Deployment and Operations

Configuring Fission to Run Functions as a Service

Cloudentity uses Fission to run Extension functions in a separate execution context, which increases security.

Fission Integration for FaaS

Cloudentity can execute authorization policy logic and custom extension scripts in a secure sandbox using the Function as a Service (FaaS) approach. This capability relies on Fission environments.

Learn more

To learn more, visit the Fission Concepts documentation.

Prerequisites

  • Kubernetes cluster v1.16+
  • Kubernetes fission v1.15+
  • Helm v3.0+

Integrate Fission

Cloudentity deploys Fission environment pods in an isolated namespace. This namespace must be created in advance. By default, the acp-faas namespace is used. If you want to use private Docker images like rego-env, a Docker registry secret must be added to that namespace.

Install Fission Using Helm

kubectl create namespace fission
kubectl create -k "github.com/fission/fission/crds/v1?ref=v1.16.0"
helm repo add fission-charts https://fission.github.io/fission-charts/
helm repo update
helm install --version v1.16.0 --namespace fission fission fission-charts/fission-all

Set Up Fission Workers For Cloudentity

kubectl create namespace acp-faas
kubectl create secret docker-registry docker.cloudentity.io \
  --namespace acp-faas \
  --docker-server=docker.cloudentity.io \
  --docker-username="$DOCKER_USR" \
  --docker-password="$DOCKER_PWD"

Enable Fission Integration

Configure your values.yaml file to enable Fission Integration and apply the changes:

fission:
  enabled: true
  namespace: acp-faas
  poolsize: 3
  resources:
    requests:
      cpu: 10m
      memory: 48Mi
    limits:
      cpu: 100m
      memory: 96Mi

Enabling Fission creates the following resources:

  • Fission environments for Node.js and REGO
  • A network policy that allows only public egress traffic from Fission environments

The network policy, as well as common pod parameters such as resources, tolerations, affinity, and more, can be modified for Fission pods. See the values reference.

Verify

  1. Check if all Fission pods are running.
kubectl get pods --namespace fission
  2. Check if all Fission pool pods are working.
kubectl get pods --namespace acp-faas
  3. Log in to the admin portal, navigate to Extensions > Scripts, create a script and try to execute it to check if everything works correctly.
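
The first two verification steps can be scripted, together with a check that the network policy and the registry secret exist in the worker namespace (a missing or wrong registry secret typically shows up as ImagePullBackOff on pods that use private images). This is an added example, not part of Cloudentity's or Fission's tooling; the sample pod names are constructed, and the FAAS_NS variable and the --live switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: scripted form of Verify steps 1 and 2 (not Cloudentity's tooling).
FAAS_NS="${FAAS_NS:-acp-faas}"   # namespace set under fission.namespace in values.yaml

# Constructed sample of `kubectl get pods --no-headers` output; pod names are made up.
SAMPLE_PODS='example-nodejs-pool-1   2/2   Running            0   5m
example-rego-pool-1     0/2   ImagePullBackOff   0   5m
example-setup-job-1     0/1   Completed          0   9m'

# Reads `kubectl get pods --no-headers` on stdin; prints "NAME READY STATUS" for
# every pod that is not Running with all containers ready. Completed job pods pass.
unhealthy_pods() {
  awk 'NF >= 3 && $3 != "Completed" {
    split($2, r, "/")
    if ($3 != "Running" || r[1] != r[2]) print $1, $2, $3
  }'
}

# Returns 0 only if the namespace has pods and all of them are healthy.
verify_namespace() {
  ns="$1"
  pods="$(kubectl get pods --namespace "$ns" --no-headers 2>/dev/null)" || {
    echo "[$ns] kubectl failed"; return 2; }
  [ -n "$pods" ] || { echo "[$ns] no pods found"; return 1; }
  bad="$(printf '%s\n' "$pods" | unhealthy_pods)"
  [ -z "$bad" ] || { echo "[$ns] unhealthy pods:"; echo "$bad"; return 1; }
  echo "[$ns] all pods healthy"
}

# Live checks run only with --live, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--live" ]; then
  rc=0
  verify_namespace fission || rc=1
  verify_namespace "$FAAS_NS" || rc=1
  # Enabling the integration is documented to create a network policy; confirm one exists.
  kubectl get networkpolicy --namespace "$FAAS_NS" --no-headers 2>/dev/null | grep -q . \
    || { echo "[$FAAS_NS] no NetworkPolicy found"; rc=1; }
  # The registry secret is needed to pull private images such as rego-env.
  kubectl get secret docker.cloudentity.io --namespace "$FAAS_NS" >/dev/null 2>&1 \
    || { echo "[$FAAS_NS] registry secret missing"; rc=1; }
  exit "$rc"
fi
```

Run it with --live against a cluster; a non-zero exit code means at least one check failed.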