ASM UMN 20260316 version

Reviewed-by: Gergo-Bence Lorincz <a200452876@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: qiujiandong1 <qiujiandong1@huawei.com>
Co-committed-by: qiujiandong1 <qiujiandong1@huawei.com>
2026-03-19 12:01:14 +00:00
committed by zuul
parent 719d8b18de
commit 3d21c1b3f6
17 changed files with 1277 additions and 330 deletions

File diff suppressed because it is too large Load Diff


View File

@ -7,9 +7,9 @@
<div class="section" id="asm_01_0020__en-us_topic_0000001542706401_section1486314595204"><h4 class="sectiontitle">Constraints</h4><ul id="asm_01_0020__en-us_topic_0000001542706401_ul186475910202"><li id="asm_01_0020__en-us_topic_0000001542706401_li1786417596203">ASM depends on the domain name resolution of CoreDNS. Before creating a service mesh for a cluster, ensure that the cluster has required resources and CoreDNS is running normally.</li><li id="asm_01_0020__li133817361244">The components of Istio 1.13 and 1.15 cannot run on nodes running CentOS or EulerOS 2.5. When creating a service mesh, do not specify these types of nodes as master nodes.</li></ul>
</div>
<div class="section" id="asm_01_0020__en-us_topic_0000001542706401_section201371027102715"><h4 class="sectiontitle">Procedure</h4><ol id="asm_01_0020__en-us_topic_0000001542706401_ol1158918434276"><li id="asm_01_0020__en-us_topic_0000001542706401_li184614499427"><span>Log in to the ASM console.</span></li><li id="asm_01_0020__en-us_topic_0000001542706401_li125894431271"><span>Click <strong id="asm_01_0020__b205391310114513">Create Mesh</strong> in the upper right corner.</span></li><li id="asm_01_0020__en-us_topic_0000001542706401_li135891543162714"><span>Configure the following parameters.</span><p><ul id="asm_01_0020__en-us_topic_0000001542706401_ul75901043202711"><li id="asm_01_0020__en-us_topic_0000001542706401_li2092711501216"><strong id="asm_01_0020__en-us_topic_0000001542706401_b1094850142211">Mesh Edition</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p4479132261213">Only service meshes of the Basic edition are supported for commercial use.</p>
</li><li id="asm_01_0020__en-us_topic_0000001542706401_li35901243162718"><strong id="asm_01_0020__b1101751604">Mesh Name</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p19590743152711">Enter a service mesh name, which consists of 4 to 64 characters. It must start with a lowercase letter and cannot end with a hyphen (-). Only lowercase letters, digits, and hyphens (-) are allowed.</p>
</li><li id="asm_01_0020__en-us_topic_0000001542706401_li35901243162718"><strong id="asm_01_0020__b22496209">Mesh Name</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p19590743152711">Enter a service mesh name, which consists of 4 to 64 characters. It must start with a lowercase letter and cannot end with a hyphen (-). Only lowercase letters, digits, and hyphens (-) are allowed.</p>
<p id="asm_01_0020__en-us_topic_0000001542706401_p11590144316275">Each name in the same account must be unique. After a service mesh is created, the name cannot be modified.</p>
</li><li id="asm_01_0020__en-us_topic_0000001542706401_li3590184362716"><strong id="asm_01_0020__b1115042375">Istio Version</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p19590144310274">Select the Istio version supported by the service mesh.</p>
</li><li id="asm_01_0020__en-us_topic_0000001542706401_li3590184362716"><strong id="asm_01_0020__b1611790005">Istio Version</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p19590144310274">Select the Istio version supported by the service mesh.</p>
</li><li id="asm_01_0020__li20991123625914"><strong id="asm_01_0020__b54661518132116">Enable IPv6</strong><p id="asm_01_0020__p04381549215">Conditions for enabling IPv4/IPv6 dual stack for a service mesh</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="asm_01_0020__table11439754142117" frame="border" border="1" rules="all"><thead align="left"><tr id="asm_01_0020__row1743955417212"><th align="left" class="cellrowborder" valign="top" width="12.379999999999999%" id="mcps1.3.4.2.3.2.1.4.3.1.6.1.1"><p id="asm_01_0020__p1643985417218">Service Mesh Edition</p>
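Review bot: The two changed list items in this hunk (Mesh Name and Istio Version) differ only in the generated id on the `<strong>` element, for example b1101751604 becoming b22496209; the visible text is identical. If the export regenerates these ids on every run, pin them in the source or filter them out before committing, because the churn hides real content changes and breaks any deep link that targets the old anchors.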
@ -42,19 +42,19 @@
<div class="note" id="asm_01_0020__note18440654152111"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="asm_01_0020__ul1744075432120"><li id="asm_01_0020__li1744055413210"><strong id="asm_01_0020__b11396256101815">Enable IPv6</strong> is only available in Basic service meshes based on Istio 1.18 or later.</li><li id="asm_01_0020__li194404548216">IPv4/IPv6 dual stack cannot be enabled for a service mesh whose Istio version is upgraded to 1.18 or later.</li></ul>
<ul id="asm_01_0020__ul144085482119"><li id="asm_01_0020__li1344010549212">IPv4/IPv6 dual stack cannot be disabled once it is enabled for a service mesh. IPv4/IPv6 dual stack cannot be enabled for an existing service mesh.</li></ul>
</div></div>
</li><li id="asm_01_0020__en-us_topic_0000001542706401_li4590154315271"><strong id="asm_01_0020__b1657068806">Cluster</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p4590184313278">Select the cluster from the cluster list or enter the cluster name in the upper right corner of the list to search for the cluster. You can only select the clusters whose versions are supported by the current service mesh version.</p>
</li><li id="asm_01_0020__en-us_topic_0000001542706401_li159044311277"><strong id="asm_01_0020__b871656394">Mesh Control Plane Node</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p125902437272">The control plane components of a Basic service mesh are installed in your cluster. You need to select a node for installing the control plane. If HA is required, you can select two or more nodes from different AZs.</p>
</li><li id="asm_01_0020__en-us_topic_0000001542706401_li4590154315271"><strong id="asm_01_0020__b1825392822">Cluster</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p4590184313278">Select the cluster from the cluster list or enter the cluster name in the upper right corner of the list to search for the cluster. You can only select the clusters whose versions are supported by the current service mesh version.</p>
</li><li id="asm_01_0020__en-us_topic_0000001542706401_li159044311277"><strong id="asm_01_0020__b553295356">Mesh Control Plane Node</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p125902437272">The control plane components of a Basic service mesh are installed in your cluster. You need to select a node for installing the control plane. If HA is required, you can select two or more nodes from different AZs.</p>
<p id="asm_01_0020__en-us_topic_0000001542706401_p1959024392713">A selected node will be labeled with <strong id="asm_01_0020__b12113195612363">istio:master</strong>, and the components will be scheduled to that node.</p>
</li><li id="asm_01_0020__li17225629125"><strong id="asm_01_0020__b182161818152520">Observability Configuration</strong><ul id="asm_01_0020__ul162251921123"><li id="asm_01_0020__li1522512214127"><strong id="asm_01_0020__b1443315218391">Tracing</strong><p id="asm_01_0020__p015131035712"><strong id="asm_01_0020__b1314122314192">Enable Call Chain</strong>: If this option is enabled, you can use distributed tracing to track requests in the service mesh.</p>
<p id="asm_01_0020__p3225124129">- <strong id="asm_01_0020__b1649171110292">Sampling Rate</strong>: The number of requests generated by the tracing service/The total number of requests</p>
<p id="asm_01_0020__p722519210123">- <strong id="asm_01_0020__b13853258294">Version</strong>: tracing service. If you select <strong id="asm_01_0020__b1028517591813">Third-party Jaeger/Zipkin service</strong>, you need to set <strong id="asm_01_0020__b613018597425">Service Address</strong> and <strong id="asm_01_0020__b665636154317">Service Port</strong>, which indicate the address and port number used by the third-party tracing service to receive requests.</p>
<div class="note" id="asm_01_0020__note122518211219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="asm_01_0020__ul1522613251216"><li id="asm_01_0020__li112261223127">Only Istio 1.15 or later support the third-party tracing service.</li><li id="asm_01_0020__li142761222131512">If you want to use the third-party Jaeger or Zipkin service, install it first. Then, obtain the service address.</li><li id="asm_01_0020__li1622612111211">The default service ports of Jaeger and Zipkin are both 9411. If you create a custom service port during Jaeger or Zipkin installation, replace <strong id="asm_01_0020__b1161449123214">Service Port</strong> with the actual value.</li></ul>
<div class="note" id="asm_01_0020__note122518211219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="asm_01_0020__ul1522613251216"><li id="asm_01_0020__li112261223127">Only Istio 1.15 and later versions support third-party tracing services.</li><li id="asm_01_0020__li142761222131512">If you want to use the third-party Jaeger or Zipkin service, install it first. Then, obtain the service address.</li><li id="asm_01_0020__li1622612111211">The default service ports of Jaeger and Zipkin are both 9411. If you create a custom service port during Jaeger or Zipkin installation, replace <strong id="asm_01_0020__b1161449123214">Service Port</strong> with the actual value.</li></ul>
</div></div>
</li></ul>
</li></ul>
</p></li><li id="asm_01_0020__en-us_topic_0000001542706401_li185901043112713"><span>(Optional) Specify advanced settings.</span><p><ul id="asm_01_0020__en-us_topic_0000001542706401_ul195914431277"><li id="asm_01_0020__en-us_topic_0000001542706401_li105911243172720"><strong id="asm_01_0020__b1108310788">Namespace Injection Settings</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p0591154316270">Select a namespace and label it with <strong id="asm_01_0020__b0190101221818">istio-injection=enabled</strong>. After being restarted, all pods in the namespace will be automatically injected with istio-proxy sidecars.</p>
</p></li><li id="asm_01_0020__en-us_topic_0000001542706401_li185901043112713"><span>(Optional) Specify advanced settings.</span><p><ul id="asm_01_0020__en-us_topic_0000001542706401_ul195914431277"><li id="asm_01_0020__en-us_topic_0000001542706401_li105911243172720"><strong id="asm_01_0020__b337428543">Namespace Injection Settings</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p0591154316270">Select a namespace and label it with <strong id="asm_01_0020__b0190101221818">istio-injection=enabled</strong>. After being restarted, all pods in the namespace will be automatically injected with istio-proxy sidecars.</p>
<p id="asm_01_0020__en-us_topic_0000001542706401_p1459184332714">If you do not configure namespace injection, you can inject a sidecar on the <strong id="asm_01_0020__b1960806132112">Sidecar Management</strong> tab (<strong id="asm_01_0020__b86087612111">Mesh Configuration</strong> &gt; <strong id="asm_01_0020__b196087611215">Sidecar Management</strong>) after the service mesh is created. For details, see <a href="asm_01_0041.html#asm_01_0041__section65931513505">Injecting a Sidecar</a>.</p>
</li><li id="asm_01_0020__en-us_topic_0000001542706401_li1059184310276"><strong id="asm_01_0020__b109080228">Restart Existing Services</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p12591144362715"><span><img id="asm_01_0020__image879324619490" src="en-us_image_0000001920032153.png"></span>: The pods of existing services in the namespace will be restarted, which will temporarily interrupt your services. The istio-proxy sidecars can be automatically injected to the pods of existing services only after the pods are restarted.</p>
</li><li id="asm_01_0020__en-us_topic_0000001542706401_li1059184310276"><strong id="asm_01_0020__b1505440256">Restart Existing Services</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p12591144362715"><span><img id="asm_01_0020__image879324619490" src="en-us_image_0000001920032153.png"></span>: The pods of existing services in the namespace will be restarted, which will temporarily interrupt your services. The istio-proxy sidecars can be automatically injected to the pods of existing services only after the pods are restarted.</p>
<p id="asm_01_0020__en-us_topic_0000001542706401_p195911343162718"><span><img id="asm_01_0020__en-us_topic_0000001542706401_image1736110311031" src="en-us_image_0000001494249996.png"></span>: The istio-proxy sidecars cannot be automatically injected into the pods of existing services. You need to manually restart the pods on the CCE console to inject the sidecars.</p>
</li><li id="asm_01_0020__li103761117176"><strong id="asm_01_0020__b161488533415">Traffic Interception Settings</strong><div class="note" id="asm_01_0020__note9376117978"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0020__p2376181712720">By default, sidecars intercept all inbound and outbound traffic of pods. You can modify the default traffic rules in <strong id="asm_01_0020__b134331479345">Traffic Interception Settings</strong>.</p>
</div></div>
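Review bot: In the tracing note, the reworded first bullet reads better, but the bullets still tell users to enter a Service Address and Service Port for a third-party Jaeger/Zipkin service without saying where that endpoint may live or how the connection to it is protected. Trace data is sent to that address, so state whether it must be reachable only from inside the cluster and whether the link is plaintext. In the same hunk, the two Restart Existing Services paragraphs distinguish the enabled and disabled states only through `<img>` elements with no alt text; add alt text or name the state in words.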
@ -67,9 +67,9 @@
<p id="asm_01_0020__p11377181717712"><strong id="asm_01_0020__b20653518442">Outbound IP Ranges</strong>: IP address ranges separated by commas (,) in CIDR format. You can use this field to specify the IP ranges that will be included or excluded for outbound traffic redirection.</p>
<ul id="asm_01_0020__ul1337716172078"><li id="asm_01_0020__li1377417579"><strong id="asm_01_0020__b39502030153411">Include only specified IP ranges</strong> means that the traffic from specified IP ranges will be redirected to the sidecar.</li></ul>
<ul id="asm_01_0020__ul14377181711717"><li id="asm_01_0020__li3377171710719"><strong id="asm_01_0020__b393303213347">Exclude only specified IP ranges</strong> means that the traffic from IP ranges except the specified IP ranges will be redirected to the sidecar.</li></ul>
</li><li id="asm_01_0020__li1611138125316"><strong id="asm_01_0020__b308289121">Resource Tags</strong><p id="asm_01_0020__p1711128135317">Enter the tag key and tag value. A maximum of 20 tags can be added.</p>
</li><li id="asm_01_0020__li1611138125316"><strong id="asm_01_0020__b896573998">Resource Tags</strong><p id="asm_01_0020__p1711128135317">Enter the tag key and tag value. A maximum of 20 tags can be added.</p>
</li></ul>
</p></li><li id="asm_01_0020__en-us_topic_0000001542706401_li859154318271"><span>Review the service mesh configuration in <strong id="asm_01_0020__b298934016">Configuration List</strong> on the right of the page and click <strong id="asm_01_0020__b1869262857">Submit</strong>.</span><p><p id="asm_01_0020__en-us_topic_0000001542706401_p13591174382714">It takes about 1 to 3 minutes to create a service mesh. If the service mesh status changes from <strong id="asm_01_0020__b1089376003">Installing</strong> to <strong id="asm_01_0020__b341929893">Running</strong>, the service mesh is successfully created.</p>
</p></li><li id="asm_01_0020__en-us_topic_0000001542706401_li859154318271"><span>Review the service mesh configuration in <strong id="asm_01_0020__b1410335113">Configuration List</strong> on the right of the page and click <strong id="asm_01_0020__b250962436">Submit</strong>.</span><p><p id="asm_01_0020__en-us_topic_0000001542706401_p13591174382714">It takes about 1 to 3 minutes to create a service mesh. If the service mesh status changes from <strong id="asm_01_0020__b1250689906">Installing</strong> to <strong id="asm_01_0020__b1089094307">Running</strong>, the service mesh is successfully created.</p>
<div class="note" id="asm_01_0020__en-us_topic_0000001542706401_note14591184342712"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0020__en-us_topic_0000001542706401_p1459119432275">When the service mesh is enabled, the following operations are performed:</p>
<ul id="asm_01_0020__en-us_topic_0000001542706401_ul859134311276"><li id="asm_01_0020__en-us_topic_0000001542706401_li195911043152719">Helm orchestrates the application into a Release as the resource of the service mesh control plane.</li></ul>
</div></div>
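Review bot: The Outbound IP Ranges bullets in the context lines describe outbound redirection as applying to traffic "from" the specified IP ranges; for outbound traffic the ranges are destinations, so both bullets should say "to". It is also worth stating the consequence for the Exclude option: traffic to ranges that are not redirected bypasses the sidecar, and with it any mesh policy enforced there. The changed lines themselves (Resource Tags, Configuration List, Submit, Installing, Running) only swap generated ids.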

View File

@ -5,12 +5,15 @@
<div class="section" id="asm_01_0041__section65931513505"><a name="asm_01_0041__section65931513505"></a><a name="section65931513505"></a><h4 class="sectiontitle">Injecting a Sidecar</h4><p id="asm_01_0041__p1820212632111">You can view the namespace and cluster that the injected sidecar belongs to. If no sidecar has been injected or you need to inject sidecars for more namespaces, perform the following operations:</p>
<ol id="asm_01_0041__ol13641175216560"><li id="asm_01_0041__li683575385614"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0041__li987742619292"><span>In the navigation pane, choose <strong id="asm_01_0041__b23024965310246">Mesh Configuration</strong>. Then, click the <strong id="asm_01_0041__b79698741510246">Sidecar Management</strong> tab.</span></li><li id="asm_01_0041__li122863200343"><span>Click <strong id="asm_01_0041__b212025475310246">Sidecar Management</strong>, select a namespace, determine whether enable <strong id="asm_01_0041__b34328513417">Restart Existing Services</strong>, and click <strong id="asm_01_0041__b163426572510246">OK</strong>.</span><p><p id="asm_01_0041__p5867153384619">Parameter description:</p>
<ul id="asm_01_0041__ul1213414267113"><li id="asm_01_0041__li151346264113"><strong id="asm_01_0041__b162639501293">Namespace</strong>: Select one or more namespaces. The system adds labels for namespaces based on Istio versions.<ul id="asm_01_0041__ul715833017173"><li id="asm_01_0041__li115810307178"><strong id="asm_01_0041__b93355351461">istio-injection=enabled</strong> can be used in Istio 1.13.9-r3 and earlier versions, as well as Istio 1.15.5-r2 and earlier versions.</li></ul>
<ul id="asm_01_0041__ul196772518187"><li id="asm_01_0041__li6677853189"><strong id="asm_01_0041__b5658241104719">istio.io/rev=&lt;revision&gt;</strong> can be used in Istio later than 1.13.9-r3, Istio later than 1.15.5-r2, and all Istio 1.18 versions.</li></ul>
<ul id="asm_01_0041__ul196772518187"><li id="asm_01_0041__li6677853189"><strong id="asm_01_0041__b5658241104719">istio.io/rev=&lt;revision&gt;</strong> can be used in Istio later than 1.13.9-r3, Istio later than 1.15.5-r2, all Istio 1.18 versions, and all Istio 1.28 versions.</li></ul>
</li><li id="asm_01_0041__li1283731219"><strong id="asm_01_0041__b176898850910246">Restart Existing Services</strong><p id="asm_01_0041__p16974516217"><span><img id="asm_01_0041__image1251935012150" src="en-us_image_0000001930216052.png"></span>: Enabling <strong id="asm_01_0041__b178031814163717">Restart Existing Services</strong> will restart the pods of existing services and temporarily interrupt your services. New pods will have istio-proxy sidecars automatically injected.</p>
<ul id="asm_01_0041__ul1893924912361"><li id="asm_01_0041__li149404492367">If you select a new namespace, an automatic injection label is added. After all pods running the Deployment in that namespace are restarted, the istio-proxy sidecars will be automatically injected into new pods.</li></ul>
<ul id="asm_01_0041__ul330205410366"><li id="asm_01_0041__li5302135413618">If you deselect a namespace, the automatic injection label is deleted. After all pods running the Deployment in that namespace are restarted, new pods do not have istio-proxy sidecars.</li></ul>
<ul id="asm_01_0041__ul157408585364"><li id="asm_01_0041__li074055833619">If there are pods that are not injected with sidecars in selected namespaces, all pods running the Deployment will be restarted to inject sidecars. If all pods have sidecars injected, the pods will not be restarted.</li></ul>
<p id="asm_01_0041__p45731657222"><span><img id="asm_01_0041__image1736110311031" src="en-us_image_0000001256463368.png"></span>: When you do not enable <strong id="asm_01_0041__b198411563510">Restart Existing Services</strong>, the istio-proxy sidecars cannot be automatically injected into the pods of existing services. In this case, you need to manually restart the pods on the CCE console to inject the sidecars. This parameter affects only existing services. If the namespaces are labeled with <strong id="asm_01_0041__b1545117533412">istio-injection=enabled</strong>, sidecars will be automatically injected into new pods.</p>
<p id="asm_01_0041__p45731657222"><span><img id="asm_01_0041__image1736110311031" src="en-us_image_0000001256463368.png"></span>: The istio-proxy sidecars cannot be automatically injected into the pods of existing services. You need to manually restart the pods on the CCE console to inject the sidecars. This parameter affects only existing services. If the namespaces are labeled with <strong id="asm_01_0041__b1545117533412">istio-injection=enabled</strong> or <strong id="asm_01_0041__b95971230195613">istio.io/rev=&lt;revision&gt;</strong>, sidecars will be automatically injected into new pods.</p>
<div class="caution" id="asm_01_0041__note1035861813226"><span class="cautiontitle"><img src="public_sys-resources/caution_3.0-en-us.png"> </span><div class="cautionbody"><p id="asm_01_0041__p191121442193617">This module does not provide the function of restarting services in a specific namespace. If a namespace is not selected, the automatic injection label will be removed from the namespace. After the workload in the namespace is restarted, the istio-proxy sidecar will not be automatically injected.</p>
<p id="asm_01_0041__p735815185225">To inject a sidecar into a workload in a specified namespace, ensure that the namespace is selected and enabled. Then, go to the <strong id="asm_01_0041__b106411057172819">Workloads</strong> page of the CCE cluster console, select the workload, and choose <strong id="asm_01_0041__b173501542913">More</strong> &gt; <strong id="asm_01_0041__b156784815297">Redeploy</strong>. After the workload is restarted, the istio-proxy sidecar is automatically injected.</p>
</div></div>
</li><li id="asm_01_0041__li975935132613"><strong id="asm_01_0041__b4935192843517">Traffic Interception Settings</strong><div class="note" id="asm_01_0041__note130182311537"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0041__p5301112325320">By default, sidecars intercept all inbound and outbound traffic of pods. You can modify the default traffic rules in <strong id="asm_01_0041__b15949143017359">Traffic Interception Settings</strong>.</p>
</div></div>
<p id="asm_01_0041__p10174123175619"><strong id="asm_01_0041__b97421432123511">Inbound Ports</strong>: Inbound ports separated by commas (,). You can use this field to specify the ports that will be included or excluded for inbound traffic redirection.</p>
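Review bot: The rewritten paragraph p45731657222 drops the clause "When you do not enable Restart Existing Services" and now opens with an image followed by a colon, so the disabled state is identified only by an `<img>` with no alt text. Keep the state in words or add alt text. The new caution also says that a namespace left unselected has its automatic injection label removed, which a user can trigger by accident while editing the selection; consider repeating that sentence in the step that asks the user to select a namespace and click OK, so it is read before the change is applied.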
@ -23,7 +26,8 @@
<ul id="asm_01_0041__ul13301528313"><li id="asm_01_0041__li5311221939"><strong id="asm_01_0041__b922854213514">Include only specified IP ranges</strong> means that the traffic from specified IP ranges will be redirected to the sidecar.</li></ul>
<ul id="asm_01_0041__ul112121251130"><li id="asm_01_0041__li42121455318"><strong id="asm_01_0041__b19623164303511">Exclude only specified IP ranges</strong> means that the traffic from IP ranges except the specified IP ranges will be redirected to the sidecar.</li></ul>
</li></ul>
<div class="note" id="asm_01_0041__note1279618584133"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="asm_01_0041__ul97451116162713"><li id="asm_01_0041__li1974521615271">If the system displays a message indicating that modification of namespace injection is not enabled in the following clusters, you need to run the <strong id="asm_01_0041__b11447123395415">kubectl</strong> command to enable namespace injection. For details, see <a href="asm_faq_0036.html">How Do I Enable Namespace Injection for a Cluster?</a>.</li><li id="asm_01_0041__li12746181642719">After sidecar injection is enabled for a namespace of a cluster, sidecars are automatically injected for pods of all workloads in the namespace. If you do not want to inject sidecars for some workloads, see <a href="asm_faq_0037.html">How Do I Disable Sidecar Injection for Workloads?</a>.</li></ul>
<div class="note" id="asm_01_0041__note1279618584133"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="asm_01_0041__ul3174175111130"><li id="asm_01_0041__li151741951141317">For details about why sidecar injection failed, see .</li></ul>
<ul id="asm_01_0041__ul97451116162713"><li id="asm_01_0041__li1974521615271">If ASM displays a message indicating that modification of namespace injection is not enabled in the following clusters, you need to run the <strong id="asm_01_0041__b11447123395415">kubectl</strong> command to enable namespace injection. For details, see <a href="asm_faq_0036.html">How Do I Enable Namespace Injection for a Cluster?</a></li><li id="asm_01_0041__li12746181642719">After sidecar injection is enabled for a namespace of a cluster, sidecars are automatically injected for pods of all workloads in the namespace. If you do not want to inject sidecars for some workloads, see <a href="asm_faq_0037.html">How Do I Disable Sidecar Injection for Workloads?</a></li></ul>
</div></div>
</p></li></ol>
</div>
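Review bot: The new first bullet in the note reads "For details about why sidecar injection failed, see ." with no link target, so the cross-reference was lost in the export. Add the `<a href>` to the intended topic or drop the bullet until the target exists. The second list also removes the full stop after both FAQ links; that is fine where the link text ends in a question mark, but apply it consistently across the guide.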

View File

@ -1,7 +1,7 @@
<a name="asm_01_0124"></a><a name="asm_01_0124"></a>
<h1 class="topictitle1">Features in v1.18</h1>
<div id="body0000001737146797"><ul id="asm_01_0124__ul1742120185319"><li id="asm_01_0124__li1842160195316">Istio 1.18 is supported.</li><li id="asm_01_0124__li1036314425311">CCE Turbo clusters v1.25, v1.27, v1.28, v1.29, and v1.30, as well as v1.31 are supported.</li><li id="asm_01_0124__li6393101715319">CCE clusters v1.25, v1.27, v1.28, v1.29, and v1.30, as well as v1.31 are supported.</li><li id="asm_01_0124__li1910522175320">Kubernetes Gateway API is supported.</li></ul>
<div id="body0000001737146797"><ul id="asm_01_0124__ul1742120185319"><li id="asm_01_0124__li1842160195316">Istio 1.18 is supported.</li><li id="asm_01_0124__li1036314425311">CCE Turbo clusters v1.25, v1.27, v1.28, v1.29, v1.30, and v1.31, as well as v1.32 and v1.33 are supported.</li><li id="asm_01_0124__li6393101715319">CCE clusters v1.25, v1.27, v1.28, v1.29, v1.30, and v1.31 , as well as v1.32 and v1.33 are supported.</li><li id="asm_01_0124__li1910522175320">Kubernetes Gateway API is supported.</li></ul>
<p id="asm_01_0124__p58433415527">For details, visit <a href="https://istio.io/latest/news/releases/1.18.x/" target="_blank" rel="noopener noreferrer">https://istio.io/latest/news/releases/1.18.x/</a>.</p>
</div>
<div>
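Review bot: The CCE clusters item now reads "v1.30, and v1.31 , as well as v1.32 and v1.33" with a stray space before the comma, and both items chain "and ... as well as ... and" inside one list. Flatten each to a single series, for example "v1.25, v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, and v1.33", so the two items stay identical apart from the cluster type.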

View File

@ -0,0 +1,17 @@
<a name="asm_01_0141"></a><a name="asm_01_0141"></a>
<h1 class="topictitle1">Using IAM to Grant Access to ASM</h1>
<div id="body0000002494975758"></div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="asm_01_0145.html">Using IAM Roles or Policies to Grant Access to ASM</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="asm_01_0146.html">Using IAM Identity Policies to Grant Access to ASM</a></strong><br>
</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0000001627845328.html">User Guide</a></div>
</div>
</div>
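Review bot: The new topic has an empty body (`<div id="body0000002494975758"></div>`) and goes straight to the two child links, so nothing tells the reader how role/policy-based authorization differs from identity policies or which one applies to their account. Add a short introduction that states when to use each method before the link list.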

View File

@ -0,0 +1,66 @@
<a name="asm_01_0145"></a><a name="asm_01_0145"></a>
<h1 class="topictitle1">Using IAM Roles or Policies to Grant Access to ASM</h1>
<div id="body0000002526896091"><p id="asm_01_0145__en-us_topic_0000001489537442_p198079372297">System-defined permissions in provided by <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0026.html" target="_blank" rel="noopener noreferrer">Identity and Access Management (IAM)</a> let you control access to ASM. With IAM, you can:</p>
<ul id="asm_01_0145__en-us_topic_0000001489537442_ul1848820457453"><li id="asm_01_0145__en-us_topic_0000001489537442_li348974516454">Create IAM users for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing ASM resources.</li><li id="asm_01_0145__en-us_topic_0000001489537442_li11681126173515">Grant users only the permissions required to perform a given task based on their job responsibilities.</li><li id="asm_01_0145__en-us_topic_0000001489537442_li12185165313915">Entrust an account or a cloud service to perform efficient O&amp;M on your ASM resources.</li></ul>
<p id="asm_01_0145__en-us_topic_0000001489537442_p14662743155318">If your account meets your permissions requirements, you can skip this section.</p>
<p id="asm_01_0145__en-us_topic_0000001489537442_p158501603165"><a href="#asm_01_0145__en-us_topic_0000001489537442_fig1351611812271">Figure 1</a> shows the process flow of role/policy-based authorization.</p>
<div class="section" id="asm_01_0145__en-us_topic_0000001489537442_section17723185741610"><h4 class="sectiontitle">Prerequisites</h4><p id="asm_01_0145__en-us_topic_0000001489537442_p17286682272">Before granting permissions to user groups, learn about system-defined permissions in for ASM. To grant permissions for other services, learn about all <a href="https://docs.otc.t-systems.com/permissions/index.html" target="_blank" rel="noopener noreferrer">permissions</a> supported by IAM.</p>
</div>
<div class="section" id="asm_01_0145__en-us_topic_0000001489537442_section1189416161520"><h4 class="sectiontitle">Process Flow</h4><div class="fignone" id="asm_01_0145__en-us_topic_0000001489537442_fig1351611812271"><a name="asm_01_0145__en-us_topic_0000001489537442_fig1351611812271"></a><a name="en-us_topic_0000001489537442_fig1351611812271"></a><span class="figcap"><b>Figure 1 </b>Process of granting ASM permissions using role/policy-based authorization</span><br><span><img id="asm_01_0145__en-us_topic_0000001489537442_image35161382273" src="en-us_image_0000002526896489.png"></span></div>
<ol id="asm_01_0145__en-us_topic_0000001489537442_ol10176191312813"><li id="asm_01_0145__en-us_topic_0000001489537442_li10176121316284"><a name="asm_01_0145__en-us_topic_0000001489537442_li10176121316284"></a><a name="en-us_topic_0000001489537442_li10176121316284"></a>On the IAM console, <a href="https://docs.otc.t-systems.com/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">create a user group and assign permissions to it</a>.<p id="asm_01_0145__en-us_topic_0000001489537442_p41762137286">Create a user group on the IAM console, and assign the <strong id="asm_01_0145__b18180133023513">ASM ReadOnlyAccess</strong> permissions to the group.</p>
</li><li id="asm_01_0145__en-us_topic_0000001489537442_li181761413162818"><a href="https://docs.otc.t-systems.com/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Create an IAM user and add it to the user group</a>.<p id="asm_01_0145__en-us_topic_0000001489537442_p16177613182816">On the IAM console, create a user and add it to the user group created in <a href="#asm_01_0145__en-us_topic_0000001489537442_li10176121316284">1</a>.</p>
</li><li id="asm_01_0145__en-us_topic_0000001489537442_li1177513202816"><a href="https://docs.otc.t-systems.com/usermanual/iam/iam_01_0032.html" target="_blank" rel="noopener noreferrer">Log in as the IAM user</a> and verify permissions.<p id="asm_01_0145__en-us_topic_0000001489537442_p1317741312289">In the authorized region, perform the following operations:</p>
<ul id="asm_01_0145__en-us_topic_0000001489537442_ul1692751312242"><li id="asm_01_0145__en-us_topic_0000001489537442_li205729227246">Choose <strong id="asm_01_0145__b1623482611425">Service List</strong> &gt; <strong id="asm_01_0145__b11306103015437">Application Service Mesh</strong>. Click <strong id="asm_01_0145__b2155175674318">Buy Mesh</strong> on the ASM console. If a message appears indicating that you have insufficient permissions to perform the operation, the <strong id="asm_01_0145__b7209151616449">ASM ReadOnlyAccess</strong> policy is in effect.</li><li id="asm_01_0145__en-us_topic_0000001489537442_li1857212212418">Choose another service from <strong id="asm_01_0145__b1545117611422">Service List</strong>. If a message appears indicating that you have insufficient permissions to access the service, the <strong id="asm_01_0145__b104520624218">ASM ReadOnlyAccess</strong> policy is in effect.</li></ul>
</li></ol>
</div>
<div class="section" id="asm_01_0145__en-us_topic_0000001489537442_section7529733164812"><h4 class="sectiontitle">Example Custom Policies</h4><p id="asm_01_0145__p576211773818">You can create custom policies to supplement the system-defined policies of ASM. For details about actions supported in custom policies, see .</p>
<p id="asm_01_0145__en-us_topic_0000001489537442_p1391019913815">To create a custom policy, choose either visual editor or JSON.</p>
<ul id="asm_01_0145__en-us_topic_0000001489537442_ul1146431393818"><li id="asm_01_0145__en-us_topic_0000001489537442_li5764181518386">Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy grammar.</li><li id="asm_01_0145__en-us_topic_0000001489537442_li546410135389">JSON: Create a JSON policy or edit an existing one.</li></ul>
<p id="asm_01_0145__p2477135725615">For details, see .</p>
<p id="asm_01_0145__p10716518386">The following lists examples of common ASM custom policies.</p>
<ul id="asm_01_0145__en-us_topic_0000001489537442_ul2504185715494"><li id="asm_01_0145__en-us_topic_0000001489537442_li5504357164912">Example 1: Grant permissions to create service meshes.<pre class="screen" id="asm_01_0145__en-us_topic_0000001489537442_screen48273211535">{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"asm:mesh:create"
]
}
]
}</pre>
</li><li id="asm_01_0145__en-us_topic_0000001489537442_li3652938178">Example 2: Grant permissions to deny service mesh deletion.<p id="asm_01_0145__en-us_topic_0000001489537442_p1892813119464"><a name="asm_01_0145__en-us_topic_0000001489537442_li3652938178"></a><a name="en-us_topic_0000001489537442_li3652938178"></a>A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.</p>
<pre class="screen" id="asm_01_0145__en-us_topic_0000001489537442_screen39281011144617">{
"Version": "1.1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"asm:mesh:createGateway"
]
}
]
}</pre>
</li><li id="asm_01_0145__en-us_topic_0000001489537442_li8475316125413">Example 3: Create a custom policy containing multiple actions.<p id="asm_01_0145__en-us_topic_0000001489537442_p466319313484"><a name="asm_01_0145__en-us_topic_0000001489537442_li8475316125413"></a><a name="en-us_topic_0000001489537442_li8475316125413"></a>A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level). Example policy containing actions of multiple services:</p>
<pre class="screen" id="asm_01_0145__screen125841914164916">{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cce:cluster:create"
"asm:mesh:create"
]
}
]
}</pre>
</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0141.html">Using IAM to Grant Access to ASM</a></div>
</div>
</div>
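Review bot: Example 3's policy is not valid JSON: in its Action array, "cce:cluster:create" is followed by "asm:mesh:create" with no comma between them, so the document will not parse when pasted into the JSON editor; add the comma. Example 2 is also inconsistent with its title: it is described as denying service mesh deletion, but the only action under "Effect": "Deny" is "asm:mesh:createGateway", so a reader who copies it as a deletion guard gets no such protection; either use the action that covers deletion or retitle the example. The sentences "For details about actions supported in custom policies, see ." and "For details, see ." have lost their link targets and should be restored before publishing.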

View File

@ -0,0 +1,70 @@
<a name="asm_01_0146"></a><a name="asm_01_0146"></a>
<h1 class="topictitle1">Using IAM Identity Policies to Grant Access to ASM</h1>
<div id="body0000002494976322"><p id="asm_01_0146__en-us_topic_0000001543558165_p198079372297">System-defined permissions in provided by <a href="https://docs.otc.t-systems.com/usermanual/iam/iam_01_0026.html" target="_blank" rel="noopener noreferrer">Identity and Access Management (IAM)</a> let you control access to ASM. With IAM, you can:</p>
<ul id="asm_01_0146__en-us_topic_0000001543558165_ul1848820457453"><li id="asm_01_0146__en-us_topic_0000001543558165_li348974516454">Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing ASM resources.</li><li id="asm_01_0146__en-us_topic_0000001543558165_li11681126173515">Grant users only the permissions required to perform a given task based on their job responsibilities.</li><li id="asm_01_0146__en-us_topic_0000001543558165_li12185165313915">Entrust an account or a cloud service to perform efficient O&amp;M on your ASM resources.</li></ul>
<p id="asm_01_0146__en-us_topic_0000001543558165_p14662743155318">If your account meets your permissions requirements, you can skip this section.</p>
<p id="asm_01_0146__en-us_topic_0000001543558165_p158501603165"><a href="#asm_01_0146__en-us_topic_0000001543558165_fig1351611812271">Figure 1</a> shows the process flow of identity policy-based authorization.</p>
<div class="section" id="asm_01_0146__en-us_topic_0000001543558165_section17723185741610"><h4 class="sectiontitle">Prerequisites</h4><p id="asm_01_0146__en-us_topic_0000001543558165_p17286682272">Before granting permissions, learn about system-defined permissions in . To grant permissions for other services, learn about all <a href="https://docs.otc.t-systems.com/permissions/index.html" target="_blank" rel="noopener noreferrer">permissions</a> supported by IAM.</p>
</div>
<div class="section" id="asm_01_0146__en-us_topic_0000001543558165_section1189416161520"><h4 class="sectiontitle">Process Flow</h4><div class="fignone" id="asm_01_0146__en-us_topic_0000001543558165_fig1351611812271"><a name="asm_01_0146__en-us_topic_0000001543558165_fig1351611812271"></a><a name="en-us_topic_0000001543558165_fig1351611812271"></a><span class="figcap"><b>Figure 1 </b>Process of granting ASM permissions using identity policy-based authorization</span><br><span><img id="asm_01_0146__en-us_topic_0000001543558165_image35161382273" src="en-us_image_0000002526896571.png"></span></div>
<ol id="asm_01_0146__en-us_topic_0000001543558165_ol10176191312813"><li id="asm_01_0146__en-us_topic_0000001543558165_li10176121316284">On the IAM console, .<p id="asm_01_0146__en-us_topic_0000001543558165_p41762137286"><a name="asm_01_0146__en-us_topic_0000001543558165_li10176121316284"></a><a name="en-us_topic_0000001543558165_li10176121316284"></a>Create a user or user group on the IAM console.</p>
</li><li id="asm_01_0146__en-us_topic_0000001543558165_li16925112804614"> (<strong id="asm_01_0146__b15261138162215">ASMReadOnlyPolicy</strong> as an example) to the user or user group.</li><li id="asm_01_0146__en-us_topic_0000001543558165_li1177513202816"><a href="https://docs.otc.t-systems.com/usermanual/iam/iam_01_0032.html" target="_blank" rel="noopener noreferrer">Log in as the IAM user</a> and verify permissions.<p id="asm_01_0146__en-us_topic_0000001543558165_p1317741312289">In the authorized region, perform the following operations:</p>
<ul id="asm_01_0146__en-us_topic_0000001543558165_ul1692751312242"><li id="asm_01_0146__en-us_topic_0000001543558165_li205729227246">Choose <strong id="asm_01_0146__b160142117265">Service List</strong> &gt; <strong id="asm_01_0146__b760112213264">Application Service Mesh</strong>. Click <strong id="asm_01_0146__b1660272114269">Buy Mesh</strong> on the ASM console. If a message appears indicating that you have insufficient permissions to perform the operation, <strong id="asm_01_0146__b160262182618">ASMReadOnlyPolicy</strong> is in effect.</li><li id="asm_01_0146__en-us_topic_0000001543558165_li1857212212418">Choose another service from <strong id="asm_01_0146__b113084327264">Service List</strong>. If a message appears indicating that you have insufficient permissions to access the service, <strong id="asm_01_0146__b030863242611">ASMReadOnlyPolicy</strong> is in effect.</li></ul>
</li></ol>
</div>
<div class="section" id="asm_01_0146__en-us_topic_0000001543558165_section7529733164812"><h4 class="sectiontitle">Example Custom Identity Policies</h4><p id="asm_01_0146__p19154121744816">You can create custom identity policies to supplement the system-defined identity policies of ASM. For details about actions supported in custom identity policies, see .</p>
<p id="asm_01_0146__en-us_topic_0000001543558165_p1391019913815">To create a custom identity policy, choose either visual editor or JSON.</p>
<ul id="asm_01_0146__en-us_topic_0000001543558165_ul1146431393818"><li id="asm_01_0146__en-us_topic_0000001543558165_li5764181518386">Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy grammar.</li><li id="asm_01_0146__en-us_topic_0000001543558165_li546410135389">JSON: Create a JSON policy or edit an existing one.</li></ul>
<p id="asm_01_0146__p160623765212">For details, see .</p>
<p id="asm_01_0146__p17139055195519">When creating a custom identity policy, use the Resource element to specify the resources the identity policy applies to and use the Condition element (service-specific condition keys) to control when the identity policy is in effect. For details about the supported resource types and condition keys, see .</p>
<p id="asm_01_0146__p310122114562">The following provides examples of custom ASM identity policies.</p>
<ul id="asm_01_0146__en-us_topic_0000001543558165_ul2504185715494"><li id="asm_01_0146__en-us_topic_0000001543558165_li5504357164912">Example 1: Grant permissions to create service meshes.<pre class="screen" id="asm_01_0146__en-us_topic_0000001543558165_screen25351137165916">{
"Version": "5.0",
"Statement": [
{
"Effect": "Allow",
"Action": [
"asm:mesh:create",
"asm:mesh:createGateway"
]
}
]
}</pre>
</li><li id="asm_01_0146__en-us_topic_0000001543558165_li8475316125413">Example 2: Create a custom identity policy containing multiple actions.<p id="asm_01_0146__en-us_topic_0000001543558165_p164313514480"><a name="asm_01_0146__en-us_topic_0000001543558165_li8475316125413"></a><a name="en-us_topic_0000001543558165_li8475316125413"></a></p>
<p id="asm_01_0146__en-us_topic_0000001543558165_p466319313484">A custom identity policy can contain the actions of one or more services. Example identity policy containing multiple actions:</p>
<pre class="screen" id="asm_01_0146__en-us_topic_0000001543558165_screen46646311485">{
"Version": "5.0",
"Statement": [
{
"Effect": "Allow",
"Action": [
"asm:mesh:create",
"asm:mesh:createGateway"
]
},
{
"Effect": "Allow",
"Action": [
"evs:volumes:create",
"evs:volumes:list"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:cloudServers:createServers",
"ecs:cloudServers:listServersDetails"
]
}
]
}</pre>
</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0141.html">Using IAM to Grant Access to ASM</a></div>
</div>
</div>
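Review bot: Example 1 is titled as granting permission to create service meshes, but its Action list also allows "asm:mesh:createGateway", so a reader copying it grants more than the title states; drop that action or retitle the example (the first statement of Example 2 repeats the same pair). The paragraph on the Resource and Condition elements is not backed by either example, since both contain only Effect and Action; scoping one example with Resource would show the least-privilege form the text describes. Several references have also lost their link text: "System-defined permissions in provided by", "learn about system-defined permissions in .", "On the IAM console, .", the step that begins " (ASMReadOnlyPolicy as an example)", and the three sentences ending in "see .".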

View File

@ -4,8 +4,6 @@
<div id="body39451090"></div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="asm_productdesc_0017.html">Infographic for ASM</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="asm_productdesc_0001.html">Introduction</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="asm_productdesc_0002.html">Advantages</a></strong><br>
@ -14,6 +12,8 @@
</li>
<li class="ulchildlink"><strong><a href="asm_productdesc_0004.html">Notes and Constraints</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="asm_productdesc_0019.html">Permissions</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="asm_productdesc_0005.html">Basic Concepts</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="asm_productdesc_0006.html">Recommended Node Specifications</a></strong><br>

View File

@ -16,7 +16,7 @@
</tr>
<tr id="asm_productdesc_0004__row2060314173555"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.1.3.2.3.1.1 "><p id="asm_productdesc_0004__p760391712553">1.18</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.1.3.2.3.1.2 "><p id="asm_productdesc_0004__p14822277556">v1.25, v1.27, v1.28, v1.29, v1.30, or v1.31</p>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.1.3.2.3.1.2 "><p id="asm_productdesc_0004__p14822277556">v1.25, v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, or v1.33</p>
</td>
</tr>
</tbody>
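Review bot: The supported cluster versions for mesh 1.18 now read "v1.25, v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, or v1.33", and v1.26 is absent both before and after this change. If the gap is intentional, a short remark in the table would stop readers from treating it as a typo; if it is not, add v1.26 while this cell is being edited.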

View File

@ -1,12 +0,0 @@
<a name="asm_productdesc_0017"></a><a name="asm_productdesc_0017"></a>
<h1 class="topictitle1">Infographic for ASM</h1>
<div id="body0000001209484931"><p id="asm_productdesc_0017__p1289416386116"></p>
<p id="asm_productdesc_0017__p837613199456"><span><img id="asm_productdesc_0017__image73201388158" src="en-us_image_0000002043652974.png"></span></p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_pd_0001.html">Service Overview</a></div>
</div>
</div>

File diff suppressed because it is too large Load Diff

View File

@ -1,6 +1,6 @@
<a name="asm_qs_0002"></a><a name="asm_qs_0002"></a>
<h1 class="topictitle1">Enabling Istio for a Cluster </h1>
<h1 class="topictitle1">Enabling Istio for a Cluster</h1>
<div id="body0000001168400759"></div>
<div>
<ul class="ullinks">

Binary file not shown.

Before

Width:  |  Height:  |  Size: 618 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 18 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 17 KiB

View File

@ -10,6 +10,8 @@
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="asm_01_0016.html">Application Service Mesh</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="asm_01_0141.html">Using IAM to Grant Access to ASM</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="asm_01_0017.html">Creating a Service Mesh</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="asm_01_0023.html">Mesh Management</a></strong><br>