Advanced Traffic Management in AKS: Implementing Canary Deployments with Open Service Mesh (OSM)

Introduction
We will demonstrate how to perform a traffic split between two Kubernetes services. Specifically, we’ll divide the traffic sent to the root bookstore service between the bookstore-v1 and bookstore-v2 backends, also referred to as leaf services.
Requirements
Azure subscription
VS Code
Azure CLI
Configure Traffic Split between Two Services
- First create a resource group inside your Azure portal by running
az group create -l [region] -n [resource-group-name]
- Create Azure Kubernetes Service (AKS) cluster by running
az aks create -g [resource-group-name] -n [cluster-name] -a open-service-mesh --generate-ssh-keys
The -a switch is used to add any add-ons, and in this case, to install Open Service Mesh.
Set the default group to the resource group created by running
az configure --defaults group=[resource-group-name]
Merge your credentials with your local profile using
az aks get-credentials --name [aks-name]
- Check your current context to be sure it is set to your AKS cluster
kubectl config current-context
- Create three namespaces: bookstore, bookbuyer and bookwarehouse.
kubectl create ns bookbuyer
kubectl create ns bookstore
kubectl create ns bookwarehouse
- Confirm that the namespaces were created using
kubectl get ns
Add the namespaces to the Open Service Mesh control plane by going to the Azure portal, opening your AKS cluster, and clicking Add
Select the three namespaces and click Add
Confirm that the namespaces have been added.
Deploy the three bookstore apps using the YAML files below
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/apps/bookbuyer.yaml
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/apps/bookstore.yaml
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/apps/bookwarehouse.yaml
- In order to see the changes in action, use one of the pods in any of the namespaces; I will be using bookbuyer. To do this, run
kubectl get pod -n bookbuyer
Copy the name of the pod and use
kubectl port-forward [name-of-pod] -n bookbuyer 8081:14001
to map the app to your local machine on port 8081. Open your browser and go to
localhost:8081
This is piped via the terminal. As you can see, version 1 of the app is seeing traffic, which is simulated by the app.
NOTE: The OSM traffic policy is set to deny by default. We can see the services talking to each other, and the bookbuyer service is able to access the bookstore app, because enablePermissiveTrafficPolicyMode is currently on.
Turn enablePermissiveTrafficPolicyMode off using the Azure portal. Navigate to your AKS cluster in the Azure portal, select Open Service Mesh, and click Edit configuration
Change it to false and click Review+create
Tick confirm manifest changes and select Save
As soon as you save the manifest changes back on the portal, the transactions stop.
You can fix this by applying an allow traffic policy, which explicitly allows traffic across these services, using
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/access/traffic-access-v1.yaml
If you check your localhost browser, you will notice that sales have resumed.
Then deploy version 2 of the bookstore using
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/apps/bookstore-v2.yaml
Traffic is now directed to version 2 of the bookstore app.
Deploy the SMI TrafficSplit policy to route 100% of the traffic from the root bookstore service to the bookstore-v1 service backend. This ensures that all traffic is initially served by version v1 of the bookstore app, which corresponds to the pods behind bookstore-v1. Later, the TrafficSplit configuration will be updated to gradually route a portion of the traffic to version v2 via the bookstore-v2 service.
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/split/traffic-split-v1.yaml
- The count for the books sold from the bookstore-v2 browser window should stop incrementing. This is because the current traffic split policy is weighted 100 for bookstore-v1, which excludes pods backing the bookstore-v2 service. You can verify the traffic split policy by running the following and viewing the Backends properties:
kubectl describe trafficsplit bookstore-split -n bookstore
- Update the SMI Traffic Split policy to direct 50 percent of the traffic sent to the root bookstore service to the bookstore service and 50 percent to the bookstore-v2 service by adding the bookstore-v2 backend to the spec and modifying the weight fields.
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/split/traffic-split-50-50.yaml
- Update the bookstore-split TrafficSplit to configure all traffic to go to bookstore-v2:
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/split/traffic-split-v2.yaml
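The three manifests applied above fix the split at 100/0, 50/50 and 0/100. As an added example (not part of the original post or of the OSM project's manifests), the shell functions below generalize this to any canary weight and refuse invalid weights before anything reaches the cluster. The apiVersion, the root service host bookstore.bookstore and the bookstore-v1 backend name are assumptions; compare the output with kubectl get trafficsplit bookstore-split -n bookstore -o yaml before applying.

```shell
#!/usr/bin/env bash
# Added example: render the bookstore-split TrafficSplit for any canary weight.
# Assumed, not copied from the referenced manifests: the apiVersion, the root
# service host "bookstore.bookstore" and the backend name "bookstore-v1".

# render_split V2_WEIGHT
# Prints a manifest sending V2_WEIGHT percent of traffic to bookstore-v2 and the
# rest to bookstore-v1. Fails on anything that is not an integer from 0 to 100,
# so a pipeline into kubectl never applies a malformed policy.
render_split() {
  local v2="$1" v1
  case "$v2" in
    ''|*[!0-9]*|0?*|????*)
      echo "weight must be an integer from 0 to 100" >&2; return 1 ;;
  esac
  if [ "$v2" -gt 100 ]; then
    echo "weight must be an integer from 0 to 100" >&2; return 1
  fi
  v1=$((100 - v2))
  cat <<EOF
apiVersion: split.smi-spec.io/v1alpha2
kind: TrafficSplit
metadata:
  name: bookstore-split
  namespace: bookstore
spec:
  service: bookstore.bookstore
  backends:
  - service: bookstore-v1
    weight: ${v1}
  - service: bookstore-v2
    weight: ${v2}
EOF
}

# canary_step V2_WEIGHT
# Shows what would change on the cluster, then applies the new split.
# kubectl diff exits non-zero when it finds differences, hence "|| true".
canary_step() {
  local manifest
  manifest="$(render_split "$1")" || return 1
  printf '%s\n' "$manifest" | kubectl diff -f - || true
  printf '%s\n' "$manifest" | kubectl apply -f -
}

# Example rollout, one step at a time while watching the bookbuyer counters:
#   canary_step 10; canary_step 50; canary_step 100
```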
Written by

Chigozie Ozoemena