Kong Ingress Controllerで実現multiple rate limiting

Transcript

1. 【第2回開催！】 Kong Community, Japan ミートアップ

2. THE CLOUD CONNECTIVITY COMPANY 2 © Kong Inc. THE CLOUD

   CONNECTIVITY COMPANY Kong Ingress Controllerで実現 multiple rate limiting Wenhan Shi Solutions Engineer [email protected]

3. THE CLOUD CONNECTIVITY COMPANY 3 © Kong Inc. 3 Who

   am I 施 文翰(シ ブンカン) Wenhan Shi • 日立製作所 - Linux kernel module development/Support • Red Hat K.K. - GlusterFS/OpenShift Support • Canonical Japan K.K. - Ubuntu/OpenStack/Kubernetes Support • Rancher Lab/SUSE - Rancher Support • Kong Inc. - Solutions Engineer @shi_wenhan [email protected]

4. THE CLOUD CONNECTIVITY COMPANY 4 © Kong Inc. 4 Agenda

   • Kong Ingress Controller(KIC) • KIC + Rate Limiting • KIC + multiple Rate Limiting

5. THE CLOUD CONNECTIVITY COMPANY 5 © Kong Inc. 5 Kong

   Ingress Controller(KIC)

6. THE CLOUD CONNECTIVITY COMPANY 6 © Kong Inc. 6 Kubernetes

   Ingress Controllerとは

7. THE CLOUD CONNECTIVITY COMPANY 7 © Kong Inc. 7 Kubernetes

   Ingress Controllerとは ▪ Kubernetesクラスタで利用できるもう一つの Ingress Controllers ▪ KubernetesのAPI serverをNativelyサポート ◦ YAMLでKongのリソースを設定

8. THE CLOUD CONNECTIVITY COMPANY 8 © Kong Inc. 8 Kubernetes

   Ingress Controllerとは ▪ Kubernetesクラスタで利用できるもう一つの Ingress Controllers ▪ KubernetesのAPI serverをNativelyサポート ◦ YAMLでKongのリソースを設定

9. THE CLOUD CONNECTIVITY COMPANY 9 © Kong Inc. 9 KICをインストール

   • Yamlファイル • Helm kubectl create -f \ https://raw.githubusercontent.com/Kong/kubernetes-ingress-controller/v2.8.0/deploy/single/all-in-one-dbless.yaml helm upgrade -i my-kong kong/kong -n kong \ --set ingressController.installCRDs=false --wait

10. THE CLOUD CONNECTIVITY COMPANY 10 © Kong Inc. 10 KICをインストール

    • PodとSvcが作成 ❯ kubectl get pod -n kong NAME READY STATUS RESTARTS AGE my-kong-kong-6db76664df-6vjlg 2/2 Running 0 4m58s ❯ kubectl get svc -n kong NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE my-kong-kong-proxy LoadBalancer 10.100.140.184 xx-xx.ap-southeast-1.elb.amazonaws.com 80:30966/TCP,443:31707/TCP 5m3s my-kong-kong-validation-webhook ClusterIP 10.100.149.74 <none> 443/TCP 5m3s ❯ http proxy.kic.aws.kongtest.net HTTP/1.1 404 Not Found … { "message": "no Route matched with those values" }

11. THE CLOUD CONNECTIVITY COMPANY 11 © Kong Inc. 11 Route(Ingress)の作成

    • Ingressを作成してsvcを公開 ❯ kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE echo ClusterIP 10.100.83.81 <none> 8080/TCP,80/TCP 23d ❯ kubectl apply -f - << EOF apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: kong-demo-ingress spec: ingressClassName: kong rules: - http: paths: - path: /demo pathType: Exact backend: service: name: echo port: number: 80 EOF

12. THE CLOUD CONNECTIVITY COMPANY 12 © Kong Inc. 12 Route(Ingress)の作成

    • Ingressを作成してsvcを公開 ❯ http proxy.kic.aws.kongtest.net/demo HTTP/1.1 200 OK … Hostname: echo-744d654d7b-mdb99 Pod Information: node name: ip-192-168-8-117.ap-southeast-1.compute.internal pod name: echo-744d654d7b-mdb99 pod namespace: default pod IP: 192.168.7.142 …

13. THE CLOUD CONNECTIVITY COMPANY 13 © Kong Inc. 13 Route(Ingress)の設定

    • もう少しRouteの設定をしたいなら、KongIngressを作成し、Ingress RuleとBindする kubectl apply -f - <<EOF apiVersion: configuration.konghq.com/v1 kind: KongIngress metadata: name: update-kong-demo-ingress route: headers: foo: - bar --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: kong-demo-ingress annotations: kubernetes.io/ingress.class: kong konghq.com/override : update-kong-demo-ingress spec:

14. THE CLOUD CONNECTIVITY COMPANY 14 © Kong Inc. 14 Route(Ingress)の作成

    • Ingressを作成してsvcを公開 ❯ http proxy.kic.aws.kongtest.net/demo HTTP/1.1 404 Not Found … { "message": "no Route matched with those values" } ❯ http proxy.kic.aws.kongtest.net/demo foo:bar HTTP/1.1 200 OK … Hostname: echo-744d654d7b-mdb99 Pod Information: node name: ip-192-168-8-117.ap-southeast-1.compute.internal pod name: echo-744d654d7b-mdb99 pod namespace: default pod IP: 192.168.7.142 …

15. THE CLOUD CONNECTIVITY COMPANY 15 © Kong Inc. 15 KIC

    + Rate Limiting

16. THE CLOUD CONNECTIVITY COMPANY 16 © Kong Inc. 16 KICでPluginの実装

    1. CRDを使ってPluginリソースを作成 2. Ingress リソースのannotationに設定 kong-demo-ingress echo

17. THE CLOUD CONNECTIVITY COMPANY 17 © Kong Inc. 17 Pluginの作成

    • Kongのプラグインは以下のCRDで実装 • KongPlugin: Namespaceレベル • KongClusterPlugin: Clusterレベル kubectl apply -f - <<EOF apiVersion: configuration.konghq.com/v1 kind: KongPlugin metadata: name: rate-limiting config: minute: 5 policy: local plugin: rate-limiting disabled: false EOF kubectl apply -f - <<EOF apiVersion: configuration.konghq.com/v1 kind: KongClusterPlugin metadata: name: jwt-auth annotations: kubernetes.io/ingress.class: kong labels: global: "true" plugin: jwt EOF

18. THE CLOUD CONNECTIVITY COMPANY 18 © Kong Inc. 18 PluginをIngressに適用

    • Ingressのannotationsに利用するプラグインを宣言 • rate limitingの適用状況を確認 ❯ kubectl annotate ingress kong-demo-ingress konghq.com/plugins=rate-limiting ingress.networking.k8s.io/kong-demo-ingress annotated annotations: konghq.com/plugins: rate-limiting ❯ http --header proxy.kic.aws.kongtest.net/demo ❯ http --header proxy.kic.aws.kongtest.net/demo ❯ http --header proxy.kic.aws.kongtest.net/demo ❯ http --header proxy.kic.aws.kongtest.net/demo ❯ http --header proxy.kic.aws.kongtest.net/demo ❯ http --header proxy.kic.aws.kongtest.net/demo HTTP/1.1 429 Too Many Requests … RateLimit-Limit: 5 RateLimit-Remaining: 0 RateLimit-Reset: 28

19. THE CLOUD CONNECTIVITY COMPANY 19 © Kong Inc. 19 KIC

    + multiple Rate Limiting

20. THE CLOUD CONNECTIVITY COMPANY 20 © Kong Inc. 20 Multiple

    rate limiting? 1. 各クライアントからは同じパスから、同一の APIをアクセス 2. リクエストにあるヘッダーを見て別々の Rate Limitingを適用

21. THE CLOUD CONNECTIVITY COMPANY 21 © Kong Inc. 21 Multiple

    rate limiting? 1. 各クライアントからは同じパスから、同一の APIをアクセス 2. リクエストにあるヘッダーを見て別々の Rate Limitingを適用

22. THE CLOUD CONNECTIVITY COMPANY 22 © Kong Inc. 22 Multiple

    rate limiting? Demo

23. THE CLOUD CONNECTIVITY COMPANY 23 © Kong Inc. 23 Thank

    you