Slide 1

THE CLOUD CONNECTIVITY COMPANY © Kong Inc.

Kong Mesh: Introduction
Wenhan Shi (施文翰), Solutions Engineer
Oct 2022

Slide 2

Who am I

Wenhan Shi (施 文翰)
• Hitachi, Ltd. - Linux kernel module development/support
• Red Hat K.K. - GlusterFS/OpenShift support
• Canonical Japan K.K. - Ubuntu/OpenStack/Kubernetes support
• Rancher Labs/SUSE - Rancher support
• Kong Inc. - Solutions Engineer
@shi_wenhan  [email protected]

Slide 3

Agenda

● Kong Mesh Intro
● Deploy Kong Mesh
● Deploy Demo Counter app
● Secure Demo Counter app
● Apply Traffic Permissions
● Apply Deployment Strategies

Slide 4

Kong Mesh Intro

Slide 5

Application design is evolving

(diagram: network traffic L4/L7 across the stages MONOLITH → DISTRIBUTED → DECOUPLING → APIS AND MICROSERVICES, with the marker "WE'RE JUST HERE!")

Slide 6

(diagram with three panels: CLASSIC API GATEWAY, MODERN API GATEWAY, FULL SERVICE CONNECTIVITY; labels: MONOLITHIC APP, API MANAGEMENT, CLIENT, PRIVATE TRAFFIC, PUBLIC TRAFFIC, GW DP, API APP, MESH CP, MESH 1, MESH 2)

Slide 7

Connect services end-to-end

• Integrate into the Kong Enterprise platform for full stack connectivity
• Securely expose and manage the full lifecycle of APIs and North-South communication using the Gateway
• Manage the cross-cutting concerns and East-West communication with the Mesh

(diagram: Client, Edge Kong Gateway, Data Center 1 and Data Center 2, each with Banking Product / Service Mesh A, Trading Product / Service Mesh B and a product-scope Kong Gateway)

Slide 8

API Gateway or Service Mesh?

Use cases:
- Support mobile apps
- Onboard external partners, customers or users
- High reliability for mission critical apps
- Zero-trust security / high compliance
- Observability for detailed visibility into service behavior

Capabilities compared (columns: API GATEWAY, SERVICE MESH; NA where a capability does not apply):
- Expose services (Edge, mesh-app, mesh-mesh)
- Full lifecycle API management
- Service – service communication
- Ensure reliability
- Ensure security
- Gain visibility
- Integration for full stack connectivity (API Gateway with integration)

Takeaway: YOU NEED A "Service Connectivity Platform"

Slide 9

Kuma Technology

- ENVOY PROXY

Slide 10

Kuma Technology

- ENVOY PROXY
- AUTOMATIC MULTI-ZONE PROPAGATION

Slide 11

Kuma Technology

- ENVOY PROXY
- AUTOMATIC MULTI-ZONE PROPAGATION
- CROSS-ZONE DISCOVERY, SECURITY & ROUTING

Slide 12

Kuma Technology

- ENVOY PROXY
- AUTOMATIC MULTI-ZONE PROPAGATION
- CROSS-ZONE DISCOVERY, SECURITY & ROUTING
- POLICY-BASED ARCHITECTURE

Slide 13

Kuma Technology

- ENVOY PROXY
- AUTOMATIC MULTI-ZONE PROPAGATION
- CROSS-ZONE DISCOVERY, SECURITY & ROUTING
- POLICY-BASED ARCHITECTURE
- KUBERNETES + VMS BINDINGS

Slide 14

Kuma Technology

- ENVOY PROXY
- AUTOMATIC MULTI-ZONE PROPAGATION
- CROSS-ZONE DISCOVERY, SECURITY & ROUTING
- POLICY-BASED ARCHITECTURE
- KUBERNETES + VMS BINDINGS
- KONG MESH

Slide 15

Why Kong Mesh?

Multi-Mesh and Easy to Use & Scale
  Intelligently route traffic across any platform and any cloud to meet expectations and SLAs

Universal (K8s + VMs), Attribute-Based Policies & More
  Restrict access and encrypt all traffic by default to only complete transactions when identity is verified

Built-in Multi Zone Connectivity
  Out of the box connectivity for multi-cluster, multi-cloud and multi-platform deployments across the world

Slide 16

Start, Secure and Scale with Ease

● One click deployment, one click attribute-based policies
● Turnkey universal service mesh with built-in multi-zone connectivity
● Multi-mesh support for scalability across the organization

(diagram: Global Kong Mesh Control plane with Service Discovery, connected to three Remote Kong Mesh Control Planes, each with a Kong Mesh Ingress on its own Platform, Cloud or Cluster)

Slide 17

Run anywhere

Manage service meshes natively in Kubernetes using CRDs. Deploy the service mesh across any environment, including multi-cluster, multi-cloud and multi-platform, OR start with a service mesh in VM environments and migrate to Kubernetes at your own pace.

(diagram: Service Mesh spanning container-based microservices and VM-based monoliths)

Slide 18

Demo

- Deployment of Kong Mesh
- Deployment of the Demo APP
- Secure the Demo APP with mTLS (zero trust)
- Apply Traffic Permissions
- Apply Deployment Strategies

Slide 19

Deployment of Kong Mesh

Slide 20

Deployment mode

- Standalone
- Multiple Zone

Slide 21

Use kumactl to deploy Kong Mesh

# Download Kong Mesh
$ curl -L https://docs.konghq.com/mesh/installer.sh | sh -

# Deploy Control Plane
$ kong-mesh-1.9.1/bin/kumactl install control-plane --license-path=/path/to/license.json | kubectl apply -f -

# Verify
$ kubectl get pod -n kong-mesh-system
NAME                                       READY   STATUS    RESTARTS   AGE
kong-mesh-control-plane-5ff698786d-2cckg   1/1     Running   0          61s

$ kubectl get meshes
NAME      AGE
default   1m

Slide 22

Access GUI

❯ kubectl get svc -n kong-mesh-system
NAME                      TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                                                   AGE
kong-mesh-control-plane   ClusterIP   10.43.219.12   <none>        5680/TCP,5681/TCP,5682/TCP,443/TCP,5676/TCP,5678/TCP      91s

# expose the control plane as a NodePort service on port 30001
❯ kubectl expose deployment kong-mesh-control-plane -n kong-mesh-system --type=NodePort --name=kongmesh-cp --port 5681
service/kongmesh-cp exposed

❯ kubectl patch service kongmesh-cp -n kong-mesh-system --type='json' \
    --patch='[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":30001}]'

❯ kubectl get svc -n kong-mesh-system
NAME                      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                   AGE
kong-mesh-control-plane   ClusterIP   10.43.219.12    <none>        5680/TCP,5681/TCP,5682/TCP,443/TCP,5676/TCP,5678/TCP      92s
kongmesh-cp               NodePort    10.43.110.195   <none>        5681:30001/TCP                                            2s

Slide 23

Access GUI

Open http://:/gui to access the GUI.

Slide 24

Access the control plane via kumactl

# configure kumactl to use the exposed IP address to control your mesh
❯ kumactl config control-planes add --name=kongmesh-cp \
    --address=http://:30001

❯ kumactl get meshes
NAME      mTLS   METRICS   LOGGING   TRACING   LOCALITY   ZONEEGRESS   AGE
default   off    off       off       off       off        off          17m

Slide 25

Deployment of the Demo APP

Slide 26

Counter app

• A front-end and a Redis database to store counters.
• The front-end is a simple display that allows you to increment a counter.
• The Redis database stores the current count.

(diagram: FRONTEND-APP with KUMA-DP sidecar → REDIS with KUMA-DP sidecar)

Slide 27

Kuma sidecar annotation

• Ensure the Kuma sidecar annotation is included in the application's manifest.
• It tells Kubernetes to automatically inject a data plane proxy into every service deployed in the namespace.

apiVersion: v1
kind: Namespace
metadata:
  name: kuma-demo
  annotations:
    kuma.io/sidecar-injection: enabled

Slide 28

Deploy the application and inspect it

❯ kubectl apply -f counterapp.yaml

❯ kumactl inspect dataplanes
MESH   NAME   TAGS   STATUS   LAST CONNECTED AGO   LAST UPDATED AGO   TOTAL UPDATES   TOTAL ERRORS   CERT REGENERATED AGO   CERT EXPIRATION   CERT REGENERATIONS   CERT BACKEND   SUPPORTED CERT BACKENDS   KUMA-DP VERSION   ENVOY VERSION   DEPENDENCIES VERSIONS   NOTES
default   demo-app-768f774c55-bwd4v.kuma-demo   app=demo-app k8s.kuma.io/namespace=kuma-demo k8s.kuma.io/service-name=demo-app k8s.kuma.io/service-port=5000 kuma.io/protocol=http kuma.io/service=demo-app_kuma-demo_svc_5000 pod-template-hash=768f774c55 version=v1   Online   1m   1m   8   0   never   -   0   -   1.9.1   1.22.1   coredns: 1.8.3, opa: 0.43.0
default   demo-app-v2-df4f5bdc7-b8zml.kuma-demo   app=demo-app k8s.kuma.io/namespace=kuma-demo k8s.kuma.io/service-name=demo-app k8s.kuma.io/service-port=5000 kuma.io/protocol=http kuma.io/service=demo-app_kuma-demo_svc_5000 pod-template-hash=df4f5bdc7 version=v2   Online   1m   1m   8   0   never   -   0   -   1.9.1   1.22.1   coredns: 1.8.3, opa: 0.43.0
default   redis-684cbb56c9-brsmj.kuma-demo   app=redis k8s.kuma.io/namespace=kuma-demo k8s.kuma.io/service-name=redis k8s.kuma.io/service-port=6379 kuma.io/protocol=tcp kuma.io/service=redis_kuma-demo_svc_6379 pod-template-hash=684cbb56c9   Online   1m   1m   8   0   never   -   0   -   1.9.1   1.22.1   coredns: 1.8.3, opa: 0.43.0

Slide 29

Inspect the Data plane in the GUI

Slide 30

Kong Ingress Controller (KIC)

• Deploy KIC to access the frontend app via the Kong proxy

(diagram: Kong Proxy with KUMA-DP sidecar and Kong Plugins → FRONTEND-APP with KUMA-DP → REDIS with KUMA-DP)

Slide 31

Deploy Kong Ingress Controller (KIC)

❯ kubectl apply -f https://bit.ly/k4k8s
namespace/kong created
customresourcedefinition.apiextensions.k8s.io/ingressclassparameterses.configuration.konghq.com created
customresourcedefinition.apiextensions.k8s.io/kongclusterplugins.configuration.konghq.com created
customresourcedefinition.apiextensions.k8s.io/kongconsumers.configuration.konghq.com created
customresourcedefinition.apiextensions.k8s.io/kongingresses.configuration.konghq.com created
customresourcedefinition.apiextensions.k8s.io/kongplugins.configuration.konghq.com created
customresourcedefinition.apiextensions.k8s.io/tcpingresses.configuration.konghq.com created
customresourcedefinition.apiextensions.k8s.io/udpingresses.configuration.konghq.com created
…

# Pod of KIC
❯ kubectl get pods -n kong
NAME                            READY   STATUS    RESTARTS   AGE
ingress-kong-6647c64fd4-ggvct   2/2     Running   0          4m51s

# patch the kong proxy to use a fixed nodePort
❯ kubectl patch service kong-proxy --namespace=kong --type='json' \
    --patch='[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":31112}]'

❯ kubectl get services -n kong
NAME                      TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
kong-validation-webhook   ClusterIP      10.43.183.215   <none>        443/TCP                      6m25s
kong-proxy                LoadBalancer   10.43.251.106   <pending>     80:31112/TCP,443:32197/TCP   6m25s

Slide 32

Add the Kong Proxy to Kong Mesh

# annotate the namespace and restart the KIC pod so the sidecar gets injected
❯ kubectl annotate ns kong kuma.io/sidecar-injection='enabled'
❯ kubectl delete pod ingress-kong-xxxxxxxxxx-xxxxx -n kong

Slide 33

Create an Ingress rule to access the frontend app

• Deploy KIC to access the frontend app via the Kong proxy

(diagram: Request → Ingress → Kong Proxy with KUMA-DP and Kong Plugins → FRONTEND-APP with KUMA-DP → REDIS with KUMA-DP)

Slide 34

Create Ingress rule

❯ cat <

Slide 35

Access the Counter Demo App

❯ kubectl get svc -n kong kong-proxy
NAME         TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
kong-proxy   LoadBalancer   10.43.251.106   <pending>     80:31112/TCP,443:32197/TCP   75m

Slide 36

Secure the Demo APP with mTLS

Slide 37

Intro

- No security or encryption by default
- Using a built-in CA, we can secure the services by enabling mTLS
- Only allowed services can communicate with others
- All traffic will be encrypted
- mTLS is not enabled by default; enable it by updating the Mesh policy

❯ kumactl get meshes
NAME      mTLS   METRICS   LOGGING   TRACING   LOCALITY   ZONEEGRESS   AGE
default   off    off       off       off       off        off          2h

Slide 38

Add mTLS policy

❯ cat <
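The heredoc on this slide is cut off in this copy. As an added example (not the deck's own manifest), this is one way to write the Mesh resource the previous slide describes: it enables mTLS on the default mesh with the built-in CA. The backend name ca-1 and the expiration values are assumptions.

```yaml
# Added example: enable mTLS on the "default" mesh with the builtin CA backend.
# Backend name "ca-1" and both expiration values are assumptions, not values from the deck.
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1      # switches mTLS on for every data plane in the mesh
    backends:
      - name: ca-1
        type: builtin          # the control plane generates and stores the CA itself
        dpCert:
          rotation:
            expiration: 1d     # short-lived workload certificates, rotated automatically
        conf:
          caCert:
            expiration: 10y    # lifetime of the root CA certificate
```

After `kubectl apply -f` of this resource, `kumactl get meshes` should no longer report mTLS as off; the allow-all-default Traffic Permission shown on the next slide still permits every service-to-service flow until it is removed.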

Slide 39

Verify Traffic Permissions and remove the default rule

- By default, there is a Traffic Permission rule that allows all traffic.
- Remove it.
- The counter app should go down, because no rule allows its traffic any more.

❯ kubectl get TrafficPermission
NAME                AGE
allow-all-default   11m

❯ kubectl delete TrafficPermission allow-all-default
trafficpermission.kuma.io "allow-all-default" deleted

Slide 40

Apply Traffic Permissions

Slide 41

Intro

- Traffic Permissions define which services are allowed to communicate with each other.
- An easy way to implement Zero Trust networks

(diagram: Request → Kong Proxy with KUMA-DP and Kong Plugins → allow → FRONTEND-APP with KUMA-DP → allow → REDIS with KUMA-DP)

Slide 42

Add Traffic Permission Policy

❯ cat <
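The heredoc on this slide is cut off in this copy. As an added example (not the deck's own manifest), these two TrafficPermission policies grant exactly the two "allow" edges drawn on the previous slide: Kong proxy to the frontend, and frontend to Redis. The demo-app and redis service tags are the kuma.io/service values listed by kumactl inspect dataplanes earlier in the deck; the kong-proxy service tag is an assumption.

```yaml
# Added example: least-privilege Traffic Permissions for the counter app.
# demo-app_kuma-demo_svc_5000 and redis_kuma-demo_svc_6379 are the kuma.io/service
# tags from the dataplane listing; kong-proxy_kong_svc_80 is an assumed tag for the
# Kong proxy data plane and should be checked with "kumactl inspect dataplanes".
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  name: allow-kong-proxy-to-frontend
spec:
  sources:
    - match:
        kuma.io/service: kong-proxy_kong_svc_80      # only the ingress proxy may reach the frontend
  destinations:
    - match:
        kuma.io/service: demo-app_kuma-demo_svc_5000
---
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  name: allow-frontend-to-redis
spec:
  sources:
    - match:
        kuma.io/service: demo-app_kuma-demo_svc_5000  # only the frontend may reach Redis
  destinations:
    - match:
        kuma.io/service: redis_kuma-demo_svc_6379
```

With allow-all-default deleted, these are the only permitted flows: any other workload identity (which under mTLS means any other data plane certificate) is rejected at the destination sidecar, and requests to Redis that do not originate from the frontend's certificate never reach the Redis process.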

Slide 43

Verify Traffic Permissions via the Kuma GUI

Slide 44

Access the Counter Demo App again

Slide 45

Apply Deployment Strategies

Slide 46

Intro

- The Traffic Routing policy enables you to configure L4 routing rules

(diagram: Request → Kong Proxy with KUMA-DP and Kong Plugins → Traffic Routing policy → FRONTEND-APP v1.0 with KUMA-DP / FRONTEND-APP v2.0 with KUMA-DP → REDIS with KUMA-DP)

Slide 47

By default: Round Robin strategy

(diagram: traffic split 50% / 50% between FRONTEND-APP v1.0 and v2.0)

Slide 48

By default: Round Robin strategy

cat <
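The heredoc on this slide is cut off in this copy. As an added example (not the deck's own manifest), this TrafficRoute replaces the default 50/50 round robin between the two frontend versions with a weighted split keyed on the version=v1 and version=v2 tags from the dataplane listing. The 90/10 weights and the policy name are assumptions chosen to show a canary rollout.

```yaml
# Added example: weighted split between frontend v1 and v2 (canary style).
# Service tag and version tags come from the dataplane listing earlier in the deck;
# the 90/10 weights and the name "demo-app-canary" are assumptions.
apiVersion: kuma.io/v1alpha1
kind: TrafficRoute
mesh: default
metadata:
  name: demo-app-canary
spec:
  sources:
    - match:
        kuma.io/service: '*'                          # applies to every caller, including the Kong proxy
  destinations:
    - match:
        kuma.io/service: demo-app_kuma-demo_svc_5000
  conf:
    split:
      - weight: 90                                    # most traffic stays on the known-good version
        destination:
          kuma.io/service: demo-app_kuma-demo_svc_5000
          version: v1
      - weight: 10                                    # small share goes to the new version
        destination:
          kuma.io/service: demo-app_kuma-demo_svc_5000
          version: v2
```

Changing the weights to 0/100 completes the rollout, and 100/0 rolls it back without touching the Deployments; the Traffic Permissions from the previous section still apply, because routing only selects among destinations that the caller is already allowed to reach.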

Slide 49

Summary

Slide 50

Summary

• Kong Mesh Intro
• Deploy Kong Mesh using kumactl
• Deploy the Demo Counter app and use Kong Ingress Controller to expose it
• Secure the Demo Counter app with mTLS
• Apply Traffic Permissions
• Apply Deployment Strategies

Slide 51

Thank you