fence

module

v0.0.0-...-66e36ac Latest Latest Go to latest Published: Sep 15, 2023 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/hexiaodai/fence

Links

Open Source Insights

README ¶

Fence（中文）

Fence is an open source project to automate the management of Istio custom resources Sidecar.

Backgroud

When there are too many services in the Service Grid, the Envoy configuration is too large and new applications remain in Not Ready state for a long time. For this reason, Ops needs to manage the custom resource Sidecar and manually configure service dependencies for the application.

Fence has the ability to automatically fetch service dependencies and provide automatic management of the custom resource Sidecar.

Architecture

architecture

Performance Indicator

In a Kubenetes cluster with 250 pods, the XDS Response Bytes Max peaks at 450 kB/s and the Proxy Push Time peaks at 20s before Fence is enabled, and the XDS Response Bytes Max peaks at 27 kB/s and the Proxy Push Time peaks at 5s after Fence is enabled. In summary, enabling Fence to automatically manage Sidecar resources reduces the XDS Response Bytes Max peak by about 94% and the Proxy Push Time peak by about 75%.

Before Fence is enabled

xds requests size

After Fence is enabled

xds requests size

Install & Use

Use kubectl

kubectl create namespace fence
kubectl apply -f "https://raw.githubusercontent.com/hexiaodai/fence/0.1.0/deploy/fence.yaml"

Use helm

helm install fence --create-namespace -n fence oci://registry-1.docker.io/hejianmin/chart-fence --version 0.1.0

Fence has two ways to automate the management of custom resource Sidecars in a cluster:

Note: Fence does not manage Sidecar in the system namespace kube-system, istio-system.

Manage the entire cluster, this is the default behavior

kubectl -n fence set env deployment/fence AUTO_FENCE="true"

Specify a Namespace or Pod to manage

kubectl -n fence set env deployment/fence AUTO_FENCE="false"
# Namespace
kubectl label namespace ${namespace name} sidecar.fence.io=enabled
# Pod
kubectl label pods ${pod name} sidecar.fence.io=enabled

Specify a Namespace or Pod that does not need to be managed

# Namespace
kubectl label namespace ${namespace name} sidecar.fence.io=disable
# Pod
kubectl label pods ${pod name} sidecar.fence.io=disable

Directories ¶

Path	Synopsis
cmd
ctrl
proxy
internal
cache
cmd/ctrl
cmd/proxy
config
controller
healthz
istio
logging
metric
options
proxy
utils

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL