am I
施 文翰(シ ブンカン) Wenhan Shi
• 日立製作所 (Hitachi, Ltd.) - Linux kernel module development/Support
• Red Hat K.K. - GlusterFS/OpenShift Support
• Canonical Japan K.K. - Ubuntu/OpenStack/Kubernetes Support
• Rancher Lab/SUSE - Rancher Support
• Kong Inc. - Solutions Engineer
@shi_wenhan [email protected]
GATEWAY
[diagram, three panels: MONOLITHIC APP with API MANAGEMENT separating CLIENT PRIVATE TRAFFIC from PUBLIC TRAFFIC through a GW DP; MODERN API GATEWAY with a GW DP in front of each API APP; FULL SERVICE CONNECTIVITY where GW DPs front MESH 1 and MESH 2 under a MESH CP]
end-to-end
• Integrate into the Kong Enterprise platform for Full stack connectivity
• Securely expose and manage the full-lifecycle of APIs and North-South communication using GW
• Manage the cross-cutting concerns and East-West communication with Mesh
[diagram: Client -> Edge Kong Gateway -> Data Center 1 and Data Center 2, each with a Kong Gateway in front of a Banking Product (Service Mesh A) and a Trading Product (Service Mesh B), grouped as Product Scope]
or Service Mesh?
[comparison table; cells survive only as extracted text]
Support mobile apps
Onboard external partners, customers or users
High reliability for mission critical apps
Zero-trust security / high compliance
Observability for detailed visibility into service behavior
Ensure reliability / Ensure security / Gain visibility / NA / NA
YOU NEED A “Service Connectivity Platform”
API GATEWAY / SERVICE MESH
Expose services (Edge, mesh-app, mesh-mesh)
Full lifecycle API management
Service – service communication / NA
Integration for full stack connectivity / API Gateway with integration
Mesh?
• Multi-Mesh And Easy To Use & Scale
• Universal (K8s + VMs), Attribute-Based Policies & More
• Built-in Multi Zone Connectivity
Intelligently route traffic across any platform and any cloud to meet expectations and SLAs.
Restrict access and encrypt all traffic by default to only complete transactions when identity is verified.
Out of the box connectivity for multi-cluster, multi-cloud and multi-platform deployments across the world.
click deployment, one click attribute-based policies
Start, Secure and Scale with Ease
• Turnkey universal service mesh with built-in multi-zone connectivity
• Multi-mesh support for scalability across the organization
[diagram: a Global Kong Mesh Control plane with Service Discovery connected to several Remote Kong Mesh Control Planes, each with a Kong Mesh Ingress on its own Platform, Cloud or Cluster]
Manage service meshes natively in Kubernetes using CRDs.
Deploy the service mesh across any environment, including multi-cluster, multi-cloud and multi-platform,
OR start with a service mesh in VM environments and migrate to Kubernetes at your own pace.
[diagram: one Service Mesh spanning Container-based Microservices and a VM-based Monolith]
kumactl to deploy Kong Mesh
# Download Kong Mesh
# (this pipes a downloaded script straight into sh; save and inspect it first if your change control requires it)
$ curl -L https://docs.konghq.com/mesh/installer.sh | sh -
# Deploy Control Plane
$ kong-mesh-1.9.1/bin/kumactl install control-plane --license-path=/path/to/license.json | kubectl apply -f -
# Verify
$ kubectl get pod -n kong-mesh-system
NAME                                       READY   STATUS    RESTARTS   AGE
kong-mesh-control-plane-5ff698786d-2cckg   1/1     Running   0          61s
$ kubectl get meshes
NAME      AGE
default   1m
control plane via kumactl
# configure kumactl to use the exposed IP address to control your mesh
❯ kumactl config control-planes add --name=kongmesh-cp \
    --address=http://<ip address of Kong Mesh CP>:30001
❯ kumactl get meshes
NAME      mTLS   METRICS   LOGGING   TRACING   LOCALITY   ZONEEGRESS   AGE
default   off    off       off       off       off        off          17m
app
• A front-end and a Redis database to store counters.
• The front-end is a simple display that allows you to increment a counter.
• The Redis database stores the current count.
[diagram: FRONTEND-APP with KUMA-DP <-> KUMA-DP with REDIS]
sidecar annotation
• Ensure the Kuma sidecar annotation is included with the application’s manifest.
• It tells Kubernetes to automatically inject a data plane proxy into every service deployed in the namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: kuma-demo
  annotations:
    kuma.io/sidecar-injection: enabled
Kong Ingress Controller(KIC)
❯ kubectl apply -f https://bit.ly/k4k8s
namespace/kong created
customresourcedefinition.apiextensions.k8s.io/ingressclassparameterses.configuration.konghq.com created
customresourcedefinition.apiextensions.k8s.io/kongclusterplugins.configuration.konghq.com created
customresourcedefinition.apiextensions.k8s.io/kongconsumers.configuration.konghq.com created
customresourcedefinition.apiextensions.k8s.io/kongingresses.configuration.konghq.com created
customresourcedefinition.apiextensions.k8s.io/kongplugins.configuration.konghq.com created
customresourcedefinition.apiextensions.k8s.io/tcpingresses.configuration.konghq.com created
customresourcedefinition.apiextensions.k8s.io/udpingresses.configuration.konghq.com created
…
# Pod of KIC
❯ kubectl get pods -n kong
NAME                            READY   STATUS    RESTARTS   AGE
ingress-kong-6647c64fd4-ggvct   2/2     Running   0          4m51s
# patch the kong proxy to use nodePort
❯ kubectl patch service kong-proxy --namespace=kong --type='json' \
    --patch='[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":31112}]'
❯ kubectl get services -n kong
NAME                      TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
kong-validation-webhook   ClusterIP      10.43.183.215   <none>        443/TCP                      6m25s
kong-proxy                LoadBalancer   10.43.251.106   <pending>     80:31112/TCP,443:32197/TCP   6m25s
Kong Proxy to Kong Mesh
# annotate the namespace and restart the KIC pod
❯ kubectl annotate ns kong kuma.io/sidecar-injection='enabled'
❯ kubectl delete pod ingress-kong-xxxxxxxxxx-xxxxx -n kong
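A check that goes with the restart step above, as an added example that is not part of the original deck: once a namespace is annotated for sidecar injection, pods that already existed keep running without a data plane proxy until they are recreated, so this script lists every pod in an injection-enabled namespace that carries no Kuma sidecar container. It works on dicts shaped like the `items` of `kubectl get namespaces -o json` and `kubectl get pods -A -o json` (the objects below are constructed samples), and it assumes the injected container is named `kuma-sidecar`.

```python
SIDECAR_ANNOTATION = "kuma.io/sidecar-injection"
# Assumption: the container that Kuma's injector adds to each pod is named "kuma-sidecar".
SIDECAR_CONTAINER = "kuma-sidecar"

# Constructed samples, shaped like the "items" of `kubectl get namespaces -o json`.
NAMESPACES = [
    {"metadata": {"name": "kong",
                  "annotations": {SIDECAR_ANNOTATION: "enabled"}}},
    {"metadata": {"name": "kuma-demo",
                  "annotations": {SIDECAR_ANNOTATION: "enabled"}}},
    {"metadata": {"name": "kube-system"}},
]

# Constructed samples, shaped like the "items" of `kubectl get pods -A -o json`.
PODS = [
    # KIC pod created before the namespace was annotated: 2/2 containers, no sidecar yet.
    {"metadata": {"name": "ingress-kong-6647c64fd4-ggvct", "namespace": "kong"},
     "spec": {"containers": [{"name": "ingress-controller"}, {"name": "proxy"}]}},
    # Demo pod created after the annotation: sidecar present.
    {"metadata": {"name": "frontend-7b9d8c5f4-abcde", "namespace": "kuma-demo"},
     "spec": {"containers": [{"name": "frontend"}, {"name": SIDECAR_CONTAINER}]}},
    # System pod in a namespace without injection: not expected to carry a sidecar.
    {"metadata": {"name": "coredns-5d78c9869d-xyz12", "namespace": "kube-system"},
     "spec": {"containers": [{"name": "coredns"}]}},
]


def injection_enabled(namespace: dict) -> bool:
    """True when the namespace carries kuma.io/sidecar-injection: enabled."""
    annotations = namespace.get("metadata", {}).get("annotations") or {}
    return str(annotations.get(SIDECAR_ANNOTATION, "")).lower() == "enabled"


def has_sidecar(pod: dict) -> bool:
    """True when one of the pod's containers is the Kuma data plane proxy."""
    containers = pod.get("spec", {}).get("containers") or []
    return any(c.get("name") == SIDECAR_CONTAINER for c in containers)


def pods_missing_sidecar(namespaces: list, pods: list) -> list:
    """Return 'namespace/pod' for every pod that should have a sidecar but does not."""
    enabled = {ns["metadata"]["name"] for ns in namespaces if injection_enabled(ns)}
    return [
        f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        for pod in pods
        if pod["metadata"]["namespace"] in enabled and not has_sidecar(pod)
    ]


if __name__ == "__main__":
    # On a live cluster, feed the "items" lists parsed from the kubectl JSON output instead.
    for ref in pods_missing_sidecar(NAMESPACES, PODS):
        print(f"{ref}: no {SIDECAR_CONTAINER} container; delete the pod so it is recreated with one")
```

Run against the constructed data it reports only the KIC pod, which is exactly the pod the slide deletes; a pod that stays without its sidecar after the restart usually means the namespace annotation was applied to the wrong namespace or the injector webhook is not reachable.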
Ingress rule for accessing the frontend app
• Deploy an Ingress through KIC to reach the frontend app via the Kong proxy
[diagram: Request -> Ingress -> Kong Proxy (KUMA-DP, Kong Plugins) -> FRONTEND-APP (KUMA-DP) -> REDIS (KUMA-DP)]
the Counter Demo App
❯ kubectl get svc -n kong kong-proxy
NAME         TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
kong-proxy   LoadBalancer   10.43.251.106   <pending>     80:31112/TCP,443:32197/TCP   75m
- Not secured or encrypted by default
- Using a built-in CA, we can secure the services by enabling mTLS.
- Only allowed services can communicate with others.
- All traffic will be encrypted.
- mTLS is not enabled by default; enable it by updating the Mesh policy.
❯ kumactl get meshes
NAME      mTLS   METRICS   LOGGING   TRACING   LOCALITY   ZONEEGRESS   AGE
default   off    off       off       off       off        off          2h
Traffic permission and remove the by-default rule
- By default, there is a Traffic Permission rule that allows all traffic.
- Remove it.
- The Counter app should go down because no rule allows its traffic any more.
❯ kubectl get TrafficPermission
NAME                AGE
allow-all-default   11m
❯ kubectl delete TrafficPermission allow-all-default
trafficpermission.kuma.io "allow-all-default" deleted
- Traffic Permissions define which services are allowed to communicate with each other.
- This makes it easy to implement zero-trust networks.
[diagram: Request -> Kong Proxy (KUMA-DP, Kong Plugins) -allow-> FRONTEND-APP (KUMA-DP) -allow-> REDIS (KUMA-DP)]
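An audit of the two policies described on this slide and the mTLS slide before it, as an added example that is not from the original deck: given the Mesh object and the TrafficPermission objects in the shape that `kubectl get mesh default -o json` and `kubectl get trafficpermissions -o json` return (the objects below are constructed), it reports whether mTLS is really enabled with a configured backend, whether any permission is still a wildcard allow-all like the default one the slide deletes, and whether every flow the counter app needs is explicitly allowed. Selectors are compared on the `kuma.io/service` tag only, and the service names (`kong-proxy_kong_svc_80`, `frontend_kuma-demo_svc_8080`, `redis_kuma-demo_svc_6379`) are assumptions in Kuma's `<service>_<namespace>_svc_<port>` form, not values taken from the deck.

```python
SERVICE_TAG = "kuma.io/service"
WILDCARD = "*"

# Assumed service names (Kuma's <service>_<namespace>_svc_<port> form); not from the deck.
INGRESS = "kong-proxy_kong_svc_80"
FRONTEND = "frontend_kuma-demo_svc_8080"
REDIS = "redis_kuma-demo_svc_6379"

# Constructed: the default Mesh with a builtin CA backend enabled, and the same Mesh with mTLS off.
MESH_MTLS_ON = {
    "apiVersion": "kuma.io/v1alpha1", "kind": "Mesh", "metadata": {"name": "default"},
    "spec": {"mtls": {"enabledBackend": "ca-1",
                      "backends": [{"name": "ca-1", "type": "builtin"}]}},
}
MESH_MTLS_OFF = {"apiVersion": "kuma.io/v1alpha1", "kind": "Mesh",
                 "metadata": {"name": "default"}, "spec": {}}


def permission(name: str, source: str, destination: str) -> dict:
    """Build a TrafficPermission letting one source service reach one destination service."""
    return {
        "apiVersion": "kuma.io/v1alpha1", "kind": "TrafficPermission", "mesh": "default",
        "metadata": {"name": name},
        "spec": {"sources": [{"match": {SERVICE_TAG: source}}],
                 "destinations": [{"match": {SERVICE_TAG: destination}}]},
    }


# Constructed: the permissive default rule and a least-privilege replacement for it.
ALLOW_ALL = permission("allow-all-default", WILDCARD, WILDCARD)
LEAST_PRIVILEGE = [
    permission("ingress-to-frontend", INGRESS, FRONTEND),
    permission("frontend-to-redis", FRONTEND, REDIS),
]
# The flows the counter app needs: ingress -> frontend -> redis.
REQUIRED_FLOWS = [(INGRESS, FRONTEND), (FRONTEND, REDIS)]


def mtls_enabled(mesh: dict) -> bool:
    """mTLS counts as on only if enabledBackend names one of the configured backends."""
    mtls = mesh.get("spec", {}).get("mtls") or {}
    backend = mtls.get("enabledBackend")
    backends = {b.get("name") for b in mtls.get("backends") or []}
    return bool(backend) and backend in backends


def selector_matches(selectors: list, service: str) -> bool:
    """True if any selector names `service` exactly or uses the '*' wildcard."""
    for s in selectors:
        tag = s.get("match", {}).get(SERVICE_TAG)
        if tag == WILDCARD or tag == service:
            return True
    return False


def is_allow_all(perm: dict) -> bool:
    """A rule whose sources and destinations are both wildcards disables segmentation."""
    spec = perm.get("spec", {})
    src_wild = any(s.get("match", {}).get(SERVICE_TAG) == WILDCARD for s in spec.get("sources", []))
    dst_wild = any(d.get("match", {}).get(SERVICE_TAG) == WILDCARD for d in spec.get("destinations", []))
    return src_wild and dst_wild


def allowed(permissions: list, source: str, destination: str) -> bool:
    """True if at least one TrafficPermission lets `source` talk to `destination`."""
    return any(selector_matches(p["spec"].get("sources", []), source)
               and selector_matches(p["spec"].get("destinations", []), destination)
               for p in permissions)


def audit(mesh: dict, permissions: list, required_flows: list) -> list:
    """Return human-readable findings; an empty list means the mesh matches the intended policy."""
    findings = []
    if not mtls_enabled(mesh):
        findings.append("mesh/default: mTLS is off, service traffic is unauthenticated and unencrypted")
    for p in permissions:
        if is_allow_all(p):
            findings.append(f"{p['metadata']['name']}: wildcard allow-all, every service can reach every other")
    for src, dst in required_flows:
        if not allowed(permissions, src, dst):
            findings.append(f"no TrafficPermission allows {src} -> {dst}")
    return findings


if __name__ == "__main__":
    # The state right after the mTLS slide: mTLS on, default allow-all still present.
    for finding in audit(MESH_MTLS_ON, [ALLOW_ALL], REQUIRED_FLOWS):
        print(finding)
```

The third check is the one that catches the failure mode the slide demonstrates: deleting `allow-all-default` without adding replacements yields an empty permission set, and `audit` then lists both missing flows instead of reporting a clean mesh.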
Mesh Intro
• Deploy Kong Mesh using kumactl
• Deploy the Demo Counter app and use Kong Ingress Controller to expose it
• Secure the Demo Counter app with mTLS
• Apply Traffic Permissions
• Apply Deployment Strategies
Summary