Kong Mesh入門編

THE CLOUD CONNECTIVITY COMPANY 1 © Kong Inc. THE CLOUD
CONNECTIVITY COMPANY Kong Mesh入門編施文翰(Wenhan Shi) – Solutions Engineer Oct, 2022

THE CLOUD CONNECTIVITY COMPANY 2 © Kong Inc. 2 Who
am I 施文翰(シブンカン) Wenhan Shi • 日立製作所 - Linux kernel module development/Support • Red Hat K.K. - GlusterFS/OpenShift Support • Canonical Japan K.K. - Ubuntu/OpenStack/Kubernetes Support • Rancher Lab/SUSE - Rancher Support • Kong Inc. - Solutions Engineer @shi_wenhan [email protected]

THE CLOUD CONNECTIVITY COMPANY 3 © Kong Inc. • Kong
Mesh Intro • Deploy Kong mesh • Deploy Demo Counter app • Secure Demo Counter app • Apply Traﬃc permissions • Apply Deployment Strategies Agenda

THE CLOUD CONNECTIVITY COMPANY 4 © Kong Inc. 4 Kong
Mesh Intro

5 THE CLOUD CONNECTIVITY COMPANY Kong Proprietary and Conﬁdential Application
design is evolving NETWORK TRAFFIC L4/L7 DISTRIBUTED MONOLITH DECOUPLING APIS AND MICROSERVICES WE’RE JUST HERE!

THE CLOUD CONNECTIVITY COMPANY 6 © Kong Inc. CLASSIC API
GATEWAY MODERN API GATEWAY FULL SERVICE CONNECTIVITY MONOLITHIC APP API API MANAGEMENT CLIENT PRIVATE TRAFFIC PUBLIC TRAFFIC GW DP CLIENT PUBLIC TRAFFIC GW DP API APP API APP API APP API APP API APP GW DP GW DP GW DP CLIENT PUBLIC TRAFFIC GW DP MESH CP MESH 1 MESH 2

THE CLOUD CONNECTIVITY COMPANY 7 © Kong Inc. Connect services
end-to-end • Integrate into the Kong Enterprise platform for Full stack connectivity • Securely expose and manage the full-lifecycle of APIs and North-South communication using GW • Manage the cross-cutting concerns and East-West communication with Mesh Data Center 1 Banking Product Service Mesh A Trading Product Service Mesh B Product Scope Kong Gateway Client Edge Data Center 2 Banking Product Service Mesh A Trading Product Service Mesh B Product Scope Kong Gateway Kong Gateway

THE CLOUD CONNECTIVITY COMPANY 8 © Kong Inc. API Gateway
or Service Mesh? Support mobile apps Onboard external partners, customers or users High reliability for mission critical apps Zero-trust security / high compliance Observability for detailed visibility into service behavior Ensure reliability Ensure security Gain visibility NA NA YOU NEED A “Service Connectivity Platform” API GATEWAY SERVICE MESH Expose services (Edge, mesh-app, mesh-mesh) Full lifecycle API management Service – service communication NA Integration for full stack connectivity API Gateway with integration

THE CLOUD CONNECTIVITY COMPANY 9 © Kong Inc. Kuma Technology
ENVOY PROXY

ENVOY PROXY AUTOMATIC MULTI-ZONE PROPAGATION

ENVOY PROXY AUTOMATIC MULTI-ZONE PROPAGATION CROSS-ZONE DISCOVERY, SECURITY & ROUTING

ENVOY PROXY AUTOMATIC MULTI-ZONE PROPAGATION CROSS-ZONE DISCOVERY, SECURITY & ROUTING POLICY-BASED ARCHITECTURE

ENVOY PROXY AUTOMATIC MULTI-ZONE PROPAGATION CROSS-ZONE DISCOVERY, SECURITY & ROUTING POLICY-BASED ARCHITECTURE KUBERNETES + VMS BINDINGS

ENVOY PROXY AUTOMATIC MULTI-ZONE PROPAGATION CROSS-ZONE DISCOVERY, SECURITY & ROUTING POLICY-BASED ARCHITECTURE KUBERNETES + VMS BINDINGS KONG MESH

THE CLOUD CONNECTIVITY COMPANY 15 © Kong Inc. Why Kong
Mesh? Multi-Mesh And Easy To Use & Scale Universal (K8s + VMs), Attribute-Based Policies & More Built-in Multi Zone Connectivity Intelligently route traffic across any platform and any cloud to meet expectations and SLAs Restrict access and encrypt all traffic by default to only complete transactions when identity is verified Out of the box connectivity for multi-cluster, multi-cloud and multi-platform deployments across the world

THE CLOUD CONNECTIVITY COMPANY 16 © Kong Inc. • One
click deployment, one click attribute-based policies Start, Secure and Scale with Ease • Turnkey universal service mesh with built-in multi-zone connectivity • Multi-mesh support for scalability across the organization Remote Kong Mesh Control Plane Kong Mesh Ingress Platform, Cloud or Cluster Service Discovery Global Kong Mesh Control plane Remote Kong Mesh Control Plane Kong Mesh Ingress Platform, Cloud or Cluster Remote Kong Mesh Control Plane Kong Mesh Ingress Platform, Cloud or Cluster

THE CLOUD CONNECTIVITY COMPANY 17 © Kong Inc. Run anywhere
Manage service meshes natively in Kubernetes using CRDs Deploy the service mesh across any environment, including multi-cluster, multi-cloud and multi-platform OR start with a service mesh in VM environments and migrate to Kubernetes at your own pace Service Mesh Container-based Microservices Service Mesh Container-based Microservices VM-based Monolith VM-based Monolith

THE CLOUD CONNECTIVITY COMPANY 18 © Kong Inc. 18 Demo
- Deployment Kong Mesh - Deployment Demo APP - Secure Demo APP with mTLS (zero trust) - Apply Traﬃc permissions - Apply Deployment Strategies

THE CLOUD CONNECTIVITY COMPANY 19 © Kong Inc. 19 Deployment
Kong Mesh

mode Standalone Multiple Zone

THE CLOUD CONNECTIVITY COMPANY 21 © Kong Inc. 21 Use
kumactl to deploy Kong Mesh # Download Kong Mesh $ curl -L https://docs.konghq.com/mesh/installer.sh | sh - # Deploy Control Plane $ kong-mesh-1.9.1/bin/kumactl install control-plane --license-path=/path/to/license.json | kubectl apply -f - # Verify $ kubectl get pod -n kong-mesh-system NAME READY STATUS RESTARTS AGE kong-mesh-control-plane-5ff698786d-2cckg 1/1 Running 0 61s $ kubectl get meshes NAME AGE default 1m

THE CLOUD CONNECTIVITY COMPANY 22 © Kong Inc. 22 Access
GUI ❯ kubectl get svc -n kong-mesh-system NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kong-mesh-control-plane ClusterIP 10.43.219.12 <none> 5680/TCP,5681/TCP,5682/TCP,443/TCP,5676/TCP,5678/TCP 91s # expose control plane as nodeport and use 30001 port ❯ kubectl expose deployment kong-mesh-control-plane -n kong-mesh-system --type=NodePort --name=kongmesh-cp --port 5681 service/kongmesh-cp exposed ❯ kubectl patch service kongmesh-cp -n kong-mesh-system --type='json' \ --patch='[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":30001}]' ❯ kubectl get svc -n kong-mesh-system NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kong-mesh-control-plane ClusterIP 10.43.219.12 <none> 5680/TCP,5681/TCP,5682/TCP,443/TCP,5676/TCP,5678/TCP 92s kongmesh-cp NodePort 10.43.110.195 <none> 5681:30001/TCP 2s

GUI http://<Mesh CP ip address>:<Port number>/gui to access the GUI

control plane via kumactl # configure kumactl to use the exposed IP address to control your mesh ❯ kumactl config control-planes add --name=kongmesh-cp \ --address=http://<ip address of Kong Mesh CP>:30001 ❯ kumactl get meshes NAME mTLS METRICS LOGGING TRACING LOCALITY ZONEEGRESS AGE default off off off off off off 17m

Demo APP

THE CLOUD CONNECTIVITY COMPANY 26 © Kong Inc. 26 Counter
app • A front-end and a Redis database to store counters. • The front-end is a simple display that allows you to increment a counter. • The Redis database stores the current count. FRONTEND- APP KUMA-DP KUMA-DP REDIS

THE CLOUD CONNECTIVITY COMPANY 27 © Kong Inc. 27 Kuma
sidecar annotation • Ensure the Kuma sidecar annotation is included with the application’s manifest. • It tells Kubernetes to automatically inject a data plane proxy to every service deployed in the namespace apiVersion: v1 kind: Namespace metadata: name: kuma-demo annotations: kuma.io/sidecar-injection: enabled

THE CLOUD CONNECTIVITY COMPANY 28 © Kong Inc. 28 Deploy
the application and inspect it ❯ kubectl apply -f counterapp.yaml ❯ kumactl inspect dataplanes MESH NAME TAGS STATUS LAST CONNECTED AGO LAST UPDATED AGO TOTAL UPDATES TOTAL ERRORS CERT REGENERATED AGO CERT EXPIRATION CERT REGENERATIONS CERT BACKEND SUPPORTED CERT BACKENDS KUMA-DP VERSION ENVOY VERSION DEPENDENCIES VERSIONS NOTES default demo-app-768f774c55-bwd4v.kuma-demo app=demo-app k8s.kuma.io/namespace=kuma-demo k8s.kuma.io/service-name=demo-app k8s.kuma.io/service-port=5000 kuma.io/protocol=http kuma.io/service=demo-app_kuma-demo_svc_5000 pod-template-hash=768f774c55 version=v1 Online 1m 1m 8 0 never - 0 - 1.9.1 1.22.1 coredns: 1.8.3, opa: 0.43.0 default demo-app-v2-df4f5bdc7-b8zml.kuma-demo app=demo-app k8s.kuma.io/namespace=kuma-demo k8s.kuma.io/service-name=demo-app k8s.kuma.io/service-port=5000 kuma.io/protocol=http kuma.io/service=demo-app_kuma-demo_svc_5000 pod-template-hash=df4f5bdc7 version=v2 Online 1m 1m 8 0 never - 0 - 1.9.1 1.22.1 coredns: 1.8.3, opa: 0.43.0 default redis-684cbb56c9-brsmj.kuma-demo app=redis k8s.kuma.io/namespace=kuma-demo k8s.kuma.io/service-name=redis k8s.kuma.io/service-port=6379 kuma.io/protocol=tcp kuma.io/service=redis_kuma-demo_svc_6379 pod-template-hash=684cbb56c9 Online 1m 1m 8 0 never - 0 - 1.9.1 1.22.1 coredns: 1.8.3, opa: 0.43.0

THE CLOUD CONNECTIVITY COMPANY 29 © Kong Inc. 29 Inspect
the Data plane in GUI

THE CLOUD CONNECTIVITY COMPANY 30 © Kong Inc. 30 Kong
Ingress Controller(KIC) • Deploy KIC for access frontend app via kong proxy FRONTEND- APP KUMA-DP KUMA-DP REDIS Kong Proxy KUMA-DP Kong Plugins

THE CLOUD CONNECTIVITY COMPANY 31 © Kong Inc. 31 Deploy
Kong Ingress Controller(KIC) ❯ kubectl apply -f https://bit.ly/k4k8s namespace/kong created customresourcedefinition.apiextensions.k8s.io/ingressclassparameterses.configuration.konghq.com created customresourcedefinition.apiextensions.k8s.io/kongclusterplugins.configuration.konghq.com created customresourcedefinition.apiextensions.k8s.io/kongconsumers.configuration.konghq.com created customresourcedefinition.apiextensions.k8s.io/kongingresses.configuration.konghq.com created customresourcedefinition.apiextensions.k8s.io/kongplugins.configuration.konghq.com created customresourcedefinition.apiextensions.k8s.io/tcpingresses.configuration.konghq.com created customresourcedefinition.apiextensions.k8s.io/udpingresses.configuration.konghq.com created … # Pod of KIC ❯ kubectl get pods -n kong NAME READY STATUS RESTARTS AGE ingress-kong-6647c64fd4-ggvct 2/2 Running 0 4m51s # patch the kong proxy to use nodePort ❯ kubectl patch service kong-proxy --namespace=kong --type='json' \ --patch='[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":31112}]' ❯ kubectl get services -n kong NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kong-validation-webhook ClusterIP 10.43.183.215 <none> 443/TCP 6m25s kong-proxy LoadBalancer 10.43.251.106 <pending> 80:31112/TCP,443:32197/TCP 6m25s

THE CLOUD CONNECTIVITY COMPANY 32 © Kong Inc. 32 Add
Kong Proxy to Kong Mesh # annotate the namespace and restart the KIC pod ❯ kubectl annotate ns kong kuma.io/sidecar-injection='enabled' ❯ kubectl delete pod ingress-kong-xxxxxxxxxx-xxxxx -n kong

THE CLOUD CONNECTIVITY COMPANY 33 © Kong Inc. 33 Create
Ingress rule for access the frontend app • Deploy KIC for access frontend app via kong proxy FRONTEND- APP KUMA-DP KUMA-DP REDIS Kong Proxy KUMA-DP Kong Plugins Request Ingress

THE CLOUD CONNECTIVITY COMPANY 34 © Kong Inc. 34 Create
Ingress rule ❯ cat <<EOF | kubectl apply -f - apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: counterapp namespace: kuma-demo annotations: kubernetes.io/ingress.class: kong spec: rules: - http: paths: - path: / pathType: Prefix backend: service: name: demo-app port: number: 5000 EOF ingress.networking.k8s.io/counterapp created

the Counter Demo App ❯ kubectl get svc -n kong kong-proxy NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kong-proxy LoadBalancer 10.43.251.106 <pending> 80:31112/TCP,443:32197/TCP 75m

THE CLOUD CONNECTIVITY COMPANY 37 © Kong Inc. 37 Intro
- No security or encrypted by default - Using a built-in CA, we can secure the services by enabling mTLS. - Only allowed services can communicate with others. - All traﬃc will be encrypted - mTLS is not enabled by default, enable it by updating the mesh policy ❯ kumactl get meshes NAME mTLS METRICS LOGGING TRACING LOCALITY ZONEEGRESS AGE default off off off off off off 2h

mTLS policy ❯ cat <<EOF | kubectl apply -f - apiVersion: kuma.io/v1alpha1 kind: Mesh metadata: name: default spec: mtls: enabledBackend: ca-1 backends: - name: ca-1 type: builtin metrics: enabledBackend: prometheus-1 backends: - name: prometheus-1 type: prometheus conf: skipMTLS: true EOF ❯ kumactl get meshes NAME mTLS METRICS LOGGING TRACING LOCALITY ZONEEGRESS AGE default builtin/ca-1 prometheus/prometheus-1 off off off off 2h

THE CLOUD CONNECTIVITY COMPANY 39 © Kong Inc. 39 Verify
Traffic permission and remove the by-default rule - By default, there is a Traffic Permissions rule that allows all traffic. - Remove it - Counter app should down due to no allowed rule. ❯ kubectl get TrafficPermission NAME AGE allow-all-default 11m ❯ kubectl delete TrafficPermission allow-all-default trafficpermission.kuma.io "allow-all-default" deleted

- Traﬃc Permissions allows which services are able to communicate. - Easy for implementing Zero Trust networks FRONTEND- APP KUMA-DP KUMA-DP REDIS Kong Proxy KUMA-DP Kong Plugins Request allow allow

Traﬃc Permission Policy ❯ cat <<EOF | kubectl apply -f - apiVersion: kuma.io/v1alpha1 kind: TrafficPermission mesh: default metadata: namespace: kuma-demo name: kong2frontend spec: sources: - match: kuma.io/service: kong-proxy_kong_svc_80 destinations: - match: kuma.io/service: demo-app_kuma-demo_svc_5000 EOF ❯ cat <<EOF | kubectl apply -f - apiVersion: kuma.io/v1alpha1 kind: TrafficPermission mesh: default metadata: namespace: kuma-demo name: frontend2backend spec: sources: - match: kuma.io/service: demo-app_kuma-demo_svc_5000 destinations: - match: kuma.io/service: redis_kuma-demo_svc_6379 EOF ❯ kumactl get dataplanes MESH NAME TAGS ... default demo-app-768f774c55-bwd4v.kuma-demo app=demo-app ... default demo-app-v2-df4f5bdc7-b8zml.kuma-demo app=demo-app ... default ingress-kong-6647c64fd4-vd4lp.kong app=ingress-kong ... default redis-684cbb56c9-brsmj.kuma-demo app=redis ...

the Counter Demo App again

- Traffic Routing policy enables you to configure L4 routing rules FRONTEND- APP v1.0 KUMA-DP KUMA-DP REDIS Kong Proxy KUMA-DP Kong Plugins Request FRONTEND- APP v2.0 KUMA-DP Traffic Routing policy

THE CLOUD CONNECTIVITY COMPANY 48 © Kong Inc. 48 By
default Round Robin strategy cat <<EOF | kubectl apply -f - apiVersion: kuma.io/v1alpha1 kind: TrafficRoute mesh: default metadata: namespace: kuma-demo name: demo-app-canary spec: sources: - match: kuma.io/service: kong-proxy_kong_svc_80 destinations: - match: kuma.io/service: demo-app_kuma-demo_svc_5000 conf: split: - weight: 80 destination: kuma.io/service: demo-app_kuma-demo_svc_5000 version: "v1" - weight: 20 destination: kuma.io/service: demo-app_kuma-demo_svc_5000 version: "v2" EOF 80% 20%

THE CLOUD CONNECTIVITY COMPANY 50 © Kong Inc. • Kong
Mesh Intro • Deploy Kong mesh using kumactl • Deploy Demo Counter app and use Kong Ingress Controller to expose it • Secure Demo Counter app with mTLS • Apply Traﬃc permissions • Apply Deployment Strategies Summary 50

Kong Mesh入門編

Kong Mesh入門編

More Decks by Wenhan Shi

Other Decks in Technology

Featured

Transcript