[2nd Event!] Kong Community, Japan Meetup

THE CLOUD CONNECTIVITY COMPANY © Kong Inc.

Multiple Rate Limiting with Kong Ingress Controller
Wenhan Shi, Solutions Engineer
[email protected]

Who am I

施 文翰 (Wenhan Shi)
• Hitachi, Ltd. - Linux kernel module development/Support
• Red Hat K.K. - GlusterFS/OpenShift Support
• Canonical Japan K.K. - Ubuntu/OpenStack/Kubernetes Support
• Rancher Lab/SUSE - Rancher Support
• Kong Inc. - Solutions Engineer
@shi_wenhan
[email protected]

Agenda

● Kong Ingress Controller (KIC)
● KIC + Rate Limiting
● KIC + multiple Rate Limiting

Kong Ingress Controller (KIC)

What is the Kubernetes Ingress Controller?

What is the Kubernetes Ingress Controller?

■ Another Ingress Controller available for Kubernetes clusters
■ Natively supports the Kubernetes API server
  ○ Kong resources are configured in YAML

Installing KIC

• YAML file

    kubectl create -f \
      https://raw.githubusercontent.com/Kong/kubernetes-ingress-controller/v2.8.0/deploy/single/all-in-one-dbless.yaml

• Helm

    helm upgrade -i my-kong kong/kong -n kong \
      --set ingressController.installCRDs=false --wait

Installing KIC

• The Pod and Services are created

    ❯ kubectl get pod -n kong
    NAME                            READY   STATUS    RESTARTS   AGE
    my-kong-kong-6db76664df-6vjlg   2/2     Running   0          4m58s

    ❯ kubectl get svc -n kong
    NAME                              TYPE           CLUSTER-IP       EXTERNAL-IP                              PORT(S)                      AGE
    my-kong-kong-proxy                LoadBalancer   10.100.140.184   xx-xx.ap-southeast-1.elb.amazonaws.com   80:30966/TCP,443:31707/TCP   5m3s
    my-kong-kong-validation-webhook   ClusterIP      10.100.149.74    <none>                                   443/TCP                      5m3s

    ❯ http proxy.kic.aws.kongtest.net
    HTTP/1.1 404 Not Found
    …
    {"message": "no Route matched with those values"}

Creating a Route (Ingress)

• Create an Ingress to expose the svc

    ❯ kubectl get svc
    NAME   TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)           AGE
    echo   ClusterIP   10.100.83.81   <none>        8080/TCP,80/TCP   23d

    ❯ kubectl apply -f - << EOF
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: kong-demo-ingress
    spec:
      ingressClassName: kong
      rules:
      - http:
          paths:
          - path: /demo
            pathType: Exact
            backend:
              service:
                name: echo
                port:
                  number: 80
    EOF

Creating a Route (Ingress)

• Create an Ingress to expose the svc

    ❯ http proxy.kic.aws.kongtest.net/demo
    HTTP/1.1 200 OK
    …
    Hostname: echo-744d654d7b-mdb99
    Pod Information:
      node name: ip-192-168-8-117.ap-southeast-1.compute.internal
      pod name: echo-744d654d7b-mdb99
      pod namespace: default
      pod IP: 192.168.7.142
    …

Configuring a Route (Ingress)

• For finer-grained Route settings, create a KongIngress and bind it to the Ingress rule

    kubectl apply -f - <<EOF
    apiVersion: configuration.konghq.com/v1
    kind: KongIngress
    metadata:
      name: update-kong-demo-ingress
    route:
      headers:
        foo:
        - bar
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: kong-demo-ingress
      annotations:
        kubernetes.io/ingress.class: kong
        konghq.com/override: update-kong-demo-ingress
    spec:
      # (the remainder of the spec is not shown on the slide)

Creating a Route (Ingress)

• Create an Ingress to expose the svc

    ❯ http proxy.kic.aws.kongtest.net/demo
    HTTP/1.1 404 Not Found
    …
    {"message": "no Route matched with those values"}

    ❯ http proxy.kic.aws.kongtest.net/demo foo:bar
    HTTP/1.1 200 OK
    …
    Hostname: echo-744d654d7b-mdb99
    Pod Information:
      node name: ip-192-168-8-117.ap-southeast-1.compute.internal
      pod name: echo-744d654d7b-mdb99
      pod namespace: default
      pod IP: 192.168.7.142
    …

KIC + Rate Limiting

Implementing Plugins with KIC

1. Create a Plugin resource using a CRD
2. Reference it in the annotations of the Ingress resource

(Diagram labels: kong-demo-ingress, echo)

Creating a Plugin

• Kong plugins are implemented with the following CRDs
  • KongPlugin: Namespace level
  • KongClusterPlugin: Cluster level

    kubectl apply -f - <<EOF
    apiVersion: configuration.konghq.com/v1
    kind: KongPlugin
    metadata:
      name: rate-limiting
    config:
      minute: 5
      policy: local
    plugin: rate-limiting
    disabled: false
    EOF

    kubectl apply -f - <<EOF
    apiVersion: configuration.konghq.com/v1
    kind: KongClusterPlugin
    metadata:
      name: jwt-auth
      annotations:
        kubernetes.io/ingress.class: kong
      labels:
        global: "true"
    plugin: jwt
    EOF

Applying a Plugin to an Ingress

• Declare the plugins to use in the Ingress annotations

    ❯ kubectl annotate ingress kong-demo-ingress konghq.com/plugins=rate-limiting
    ingress.networking.k8s.io/kong-demo-ingress annotated

    annotations:
      konghq.com/plugins: rate-limiting

• Check that rate limiting is being applied

    ❯ http --header proxy.kic.aws.kongtest.net/demo
    ❯ http --header proxy.kic.aws.kongtest.net/demo
    ❯ http --header proxy.kic.aws.kongtest.net/demo
    ❯ http --header proxy.kic.aws.kongtest.net/demo
    ❯ http --header proxy.kic.aws.kongtest.net/demo
    ❯ http --header proxy.kic.aws.kongtest.net/demo
    HTTP/1.1 429 Too Many Requests
    …
    RateLimit-Limit: 5
    RateLimit-Remaining: 0
    RateLimit-Reset: 28

KIC + multiple Rate Limiting

Multiple rate limiting?

1. Every client accesses the same API through the same path
2. A header in the request is inspected and a different rate limit is applied accordingly

Multiple rate limiting?

Demo

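The slides do not include the demo's configuration. The following is an added example, not the speaker's demo, showing one way to get the behaviour described above from the resources already used in this deck (KongPlugin, KongIngress with route.headers, and the konghq.com/plugins and konghq.com/override annotations). The resource names, the x-client-tier header and the limit of 60 are assumptions.

```yaml
# Added example: resource names and the x-client-tier header are assumptions.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata: {name: rl-default}
plugin: rate-limiting
config: {minute: 5, policy: local}
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata: {name: rl-partner}
plugin: rate-limiting
config: {minute: 60, policy: local}
---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata: {name: match-partner}
route: {headers: {x-client-tier: [partner]}}
---
# Catch-all route for /demo: no header condition, strict limit.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-default
  annotations: {konghq.com/plugins: rl-default}
spec:
  ingressClassName: kong
  rules:
  - http:
      paths:
      - path: /demo
        pathType: Exact
        backend: {service: {name: echo, port: {number: 80}}}
---
# Same path and backend, matched only when x-client-tier: partner is sent.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-partner
  annotations:
    konghq.com/plugins: rl-partner
    konghq.com/override: match-partner
spec:
  ingressClassName: kong
  rules:
  - http:
      paths:
      - path: /demo
        pathType: Exact
        backend: {service: {name: echo, port: {number: 80}}}
```

The header is supplied by the client, so by itself it selects a limit rather than proving who the caller is; pairing the route with an authentication plugin (such as the jwt plugin shown earlier) ties the higher limit to an identity. With policy: local, each Kong node keeps its own counter, so the effective limit scales with the number of proxy replicas.
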
Thank you