
Integrating Alibaba Cloud Knative with Service Mesh ASM: Architecture, Deployment, and Best Practices

This article explains how Alibaba Cloud Knative, built on Kubernetes, works with the ASM service mesh to provide serverless capabilities, detailing its architecture, deployment steps, code examples, and advanced traffic management features such as rate limiting, circuit breaking, and priority scheduling.

Alibaba Cloud Infrastructure

Knative is a serverless framework built on Kubernetes that standardizes function, workload, and event-driven orchestration, offering low entry barriers, automated management, and observability. Istio extends Kubernetes to create a programmable service mesh, and when combined with Knative, it provides standardized traffic management, observability, and security for serverless workloads.

Working Principle

Knative decouples the service layer from the network layer using the KIngress resource. When a Knative Service is created, the Knative Serving Controller generates a KIngress resource, which the net‑istio controller converts into a VirtualService. The KIngress CRD contains all information needed to expose the service externally.

apiVersion: networking.internal.knative.dev/v1alpha1
kind: Ingress
metadata:
  annotations:
    networking.internal.knative.dev/rollout: '{"configurations":[{"configurationName":"httpbin","percent":100,"revisions":[{"revisionName":"httpbin-00001","percent":100}],"stepParams":{}}]}'
    networking.knative.dev/ingress.class: istio.ingress.networking.knative.dev
    serving.knative.dev/creator: 1281429699509011-1724722123
    serving.knative.dev/lastModifier: 1281429699509011-1724722123
  labels:
    serving.knative.dev/route: httpbin
    serving.knative.dev/routeNamespace: default
    serving.knative.dev/service: httpbin
  name: httpbin
  namespace: default
spec:
  httpOption: Enabled
  rules:
  - hosts:
    - httpbin.default
    - httpbin.default.svc
    - httpbin.default.svc.cluster.local
    http:
      paths:
      - appendHeaders:
          Knative-Serving-Default-Route: "true"
        splits:
        - appendHeaders:
            Knative-Serving-Namespace: default
            Knative-Serving-Revision: httpbin-00001
          percent: 100
          serviceName: httpbin-00001
          serviceNamespace: default
          servicePort: 80
    visibility: ClusterLocal
  - hosts:
    - httpbin.default.example.com
    http:
      paths:
      - appendHeaders:
          Knative-Serving-Default-Route: "true"
        splits:
        - appendHeaders:
            Knative-Serving-Namespace: default
            Knative-Serving-Revision: httpbin-00001
          percent: 100
          serviceName: httpbin-00001
          serviceNamespace: default
          servicePort: 80
    visibility: ExternalIP
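
To review what a KIngress like the one above publishes, the following added example (not code from Knative or ASM) lists every host on a rule with ExternalIP visibility together with its backend. It also flags split percentages that do not sum to 100, backends outside the KIngress namespace, and cluster-internal hostnames on an external rule. The KINGRESS dictionary is constructed from the manifest above, and the helper names are hypothetical.

```python
# Constructed sample: the KIngress above, reduced to the fields the audit reads.
def _rule(hosts, visibility, backend="httpbin-00001", ns="default"):
    split = {"percent": 100, "serviceName": backend,
             "serviceNamespace": ns, "servicePort": 80}
    return {"hosts": hosts, "visibility": visibility,
            "http": {"paths": [{"splits": [split]}]}}

KINGRESS = {
    "metadata": {"name": "httpbin", "namespace": "default"},
    "spec": {"rules": [
        _rule(["httpbin.default", "httpbin.default.svc",
               "httpbin.default.svc.cluster.local"], "ClusterLocal"),
        _rule(["httpbin.default.example.com"], "ExternalIP"),
    ]},
}

INTERNAL_SUFFIXES = (".svc", ".cluster.local")

def audit_kingress(ing):
    """Return (external_routes, findings) for one KIngress object (hypothetical helper)."""
    ns = ing["metadata"]["namespace"]
    external, findings = [], []
    for idx, rule in enumerate(ing["spec"].get("rules", [])):
        vis, hosts = rule.get("visibility"), rule.get("hosts", [])
        if vis not in ("ClusterLocal", "ExternalIP"):
            findings.append(f"rule {idx}: unknown visibility {vis!r}")
        if vis == "ExternalIP":
            findings += [f"rule {idx}: internal host {h} on external rule"
                         for h in hosts if h.endswith(INTERNAL_SUFFIXES)]
        for path in rule.get("http", {}).get("paths", []):
            splits = path.get("splits", [])
            total = sum(s.get("percent", 0) for s in splits)
            if total != 100:
                findings.append(f"rule {idx}: splits sum to {total}%, not 100%")
            for s in splits:
                backend = f"{s['serviceNamespace']}/{s['serviceName']}:{s['servicePort']}"
                if s["serviceNamespace"] != ns:
                    findings.append(f"rule {idx}: backend {backend} outside namespace {ns}")
                if vis == "ExternalIP":
                    external += [(h, backend, s["percent"]) for h in hosts]
    return external, findings

if __name__ == "__main__":
    routes, problems = audit_kingress(KINGRESS)
    for host, backend, pct in routes:
        print(f"EXTERNAL {host} -> {backend} ({pct}%)")
    print("findings:", problems or "none")
```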

Alibaba Cloud Knative and ASM

Alibaba Cloud Container Service Knative fully complies with the open‑source Knative API while adding productized features such as one‑click deployment, a unified console, and managed core components (Knative Serving and Eventing) that reduce operational overhead.

Key product capabilities include:

One‑click deployment without needing to provision resources.

Managed gateways (ALB, MSE, ASM, Kourier) with automatic sidecar injection.

Seamless integration with Alibaba Cloud services (ECI, ECS, SLS, Prometheus, CI/CD, EventBridge, MNS).

Advanced features such as reserved instances, automatic scaling (HPA, KPA, AHPA), and rich traffic management.

Best Practices: Service Mesh‑Based Knative

Deploy Knative with ASM as the gateway, enable sidecar injection for the knative-serving and default namespaces, and use ASM plugins (e.g., reverse‑dns) to enhance routing, security, and observability.

Deployment Example – HelloWorld‑Go

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: helloworld-go
spec:
  template:
    spec:
      containers:
      - image: registry.{REGION-ID}.aliyuncs.com/knative-sample/helloworld-go:73fbdd56
        env:
        - name: TARGET
          value: "Knative"

After creating the service, retrieve the gateway address and test with:

curl -H "host: helloworld-go.default.example.com" http://{gateway-IP}

Expected output: Hello Knative!

Rate Limiting

ASM provides the ASMLocalRateLimiter CRD to declaratively limit traffic per Knative service. Example configuration limits the helloworld-go service to 60 requests every 2 seconds.

apiVersion: istio.alibabacloud.com/v1
kind: ASMLocalRateLimiter
metadata:
  name: helloworld
  namespace: istio-system
spec:
  configs:
  - limit:
      fill_interval:
        seconds: 2
      quota: 60
    match:
      vhost:
        name: helloworld-go.default.svc.cluster.local
        port: 80
    isGateway: true
    workloadSelector:
      labels:
        istio: ingressgateway

Apply with kubectl apply -f ratelimit.yaml and verify that the third request within a minute receives a 429 response.
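
The following added example (not ASM code) models the limit configured above as a token bucket of 60 tokens refilled every 2 seconds. It shows a point that matters for capacity and abuse planning: assuming the limit is enforced locally inside each gateway Envoy instance, the cluster-wide ceiling grows with the number of gateway replicas. The refill model, the round-robin spread across pods, and all names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class LocalBucket:
    """Token bucket of one gateway pod (assumed semantics, see lead-in)."""
    quota: int = 60               # spec.configs[].limit.quota
    fill_interval: float = 2.0    # spec.configs[].limit.fill_interval.seconds
    last_fill: float = 0.0
    tokens: int = field(init=False, default=0)

    def __post_init__(self):
        self.tokens = self.quota           # the bucket starts full

    def admit(self, now: float) -> int:
        """Return the HTTP status for a request arriving at time `now` (seconds)."""
        fills = int((now - self.last_fill) // self.fill_interval)
        if fills > 0:
            self.tokens = self.quota       # capacity equals quota, so a fill tops it up
            self.last_fill += fills * self.fill_interval
        if self.tokens > 0:
            self.tokens -= 1
            return 200
        return 429

def simulate(arrivals, replicas=1, quota=60, fill_interval=2.0):
    """Spread arrivals round-robin over `replicas` gateway pods; return the statuses."""
    pods = [LocalBucket(quota, fill_interval) for _ in range(replicas)]
    return [pods[i % replicas].admit(t) for i, t in enumerate(arrivals)]

def admitted(statuses):
    """Number of requests that passed the limiter."""
    return statuses.count(200)

if __name__ == "__main__":
    burst = [i * 0.005 for i in range(200)]    # constructed: 200 requests in 1 s
    for n in (1, 3):
        ok = admitted(simulate(burst, replicas=n))
        print(f"{n} gateway replica(s): {ok} admitted, {len(burst) - ok} rejected with 429")
```

With these parameters the sustained ceiling is quota / fill_interval = 30 requests per second per gateway pod, so any replica change on the gateway changes the effective limit.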

Service‑Level Circuit Breaking

Use the ASMCircuitBreaker CRD to break traffic to a revision when slow requests exceed thresholds. The example targets the httpbin revision and returns a custom 498 response after five slow requests.

apiVersion: istio.alibabacloud.com/v1
kind: ASMCircuitBreaker
metadata:
  name: httpbin-delay
  namespace: knative-serving
spec:
  configs:
  - breaker_config:
      break_duration: 60s
      custom_response:
        body: "delay break!"
        header_to_add:
          x-envoy-overload: "true"
        status_code: 498
      max_slow_requests: 5
      min_request_amount: 2
      slow_request_rt: 0.5s
      window_size: 10s
    match:
      vhost:
        name: httpbin-00001-private.default.svc.cluster.local
        port: 8012
    workloadSelector:
      labels:
        app: activator

Deploy with kubectl apply -f asmcircuitbreak.yaml and observe the circuit break after repeated slow requests.
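
To see how the thresholds above interact before testing against a live revision, the following added example (not ASM code) replays constructed request timings through a simplified model of the breaker_config fields. The model assumes the breaker opens once the number of slow requests inside the sliding window reaches max_slow_requests and at least min_request_amount requests were seen; the exact comparison and window handling in ASM may differ, and all names are hypothetical.

```python
from collections import deque

class SlowRequestBreaker:
    """Simplified model of the breaker_config above (assumed semantics)."""

    def __init__(self, slow_request_rt=0.5, max_slow_requests=5,
                 min_request_amount=2, window_size=10.0,
                 break_duration=60.0, status_code=498):
        self.slow_request_rt = slow_request_rt
        self.max_slow_requests = max_slow_requests
        self.min_request_amount = min_request_amount
        self.window_size = window_size
        self.break_duration = break_duration
        self.status_code = status_code
        self.window = deque()     # (arrival time, response time) of forwarded requests
        self.open_until = 0.0

    def handle(self, now, upstream_rt):
        """Return the status the caller sees for a request arriving at `now` (seconds)."""
        if now < self.open_until:
            return self.status_code            # breaker open: upstream is not called
        self.window.append((now, upstream_rt))
        while self.window and self.window[0][0] <= now - self.window_size:
            self.window.popleft()              # drop samples older than the window
        slow = sum(1 for _, rt in self.window if rt > self.slow_request_rt)
        if (len(self.window) >= self.min_request_amount
                and slow >= self.max_slow_requests):
            self.open_until = now + self.break_duration
            self.window.clear()
        return 200

def replay(events, **cfg):
    """Run constructed (arrival_time, response_time) pairs through one breaker."""
    breaker = SlowRequestBreaker(**cfg)
    return [breaker.handle(t, rt) for t, rt in events]

if __name__ == "__main__":
    dense = [(float(t), 1.0) for t in range(8)]          # slow request every second
    sparse = [(float(t), 1.0) for t in range(0, 30, 3)]  # slow request every 3 s
    print("dense :", replay(dense))
    print("sparse:", replay(sparse))
```

In this model, slow requests arriving every 3 seconds never open the breaker because at most four of them fall inside one 10-second window, which is the kind of gap to check when choosing window_size and max_slow_requests.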

Host‑Level Circuit Breaking & Zone‑Aware Routing

Leverage native Istio DestinationRule for host‑level outlier detection and configure ASM to prefer same‑zone endpoints, providing resilience across availability zones.

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: httpbin
  namespace: default
spec:
  host: httpbin-00001-private
  trafficPolicy:
    outlierDetection:
      baseEjectionTime: 20s
      consecutiveErrors: 3
      interval: 5s
      maxEjectionPercent: 100

Request Priority Scheduling

ASM’s traffic scheduling suite allows defining a QuotaSchedulingPolicy that limits request rates and assigns higher priority to specific user types.

apiVersion: istio.alibabacloud.com/v1
kind: QuotaSchedulingPolicy
metadata:
  name: quotascheduling
  namespace: istio-system
spec:
  quota_scheduler:
    bucket_capacity: 10
    fill_amount: 10
    rate_limiter:
      interval: 1s
    scheduler:
      workloads:
      - label_matcher:
          match_labels:
            http.request.header.user_type: guest
        parameters:
          priority: 50.0
        name: guest
      - label_matcher:
          match_labels:
            http.request.header.user_type: subscriber
        parameters:
          priority: 200.0
        name: subscriber
      selectors:
      - service: httpbin-00001-private.default.svc.cluster.local

Deploy with kubectl apply -f policy.yaml and validate using fortio load tests, observing lower latency and higher QPS for the higher‑priority subscriber traffic.

Observability

After injecting sidecars, ASM’s mesh topology view shows real‑time traffic flow, highlighting successful requests, rate‑limited responses, and circuit‑broken calls, enabling operators to quickly identify and troubleshoot issues.

Conclusion

The integration of Alibaba Cloud Knative with ASM delivers a powerful serverless platform that combines Knative’s zero‑ops experience with ASM’s robust traffic management, security, and observability, allowing enterprises to develop cloud‑native services with high availability and low operational overhead.
