Selector
See also Selector reference
Selectors are used by flow control and observability components instantiated by Aperture Agents like Classifiers, Flux Meters and Load Scheduler. Selectors define scoping rules that decide how these components should select flows for their operations.
A Selector consists of:
- Control Point (required)
- Label Matcher (optional)
- Agent Group (optional)
- Service (optional)
Control Point
Control points are similar to feature flags. They identify the location in the code or data plane (web servers, service meshes, API gateways, and so on) where flow control decisions are applied. They're defined by developers using the SDKs or configured when integrating with API Gateways or Service Meshes.
In the above diagram, each service has HTTP or gRPC control points. Every
incoming API request to a service is a flow at its ingress
control point.
Likewise, every outgoing request from a service is a flow at its egress
control point.
In addition, the Frontend
service has feature control points identifying
recommendations and live-update features inside the Frontend
service's
code.
The Control Point definition does not care about which particular entity (like a pod) is handling a particular flow. A single Control Point covers all the entities belonging to the same service.
Use the aperturectl flow-control control-points
CLI command to
list active control points.
Label Matcher
The Label Matcher optionally narrows down the selected flow based on conditions on Labels.
There are multiple ways to define a label matcher. The simplest way is to provide a map of labels for exact-match:
label_matcher:
match_labels:
http.method: GET
Matching expression trees can also be used to define more complex conditions, including regular expression matching. Refer to Label Matcher reference for further details.
Example
service: checkout.myns.svc.cluster.local
agent_group: default
control_point: ingress
label_matcher:
match_labels:
user_tier: gold
Agent Group
The Agent Group and Service are optional constructs that help scale Aperture configuration in complex environments, such as Kubernetes, or in multi-cluster installations.
In standalone Aperture Agent deployments (not co-located with any service), the Control Points alone can be used to match flows to policies and that deployment can be used as a feature flag decision service serving remote flow control requests.
Agent Group is a flexible label that defines a collection of agents that operate as peers. For example, an Agent Group can be a Kubernetes cluster name in the case of DaemonSet deployment, or it can be a service name for sidecar deployments.
Agent Group defines the scope of agent-to-agent synchronization, with agents within the group forming a peer-to-peer network to synchronize fine-grained state per-label global counters that are used for rate-limiting purposes. Additionally, all agents within an Agent Group instantiate the same set of flow control components as published by the controller.
Service
A service in Aperture is similar to services tracked in Kubernetes or Consul. Services in Aperture are usually referred by their fully qualified domain names (FQDN).
A service is a collection of entities delivering a common functionality, such as checkout, billing and so on. Aperture maintains a mapping of entity IP addresses to service names. For each flow control decision request sent by an entity, Aperture looks up the service name and then decides which flow control components to execute.
An entity (Kubernetes pod, VM) might belong to multiple services.
any
: Can be used in a policy to match all services
Aperture Agents perform automated discovery of services and entities in environments such as Kubernetes and watch for any changes. Service and entity entries can also be created manually through configuration.
Services in Aperture are scoped within Agent Groups, creating two level hierarchies, e.g.:
In this example, there are two independent db.mynamespace.svc.cluster.local
services.
For single-cluster deployments, a single default
Agent Group can be used:
as another extreme, if Agent Groups already group entities into logical services, the Agent Group can be treated as a service to match flows to policies (useful when installing as a sidecar):
Agent Group name together with Service name determine the service to select flows from.
Gateways Integration
Aperture can be integrated with Gateways to control traffic before that is routed to the upstream service. Gateways can be configured to send flow control requests to Aperture for every incoming request.
As the requests to Aperture are sent from the Gateway, the service selector has
to be configured to match the Gateway's service. For example, if the Gateway
controller is running with service name nginx-server
in namespace nginx
, for
upstream service having location/route as /service1
, the selector should be
configured as follows:
service: nginx-server.nginx.svc.cluster.local
agent_group: default
control_point: service1
label_matcher:
match_labels:
http.target: "/service1"
Also, if the control point is configured uniquely for each location/route, the
control_point
field alone can be used to match the upstream service and the
rest of the fields can be omitted:
agent_group: default
control_point: service1
Filtering out liveness/health probes, and metrics endpoints
Liveness and health probes are essential for checking the health of the application, and metrics endpoints are necessary for monitoring its performance. However, these endpoints do not contribute to the overall latency of the service, and if included in latency calculations, they might cause requests to be rejected, leading to unnecessary pod restarts.
To prevent these issues, traffic to these endpoints can be filtered out by
matching expressions. In the example below, flows with http.target
starting
with /health, /live, or /ready, and User Agent starting with kube-probe/1.23
are filtered out.
service: checkout.myns.svc.cluster.local
agent_group: default
control_point: ingress
label_matcher:
match_expressions:
- key: http.target
operator: NotIn
values:
- /health
- /live
- /ready
- /metrics
- key: http.user_agent
operator: NotIn
values:
- kube-probe/1.23
Filtering out traffic to these endpoints can prevent unnecessary pod restarts and ensure that the application is available to handle real user traffic
Other flows can be filtered out by matching on different keys and operators,
such as http.method
with NotIn
operator and GET
value. For more
information on how to configure the Label Matcher, see the Label Matcher
reference.
Remember that while these endpoints might have a low latency, they should not be included in the overall latency of the service. Filtering them out can help improve the accuracy of latency calculations and prevent requests from being rejected.