Implementing multiple rate limiting with Kong Ingress Controller

Wenhan Shi
February 17, 2023

[Second meetup!] Kong Community, Japan Meetup

Transcript

  1. Implementing multiple rate limiting with Kong Ingress Controller

    THE CLOUD CONNECTIVITY COMPANY, © Kong Inc.
    Wenhan Shi, Solutions Engineer, [email protected]
  2. Who am I

    施 文翰 (シ ブンカン) / Wenhan Shi

    • Hitachi, Ltd. - Linux kernel module development/Support
    • Red Hat K.K. - GlusterFS/OpenShift Support
    • Canonical Japan K.K. - Ubuntu/OpenStack/Kubernetes Support
    • Rancher Lab/SUSE - Rancher Support
    • Kong Inc. - Solutions Engineer

    @shi_wenhan [email protected]
  3. Agenda

    • Kong Ingress Controller (KIC)
    • KIC + Rate Limiting
    • KIC + multiple Rate Limiting
  4. What is the Kubernetes Ingress Controller?

    ▪ Another Ingress Controller available for Kubernetes clusters
    ▪ Native support for the Kubernetes API server
      ◦ Kong resources are configured in YAML
  5. What is the Kubernetes Ingress Controller?

    ▪ Another Ingress Controller available for Kubernetes clusters
    ▪ Native support for the Kubernetes API server
      ◦ Kong resources are configured in YAML
  6. Installing KIC

    • YAML file

    ```
    kubectl create -f \
      https://raw.githubusercontent.com/Kong/kubernetes-ingress-controller/v2.8.0/deploy/single/all-in-one-dbless.yaml
    ```

    • Helm

    ```
    helm upgrade -i my-kong kong/kong -n kong \
      --set ingressController.installCRDs=false --wait
    ```
  7. Installing KIC

    • The Pod and Svc are created

    ```
    ❯ kubectl get pod -n kong
    NAME                            READY   STATUS    RESTARTS   AGE
    my-kong-kong-6db76664df-6vjlg   2/2     Running   0          4m58s
    ❯ kubectl get svc -n kong
    NAME                              TYPE           CLUSTER-IP       EXTERNAL-IP                              PORT(S)                      AGE
    my-kong-kong-proxy                LoadBalancer   10.100.140.184   xx-xx.ap-southeast-1.elb.amazonaws.com   80:30966/TCP,443:31707/TCP   5m3s
    my-kong-kong-validation-webhook   ClusterIP      10.100.149.74    <none>                                   443/TCP                      5m3s
    ❯ http proxy.kic.aws.kongtest.net
    HTTP/1.1 404 Not Found
    …
    {
        "message": "no Route matched with those values"
    }
    ```
  8. Creating a Route (Ingress)

    • Create an Ingress to expose the svc

    ```
    ❯ kubectl get svc
    NAME   TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)           AGE
    echo   ClusterIP   10.100.83.81   <none>        8080/TCP,80/TCP   23d
    ❯ kubectl apply -f - << EOF
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: kong-demo-ingress
    spec:
      ingressClassName: kong
      rules:
      - http:
          paths:
          - path: /demo
            pathType: Exact
            backend:
              service:
                name: echo
                port:
                  number: 80
    EOF
    ```
  9. Creating a Route (Ingress)

    • Create an Ingress to expose the svc

    ```
    ❯ http proxy.kic.aws.kongtest.net/demo
    HTTP/1.1 200 OK
    …
    Hostname: echo-744d654d7b-mdb99

    Pod Information:
        node name: ip-192-168-8-117.ap-southeast-1.compute.internal
        pod name: echo-744d654d7b-mdb99
        pod namespace: default
        pod IP: 192.168.7.142
    …
    ```
  10. Configuring a Route (Ingress)

    • To configure the Route further, create a KongIngress and bind it to the Ingress rule

    ```
    kubectl apply -f - <<EOF
    apiVersion: configuration.konghq.com/v1
    kind: KongIngress
    metadata:
      name: update-kong-demo-ingress
    route:
      headers:
        foo:
        - bar
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: kong-demo-ingress
      annotations:
        kubernetes.io/ingress.class: kong
        konghq.com/override: update-kong-demo-ingress
    spec:
      # (the slide is cut off here)
    ```
  11. Creating a Route (Ingress)

    • Create an Ingress to expose the svc

    ```
    ❯ http proxy.kic.aws.kongtest.net/demo
    HTTP/1.1 404 Not Found
    …
    {
        "message": "no Route matched with those values"
    }
    ❯ http proxy.kic.aws.kongtest.net/demo foo:bar
    HTTP/1.1 200 OK
    …
    Hostname: echo-744d654d7b-mdb99

    Pod Information:
        node name: ip-192-168-8-117.ap-southeast-1.compute.internal
        pod name: echo-744d654d7b-mdb99
        pod namespace: default
        pod IP: 192.168.7.142
    …
    ```
  12. Implementing plugins with KIC

    1. Create a Plugin resource using the CRD
    2. Set it in the annotation of the Ingress resource

    (Diagram labels: kong-demo-ingress, echo)
  13. Creating a plugin

    • Kong plugins are implemented with the following CRDs
      • KongPlugin: namespace level
      • KongClusterPlugin: cluster level

    ```
    kubectl apply -f - <<EOF
    apiVersion: configuration.konghq.com/v1
    kind: KongPlugin
    metadata:
      name: rate-limiting
    config:
      minute: 5
      policy: local
    plugin: rate-limiting
    disabled: false
    EOF
    ```

    ```
    kubectl apply -f - <<EOF
    apiVersion: configuration.konghq.com/v1
    kind: KongClusterPlugin
    metadata:
      name: jwt-auth
      annotations:
        kubernetes.io/ingress.class: kong
      labels:
        global: "true"
    plugin: jwt
    EOF
    ```
  14. Applying the plugin to an Ingress

    • Declare the plugins to use in the Ingress annotations

    ```
    ❯ kubectl annotate ingress kong-demo-ingress konghq.com/plugins=rate-limiting
    ingress.networking.k8s.io/kong-demo-ingress annotated
    ```

    ```
    annotations:
      konghq.com/plugins: rate-limiting
    ```

    • Check that rate limiting is applied

    ```
    ❯ http --header proxy.kic.aws.kongtest.net/demo
    ❯ http --header proxy.kic.aws.kongtest.net/demo
    ❯ http --header proxy.kic.aws.kongtest.net/demo
    ❯ http --header proxy.kic.aws.kongtest.net/demo
    ❯ http --header proxy.kic.aws.kongtest.net/demo
    ❯ http --header proxy.kic.aws.kongtest.net/demo
    HTTP/1.1 429 Too Many Requests
    …
    RateLimit-Limit: 5
    RateLimit-Remaining: 0
    RateLimit-Reset: 28
    ```
  15. Multiple rate limiting?

    1. Every client accesses the same API through the same path
    2. A different rate limit is applied depending on a header in the request
  16. Multiple rate limiting?

    1. Every client accesses the same API through the same path
    2. A different rate limit is applied depending on a header in the request
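
One way to get the behaviour described on the last slides, built only from the resource kinds and annotations shown earlier in the deck (an added sketch, not taken from the slides or from Kong's own documentation). The deck's `kong-demo-ingress` already matches `foo: bar` and carries the 5-per-minute `rate-limiting` plugin, so a second Ingress on the same path that matches another header value can carry a different limit. The names `rate-limiting-high`, `match-foo-baz` and `kong-demo-ingress-high`, the header value `baz` and the limit of 20 are assumptions made for this example.

```yaml
# Second tier: a separate plugin instance with its own limit.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limiting-high        # hypothetical name
config:
  minute: 20                      # assumed limit for this tier
  policy: local
plugin: rate-limiting
---
# Route override: this route only matches requests carrying "foo: baz".
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: match-foo-baz             # hypothetical name
route:
  headers:
    foo:
    - baz                         # assumed header value for the second tier
---
# Same path and backend as kong-demo-ingress, but bound to the
# override and the plugin defined above.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kong-demo-ingress-high    # hypothetical name
  annotations:
    konghq.com/override: match-foo-baz
    konghq.com/plugins: rate-limiting-high
spec:
  ingressClassName: kong
  rules:
  - http:
      paths:
      - path: /demo
        pathType: Exact
        backend:
          service:
            name: echo
            port:
              number: 80
```

Because the header is supplied by the client, any caller can pick its own tier by sending `foo: baz`, so the header should be one that a trusted component sets or verifies. With `policy: local` each Kong node keeps its own counters, so the effective limit grows with the number of proxy replicas.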