You can monitor traffic between services and configure certain security policies and features in Tanzu Service Mesh's global namespaces. There are three types of auto discovery: API discovery, PII data discovery, and user discovery. When creating a global namespace, you can activate any or all of these auto discovery options.
Prerequisites
Onboard the clusters where your services are deployed to Tanzu Service Mesh. For a global namespace, you must onboard at least two clusters.
Know the Kubernetes namespaces in your clusters that hold the services of your application.
Learn more about Tanzu Service Mesh and global namespace in About Tanzu Service Mesh Concepts.
For more information on how to create a global namespace for your application services, see Connect Services Across Clusters with a Global Namespace.
Procedure
- On the Autodiscovery page of the New Global Namespace wizard, you can activate any or all of these: API Discovery, PII Data Discovery, and User Discovery.
- API Discovery. It is required to observe and monitor API traffic between services in the GNS and to configure API Security policies. If you want to activate API Discovery, follow these steps:
- Activate the API Discovery toggle.
- Select all services or specific services. Service Types (internal/public) can also be specified.
- (Optional) In the Advanced Settings, you can add one or more endpoint discovery patterns.
The screenshot for this step shows the following pattern settings:
Hostname is of the form service:port.
Regex pattern checkout[1-2]* discovers the checkout1 and checkout2 endpoints; regex pattern [a-z_]+/.jpg discovers only .jpg images whose names use the letters a to z. Note that an unanchored pattern matches anywhere in the path, the * quantifier also accepts zero repetitions, and an unescaped . matches any character, so if you want exactly those endpoints, anchor the pattern and escape the dot (for example checkout[12]$ and [a-z_]+\.jpg$).
All related paths are grouped under a common template of the form /vendor/[param1]/css/[param2]. For example, with the template /vendor/[vendorId]/css/[cssId], the two endpoints /vendor/font-awesome/css/font-awesome.min.css and /vendor/bootstrap/css/bootstrap.min.css appear in Kibana as the single endpoint /vendor/[vendorId]/css/[cssId].
Generation Id is used to reset previously existing discovery data; set a new value when you want discovery for the pattern to start again rather than build on the data already collected.
- (Optional) In Mime Types to ignore, add one or more mime types (such as image/png, text/css) that can be ignored while discovering APIs.
- In Response Codes for Schema Discovery, either choose Default Response Codes or choose Specify Response Codes and enter the response codes whose responses should be used to discover API schemas.
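The following Python is an added illustration and not code from Tanzu Service Mesh; the function names, the hypothetical discover_endpoints model and the sample traffic are constructed for this example only. It shows the combined effect of the Advanced Settings above: a path regex that filters which endpoints are discovered, a [param] template that collapses related paths into one endpoint, a MIME-type ignore list, and the response-code filter for schema discovery. It also shows why the unanchored pattern checkout[1-2]* quoted above discovers more than checkout1 and checkout2.

```python
import re

# Constructed sample traffic as (path, response Content-Type, status code).
# Illustrative data only, not output from Tanzu Service Mesh or any real cluster.
SAMPLE_TRAFFIC = [
    ("/vendor/font-awesome/css/font-awesome.min.css", "text/css", 200),
    ("/vendor/bootstrap/css/bootstrap.min.css", "text/css", 200),
    ("/static/logo.png", "image/png", 200),
    ("/media/cart.jpg", "image/jpeg", 200),
    ("/checkout1", "application/json", 200),
    ("/checkout2", "application/json", 500),
    ("/checkout", "application/json", 200),
    ("/checkout12", "application/json", 200),
]


def template_to_regex(template):
    """Turn a template such as '/vendor/[vendorId]/css/[cssId]' into an anchored
    regex. Each [name] placeholder becomes a named group matching one path segment."""
    parts = []
    for piece in re.split(r"(\[[A-Za-z_][A-Za-z0-9_]*\])", template):
        if piece.startswith("[") and piece.endswith("]"):
            parts.append(f"(?P<{piece[1:-1]}>[^/]+)")
        else:
            parts.append(re.escape(piece))
    return re.compile("^" + "".join(parts) + "$")


def discover_endpoints(traffic, path_regexes, templates, ignored_mime_types, schema_codes):
    """Hypothetical model of the wizard's settings (not the product's own algorithm):
    - responses whose MIME type is in ignored_mime_types are skipped,
    - if path_regexes is non-empty, a path must match at least one of them,
    - a path that fits a [param] template is reported under the template,
    - only responses with a status in schema_codes count as schema samples.
    Returns {endpoint: {"hits": n, "schema_samples": m}}."""
    compiled = [re.compile(r) for r in path_regexes]
    compiled_templates = [(t, template_to_regex(t)) for t in templates]
    result = {}
    for path, mime, status in traffic:
        if mime in ignored_mime_types:
            continue
        if compiled and not any(r.search(path) for r in compiled):
            continue
        endpoint = path
        for template, rx in compiled_templates:
            if rx.match(path):
                endpoint = template
                break
        entry = result.setdefault(endpoint, {"hits": 0, "schema_samples": 0})
        entry["hits"] += 1
        if status in schema_codes:
            entry["schema_samples"] += 1
    return result


if __name__ == "__main__":
    # The page's pattern: '*' allows zero digits and nothing anchors the end,
    # so '/checkout' and '/checkout12' are discovered as well.
    print(discover_endpoints(SAMPLE_TRAFFIC, [r"checkout[1-2]*"], [], set(), {200}))
    # Anchored alternative that discovers exactly checkout1 and checkout2.
    print(discover_endpoints(SAMPLE_TRAFFIC, [r"^/checkout[12]$"], [], set(), {200}))
    # Template grouping with image/png ignored and only 200 responses used for schemas.
    print(discover_endpoints(SAMPLE_TRAFFIC, [], ["/vendor/[vendorId]/css/[cssId]"],
                             {"image/png"}, {200}))
```

The template regex deliberately matches one path segment per placeholder, which is why the two CSS files collapse into a single endpoint while the .jpg path stays separate; a template with fewer literal segments would group more aggressively and hide real endpoint differences in the inventory.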
- PII Data Discovery. It is required to observe and monitor data in flight between services in the GNS and to configure data security policies. If you want to activate PII Data Discovery, follow these steps:
- Activate the PII Data Discovery toggle.
- Select all services or specific services. Service Types (internal/public) can also be specified.
- Select the PII Data Group Types from the given options.
- (Optional) In the Advanced Settings, select the Mime Types to ignore. Add one or more mime types (such as image/png, text/css) that can be ignored while discovering PII data.
- In Performance Optimization, activate Detection mode to only detect PII data without enforcing the data policies. If Detection mode is not selected, the system operates in Enforcement mode and applies the data policies to matching traffic. A common practice is to run in Detection mode first and review what is found before switching to Enforcement mode, so that detector false positives do not affect legitimate traffic.
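The following Python is an added example, not Tanzu Service Mesh code; the PII group types, the detectors, the process_response function and the sample responses are hypothetical and constructed for illustration. It shows the practical difference between Detection mode and Enforcement mode on the same traffic, that an ignored MIME type is never scanned, and one check (a Luhn test on card-number candidates) that keeps a detector from flagging every long digit run.

```python
import re

# Constructed sample responses as (Content-Type, body). Illustrative only; the
# email, card number and SSN are well-known test values, not real data.
SAMPLE_RESPONSES = [
    ("application/json",
     '{"name": "Ann", "email": "ann@example.com", "card": "4111 1111 1111 1111"}'),
    ("text/css", 'body::after { content: "ann@example.com"; }'),
    ("text/plain", "ticket 42 reassigned, applicant ssn 123-45-6789"),
]

# Hypothetical PII group types; the product's own categories and detectors are not shown here.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def luhn_ok(candidate):
    """Luhn checksum, used to drop digit runs that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_body(body):
    """Return [(pii_type, matched_text)] for every detector hit in the body."""
    findings = []
    for pii_type, rx in PII_PATTERNS.items():
        for match in rx.finditer(body):
            text = match.group(0)
            if pii_type == "credit_card" and not luhn_ok(text):
                continue
            findings.append((pii_type, text))
    return findings


def process_response(mime, body, ignored_mime_types, detection_mode):
    """Apply the policy to one response.
    Detection mode: report findings and return the body unchanged.
    Enforcement mode: additionally redact every finding.
    Ignored MIME types are never scanned, so nothing is found or redacted there."""
    if mime in ignored_mime_types:
        return body, []
    findings = scan_body(body)
    if detection_mode:
        return body, findings
    redacted = body
    for _, text in findings:
        redacted = redacted.replace(text, "[REDACTED]")
    return redacted, findings


if __name__ == "__main__":
    for mode in (True, False):
        print("detection_mode =", mode)
        for mime, body in SAMPLE_RESPONSES:
            out, found = process_response(mime, body, {"text/css", "image/png"}, mode)
            print(" ", mime, found, out)
```

Running it in Detection mode lists the email and card number in the JSON body and the SSN in the text body while leaving every body intact; switching to Enforcement mode redacts those same findings. The CSS body contains an email address but is never reported in either mode because text/css is on the ignore list, which is the trade-off to keep in mind when adding MIME types for performance.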
- User Discovery. It is required to observe and monitor user activity between the services in the GNS and to configure user security. If you want to activate User Discovery, follow these steps:
- Activate the User Discovery toggle.
- Select all services or specific services. Service Types (internal/public) can also be specified.
- To add an extraction type, in Identity Source Types select the Type (user ID, session ID, or logout), the Direction, the URL, the From field, and the Format.
Results
The auto discovery options have been activated successfully.