THE CLOUD CONNECTIVITY COMPANY 1 © Kong Inc. THE CLOUD CONNECTIVITY COMPANY Kong Mesh入門編 施文翰(Wenhan Shi) – Solutions Engineer Oct, 2022

THE CLOUD CONNECTIVITY COMPANY 2 © Kong Inc. 2 Who am I 施 文翰(シ ブンカン) Wenhan Shi • 日立製作所 - Linux kernel module development/Support • Red Hat K.K. - GlusterFS/OpenShift Support • Canonical Japan K.K. - Ubuntu/OpenStack/Kubernetes Support • Rancher Lab/SUSE - Rancher Support • Kong Inc. - Solutions Engineer @shi_wenhan wenhan.shi@konghq.com

THE CLOUD CONNECTIVITY COMPANY 3 © Kong Inc. ● Kong Mesh Intro ● Deploy Kong mesh ● Deploy Demo Counter app ● Secure Demo Counter app ● Apply Traffic permissions ● Apply Deployment Strategies Agenda

THE CLOUD CONNECTIVITY COMPANY 4 © Kong Inc. 4 Kong Mesh Intro

5 THE CLOUD CONNECTIVITY COMPANY Kong Proprietary and Confidential Application design is evolving NETWORK TRAFFIC L4/L7 DISTRIBUTED MONOLITH DECOUPLING APIS AND MICROSERVICES WE’RE JUST HERE!

THE CLOUD CONNECTIVITY COMPANY 6 © Kong Inc. CLASSIC API GATEWAY MODERN API GATEWAY FULL SERVICE CONNECTIVITY MONOLITHIC APP API API MANAGEMENT CLIENT PRIVATE TRAFFIC PUBLIC TRAFFIC GW DP CLIENT PUBLIC TRAFFIC GW DP API APP API APP API APP API APP API APP GW DP GW DP GW DP CLIENT PUBLIC TRAFFIC GW DP MESH CP MESH 1 MESH 2

THE CLOUD CONNECTIVITY COMPANY 7 © Kong Inc. Connect services end-to-end • Integrate into the Kong Enterprise platform for Full stack connectivity • Securely expose and manage the full-lifecycle of APIs and North-South communication using GW • Manage the cross-cutting concerns and East-West communication with Mesh Data Center 1 Banking Product Service Mesh A Trading Product Service Mesh B Product Scope Kong Gateway Client Edge Data Center 2 Banking Product Service Mesh A Trading Product Service Mesh B Product Scope Kong Gateway Kong Gateway

THE CLOUD CONNECTIVITY COMPANY 8 © Kong Inc. API Gateway or Service Mesh? Support mobile apps Onboard external partners, customers or users High reliability for mission critical apps Zero-trust security / high compliance Observability for detailed visibility into service behavior Ensure reliability Ensure security Gain visibility NA NA YOU NEED A “Service Connectivity Platform” API GATEWAY SERVICE MESH Expose services (Edge, mesh-app, mesh-mesh) Full lifecycle API management Service – service communication NA Integration for full stack connectivity API Gateway with integration

THE CLOUD CONNECTIVITY COMPANY 9 © Kong Inc. Kuma Technology ENVOY PROXY

THE CLOUD CONNECTIVITY COMPANY 10 © Kong Inc. Kuma Technology ENVOY PROXY AUTOMATIC MULTI-ZONE PROPAGATION

THE CLOUD CONNECTIVITY COMPANY 11 © Kong Inc. Kuma Technology ENVOY PROXY AUTOMATIC MULTI-ZONE PROPAGATION CROSS-ZONE DISCOVERY, SECURITY & ROUTING

THE CLOUD CONNECTIVITY COMPANY 12 © Kong Inc. Kuma Technology ENVOY PROXY AUTOMATIC MULTI-ZONE PROPAGATION CROSS-ZONE DISCOVERY, SECURITY & ROUTING POLICY-BASED ARCHITECTURE

THE CLOUD CONNECTIVITY COMPANY 13 © Kong Inc. Kuma Technology ENVOY PROXY AUTOMATIC MULTI-ZONE PROPAGATION CROSS-ZONE DISCOVERY, SECURITY & ROUTING POLICY-BASED ARCHITECTURE KUBERNETES + VMS BINDINGS

THE CLOUD CONNECTIVITY COMPANY 14 © Kong Inc. Kuma Technology ENVOY PROXY AUTOMATIC MULTI-ZONE PROPAGATION CROSS-ZONE DISCOVERY, SECURITY & ROUTING POLICY-BASED ARCHITECTURE KUBERNETES + VMS BINDINGS KONG MESH

THE CLOUD CONNECTIVITY COMPANY 15 © Kong Inc. Why Kong Mesh? Multi-Mesh And Easy To Use & Scale Universal (K8s + VMs), Attribute-Based Policies & More Built-in Multi Zone Connectivity Intelligently route traffic across any platform and any cloud to meet expectations and SLAs Restrict access and encrypt all traffic by default to only complete transactions when identity is verified Out of the box connectivity for multi-cluster, multi-cloud and multi-platform deployments across the world

THE CLOUD CONNECTIVITY COMPANY 16 © Kong Inc. ● One click deployment, one click attribute-based policies Start, Secure and Scale with Ease ● Turnkey universal service mesh with built-in multi-zone connectivity ● Multi-mesh support for scalability across the organization Remote Kong Mesh Control Plane Kong Mesh Ingress Platform, Cloud or Cluster Service Discovery Global Kong Mesh Control plane Remote Kong Mesh Control Plane Kong Mesh Ingress Platform, Cloud or Cluster Remote Kong Mesh Control Plane Kong Mesh Ingress Platform, Cloud or Cluster

THE CLOUD CONNECTIVITY COMPANY 17 © Kong Inc. Run anywhere Manage service meshes natively in Kubernetes using CRDs Deploy the service mesh across any environment, including multi-cluster, multi-cloud and multi-platform OR start with a service mesh in VM environments and migrate to Kubernetes at your own pace Service Mesh Container-based Microservices Service Mesh Container-based Microservices VM-based Monolith VM-based Monolith

THE CLOUD CONNECTIVITY COMPANY 18 © Kong Inc. 18 Demo - Deployment Kong Mesh - Deployment Demo APP - Secure Demo APP with mTLS (zero trust) - Apply Traffic permissions - Apply Deployment Strategies

THE CLOUD CONNECTIVITY COMPANY 19 © Kong Inc. 19 Deployment Kong Mesh

THE CLOUD CONNECTIVITY COMPANY 20 © Kong Inc. 20 Deployment mode Standalone Multiple Zone

THE CLOUD CONNECTIVITY COMPANY 21 © Kong Inc. 21 Use kumactl to deploy Kong Mesh # Download Kong Mesh $ curl -L https://docs.konghq.com/mesh/installer.sh | sh - # Deploy Control Plane $ kong-mesh-1.9.1/bin/kumactl install control-plane --license-path=/path/to/license.json | kubectl apply -f - # Verify $ kubectl get pod -n kong-mesh-system NAME READY STATUS RESTARTS AGE kong-mesh-control-plane-5ff698786d-2cckg 1/1 Running 0 61s $ kubectl get meshes NAME AGE default 1m

THE CLOUD CONNECTIVITY COMPANY 22 © Kong Inc. 22 Access GUI ❯ kubectl get svc -n kong-mesh-system NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kong-mesh-control-plane ClusterIP 10.43.219.12 5680/TCP,5681/TCP,5682/TCP,443/TCP,5676/TCP,5678/TCP 91s # expose control plane as nodeport and use 30001 port ❯ kubectl expose deployment kong-mesh-control-plane -n kong-mesh-system --type=NodePort --name=kongmesh-cp --port 5681 service/kongmesh-cp exposed ❯ kubectl patch service kongmesh-cp -n kong-mesh-system --type='json' \ --patch='[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":30001}]' ❯ kubectl get svc -n kong-mesh-system NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kong-mesh-control-plane ClusterIP 10.43.219.12 5680/TCP,5681/TCP,5682/TCP,443/TCP,5676/TCP,5678/TCP 92s kongmesh-cp NodePort 10.43.110.195 5681:30001/TCP 2s

THE CLOUD CONNECTIVITY COMPANY 23 © Kong Inc. 23 Access GUI http://:/gui to access the GUI

THE CLOUD CONNECTIVITY COMPANY 24 © Kong Inc. 24 Access control plane via kumactl # configure kumactl to use the exposed IP address to control your mesh ❯ kumactl config control-planes add --name=kongmesh-cp \ --address=http://:30001 ❯ kumactl get meshes NAME mTLS METRICS LOGGING TRACING LOCALITY ZONEEGRESS AGE default off off off off off off 17m

THE CLOUD CONNECTIVITY COMPANY 25 © Kong Inc. 25 Deployment Demo APP

THE CLOUD CONNECTIVITY COMPANY 26 © Kong Inc. 26 Counter app • A front-end and a Redis database to store counters. • The front-end is a simple display that allows you to increment a counter. • The Redis database stores the current count. FRONTEND- APP KUMA-DP KUMA-DP REDIS

THE CLOUD CONNECTIVITY COMPANY 27 © Kong Inc. 27 Kuma sidecar annotation • Ensure the Kuma sidecar annotation is included with the application’s manifest. • It tells Kubernetes to automatically inject a data plane proxy to every service deployed in the namespace apiVersion: v1 kind: Namespace metadata: name: kuma-demo annotations: kuma.io/sidecar-injection: enabled

THE CLOUD CONNECTIVITY COMPANY 28 © Kong Inc. 28 Deploy the application and inspect it ❯ kubectl apply -f counterapp.yaml ❯ kumactl inspect dataplanes MESH NAME TAGS STATUS LAST CONNECTED AGO LAST UPDATED AGO TOTAL UPDATES TOTAL ERRORS CERT REGENERATED AGO CERT EXPIRATION CERT REGENERATIONS CERT BACKEND SUPPORTED CERT BACKENDS KUMA-DP VERSION ENVOY VERSION DEPENDENCIES VERSIONS NOTES default demo-app-768f774c55-bwd4v.kuma-demo app=demo-app k8s.kuma.io/namespace=kuma-demo k8s.kuma.io/service-name=demo-app k8s.kuma.io/service-port=5000 kuma.io/protocol=http kuma.io/service=demo-app_kuma-demo_svc_5000 pod-template-hash=768f774c55 version=v1 Online 1m 1m 8 0 never - 0 - 1.9.1 1.22.1 coredns: 1.8.3, opa: 0.43.0 default demo-app-v2-df4f5bdc7-b8zml.kuma-demo app=demo-app k8s.kuma.io/namespace=kuma-demo k8s.kuma.io/service-name=demo-app k8s.kuma.io/service-port=5000 kuma.io/protocol=http kuma.io/service=demo-app_kuma-demo_svc_5000 pod-template-hash=df4f5bdc7 version=v2 Online 1m 1m 8 0 never - 0 - 1.9.1 1.22.1 coredns: 1.8.3, opa: 0.43.0 default redis-684cbb56c9-brsmj.kuma-demo app=redis k8s.kuma.io/namespace=kuma-demo k8s.kuma.io/service-name=redis k8s.kuma.io/service-port=6379 kuma.io/protocol=tcp kuma.io/service=redis_kuma-demo_svc_6379 pod-template-hash=684cbb56c9 Online 1m 1m 8 0 never - 0 - 1.9.1 1.22.1 coredns: 1.8.3, opa: 0.43.0

THE CLOUD CONNECTIVITY COMPANY 29 © Kong Inc. 29 Inspect the Data plane in GUI

THE CLOUD CONNECTIVITY COMPANY 30 © Kong Inc. 30 Kong Ingress Controller(KIC) • Deploy KIC for access frontend app via kong proxy FRONTEND- APP KUMA-DP KUMA-DP REDIS Kong Proxy KUMA-DP Kong Plugins

THE CLOUD CONNECTIVITY COMPANY 31 © Kong Inc. 31 Deploy Kong Ingress Controller(KIC) ❯ kubectl apply -f https://bit.ly/k4k8s namespace/kong created customresourcedefinition.apiextensions.k8s.io/ingressclassparameterses.configuration.konghq.com created customresourcedefinition.apiextensions.k8s.io/kongclusterplugins.configuration.konghq.com created customresourcedefinition.apiextensions.k8s.io/kongconsumers.configuration.konghq.com created customresourcedefinition.apiextensions.k8s.io/kongingresses.configuration.konghq.com created customresourcedefinition.apiextensions.k8s.io/kongplugins.configuration.konghq.com created customresourcedefinition.apiextensions.k8s.io/tcpingresses.configuration.konghq.com created customresourcedefinition.apiextensions.k8s.io/udpingresses.configuration.konghq.com created … # Pod of KIC ❯ kubectl get pods -n kong NAME READY STATUS RESTARTS AGE ingress-kong-6647c64fd4-ggvct 2/2 Running 0 4m51s # patch the kong proxy to use nodePort ❯ kubectl patch service kong-proxy --namespace=kong --type='json' \ --patch='[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":31112}]' ❯ kubectl get services -n kong NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kong-validation-webhook ClusterIP 10.43.183.215 443/TCP 6m25s kong-proxy LoadBalancer 10.43.251.106 80:31112/TCP,443:32197/TCP 6m25s

THE CLOUD CONNECTIVITY COMPANY 32 © Kong Inc. 32 Add Kong Proxy to Kong Mesh # annotate the namespace and restart the KIC pod ❯ kubectl annotate ns kong kuma.io/sidecar-injection='enabled' ❯ kubectl delete pod ingress-kong-xxxxxxxxxx-xxxxx -n kong

THE CLOUD CONNECTIVITY COMPANY 33 © Kong Inc. 33 Create Ingress rule for access the frontend app • Deploy KIC for access frontend app via kong proxy FRONTEND- APP KUMA-DP KUMA-DP REDIS Kong Proxy KUMA-DP Kong Plugins Request Ingress

THE CLOUD CONNECTIVITY COMPANY 34 © Kong Inc. 34 Create Ingress rule ❯ cat <

THE CLOUD CONNECTIVITY COMPANY 35 © Kong Inc. 35 Access the Counter Demo App ❯ kubectl get svc -n kong kong-proxy NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kong-proxy LoadBalancer 10.43.251.106 80:31112/TCP,443:32197/TCP 75m

THE CLOUD CONNECTIVITY COMPANY 36 © Kong Inc. 36 Secure Demo APP with mTLS

THE CLOUD CONNECTIVITY COMPANY 37 © Kong Inc. 37 Intro - No security or encrypted by default - Using a built-in CA, we can secure the services by enabling mTLS. - Only allowed services can communicate with others. - All traffic will be encrypted - mTLS is not enabled by default, enable it by updating the mesh policy ❯ kumactl get meshes NAME mTLS METRICS LOGGING TRACING LOCALITY ZONEEGRESS AGE default off off off off off off 2h

THE CLOUD CONNECTIVITY COMPANY 38 © Kong Inc. 38 Add mTLS policy ❯ cat <

THE CLOUD CONNECTIVITY COMPANY 39 © Kong Inc. 39 Verify Traffic permission and remove the by-default rule - By default, there is a Traffic Permissions rule that allows all traffic. - Remove it - Counter app should down due to no allowed rule. ❯ kubectl get TrafficPermission NAME AGE allow-all-default 11m ❯ kubectl delete TrafficPermission allow-all-default trafficpermission.kuma.io "allow-all-default" deleted

THE CLOUD CONNECTIVITY COMPANY 40 © Kong Inc. 40 Apply Traffic permissions

THE CLOUD CONNECTIVITY COMPANY 41 © Kong Inc. 41 Intro - Traffic Permissions allows which services are able to communicate. - Easy for implementing Zero Trust networks FRONTEND- APP KUMA-DP KUMA-DP REDIS Kong Proxy KUMA-DP Kong Plugins Request allow allow

THE CLOUD CONNECTIVITY COMPANY 42 © Kong Inc. 42 Add Traffic Permission Policy ❯ cat <

THE CLOUD CONNECTIVITY COMPANY 43 © Kong Inc. 43 Verify Traffic Permissions via Kuma GUI

THE CLOUD CONNECTIVITY COMPANY 44 © Kong Inc. 44 Access the Counter Demo App again

THE CLOUD CONNECTIVITY COMPANY 45 © Kong Inc. 45 Apply Deployment Strategies

THE CLOUD CONNECTIVITY COMPANY 46 © Kong Inc. 46 Intro - Traffic Routing policy enables you to configure L4 routing rules FRONTEND- APP v1.0 KUMA-DP KUMA-DP REDIS Kong Proxy KUMA-DP Kong Plugins Request FRONTEND- APP v2.0 KUMA-DP Traffic Routing policy

THE CLOUD CONNECTIVITY COMPANY 47 © Kong Inc. 47 By default Round Robin strategy 50% 50%

THE CLOUD CONNECTIVITY COMPANY 48 © Kong Inc. 48 By default Round Robin strategy cat <

THE CLOUD CONNECTIVITY COMPANY 49 © Kong Inc. 49 Summary

THE CLOUD CONNECTIVITY COMPANY 50 © Kong Inc. • Kong Mesh Intro • Deploy Kong mesh using kumactl • Deploy Demo Counter app and use Kong Ingress Controller to expose it • Secure Demo Counter app with mTLS • Apply Traffic permissions • Apply Deployment Strategies Summary 50

THE CLOUD CONNECTIVITY COMPANY 51 © Kong Inc. 51 Thank you