
Kong Academy in Japanese! #2

Wenhan Shi

April 21, 2022

Transcript

  1. THE CLOUD CONNECTIVITY COMPANY © Kong Inc.

    Kong Academy in Japanese! #2
    KGLL-108 - Kong for Kubernetes
    施文翰 (Wenhan Shi) – Solution Engineer
    April 2022
  2. Who am I

    施 文翰 (シ ブンカン) Wenhan Shi
    • Hitachi, Ltd. - Linux kernel module development/Support
    • Red Hat K.K. - GlusterFS/OpenShift Support
    • Canonical Japan K.K. - Ubuntu/OpenStack/Kubernetes Support
    • Rancher Labs/SUSE - Rancher Support
    • Kong Inc. - Solution Engineer
    @shi_wenhan
  3. About this session

    This session is based on the Kong Academy KGLL-108 Learning Lab: Kong for Kubernetes.
    - https://education.konghq.com/
    - All level 100 courses are free and can be taken online (self-paced)
    - Level 200 and above are paid (subscription)
    - Instructor-led training
    - Kong certification is awarded
  4. Agenda

    • Kong for Kubernetes intro
    • Deployment
      ◦ Kubernetes YAML
      ◦ Helm
    • Exposing, Securing, and Protecting a Service
  5. Intro

    • Kong for Kubernetes is a cloud native Kubernetes Ingress Controller
    • Kong Ingress Controller for Kubernetes (KIC) GitHub

    https://docs.konghq.com/enterprise/2.5.x/deployment/installation/kong-for-kubernetes/#introduction
  6. Arch

    • Kong and KIC are deployed in one Pod.
    • Kubernetes Services are exposed through Ingress resources.
    • KIC receives events from the API server and configures Kong.
    • The Kong container handles all traffic defined by Kong Ingress resources.

    https://docs.konghq.com/kubernetes-ingress-controller/2.3.x/concepts/design/
  7. Intro - 2

    • Kong’s main components

    [Diagram: API Client (http://wenhan.io/A), LB, Kong Gateway (http://wenhan.io), Route(/A) to Route(/D), Service(1) to Service(3), URL 1, URL 2, External API]
  8. Intro - 3

    • Kong’s main components map to Kubernetes resource types

    [Diagram: the same components as on the previous slide, labelled with Ingress Rules, Kubernetes Service and Kubernetes Pods]
  9. Deployment method

    | Deployment method | YAML | Helm |
    |---|---|---|
    | Database | DB-less only | DB-less or DB-based |
    | Config store | ETCD | ETCD or DB mode |
    | Available for | OSS, Enterprise | OSS, Enterprise |
    | Pros | Easy and quick | Fully customizable |
    | Components: Proxy | Yes | Yes |
    | Components: Admin API | No | Yes |
    | Components: Manager (GUI) | No | Yes |
    | Components: Dev Portal | No | Yes |
    | Components: Vitals | No | Yes |
  10. DB-less mode?

    - Kong can be deployed in either DB-less or DB-based mode
    - Using DB-less mode
      - Reduced dependencies: no need to manage a database
      - Good fit for automation in CI/CD: configuration in a single source (local or Git)
      - Not all plugins are fully compatible in this mode
        - https://docs.konghq.com/konnect-platform/compatibility/plugins/

    https://docs.konghq.com/gateway/2.8.x/reference/db-less-and-declarative-config/#using-kong-in-db-less-mode
  11. Deploying with Kubernetes YAML - 1

    - A license file is needed for an Enterprise deployment
    - There is no PostgreSQL DB pod

    ```
    ## on Kubernetes native
    kubectl create namespace kong

    ## Kong Gateway on Kubernetes native
    kubectl create secret generic kong-enterprise-license --from-file=./license -n kong
    kubectl apply -f https://bit.ly/k4k8s-enterprise-install

    ## Kong Gateway (OSS) on Kubernetes native
    kubectl apply -f https://bit.ly/kong-ingress-dbless

    $ kubectl get pod -n kong
    NAME                            READY   STATUS    RESTARTS      AGE
    svclb-kong-proxy-4sfn5          2/2     Running   0             103s
    ingress-kong-677b9ccbf8-tczsf   2/2     Running   3 (79s ago)   103s
    ```
  12. Deploying with Kubernetes YAML - 2

    - Verify

    ```
    $ kubectl get svc -n kong
    NAME                      TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)                      AGE
    kong-validation-webhook   ClusterIP      10.43.98.37    <none>         443/TCP                      110s
    kong-proxy                LoadBalancer   10.43.98.177   10.0.134.197   80:30717/TCP,443:32221/TCP   110s

    $ http 10.0.134.197
    # or
    $ http localhost:30717
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 48
    Content-Type: application/json; charset=utf-8
    Date: Mon, 18 Apr 2022 05:02:37 GMT
    Server: kong/2.8.0
    X-Kong-Response-Latency: 1

    {
        "message": "no Route matched with those values"
    }
    ```
  13. Deploying with Helm - all default settings - 1

    - Deploy Kong using Helm with all default settings

    ```
    ## pre-install
    kubectl create namespace kong
    helm repo add kong https://charts.konghq.com
    helm repo update

    ## Install Kong Gateway
    helm install kong/kong --generate-name
    ```
  14. Deploying with Helm - all default settings - 2

    - Verify

    ```
    ## By default, Kong is deployed in DB-less mode
    $ kubectl get pod
    NAME                                     READY   STATUS    RESTARTS      AGE
    svclb-kong-1650259566-kong-proxy-wfs7g   2/2     Running   0             90s
    kong-1650259566-kong-6b5d5c5758-psffx    2/2     Running   2 (87s ago)   90s

    ## Only kong proxy is available
    $ kubectl get svc
    NAME                         TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)                      AGE
    kubernetes                   ClusterIP      10.43.0.1      <none>         443/TCP                      39h
    kong-1650259566-kong-proxy   LoadBalancer   10.43.40.186   10.0.134.197   80:31276/TCP,443:30182/TCP   49s

    $ http 10.0.134.197
    $ http localhost:31276
    HTTP/1.1 404 Not Found
    …
    {
        "message": "no Route matched with those values"
    }
    ```
  15. Deploying with Helm - customize - 1

    - Use values.yaml to configure Kong
      - Configuration parameters
        - https://github.com/Kong/charts/blob/main/charts/kong/README.md#configuration
      - Examples
        - https://github.com/Kong/charts/tree/main/charts/kong/example-values

    ```
    ## pre-install
    kubectl create namespace kong
    helm repo add kong https://charts.konghq.com
    helm repo update

    ## Install Kong Gateway
    helm install my-kong kong/kong -n kong --values ./values.yaml
    ```
  16. Deploying with Helm - customize - 2

    - Verify

    ```
    ## A PostgreSQL DB pod is running, backed by a local-path PV
    $ kubectl get pod -n kong
    NAME                                    READY   STATUS      RESTARTS        AGE
    my-kong-postgresql-0                    1/1     Running     0               7m2s
    my-kong-kong-init-migrations--1-drgk9   0/1     Completed   0               7m2s
    my-kong-kong-57c589bf8c-xm6c8           2/2     Running     2 (5m54s ago)   7m2

    $ kubectl get pv
    NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                            STORAGECLASS   REASON   AGE
    pvc-fc7353d4-bb9f-4d9e-8f74-cb1cb8546f40   8Gi        RWO            Delete           Bound    kong/data-my-kong-postgresql-0   local-path              8m41s

    ## All the features are enabled.
    $ kubectl get svc -n kong
    NAME                          TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
    my-kong-postgresql-headless   ClusterIP   None            <none>        5432/TCP                     9m11s
    my-kong-kong-proxy            NodePort    10.43.119.198   <none>        80:31000/TCP,443:31254/TCP   9m11s
    my-kong-kong-admin            NodePort    10.43.191.164   <none>        8001:31001/TCP               9m11s
    my-kong-kong-portal           NodePort    10.43.118.111   <none>        8003:31003/TCP               9m11s
    my-kong-postgresql            ClusterIP   10.43.55.81     <none>        5432/TCP                     9m11s
    my-kong-kong-manager          NodePort    10.43.86.108    <none>        8002:31002/TCP               9m11s
    ```
  17. Deploying with Helm - customize - 3

    - Verify GUI on port 31002, admin API on port 31001

    ```
    $ http GET localhost:31001/status Kong-Admin-Token:kong
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: http://3.113.112.202:31002
    Connection: keep-alive
    Content-Length: 1824
    Content-Type: application/json; charset=utf-8
    Date: Tue, 19 Apr 2022 14:26:14 GMT
    Server: kong/2.8.1.0-enterprise-edition
    X-Kong-Admin-Latency: 6
    X-Kong-Admin-Request-ID: LO0bm1oNonBAMR0dooKrzcaGRZlIzVNM
    vary: Origin

    {
        "database": {
            "reachable": true
        },
        "memory": {
            "lua_shared_dicts": {
                "kong": {
    …
    ```
  18. Environment now

    [Diagram: EC2 node (3.113.112.202) running a Kubernetes Cluster with Kong Gateway; Admin API 31001, Kong Manager 31002, Kong Proxy 31000]
  19. Deploy a service and expose it by Kong

    - First, let’s deploy an echo service/pod

    ```
    $ kubectl get pod -n echo
    NAME                    READY   STATUS    RESTARTS   AGE
    echo-554cb8b48b-nknfw   1/1     Running   0          60s

    $ kubectl get svc -n echo
    NAME   TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
    echo   ClusterIP   10.43.57.39   <none>        80/TCP    66s
    ```
  20. Deploy a service and expose it by Kong

    - Next, expose the echo service outside the Kubernetes cluster by defining Ingress rules.

    ```
    # https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource
    $ echo '
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: demo
      annotations:
        konghq.com/strip-path: "true"        # the path is removed when the service is accessed
        kubernetes.io/ingress.class: kong    # use the Kong Ingress Controller
      namespace: echo
    spec:
      rules:
      - http:
          paths:
          - path: /echo                      # access path is /echo
            pathType: Prefix
            backend:
              service:
                name: echo                   # target service is echo, port is 80
                port:
                  number: 80
    ' | kubectl apply -f -
    ```
  21. Environment now

    [Diagram: EC2 node (3.113.112.202) running a Kubernetes Cluster; Kong Gateway (Admin API 31001, Kong Manager 31002, Kong Proxy 31000), Ingress Rule “demo” (/echo), Service “Echo” (80), Pod “echo” (80); external URL http://3.113.112.202:31000/echo]
  22. Access service from outside

    ```
    ❯ http http://3.113.112.202:31000/echo
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 1293
    Content-Type: application/json; charset=utf-8
    Date: Tue, 19 Apr 2022 14:51:03 GMT
    ETag: W/"50d-PK3UDIH5M5k5u0EVmQ6TSEQlQY8"
    Via: kong/2.8.1.0-enterprise-edition
    X-Kong-Proxy-Latency: 0
    X-Kong-Upstream-Latency: 8

    {
        "environment": {
            "ECHO_PORT": "tcp://10.43.57.39:80",
            "ECHO_PORT_80_TCP": "tcp://10.43.57.39:80",
            "ECHO_PORT_80_TCP_ADDR": "10.43.57.39",
    …
    ```
  23. Protect the service - Rate Limit

    - Controls how many times a client can access the service in a specified time frame.
  24. Protect the service - Rate Limit - setup

    - To enforce the rate limiting plugin
      - define a KongPlugin (Kong CRD) resource

    ```
    cat <<EOF | kubectl apply -f -
    apiVersion: configuration.konghq.com/v1
    kind: KongPlugin
    metadata:
      name: rl-by-ip
      annotations:
        kubernetes.io/ingress.class: kong
      namespace: echo
    config:
      minute: 5
      limit_by: ip
      policy: local
    plugin: rate-limiting
    EOF
    ```
  25. Protect the service - Rate Limit - setup

    - To enforce the rate limiting plugin
      - annotate the service.
    - The plugin can also be applied at the Ingress level or globally
      - e.g. enforce a global rate limit for all services but enforce a different rate limit for specific services or consumers

    ```
    $ kubectl annotate svc echo konghq.com/plugins=rl-by-ip -n echo

    $ kubectl get svc -n echo -o yaml
    apiVersion: v1
    items:
    - apiVersion: v1
      kind: Service
      metadata:
        annotations:
          konghq.com/plugins: rl-by-ip
    <snip>
    ```
  26. Environment now

    [Diagram: EC2 node (3.113.112.202) running a Kubernetes Cluster; Kong Gateway (Admin API 31001, Kong Manager 31002, Kong Proxy 31000), Ingress Rule “demo” (/echo), Ratelimit KongPlugin, Service “Echo” (80), Pod “echo” (80)]
  27. Protect the service - Rate Limit - verify

    - Now the service can only be accessed 5 times in 1 minute

    ```
    ❯ http http://3.113.112.202:31000/echo
    ❯ http http://3.113.112.202:31000/echo
    ❯ http http://3.113.112.202:31000/echo
    ❯ http http://3.113.112.202:31000/echo
    ❯ http http://3.113.112.202:31000/echo
    ❯ http http://3.113.112.202:31000/echo
    HTTP/1.1 429 Too Many Requests
    Connection: keep-alive
    Content-Length: 41
    Content-Type: application/json; charset=utf-8
    Date: Tue, 19 Apr 2022 15:32:37 GMT
    RateLimit-Limit: 5
    RateLimit-Remaining: 0
    RateLimit-Reset: 23
    Retry-After: 23
    Server: kong/2.8.1.0-enterprise-edition
    X-Kong-Response-Latency: 1
    X-RateLimit-Limit-Minute: 5
    X-RateLimit-Remaining-Minute: 0
    ```
  28. Protect the service - authentication

    - Add key authentication to a Service or a Route to prevent free access
    - Consumers need to add their API key (in a header or the body) to authenticate.
    - Another plugin, “Key Authentication Encrypted”, provides the ability to encrypt keys
  29. Protect the service - authentication - setup

    - To enforce the Key-Auth plugin
      - define a KongPlugin (Kong CRD) resource

    ```
    cat <<EOF | kubectl apply -f -
    apiVersion: configuration.konghq.com/v1
    kind: KongPlugin
    metadata:
      name: key-auth
      namespace: echo
      annotations:
        kubernetes.io/ingress.class: kong
    plugin: key-auth
    EOF
    ```
  30. Protect the service - authentication - setup

    - To enforce the Key-Auth plugin
      - annotate the ingress.

    ```
    $ kubectl annotate ingress demo konghq.com/plugins=key-auth -n echo

    $ kubectl get ing demo -n echo -o yaml
    apiVersion: v1
    items:
    - apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        annotations:
          konghq.com/plugins: key-auth
          konghq.com/strip-path: "true"
    <snip>
    ```
  31. Protect the service - authentication - Verification

    - Now the service can’t be accessed without an API key

    ```
    ❯ http http://3.113.112.202:31000/echo
    HTTP/1.1 401 Unauthorized
    Connection: keep-alive
    Content-Length: 45
    Content-Type: application/json; charset=utf-8
    Date: Wed, 20 Apr 2022 05:12:43 GMT
    Server: kong/2.8.1.0-enterprise-edition
    WWW-Authenticate: Key realm="kong"
    X-Kong-Response-Latency: 62

    {
        "message": "No API key found in request"
    }
    ```
  32. Protect the service - authentication - Consumer & API Key

    - Create an API key as a Secret, as we are using native Kubernetes.
    - Create a Consumer and configure its credentials to use the Secret

    ```
    kubectl create secret generic jason-apikey \
      --from-literal=kongCredType=key-auth \
      --from-literal=key=123456789 \
      -n echo

    cat <<EOF | kubectl apply -f -
    apiVersion: configuration.konghq.com/v1
    kind: KongConsumer
    metadata:
      name: jason
      namespace: echo
      annotations:
        kubernetes.io/ingress.class: kong
    username: jason
    credentials:
    - jason-apikey
    EOF
    ```
  33. Consumer?

    • A user, or a service associated to individuals using your Service,
    • used for tracking, access management

    [Diagram: the components from “Intro - 3” (API Client, LB, Kong Gateway, Routes, Services, Ingress Rules, Kubernetes Service, Kubernetes Pods) with KongConsumer (CRD) added]
  34. Environment now

    [Diagram: EC2 node (3.113.112.202) running a Kubernetes Cluster; Kong Gateway (Admin API 31001, Kong Manager 31002, Kong Proxy 31000), Ingress Rule “demo” (/echo), KongPlugin Ratelimit, KongPlugin Key Auth, Consumer Jason, Service “Echo” (80), Pod “echo” (80)]
  35. Protect the service - authentication - Verification - 2

    - Access the service with the defined API key

    ```
    ❯ http http://3.113.112.202:31000/echo
    HTTP/1.1 401 Unauthorized
    Connection: keep-alive
    <snip>

    ❯ http http://3.113.112.202:31000/echo apikey:123456789
    HTTP/1.1 200 OK
    Connection: keep-alive
    <snip>
    ```
  36. Protect the service - Access Control List (ACL)

    - Consumers can access the Service only when they are members of a particular group.
  37. Protect the service - Access Control List (ACL) - Setup

    - Create an ACL group as a Secret, as we are using native Kubernetes.
    - Create an ACL plugin that only allows Consumers that are members of the app-admin group.

    ```
    kubectl create secret generic app-admin-acl \
      --from-literal=kongCredType=acl \
      --from-literal=group=app-admin \
      -n echo

    cat <<EOF | kubectl apply -f -
    apiVersion: configuration.konghq.com/v1
    kind: KongPlugin
    metadata:
      name: admin-acl
      namespace: echo
      annotations:
        kubernetes.io/ingress.class: kong
    plugin: acl
    config:
      whitelist: ['app-admin']
    EOF
    ```
  38. Protect the service - Access Control List (ACL) - Setup

    - Apply the ACL plugin to the Ingress.
    - Now Consumers need a key and must also be members of the admin-acl group.

    ```
    $ kubectl annotate ingress demo konghq.com/plugins- -n echo # delete the annotation
    $ kubectl annotate ingress demo konghq.com/plugins=key-auth,admin-acl -n echo

    $ kubectl get ing -n echo -o yaml
    apiVersion: v1
    items:
    - apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        annotations:
          konghq.com/plugins: key-auth,admin-acl
    <snip>
    ```
  39. Environment now

    [Diagram: EC2 node (3.113.112.202) running a Kubernetes Cluster; Kong Gateway (Admin API 31001, Kong Manager 31002, Kong Proxy 31000), Ingress Rule “demo” (/echo), KongPlugin Ratelimit, KongPlugin Key Auth, KongPlugin ACL, Consumer Jason, Service “Echo” (80), Pod “echo” (80)]
  40. Protect the service - Access Control List (ACL) - Verification

    - Now the service can’t be accessed even with an API key

    ```
    ❯ http http://3.113.112.202:31000/echo apikey:123456789
    HTTP/1.1 403 Forbidden
    Connection: keep-alive
    Content-Length: 49
    Content-Type: application/json; charset=utf-8
    Date: Wed, 20 Apr 2022 08:35:50 GMT
    Server: kong/2.8.1.0-enterprise-edition
    X-Kong-Response-Latency: 129

    {
        "message": "You cannot consume this service"
    }
    ```
  41. Protect the service - Access Control List (ACL) - Update group

    - Update Jason’s Consumer resource with the app-admin-acl secret.
    - This adds Jason to the group app-admin.

    ```
    $ cat <<EOF | kubectl apply -f -
    apiVersion: configuration.konghq.com/v1
    kind: KongConsumer
    metadata:
      name: jason
      namespace: echo
      annotations:
        kubernetes.io/ingress.class: kong
    username: jason
    credentials:
    - jason-apikey
    - app-admin-acl
    EOF
    ```
  42. Protect the service - Access Control List (ACL) - Verification

    - Now we can access the service using this consumer
    - Key authentication and ACL groups do a fine job of securing the service
    - However, most enterprises prefer to integrate with an existing Identity Provider.

    ```
    ❯ http http://3.113.112.202:31000/echo apikey:123456789
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 1496
    ```
  43. Protect the service - Using 3rd party Identity Provider

    - The OpenID Connect (OIDC) plugin can be configured to use a 3rd party IdP
      - Auth0
      - Amazon AWS Cognito
      - Connect2id
      - Curity
      - Dex
      - Gluu
      - Google
      - IdentityServer
      - Keycloak
      - Microsoft Azure Active Directory
      - Microsoft Active Directory Federation Services
      - Microsoft Live Connect
      - Okta
      - OneLogin
      - OpenAM
      - Paypal
      - PingFederate
      - Salesforce
      - WSO2
      - Yahoo!
  44. Setup OIDC plugin

    - Create the OIDC plugin and configure it to use Okta
    - Replace the key-auth and acl plugins with the OIDC plugin

    ```
    cat <<EOF | kubectl apply -f -
    apiVersion: configuration.konghq.com/v1
    kind: KongPlugin
    metadata:
      name: openid-connect
      namespace: echo
      annotations:
        kubernetes.io/ingress.class: kong
    config:
      issuer: https://dev-513727.okta.com/oauth2/default
      consumer_optional: true
      auth_methods:
      - client_credentials
      verify_parameters: false
      scopes: []
    plugin: openid-connect
    EOF

    $ kubectl annotate ingress demo konghq.com/plugins- -n echo
    $ kubectl annotate ingress demo konghq.com/plugins=openid-connect -n echo
    ```
  45. Environment now

    [Diagram: EC2 node (3.113.112.202) running a Kubernetes Cluster; Kong Gateway (Admin API 31001, Kong Manager 31002, Kong Proxy 31000), Ingress Rule “demo” (/echo), KongPlugin Ratelimit, KongPlugin openid-connect, Consumer Jason, Service “Echo” (80), Pod “echo” (80)]
  46. Verification

    - Access is rejected because we didn’t provide any auth information.
    - The service can be accessed if we provide correct authentication information.

    ```
    $ http http://3.113.112.202:31000/echo
    HTTP/1.1 401 Unauthorized
    Connection: keep-alive
    Content-Length: 26
    Content-Type: application/json; charset=utf-8
    Date: Wed, 20 Apr 2022 16:14:39 GMT
    Server: nginx
    WWW-Authenticate: Bearer realm="dev-513727.okta.com"
    X-Kong-Response-Latency: 1

    {
        "message": "Unauthorized"
    }

    $ http GET http://3.113.112.202:31000/echo authorization:"Basic MG9hM2dqZXJ3elRJNXlqN3AzNTc6QS10eWNzc083TldEOEtRNWh6ZWhwWTVtQ0Z2emxIRE93cVpETHYyZA=="
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Encoding: gzip
    <snip>
    ```
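
A model of the `rl-by-ip` setting from slides 24-27 (`minute: 5`, `limit_by: ip`, `policy: local`), added here as an example and not taken from the deck or from Kong's code; it goes beyond the single-node run on slide 27 to show what per-node counters and minute-aligned windows let through. `LocalLimiter`, `burst`, `accepted`, `demo`, the client IP and the timestamp are constructed for illustration.

```python
"""Fixed-window, per-node request counter (added example, not Kong source code)."""
from collections import defaultdict
from itertools import cycle

LIMIT = 5     # `minute: 5` in the rl-by-ip KongPlugin
WINDOW = 60   # seconds in the `minute` period


class LocalLimiter:
    """One gateway node using `policy: local`: counters exist only in this process."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(int)  # (client_ip, window_start) -> requests counted

    def handle(self, client_ip, now):
        """Return (status, headers) for one request arriving at epoch second `now`."""
        elapsed = now % self.window
        key = (client_ip, now - elapsed)   # `limit_by: ip`, window aligned to the minute
        reset = self.window - elapsed      # seconds until the counter starts over
        headers = {"RateLimit-Limit": self.limit, "RateLimit-Reset": reset}
        if self.hits[key] >= self.limit:
            headers.update({"RateLimit-Remaining": 0, "Retry-After": reset})
            return 429, headers
        self.hits[key] += 1
        headers["RateLimit-Remaining"] = self.limit - self.hits[key]
        return 200, headers


def burst(nodes, client_ip, now, count):
    """Send `count` requests at time `now`, spread round-robin over `nodes`."""
    picker = cycle(nodes)
    return [next(picker).handle(client_ip, now) for _ in range(count)]


def accepted(responses):
    """Count the responses that were let through."""
    return sum(1 for status, _ in responses if status == 200)


# Constructed sample values: a documentation-range client IP and an epoch second
# that falls 37 s into a minute, like the 15:32:37 timestamp of the 429 on slide 27.
CLIENT = "203.0.113.7"
T0 = 1_650_000_037


def demo():
    single = burst([LocalLimiter()], CLIENT, T0, 6)                     # one replica
    three = burst([LocalLimiter() for _ in range(3)], CLIENT, T0, 18)   # three replicas
    node = LocalLimiter()
    # Five requests in the last second of a window, five in the first second of the next.
    edge = burst([node], CLIENT, T0 + 22, 5) + burst([node], CLIENT, T0 + 23, 5)
    return {
        "single_node": [status for status, _ in single],
        "last_headers": single[-1][1],
        "three_nodes_accepted": accepted(three),
        "window_edge_accepted": accepted(edge),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With three replicas the same client gets 15 requests through in one minute, and a burst across a minute boundary gets 10 through in two seconds, so the `minute: 5` figure is a per-node, per-window bound. The plugin's `cluster` and `redis` policies keep shared counters instead of per-node ones.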