo.solo.io
Create an in-mesh identity for workloads that are external to a Kubernetes workload cluster to enable routing to and from those workloads in Gloo Mesh. For example, after you onboard a VM to Gloo Mesh Enterprise, you might create an ExternalWorkload to represent a set of workloads that run on the virtual machine or bare metal instance. When an ExternalWorkload is defined for a given workspace, it can be referenced in:
- VirtualDestination resources, as an upstream destination
- AccessPolicy resources, as an allowed client
- AccessPolicy resources targeting external workloads that match workload selectors
Example
This example provisions an identity for services that listen on port 5000 and that run either on a GCP VM that uses the specified cloud IAM service account, or on an AWS VM that belongs to the security group with the specified ID. The identity is created in the vm-config namespace of the workload-cluster.

```yaml
apiVersion: networking.gloo.solo.io/v2alpha1
kind: ExternalWorkload
metadata:
  labels:
    app: http-server
    version: v1
  name: http-server
  namespace: vm-config
spec:
  connectedClusters:
    workload-cluster: vm-config
  identitySelector:
    gcp:
    - serviceAccount: <GCP_VM_service_account>
    aws:
    - securityGroupId: <AWS_security_group_id>
  ports:
  - name: http
    number: 5000
```
ExternalWorkloadReport
The resources that the applied resource selects.
| Field | Description |
|---|---|
| workspaces | (repeated ExternalWorkloadReport.WorkspacesEntry) |
| appliedDestinationPolicies | (repeated ExternalWorkloadReport.AppliedDestinationPoliciesEntry) A map of policy GVK to policy references for all the policies that are applied on this resource. |
| ownerWorkspace | (string) The name of the workspace that owns the ExternalWorkload. |
ExternalWorkloadReport.AppliedDestinationPoliciesEntry
| Field | Description |
|---|---|
| key | (string) |
| value | (common.gloo.solo.io.AppliedDestinationPortPolicies) |
ExternalWorkloadReport.WorkspacesEntry
| Field | Description |
|---|---|
| key | (string) |
| value | (common.gloo.solo.io.Report) |
ExternalWorkloadSpec
Specifications for the external workload.
| Field | Description |
|---|---|
| ports | (repeated ExternalWorkloadSpec.Port) Ports that the external workloads listen on. |
| identitySelector | (ExternalWorkloadSpec.IdentitySelector) The conditions under which an external workload is selected. For example, you might select a Google Cloud Platform (GCP) VM by specifying gcp.serviceAccount: <VM_service_account>. This field is optional when you use a join token to attest the external workload. Within a single AWS, Azure, or GCP selector entry, every specified field must match; across entries and across providers, an external workload is selected when at least one entry matches. |
| connectedClusters | (repeated ExternalWorkloadSpec.ConnectedClustersEntry) A map of cluster names to the namespace within the cluster that the external workload is registered in. To scope the external workload to multiple registered clusters, multiple cluster-namespace pairs can be specified. However, within a cluster, only a single namespace can be used to register the external workload. |
| readinessProbe | (ExternalWorkloadSpec.Probe) Optional: Readiness probe for the external workload. |
ExternalWorkloadSpec.ConnectedClustersEntry
| Field | Description |
|---|---|
| key | (string) |
| value | (string) |
ExternalWorkloadSpec.IdentitySelector
The conditions under which an external workload is selected. For example, you might select a Google Cloud Platform (GCP) VM by specifying gcp.serviceAccount: <VM_service_account>. This field is optional when you use a join token to attest the external workload. Within a single AWS, Azure, or GCP selector entry, all specified fields must match; across entries and across providers, an external workload is selected when at least one entry matches. Because every matching workload receives the identity that this resource defines, specify enough fields that only the intended instances can match: a selector that names only a region or zone selects every workload of that provider in that region or zone.
| Field | Description |
|---|---|
| aws | (repeated ExternalWorkloadSpec.IdentitySelector.AWS) Optional: Selector for external workloads running in AWS. |
| gcp | (repeated ExternalWorkloadSpec.IdentitySelector.GCP) Optional: Selector for external workloads running in GCP. |
| azure | (repeated ExternalWorkloadSpec.IdentitySelector.Azure) Optional: Selector for external workloads running in Azure. |
| joinToken | (ExternalWorkloadSpec.IdentitySelector.JoinToken) Optional: Join token configuration to attest the external workload. |
ExternalWorkloadSpec.IdentitySelector.AWS
Selector for external workloads that run in AWS. If multiple fields are specified, an external workload is selected only when all match.
| Field | Description |
|---|---|
| iamRole | (string) Optional: The IAM role within the instance profile of the external workload. |
| securityGroupName | (string) Optional: The name of the security group associated with the external workload. |
| securityGroupId | (string) Optional: The ID of the security group associated with the external workload. |
| imageId | (string) Optional: The ID of the AMI used to launch the external workload. |
| instanceId | (string) Optional: The ID of the external workload instance. |
| zone | (string) Optional: The availability zone in which the external workload is running. |
| region | (string) Optional: The region where the external workload is running. |
| tag | (ExternalWorkloadSpec.IdentitySelector.AWS.Tag) Optional: The tag applied as a key-value pair to the external workload. |
ExternalWorkloadSpec.IdentitySelector.AWS.Tag
The tag applied as a key-value pair to the external workload.
| Field | Description |
|---|---|
| key | (string) The key of the tag. |
| value | (string) The value of the tag. |
ExternalWorkloadSpec.IdentitySelector.Azure
Selector for external workloads that run in Azure. If multiple fields are specified, an external workload is selected only when all match.
| Field | Description |
|---|---|
| subscriptionId | (string) Optional: The subscription ID of the external workload. |
| securityGroup | (string) Optional: The name of the security group associated with the external workload. If specified, the resourceGroup field must also be specified. |
| virtualNetwork | (string) Optional: The name of the virtual network the external workload belongs to. If specified, the resourceGroup field must also be specified. |
| subnet | (string) Optional: The name of the subnet in the virtual network the external workload belongs to. If specified, the resourceGroup and virtualNetwork fields must also be specified. |
| name | (string) Optional: The name of the external workload instance. If specified, the resourceGroup field must also be specified. |
| resourceGroup | (string) Optional: The resource group the external workload belongs to. The resource group does not act as a selector on its own, but is used in conjunction with the other fields. Must be specified if the securityGroup, virtualNetwork, subnet, or name fields are specified. |
ExternalWorkloadSpec.IdentitySelector.GCP
Selector for external workloads that run in GCP. If multiple fields are specified, an external workload is selected only when all match.
| Field | Description |
|---|---|
| serviceAccount | (string) Optional: The service account associated with the external workload. |
| name | (string) Optional: Name of the external workload instance. |
| tag | (string) Optional: The tag applied as a key to the external workload. |
| projectId | (string) Optional: The ID of the project containing the external workload. |
| zone | (string) Optional: The availability zone in which the external workload is running. |
| label | (ExternalWorkloadSpec.IdentitySelector.GCP.Label) Optional: The label applied as a key-value pair to the external workload. The value for the key is optional. |
ExternalWorkloadSpec.IdentitySelector.GCP.Label
The label applied as a key-value pair to the external workload. The value for the key is optional.
| Field | Description |
|---|---|
| key | (string) The key of the label. |
| value | (string) The value of the label. |
ExternalWorkloadSpec.IdentitySelector.JoinToken
| Field | Description |
|---|---|
| enable | (bool) Optional: Enable the use of join tokens to attest the external workload. Defaults to false. |
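The following is an added example, not code from Gloo Mesh or this reference, that models the selector semantics described above: fields inside one AWS, Azure, or GCP entry are ANDed, and entries and providers are ORed. It runs a deliberately broad selector and a narrowed one against a constructed fleet of instance records, and shows why a selector that names only a region hands the mesh identity to every instance in that region. The instance attribute names, the fleet, and the rule that an entry with no selecting fields (or an unknown field) is rejected are assumptions of this model, not documented product behaviour.

```python
"""Model of ExternalWorkload identitySelector matching as this reference describes it.
Added example, not Gloo Mesh code. Instance records below are constructed."""

from typing import Any

# Scalar selector fields per provider. Assumption: the instance record carries an
# attribute of the same name, as read from the cloud's instance metadata.
SCALAR_FIELDS = {
    "aws": ("iamRole", "securityGroupName", "securityGroupId", "imageId",
            "instanceId", "zone", "region"),
    "gcp": ("serviceAccount", "name", "projectId", "zone"),
    "azure": ("subscriptionId", "securityGroup", "virtualNetwork", "subnet", "name"),
}
EXTRA_FIELDS = {"aws": {"tag"}, "gcp": {"tag", "label"}, "azure": {"resourceGroup"}}
# Azure fields that the reference says must be accompanied by resourceGroup.
AZURE_NEEDS_RESOURCE_GROUP = ("securityGroup", "virtualNetwork", "subnet", "name")


def validate_entry(provider: str, entry: dict[str, Any]) -> None:
    """Reject entries the reference rules out, or that could never select anything."""
    unknown = set(entry) - set(SCALAR_FIELDS[provider]) - EXTRA_FIELDS[provider]
    if unknown:
        raise ValueError(f"{provider} selector: unknown fields {sorted(unknown)}")
    if not set(entry) - {"resourceGroup"}:
        # Assumption: an entry with no selecting field is a mistake, not a wildcard.
        raise ValueError(f"{provider} selector entry has no selecting fields")
    if provider == "azure":
        needs_rg = [f for f in AZURE_NEEDS_RESOURCE_GROUP if f in entry]
        if needs_rg and "resourceGroup" not in entry:
            raise ValueError(f"azure selector: {needs_rg} require resourceGroup")
        if "subnet" in entry and "virtualNetwork" not in entry:
            raise ValueError("azure selector: subnet requires virtualNetwork")


def entry_matches(provider: str, entry: dict[str, Any], instance: dict[str, Any]) -> bool:
    """True when every field set in one selector entry matches the instance (AND)."""
    validate_entry(provider, entry)
    if instance.get("provider") != provider:
        return False
    # Azure resourceGroup only qualifies the other fields; modelled here as one more
    # equality check (assumption).
    scalars = SCALAR_FIELDS[provider] + (("resourceGroup",) if provider == "azure" else ())
    for field in scalars:
        if field in entry and instance.get(field) != entry[field]:
            return False
    if provider == "aws" and "tag" in entry:  # key-value pair: both must match
        tag = entry["tag"]
        if instance.get("tags", {}).get(tag["key"]) != tag.get("value"):
            return False
    if provider == "gcp":
        if "tag" in entry and entry["tag"] not in instance.get("tags", []):
            return False  # GCP network tag is a bare string
        if "label" in entry:  # key with optional value
            label, labels = entry["label"], instance.get("labels", {})
            if label["key"] not in labels:
                return False
            if "value" in label and labels[label["key"]] != label["value"]:
                return False
    return True


def selects(identity_selector: dict[str, Any], instance: dict[str, Any]) -> bool:
    """True when at least one entry under any provider matches (OR across entries).
    Join-token attestation happens out of band and is not modelled here."""
    return any(
        entry_matches(provider, entry, instance)
        for provider in SCALAR_FIELDS
        for entry in identity_selector.get(provider, [])
    )


def selected_instances(identity_selector: dict[str, Any], fleet: dict[str, dict]) -> list[str]:
    """Names of the fleet members that would receive the ExternalWorkload identity."""
    return sorted(name for name, inst in fleet.items() if selects(identity_selector, inst))


FLEET = {  # constructed instance records, as a metadata lookup might return them
    "web-1": {"provider": "aws", "region": "us-east-1", "securityGroupId": "sg-0123abcd",
              "iamRole": "http-server-role", "tags": {"app": "http-server"}},
    "bastion": {"provider": "aws", "region": "us-east-1", "securityGroupId": "sg-ffff9999",
                "iamRole": "bastion-role", "tags": {"app": "bastion"}},
    "gcp-web": {"provider": "gcp", "projectId": "demo-proj", "zone": "us-central1-a",
                "serviceAccount": "http-server@demo-proj.iam.gserviceaccount.com",
                "tags": ["http"], "labels": {"app": "http-server"}},
}

# Too broad: every AWS instance in the region, including the bastion, gets the identity.
BROAD = {"aws": [{"region": "us-east-1"}]}
# Narrow: AND of region, security group and IAM role, OR a GCP VM with the right
# service account and label.
NARROW = {
    "aws": [{"region": "us-east-1", "securityGroupId": "sg-0123abcd",
             "iamRole": "http-server-role"}],
    "gcp": [{"serviceAccount": "http-server@demo-proj.iam.gserviceaccount.com",
             "label": {"key": "app", "value": "http-server"}}],
}

if __name__ == "__main__":
    print("broad selects:", selected_instances(BROAD, FLEET))
    print("narrow selects:", selected_instances(NARROW, FLEET))
```

Run it as a pre-apply check on a selector by replacing the constructed fleet with records built from your own inventory; any name in the output that is not a workload you intend to onboard is a sign that the selector needs another field.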
ExternalWorkloadSpec.Port
The port on the backing external workload.
| Field | Description |
|---|---|
| name | (string) The logical name assigned to the port. |
| protocol | (string) The protocol of the port. Supported protocols: HTTP, HTTPS, GRPC, HTTP2, MONGO, TCP, TLS |
| number | (uint32) The port number. Must be in the range 1 - 65535. |
ExternalWorkloadSpec.Probe
A health check to perform against an external workload to determine whether it is ready to receive traffic.
| Field | Description |
|---|---|
| initialDelaySeconds | (google.protobuf.UInt32Value) Optional: Number of seconds after the external workload startup before the probes are initiated. Defaults to 0 seconds. |
| timeoutSeconds | (google.protobuf.UInt32Value) Optional: Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 second. |
| periodSeconds | (google.protobuf.UInt32Value) Optional: How often (in seconds) to perform the probe. Defaults to 10 seconds. Minimum value is 1 second. |
| successThreshold | (google.protobuf.UInt32Value) Optional: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. |
| failureThreshold | (google.protobuf.UInt32Value) Optional: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. |
| httpGet | (ExternalWorkloadSpec.Probe.HTTPGetConfig) Configuration for an HTTP probe request. |
| tcpSocket | (ExternalWorkloadSpec.Probe.TCPSocketConfig) Configuration for a TCP socket probe. |
| exec | (ExternalWorkloadSpec.Probe.ExecConfig) Configuration for an exec command probe. |
ExternalWorkloadSpec.Probe.ExecConfig
Configuration for an exec command probe.
| Field | Description |
|---|---|
| command | (repeated string) Command to run. An exit status of zero (0) is considered healthy, and a non-zero status is considered unhealthy. |
ExternalWorkloadSpec.Probe.HTTPGetConfig
Configuration for an HTTP GET probe request.
| Field | Description |
|---|---|
| port | (uint32) Number of the port to access. Must be in the range 1 - 65535. |
| path | (string) Optional: Path to access on the HTTP server. |
| scheme | (ExternalWorkloadSpec.Probe.HTTPGetConfig.Scheme) Optional: Scheme to use for connecting to the host. Defaults to HTTP. |
| httpHeaders | (repeated ExternalWorkloadSpec.Probe.HTTPHeader) Optional: Custom headers to set in the request. HTTP allows repeated headers. |
ExternalWorkloadSpec.Probe.HTTPHeader
A custom header to use in HTTP probes.
| Field | Description |
|---|---|
| name | (string) The header field name. |
| value | (string) The header field value. |
ExternalWorkloadSpec.Probe.TCPSocketConfig
Configuration for a TCP socket probe.
| Field | Description |
|---|---|
| host | (string) Optional: Host to connect to. Defaults to localhost. |
| port | (uint32) Number of the port to access. Must be in the range 1 - 65535. |
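The following is an added example, not code from Gloo Mesh or this reference, that checks an ExternalWorkload spec against the constraints this reference states before the resource is applied: port numbers in 1 - 65535, a protocol from the supported list, the 1 second minimum for timeoutSeconds and periodSeconds, a port in range for httpGet and tcpSocket probes, an HTTP or HTTPS scheme, and an identitySelector that is only optional when joinToken.enable is true. The sample specs are constructed; the check that a probe names at least one handler and that exec.command is non-empty are assumptions of this example, since the reference does not say how an empty probe behaves.

```python
"""Pre-apply lint for an ExternalWorkload spec, built from the rules this reference
states. Added example, not Gloo Mesh code; the sample specs are constructed."""

SUPPORTED_PROTOCOLS = {"HTTP", "HTTPS", "GRPC", "HTTP2", "MONGO", "TCP", "TLS"}


def _port_ok(n) -> bool:
    """The reference requires port numbers in the range 1 - 65535."""
    return isinstance(n, int) and not isinstance(n, bool) and 1 <= n <= 65535


def validate_spec(spec: dict) -> list[str]:
    """Return the documented rules the spec violates; an empty list means none."""
    problems: list[str] = []

    # connectedClusters maps a cluster name to exactly one namespace.
    for cluster, namespace in (spec.get("connectedClusters") or {}).items():
        if not isinstance(namespace, str) or not namespace:
            problems.append(f"connectedClusters[{cluster}]: value must be a single namespace name")

    # identitySelector is optional only when a join token attests the workload.
    selector = spec.get("identitySelector") or {}
    join_token = bool((selector.get("joinToken") or {}).get("enable", False))
    has_cloud_selector = any(selector.get(p) for p in ("aws", "gcp", "azure"))
    if not join_token and not has_cloud_selector:
        problems.append("identitySelector: a cloud selector is required unless joinToken.enable is true")

    # ports: number in range, protocol from the supported list (exact, upper-case names
    # as the reference lists them; assumption that matching is case-sensitive).
    for i, port in enumerate(spec.get("ports") or []):
        if not _port_ok(port.get("number")):
            problems.append(f"ports[{i}].number must be in the range 1-65535")
        protocol = port.get("protocol")
        if protocol is not None and protocol not in SUPPORTED_PROTOCOLS:
            problems.append(f"ports[{i}].protocol {protocol!r} is not supported")

    probe = spec.get("readinessProbe")
    if probe is not None:
        for field in ("timeoutSeconds", "periodSeconds"):
            value = probe.get(field)
            if value is not None and not (isinstance(value, int) and value >= 1):
                problems.append(f"readinessProbe.{field} minimum value is 1 second")
        handlers = [h for h in ("httpGet", "tcpSocket", "exec") if h in probe]
        if not handlers:  # assumption: a probe with no handler cannot check anything
            problems.append("readinessProbe: no httpGet, tcpSocket or exec handler configured")
        for handler in ("httpGet", "tcpSocket"):
            if handler in probe and not _port_ok(probe[handler].get("port")):
                problems.append(f"readinessProbe.{handler}.port must be in the range 1-65535")
        if "httpGet" in probe and probe["httpGet"].get("scheme", "HTTP") not in ("HTTP", "HTTPS"):
            problems.append("readinessProbe.httpGet.scheme must be HTTP or HTTPS")
        if "exec" in probe and not probe["exec"].get("command"):  # assumption
            problems.append("readinessProbe.exec.command must not be empty")
    return problems


GOOD_SPEC = {  # constructed; mirrors the reference example with a readiness probe added
    "connectedClusters": {"workload-cluster": "vm-config"},
    "identitySelector": {"gcp": [{"serviceAccount": "http-server@demo-proj.iam.gserviceaccount.com"}]},
    "ports": [{"name": "http", "number": 5000, "protocol": "HTTP"}],
    "readinessProbe": {"periodSeconds": 5, "timeoutSeconds": 2,
                       "httpGet": {"port": 5000, "path": "/healthz", "scheme": "HTTP"}},
}

BAD_SPEC = {  # constructed; each marked field breaks one documented rule
    "connectedClusters": {"workload-cluster": "vm-config"},
    "identitySelector": {"joinToken": {"enable": False}},       # no selector, no join token
    "ports": [{"name": "admin", "number": 70000, "protocol": "UDP"}],  # out of range, unsupported
    "readinessProbe": {"timeoutSeconds": 0, "tcpSocket": {"port": 0}},  # below minimum, bad port
}

if __name__ == "__main__":
    for label, spec in (("good", GOOD_SPEC), ("bad", BAD_SPEC)):
        print(label, validate_spec(spec) or "ok")
```

Feed it the `spec` mapping of a parsed manifest (for example the output of a YAML loader) and block the apply when the list is non-empty; the messages name the offending path so the fix is unambiguous.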
ExternalWorkloadStatus
The status of the ExternalWorkload after it is applied to your Gloo environment.
| Field | Description |
|---|---|
| common | (common.gloo.solo.io.Status) The state and workspace conditions of the applied resource. |
| numAppliedPolicies | (repeated ExternalWorkloadStatus.NumAppliedPoliciesEntry) A map of policy GVK to the number of policies that are applied on this resource, sorted by GVK. |
| ownedByWorkspace | (string) Name of the workspace that owns this ExternalWorkload. |
ExternalWorkloadStatus.NumAppliedPoliciesEntry
| Field | Description |
|---|---|
| key | (string) |
| value | (uint32) |
ExternalWorkloadSpec.Probe.HTTPGetConfig.Scheme
Scheme to use for connecting to the host.
| Name | Number | Description |
|---|---|---|
| HTTP | 0 | Use the http:// scheme for the connection. |
| HTTPS | 1 | Use the https:// scheme for the connection. |