
Kong Mesh Introduction (Kong Mesh入門編)

Wenhan Shi
October 13, 2022



Transcript

  1. THE CLOUD CONNECTIVITY COMPANY © Kong Inc.
     Kong Mesh Introduction
     施文翰 (Wenhan Shi), Solutions Engineer, Oct 2022
  2. Who am I
     Wenhan Shi (施文翰)
     • Hitachi, Ltd. - Linux kernel module development/support
     • Red Hat K.K. - GlusterFS/OpenShift support
     • Canonical Japan K.K. - Ubuntu/OpenStack/Kubernetes support
     • Rancher Labs/SUSE - Rancher support
     • Kong Inc. - Solutions Engineer
     @shi_wenhan [email protected]
  3. Agenda
     • Kong Mesh Intro
     • Deploy Kong Mesh
     • Deploy Demo Counter app
     • Secure Demo Counter app
     • Apply Traffic Permissions
     • Apply Deployment Strategies
  4. Application design is evolving
     (Diagram: network traffic L4/L7 - distributed monolith - decoupling - APIs and microservices. "We're just here!")
  5. (Diagram, three panels)
     Classic API gateway: client, public/private traffic, GW DP, API management, monolithic app.
     Modern API gateway: client, public traffic, GW DP in front of several API apps.
     Full service connectivity: client, public traffic, GW DP, Mesh CP, Mesh 1, Mesh 2.
  6. Connect services end-to-end
     • Integrate into the Kong Enterprise platform for full stack connectivity
     • Securely expose and manage the full lifecycle of APIs and North-South communication using the Gateway
     • Manage the cross-cutting concerns and East-West communication with the Mesh
     (Diagram: Client - Edge (Kong Gateway) - Data Center 1 and Data Center 2, each with a Banking Product Service Mesh A and a Trading Product Service Mesh B behind a product-scope Kong Gateway.)
  7. API Gateway or Service Mesh?
     (Comparison table.) Needs: support mobile apps; onboard external partners, customers or users; high reliability for mission-critical apps; zero-trust security / high compliance; observability for detailed visibility into service behavior.
     Capabilities compared between API Gateway and Service Mesh (NA where one does not apply): expose services (edge, mesh-app, mesh-mesh); full lifecycle API management; service-to-service communication; ensure reliability; ensure security; gain visibility; integration for full stack connectivity (API Gateway with integration).
     Conclusion: you need a "Service Connectivity Platform".
  8. Kuma Technology (slides 8 to 12 build this list one item at a time)
     • Envoy proxy
     • Automatic multi-zone propagation
     • Cross-zone discovery, security & routing
     • Policy-based architecture
     • Kubernetes + VMs bindings
     • Kong Mesh
 13. Why Kong Mesh?
     • Multi-mesh and easy to use & scale: intelligently route traffic across any platform and any cloud to meet expectations and SLAs
     • Universal (K8s + VMs), attribute-based policies & more: restrict access and encrypt all traffic by default, so transactions complete only when identity is verified
     • Built-in multi-zone connectivity: out-of-the-box connectivity for multi-cluster, multi-cloud and multi-platform deployments across the world
 14. Start, Secure and Scale with Ease
     • One-click deployment, one-click attribute-based policies
     • Turnkey universal service mesh with built-in multi-zone connectivity
     • Multi-mesh support for scalability across the organization
     (Diagram: a Global Kong Mesh Control Plane with Service Discovery, connected to several Remote Kong Mesh Control Planes, each with a Kong Mesh Ingress on its own platform, cloud or cluster.)
 15. Run anywhere
     • Manage service meshes natively in Kubernetes using CRDs
     • Deploy the service mesh across any environment, including multi-cluster, multi-cloud and multi-platform
     • Or start with a service mesh in VM environments and migrate to Kubernetes at your own pace
     (Diagram: Service Mesh spanning container-based microservices and a VM-based monolith.)
 16. Demo
     - Deploy Kong Mesh
     - Deploy Demo App
     - Secure Demo App with mTLS (zero trust)
     - Apply Traffic Permissions
     - Apply Deployment Strategies
 17. Use kumactl to deploy Kong Mesh

     # Download Kong Mesh
     $ curl -L https://docs.konghq.com/mesh/installer.sh | sh -

     # Deploy Control Plane
     $ kong-mesh-1.9.1/bin/kumactl install control-plane --license-path=/path/to/license.json | kubectl apply -f -

     # Verify
     $ kubectl get pod -n kong-mesh-system
     NAME                                       READY   STATUS    RESTARTS   AGE
     kong-mesh-control-plane-5ff698786d-2cckg   1/1     Running   0          61s
     $ kubectl get meshes
     NAME      AGE
     default   1m
 18. Access GUI

     ❯ kubectl get svc -n kong-mesh-system
     NAME                      TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                                                AGE
     kong-mesh-control-plane   ClusterIP   10.43.219.12   <none>        5680/TCP,5681/TCP,5682/TCP,443/TCP,5676/TCP,5678/TCP   91s

     # expose control plane as nodeport and use 30001 port
     ❯ kubectl expose deployment kong-mesh-control-plane -n kong-mesh-system --type=NodePort --name=kongmesh-cp --port 5681
     service/kongmesh-cp exposed
     ❯ kubectl patch service kongmesh-cp -n kong-mesh-system --type='json' \
         --patch='[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":30001}]'
     ❯ kubectl get svc -n kong-mesh-system
     NAME                      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                AGE
     kong-mesh-control-plane   ClusterIP   10.43.219.12    <none>        5680/TCP,5681/TCP,5682/TCP,443/TCP,5676/TCP,5678/TCP   92s
     kongmesh-cp               NodePort    10.43.110.195   <none>        5681:30001/TCP                                         2s
 19. Access GUI
     Open http://<Mesh CP ip address>:<Port number>/gui to access the GUI.
 20. Access control plane via kumactl

     # configure kumactl to use the exposed IP address to control your mesh
     ❯ kumactl config control-planes add --name=kongmesh-cp \
         --address=http://<ip address of Kong Mesh CP>:30001
     ❯ kumactl get meshes
     NAME      mTLS   METRICS   LOGGING   TRACING   LOCALITY   ZONEEGRESS   AGE
     default   off    off       off       off       off        off          17m
 21. Counter app
     • A front-end and a Redis database to store counters.
     • The front-end is a simple display that allows you to increment a counter.
     • The Redis database stores the current count.
     (Diagram: FRONTEND-APP with KUMA-DP sidecar talking to REDIS with KUMA-DP sidecar.)
 22. Kuma sidecar annotation
     • Ensure the Kuma sidecar annotation is included in the application's manifest.
     • It tells Kubernetes to automatically inject a data plane proxy into every service deployed in the namespace.

     apiVersion: v1
     kind: Namespace
     metadata:
       name: kuma-demo
       annotations:
         kuma.io/sidecar-injection: enabled
 23. Deploy the application and inspect it

     ❯ kubectl apply -f counterapp.yaml
     ❯ kumactl inspect dataplanes
     MESH  NAME  TAGS  STATUS  LAST CONNECTED AGO  LAST UPDATED AGO  TOTAL UPDATES  TOTAL ERRORS  CERT REGENERATED AGO  CERT EXPIRATION  CERT REGENERATIONS  CERT BACKEND  SUPPORTED CERT BACKENDS  KUMA-DP VERSION  ENVOY VERSION  DEPENDENCIES VERSIONS  NOTES
     default  demo-app-768f774c55-bwd4v.kuma-demo
       tags: app=demo-app k8s.kuma.io/namespace=kuma-demo k8s.kuma.io/service-name=demo-app k8s.kuma.io/service-port=5000 kuma.io/protocol=http kuma.io/service=demo-app_kuma-demo_svc_5000 pod-template-hash=768f774c55 version=v1
       Online  1m  1m  8  0  never  -  0  -  1.9.1  1.22.1  coredns: 1.8.3, opa: 0.43.0
     default  demo-app-v2-df4f5bdc7-b8zml.kuma-demo
       tags: app=demo-app k8s.kuma.io/namespace=kuma-demo k8s.kuma.io/service-name=demo-app k8s.kuma.io/service-port=5000 kuma.io/protocol=http kuma.io/service=demo-app_kuma-demo_svc_5000 pod-template-hash=df4f5bdc7 version=v2
       Online  1m  1m  8  0  never  -  0  -  1.9.1  1.22.1  coredns: 1.8.3, opa: 0.43.0
     default  redis-684cbb56c9-brsmj.kuma-demo
       tags: app=redis k8s.kuma.io/namespace=kuma-demo k8s.kuma.io/service-name=redis k8s.kuma.io/service-port=6379 kuma.io/protocol=tcp kuma.io/service=redis_kuma-demo_svc_6379 pod-template-hash=684cbb56c9
       Online  1m  1m  8  0  never  -  0  -  1.9.1  1.22.1  coredns: 1.8.3, opa: 0.43.0
 24. Kong Ingress Controller (KIC)
     • Deploy KIC to access the frontend app via the Kong proxy
     (Diagram: Kong Proxy with KUMA-DP sidecar and Kong Plugins in front of FRONTEND-APP (KUMA-DP) and REDIS (KUMA-DP).)
 25. Deploy Kong Ingress Controller (KIC)

     ❯ kubectl apply -f https://bit.ly/k4k8s
     namespace/kong created
     customresourcedefinition.apiextensions.k8s.io/ingressclassparameterses.configuration.konghq.com created
     customresourcedefinition.apiextensions.k8s.io/kongclusterplugins.configuration.konghq.com created
     customresourcedefinition.apiextensions.k8s.io/kongconsumers.configuration.konghq.com created
     customresourcedefinition.apiextensions.k8s.io/kongingresses.configuration.konghq.com created
     customresourcedefinition.apiextensions.k8s.io/kongplugins.configuration.konghq.com created
     customresourcedefinition.apiextensions.k8s.io/tcpingresses.configuration.konghq.com created
     customresourcedefinition.apiextensions.k8s.io/udpingresses.configuration.konghq.com created
     …

     # Pod of KIC
     ❯ kubectl get pods -n kong
     NAME                            READY   STATUS    RESTARTS   AGE
     ingress-kong-6647c64fd4-ggvct   2/2     Running   0          4m51s

     # patch the kong proxy to use nodePort
     ❯ kubectl patch service kong-proxy --namespace=kong --type='json' \
         --patch='[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":31112}]'
     ❯ kubectl get services -n kong
     NAME                      TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
     kong-validation-webhook   ClusterIP      10.43.183.215   <none>        443/TCP                      6m25s
     kong-proxy                LoadBalancer   10.43.251.106   <pending>     80:31112/TCP,443:32197/TCP   6m25s
 26. Add Kong Proxy to Kong Mesh

     # annotate the namespace and restart the KIC pod
     ❯ kubectl annotate ns kong kuma.io/sidecar-injection='enabled'
     ❯ kubectl delete pod ingress-kong-xxxxxxxxxx-xxxxx -n kong
 27. Create an Ingress rule to access the frontend app
     • Deploy KIC to access the frontend app via the Kong proxy
     (Diagram: Request - Ingress - Kong Proxy (KUMA-DP, Kong Plugins) - FRONTEND-APP (KUMA-DP) - REDIS (KUMA-DP).)
 28. Create Ingress rule

     ❯ cat <<EOF | kubectl apply -f -
     apiVersion: networking.k8s.io/v1
     kind: Ingress
     metadata:
       name: counterapp
       namespace: kuma-demo
       annotations:
         kubernetes.io/ingress.class: kong
     spec:
       rules:
       - http:
           paths:
           - path: /
             pathType: Prefix
             backend:
               service:
                 name: demo-app
                 port:
                   number: 5000
     EOF
     ingress.networking.k8s.io/counterapp created
 29. Access the Counter Demo App

     ❯ kubectl get svc -n kong kong-proxy
     NAME         TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
     kong-proxy   LoadBalancer   10.43.251.106   <pending>     80:31112/TCP,443:32197/TCP   75m
 30. Intro
     - No security or encryption by default
     - Using the built-in CA, we can secure the services by enabling mTLS:
       - Only allowed services can communicate with each other
       - All traffic is encrypted
     - mTLS is not enabled by default; enable it by updating the Mesh policy

     ❯ kumactl get meshes
     NAME      mTLS   METRICS   LOGGING   TRACING   LOCALITY   ZONEEGRESS   AGE
     default   off    off       off       off       off        off          2h
 31. Add mTLS policy

     ❯ cat <<EOF | kubectl apply -f -
     apiVersion: kuma.io/v1alpha1
     kind: Mesh
     metadata:
       name: default
     spec:
       mtls:
         enabledBackend: ca-1
         backends:
         - name: ca-1
           type: builtin
       metrics:
         enabledBackend: prometheus-1
         backends:
         - name: prometheus-1
           type: prometheus
           conf:
             skipMTLS: true
     EOF
     ❯ kumactl get meshes
     NAME      mTLS           METRICS                   LOGGING   TRACING   LOCALITY   ZONEEGRESS   AGE
     default   builtin/ca-1   prometheus/prometheus-1   off       off       off        off          2h
 32. Verify Traffic Permission and remove the default rule
     - By default, there is a TrafficPermission rule that allows all traffic.
     - Remove it.
     - The counter app should go down, because no rule allows its traffic any more.

     ❯ kubectl get TrafficPermission
     NAME                AGE
     allow-all-default   11m
     ❯ kubectl delete TrafficPermission allow-all-default
     trafficpermission.kuma.io "allow-all-default" deleted
 33. Intro
     - Traffic Permissions define which services are allowed to communicate.
     - Easy way to implement zero-trust networks
     (Diagram: Request - Kong Proxy (KUMA-DP, Kong Plugins) -allow- FRONTEND-APP (KUMA-DP) -allow- REDIS (KUMA-DP).)
 34. Add Traffic Permission Policy

     ❯ cat <<EOF | kubectl apply -f -
     apiVersion: kuma.io/v1alpha1
     kind: TrafficPermission
     mesh: default
     metadata:
       namespace: kuma-demo
       name: kong2frontend
     spec:
       sources:
       - match:
           kuma.io/service: kong-proxy_kong_svc_80
       destinations:
       - match:
           kuma.io/service: demo-app_kuma-demo_svc_5000
     EOF
     ❯ cat <<EOF | kubectl apply -f -
     apiVersion: kuma.io/v1alpha1
     kind: TrafficPermission
     mesh: default
     metadata:
       namespace: kuma-demo
       name: frontend2backend
     spec:
       sources:
       - match:
           kuma.io/service: demo-app_kuma-demo_svc_5000
       destinations:
       - match:
           kuma.io/service: redis_kuma-demo_svc_6379
     EOF
     ❯ kumactl get dataplanes
     MESH      NAME                                      TAGS                ...
     default   demo-app-768f774c55-bwd4v.kuma-demo       app=demo-app        ...
     default   demo-app-v2-df4f5bdc7-b8zml.kuma-demo     app=demo-app        ...
     default   ingress-kong-6647c64fd4-vd4lp.kong        app=ingress-kong    ...
     default   redis-684cbb56c9-brsmj.kuma-demo          app=redis           ...
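As an added example (not from the deck or Kong's code), the allow-list logic of these two TrafficPermission policies modelled offline in Python, so the effect of deleting allow-all-default and then adding kong2frontend and frontend2backend can be checked without a cluster; the dataplane names and tags are a constructed subset of the inspect output shown earlier.

```python
# Added example (not from the deck or Kong's code): an offline model of how
# Kuma/Kong Mesh TrafficPermission selectors admit traffic. A connection is
# allowed only if some policy has a `sources` selector matching the client
# dataplane's tags and a `destinations` selector matching the server's tags.
# Dataplane tags are a constructed subset of `kumactl inspect dataplanes`.
DATAPLANES = {
    "ingress-kong": {"kuma.io/service": "kong-proxy_kong_svc_80"},
    "demo-app-v1": {"kuma.io/service": "demo-app_kuma-demo_svc_5000", "version": "v1"},
    "demo-app-v2": {"kuma.io/service": "demo-app_kuma-demo_svc_5000", "version": "v2"},
    "redis": {"kuma.io/service": "redis_kuma-demo_svc_6379"},
}

def selector_matches(selector: dict, tags: dict) -> bool:
    """Every key the selector names must be present on the dataplane with
    an equal value; the value '*' matches any present value."""
    return all(k in tags and (v == "*" or tags[k] == v) for k, v in selector.items())

def policy(name: str, source_service: str, dest_service: str) -> dict:
    """Build a TrafficPermission shaped like the deck's manifests."""
    return {"apiVersion": "kuma.io/v1alpha1", "kind": "TrafficPermission",
            "mesh": "default",
            "metadata": {"namespace": "kuma-demo", "name": name},
            "spec": {"sources": [{"match": {"kuma.io/service": source_service}}],
                     "destinations": [{"match": {"kuma.io/service": dest_service}}]}}

def allowed(policies: list, src_tags: dict, dst_tags: dict) -> bool:
    """True if at least one policy admits src -> dst; deny is the default."""
    return any(
        any(selector_matches(s["match"], src_tags) for s in p["spec"]["sources"])
        and any(selector_matches(d["match"], dst_tags) for d in p["spec"]["destinations"])
        for p in policies)

def reachability(policies: list) -> dict:
    """(source, destination) -> allowed, for every pair of distinct dataplanes."""
    return {(s, d): allowed(policies, DATAPLANES[s], DATAPLANES[d])
            for s in DATAPLANES for d in DATAPLANES if s != d}

# The mesh's default policy, which the deck deletes to make the app go down.
ALLOW_ALL_DEFAULT = [policy("allow-all-default", "*", "*")]
# The two explicit permissions the deck applies afterwards.
DEMO_POLICIES = [
    policy("kong2frontend", "kong-proxy_kong_svc_80", "demo-app_kuma-demo_svc_5000"),
    policy("frontend2backend", "demo-app_kuma-demo_svc_5000", "redis_kuma-demo_svc_6379"),
]

if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability(DEMO_POLICIES).items()):
        print(f"{src:>12} -> {dst:<12} {'allow' if ok else 'deny'}")
```

Only the two hops the diagram marks "allow" survive; every other pair, including proxy-to-Redis and anything originating from Redis, is denied.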
 35. Intro
     - The Traffic Routing policy enables you to configure L4 routing rules
     (Diagram: Request - Kong Proxy (KUMA-DP, Kong Plugins) - Traffic Routing policy - FRONTEND-APP v1.0 (KUMA-DP) / FRONTEND-APP v2.0 (KUMA-DP) - REDIS (KUMA-DP).)
 36. By default: Round Robin strategy
     (Diagram: 50% to v1, 50% to v2.)
 37. By default: Round Robin strategy
     (Diagram: after applying the TrafficRoute below, 80% to v1, 20% to v2.)

     cat <<EOF | kubectl apply -f -
     apiVersion: kuma.io/v1alpha1
     kind: TrafficRoute
     mesh: default
     metadata:
       namespace: kuma-demo
       name: demo-app-canary
     spec:
       sources:
       - match:
           kuma.io/service: kong-proxy_kong_svc_80
       destinations:
       - match:
           kuma.io/service: demo-app_kuma-demo_svc_5000
       conf:
         split:
         - weight: 80
           destination:
             kuma.io/service: demo-app_kuma-demo_svc_5000
             version: "v1"
         - weight: 20
           destination:
             kuma.io/service: demo-app_kuma-demo_svc_5000
             version: "v2"
     EOF
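As an added example (not from the deck or Kong's code) covering both the default 50/50 round robin of slide 36 and the 80/20 canary split above: the `split` entries are resolved to dataplanes by their `version` tag and a destination is picked per request. Envoy chooses weighted clusters pseudo-randomly; the deterministic smooth weighted round-robin here is a stand-in that makes the split exactly checkable. Dataplane names and tags are a constructed subset of the inspect output.

```python
# Added example (not from the deck or Kong's code): resolve a TrafficRoute
# `split` to concrete dataplanes by tag and pick a destination per request.
# Envoy selects weighted clusters pseudo-randomly; the deterministic smooth
# weighted round-robin below is a stand-in that makes the 80/20 split exact.
# Dataplane tags are a constructed subset of `kumactl inspect dataplanes`.
DATAPLANES = {
    "demo-app-768f774c55-bwd4v": {"kuma.io/service": "demo-app_kuma-demo_svc_5000", "version": "v1"},
    "demo-app-v2-df4f5bdc7-b8zml": {"kuma.io/service": "demo-app_kuma-demo_svc_5000", "version": "v2"},
    "redis-684cbb56c9-brsmj": {"kuma.io/service": "redis_kuma-demo_svc_6379"},
}
# `conf.split` from the deck's demo-app-canary TrafficRoute.
CANARY_SPLIT = [
    {"weight": 80, "destination": {"kuma.io/service": "demo-app_kuma-demo_svc_5000", "version": "v1"}},
    {"weight": 20, "destination": {"kuma.io/service": "demo-app_kuma-demo_svc_5000", "version": "v2"}},
]

def subset(destination: dict) -> list:
    """Dataplanes whose tags carry every key/value of the destination selector."""
    return [name for name, tags in DATAPLANES.items()
            if all(tags.get(k) == v for k, v in destination.items())]

class SplitRouter:
    """Smooth weighted round-robin across split entries, then plain
    round-robin across the dataplanes inside the chosen entry."""
    def __init__(self, split: list):
        self.entries = []
        for entry in split:
            members = subset(entry["destination"])
            if not members:  # fail early instead of carrying a weight with no endpoints
                raise ValueError(f"no dataplane matches {entry['destination']}")
            self.entries.append({"weight": entry["weight"], "members": members,
                                 "current": 0, "next": 0})
        self.total = sum(e["weight"] for e in self.entries)

    def pick(self) -> str:
        for e in self.entries:
            e["current"] += e["weight"]
        best = max(self.entries, key=lambda e: e["current"])
        best["current"] -= self.total
        name = best["members"][best["next"] % len(best["members"])]
        best["next"] += 1
        return name

def distribution(split: list, requests: int) -> dict:
    """Count how many of `requests` each dataplane would receive."""
    router, counts = SplitRouter(split), {}
    for _ in range(requests):
        name = router.pick()
        counts[name] = counts.get(name, 0) + 1
    return counts
```

With no `version` in the selector (the pre-TrafficRoute state) a single entry matches both demo-app dataplanes and they alternate, which is the 50/50 of slide 36; Redis never matches a demo-app selector.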
 38. Summary
     • Kong Mesh Intro
     • Deploy Kong Mesh using kumactl
     • Deploy Demo Counter app and use Kong Ingress Controller to expose it
     • Secure Demo Counter app with mTLS
     • Apply Traffic Permissions
     • Apply Deployment Strategies