Hands-on with Kong for Kubernetes (K8S)

Install Kong for Kubernetes using one of the following methods:

YAML manifest

To deploy Kong with kubectl, use:

kubectl apply -f https://bit.ly/kong-ingress-dbless

Important! This is not a production-grade deployment. Adjust the parameters for your use case:

  • Replicas: make sure you run multiple instances of Kong, so that a single node failure does not cause an outage.
  • Performance tuning: adjust Kong's memory settings and tailor the deployment to your usage.
  • Load balancer: make sure a Layer 4 (TCP) load balancer runs in front of Kong. This lets Kong serve TLS certificates itself and integrate with a certificate manager.

Helm deployment

Kong has an official Helm Chart. To deploy Kong onto a Kubernetes cluster with Helm, use:

$ helm repo add kong https://charts.konghq.com
$ helm repo update

# Helm 2
$ helm install kong/kong

# Helm 3
$ helm install kong/kong --generate-name --set ingressController.installCRDs=false

Kustomize

Kong's Kubernetes manifests can be patched declaratively with Kubernetes kustomize. An example of a remote kustomize build is:

kustomize build github.com/kong/kubernetes-ingress-controller/deploy/manifests/base

Kustomizations for different kinds of deployments are available in Kong's repository.
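The following kustomization.yaml is an added example (it is not from the original post or from Kong's repository). It overlays the remote base used above with the production adjustments listed under "Important!": more replicas, a tuned worker-process count and resource limits. The Deployment name `ingress-kong` and container name `proxy` are taken from the manifest shown later on this page; the replica count, worker count and resource figures are placeholders to size for your own cluster, and the inline `patches` form assumes kustomize v3 or newer.

```yaml
# kustomization.yaml (added example, not part of the Kong project)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# the same remote base the page builds with "kustomize build"
- github.com/kong/kubernetes-ingress-controller/deploy/manifests/base
patches:
- target:
    kind: Deployment
    name: ingress-kong   # deployment name as in the page's manifest
  patch: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: ingress-kong
    spec:
      # Replicas: survive the loss of a single node (placeholder value)
      replicas: 3
      template:
        spec:
          containers:
          # strategic-merge matches the container by name, so only the
          # proxy container is touched; the ingress-controller container is left as-is
          - name: proxy
            env:
            # Performance tuning: base sets one worker; size to the node's CPUs (placeholder)
            - name: KONG_NGINX_WORKER_PROCESSES
              value: "2"
            # memory limits so a misbehaving gateway cannot starve the node (placeholders)
            resources:
              requests:
                cpu: 500m
                memory: 512Mi
              limits:
                memory: 1Gi
```

Build it with `kustomize build .` from the directory holding this file and pipe the output to `kubectl apply -f -`. The Layer 4 load balancer point is already covered by the base: its kong-proxy Service is `type: LoadBalancer` (the page's manifest notes that this is the default before it is changed to NodePort), so nothing needs patching for that unless your cloud provider requires extra annotations.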

If you are installing Kong on a managed Kubernetes offering from a cloud provider, such as Google Kubernetes Engine (GKE), Amazon EKS, Azure Kubernetes Service (AKS) and others, make sure you have set up a Kubernetes cluster at the cloud provider and configured kubectl on your workstation.

Once the Kubernetes cluster is set up and kubectl is configured, the installation on any cloud provider uses one of the methods above (YAML manifests, Helm Chart, Kustomize) to install Kong.

Each cloud provider differs slightly in how specific resources (load balancers, storage volumes, and so on) can be configured. We recommend consulting the provider's documentation to adjust those settings.

As for the database: we recommend running Kong inside Kubernetes in in-memory mode (also called DB-less), because all configuration is then stored in the Kubernetes control plane. This setup simplifies operating Kong, since there is no database setup, backup, availability or security to worry about. If you do decide to use a database, we recommend running it outside Kubernetes. You can use a service such as Amazon RDS from your cloud provider, or a similar managed Postgres service, to automate database operations.

We do not recommend using Kong with Cassandra in Kubernetes deployments, because the capabilities that Kong's use of Cassandra covers are handled by other means in Kubernetes.

  1. Open the official download address https://bit.ly/kong-ingress-dbless in a browser and download the corresponding yaml file:

    wget https://raw.githubusercontent.com/Kong/kubernetes-ingress-controller/master/deploy/single/all-in-one-dbless.yaml

  2. The versions at the time of writing are kong:2.1 and kong-ingress-controller:0.9.1. Change the Service type to NodePort (the default is LoadBalancer). The complete configuration file is:

    [root@localhost kong-gateway]# cat all-in-one-dbless.yaml
    apiVersion: v1
    kind: Namespace
    metadata:
      name: kong
    ---
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: kongclusterplugins.configuration.konghq.com
    spec:
      additionalPrinterColumns:
      - JSONPath: .plugin
        description: Name of the plugin
        name: Plugin-Type
        type: string
      - JSONPath: .metadata.creationTimestamp
        description: Age
        name: Age
        type: date
      - JSONPath: .disabled
        description: Indicates if the plugin is disabled
        name: Disabled
        priority: 1
        type: boolean
      - JSONPath: .config
        description: Configuration of the plugin
        name: Config
        priority: 1
        type: string
      group: configuration.konghq.com
      names:
        kind: KongClusterPlugin
        plural: kongclusterplugins
        shortNames:
        - kcp
      scope: Cluster
      validation:
        openAPIV3Schema:
          properties:
            config:
              type: object
            configFrom:
              properties:
                secretKeyRef:
                  properties:
                    key:
                      type: string
                    name:
                      type: string
                    namespace:
                      type: string
                  required:
                  - name
                  - namespace
                  - key
                  type: object
              type: object
            disabled:
              type: boolean
            plugin:
              type: string
            protocols:
              items:
                enum:
                - http
                - https
                - grpc
                - grpcs
                - tcp
                - tls
                type: string
              type: array
            run_on:
              enum:
              - first
              - second
              - all
              type: string
          required:
          - plugin
      version: v1
    ---
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: kongconsumers.configuration.konghq.com
    spec:
      additionalPrinterColumns:
      - JSONPath: .username
        description: Username of a Kong Consumer
        name: Username
        type: string
      - JSONPath: .metadata.creationTimestamp
        description: Age
        name: Age
        type: date
      group: configuration.konghq.com
      names:
        kind: KongConsumer
        plural: kongconsumers
        shortNames:
        - kc
      scope: Namespaced
      validation:
        openAPIV3Schema:
          properties:
            credentials:
              items:
                type: string
              type: array
            custom_id:
              type: string
            username:
              type: string
      version: v1
    ---
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: kongcredentials.configuration.konghq.com
    spec:
      additionalPrinterColumns:
      - JSONPath: .type
        description: Type of credential
        name: Credential-type
        type: string
      - JSONPath: .metadata.creationTimestamp
        description: Age
        name: Age
        type: date
      - JSONPath: .consumerRef
        description: Owner of the credential
        name: Consumer-Ref
        type: string
      group: configuration.konghq.com
      names:
        kind: KongCredential
        plural: kongcredentials
      scope: Namespaced
      validation:
        openAPIV3Schema:
          properties:
            consumerRef:
              type: string
            type:
              type: string
          required:
          - consumerRef
          - type
      version: v1
    ---
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: kongingresses.configuration.konghq.com
    spec:
      group: configuration.konghq.com
      names:
        kind: KongIngress
        plural: kongingresses
        shortNames:
        - ki
      scope: Namespaced
      validation:
        openAPIV3Schema:
          properties:
            proxy:
              properties:
                connect_timeout:
                  minimum: 0
                  type: integer
                path:
                  pattern: ^/.*$
                  type: string
                protocol:
                  enum:
                  - http
                  - https
                  - grpc
                  - grpcs
                  - tcp
                  - tls
                  type: string
                read_timeout:
                  minimum: 0
                  type: integer
                retries:
                  minimum: 0
                  type: integer
                write_timeout:
                  minimum: 0
                  type: integer
              type: object
            route:
              properties:
                headers:
                  additionalProperties:
                    items:
                      type: string
                    type: array
                  type: object
                https_redirect_status_code:
                  type: integer
                methods:
                  items:
                    type: string
                  type: array
                path_handling:
                  enum:
                  - v0
                  - v1
                  type: string
                preserve_host:
                  type: boolean
                protocols:
                  items:
                    enum:
                    - http
                    - https
                    - grpc
                    - grpcs
                    - tcp
                    - tls
                    type: string
                  type: array
                regex_priority:
                  type: integer
                strip_path:
                  type: boolean
            upstream:
              properties:
                algorithm:
                  enum:
                  - round-robin
                  - consistent-hashing
                  - least-connections
                  type: string
                hash_fallback:
                  type: string
                hash_fallback_header:
                  type: string
                hash_on:
                  type: string
                hash_on_cookie:
                  type: string
                hash_on_cookie_path:
                  type: string
                hash_on_header:
                  type: string
                healthchecks:
                  properties:
                    active:
                      properties:
                        concurrency:
                          minimum: 1
                          type: integer
                        healthy:
                          properties:
                            http_statuses:
                              items:
                                type: integer
                              type: array
                            interval:
                              minimum: 0
                              type: integer
                            successes:
                              minimum: 0
                              type: integer
                          type: object
                        http_path:
                          pattern: ^/.*$
                          type: string
                        timeout:
                          minimum: 0
                          type: integer
                        unhealthy:
                          properties:
                            http_failures:
                              minimum: 0
                              type: integer
                            http_statuses:
                              items:
                                type: integer
                              type: array
                            interval:
                              minimum: 0
                              type: integer
                            tcp_failures:
                              minimum: 0
                              type: integer
                            timeout:
                              minimum: 0
                              type: integer
                          type: object
                      type: object
                    passive:
                      properties:
                        healthy:
                          properties:
                            http_statuses:
                              items:
                                type: integer
                              type: array
                            interval:
                              minimum: 0
                              type: integer
                            successes:
                              minimum: 0
                              type: integer
                          type: object
                        unhealthy:
                          properties:
                            http_failures:
                              minimum: 0
                              type: integer
                            http_statuses:
                              items:
                                type: integer
                              type: array
                            interval:
                              minimum: 0
                              type: integer
                            tcp_failures:
                              minimum: 0
                              type: integer
                            timeout:
                              minimum: 0
                              type: integer
                          type: object
                      type: object
                    threshold:
                      type: integer
                  type: object
                host_header:
                  type: string
                slots:
                  minimum: 10
                  type: integer
              type: object
      version: v1
    ---
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: kongplugins.configuration.konghq.com
    spec:
      additionalPrinterColumns:
      - JSONPath: .plugin
        description: Name of the plugin
        name: Plugin-Type
        type: string
      - JSONPath: .metadata.creationTimestamp
        description: Age
        name: Age
        type: date
      - JSONPath: .disabled
        description: Indicates if the plugin is disabled
        name: Disabled
        priority: 1
        type: boolean
      - JSONPath: .config
        description: Configuration of the plugin
        name: Config
        priority: 1
        type: string
      group: configuration.konghq.com
      names:
        kind: KongPlugin
        plural: kongplugins
        shortNames:
        - kp
      scope: Namespaced
      validation:
        openAPIV3Schema:
          properties:
            config:
              type: object
            configFrom:
              properties:
                secretKeyRef:
                  properties:
                    key:
                      type: string
                    name:
                      type: string
                  required:
                  - name
                  - key
                  type: object
              type: object
            disabled:
              type: boolean
            plugin:
              type: string
            protocols:
              items:
                enum:
                - http
                - https
                - grpc
                - grpcs
                - tcp
                - tls
                type: string
              type: array
            run_on:
              enum:
              - first
              - second
              - all
              type: string
          required:
          - plugin
      version: v1
    ---
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: tcpingresses.configuration.konghq.com
    spec:
      additionalPrinterColumns:
      - JSONPath: .status.loadBalancer.ingress[*].ip
        description: Address of the load balancer
        name: Address
        type: string
      - JSONPath: .metadata.creationTimestamp
        description: Age
        name: Age
        type: date
      group: configuration.konghq.com
      names:
        kind: TCPIngress
        plural: tcpingresses
      scope: Namespaced
      subresources:
        status: {}
      validation:
        openAPIV3Schema:
          properties:
            apiVersion:
              type: string
            kind:
              type: string
            metadata:
              type: object
            spec:
              properties:
                rules:
                  items:
                    properties:
                      backend:
                        properties:
                          serviceName:
                            type: string
                          servicePort:
                            format: int32
                            type: integer
                        type: object
                      host:
                        type: string
                      port:
                        format: int32
                        type: integer
                    type: object
                  type: array
                tls:
                  items:
                    properties:
                      hosts:
                        items:
                          type: string
                        type: array
                      secretName:
                        type: string
                    type: object
                  type: array
              type: object
            status:
              type: object
      version: v1beta1
    status:
      acceptedNames:
        kind: ""
        plural: ""
      conditions: []
      storedVersions: []
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: kong-serviceaccount
      namespace: kong
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
      name: kong-ingress-clusterrole
    rules:
    - apiGroups:
      - ""
      resources:
      - endpoints
      - nodes
      - pods
      - secrets
      verbs:
      - list
      - watch
    - apiGroups:
      - ""
      resources:
      - nodes
      verbs:
      - get
    - apiGroups:
      - ""
      resources:
      - services
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - networking.k8s.io
      - extensions
      - networking.internal.knative.dev
      resources:
      - ingresses
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      resources:
      - events
      verbs:
      - create
      - patch
    - apiGroups:
      - networking.k8s.io
      - extensions
      - networking.internal.knative.dev
      resources:
      - ingresses/status
      verbs:
      - update
    - apiGroups:
      - configuration.konghq.com
      resources:
      - tcpingresses/status
      verbs:
      - update
    - apiGroups:
      - configuration.konghq.com
      resources:
      - kongplugins
      - kongclusterplugins
      - kongcredentials
      - kongconsumers
      - kongingresses
      - tcpingresses
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      resources:
      - configmaps
      verbs:
      - create
      - get
      - update
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
      name: kong-ingress-clusterrole-nisa-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: kong-ingress-clusterrole
    subjects:
    - kind: ServiceAccount
      name: kong-serviceaccount
      namespace: kong
    ---
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
        service.beta.kubernetes.io/aws-load-balancer-type: nlb
      name: kong-proxy
      namespace: kong
    spec:
      ports:
      - name: proxy
        port: 80
        protocol: TCP
        targetPort: 8000
      - name: proxy-ssl
        port: 443
        protocol: TCP
        targetPort: 8443
      selector:
        app: ingress-kong
      type: NodePort
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: kong-validation-webhook
      namespace: kong
    spec:
      ports:
      - name: webhook
        port: 443
        protocol: TCP
        targetPort: 8080
      selector:
        app: ingress-kong
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: ingress-kong
      name: ingress-kong
      namespace: kong
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: ingress-kong
      template:
        metadata:
          annotations:
            kuma.io/gateway: enabled
            prometheus.io/port: "8100"
            prometheus.io/scrape: "true"
            traffic.sidecar.istio.io/includeInboundPorts: ""
          labels:
            app: ingress-kong
        spec:
          containers:
          - env:
            - name: KONG_PROXY_LISTEN
              value: 0.0.0.0:8000, 0.0.0.0:8443 ssl http2
            - name: KONG_ADMIN_LISTEN
              value: 127.0.0.1:8444 ssl
            - name: KONG_STATUS_LISTEN
              value: 0.0.0.0:8100
            - name: KONG_DATABASE
              value: "off"
            - name: KONG_NGINX_WORKER_PROCESSES
              value: "1"
            - name: KONG_ADMIN_ACCESS_LOG
              value: /dev/stdout
            - name: KONG_ADMIN_ERROR_LOG
              value: /dev/stderr
            - name: KONG_PROXY_ERROR_LOG
              value: /dev/stderr
            image: kong:2.1
            lifecycle:
              preStop:
                exec:
                  command:
                  - /bin/sh
                  - -c
                  - kong quit
            livenessProbe:
              failureThreshold: 3
              httpGet:
                path: /status
                port: 8100
                scheme: HTTP
              initialDelaySeconds: 5
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 1
            name: proxy
            ports:
            - containerPort: 8000
              name: proxy
              protocol: TCP
            - containerPort: 8443
              name: proxy-ssl
              protocol: TCP
            - containerPort: 8100
              name: metrics
              protocol: TCP
            readinessProbe:
              failureThreshold: 3
              httpGet:
                path: /status
                port: 8100
                scheme: HTTP
              initialDelaySeconds: 5
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 1
            securityContext:
              runAsUser: 1000
          - env:
            - name: CONTROLLER_KONG_ADMIN_URL
              value: https://127.0.0.1:8444
            - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
              value: "true"
            - name: CONTROLLER_PUBLISH_SERVICE
              value: kong/kong-proxy
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            image: kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller:0.9.1
            imagePullPolicy: IfNotPresent
            livenessProbe:
              failureThreshold: 3
              httpGet:
                path: /healthz
                port: 10254
                scheme: HTTP
              initialDelaySeconds: 5
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 1
            name: ingress-controller
            ports:
            - containerPort: 8080
              name: webhook
              protocol: TCP
            readinessProbe:
              failureThreshold: 3
              httpGet:
                path: /healthz
                port: 10254
                scheme: HTTP
              initialDelaySeconds: 5
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 1
          serviceAccountName: kong-serviceaccount

  3. Apply the yaml file:

    [root@localhost kong-gateway]# kubectl apply -f all-in-one-dbless.yaml
    namespace/kong created
    customresourcedefinition.apiextensions.k8s.io/kongclusterplugins.configuration.konghq.com created
    customresourcedefinition.apiextensions.k8s.io/kongconsumers.configuration.konghq.com created
    customresourcedefinition.apiextensions.k8s.io/kongcredentials.configuration.konghq.com created
    customresourcedefinition.apiextensions.k8s.io/kongingresses.configuration.konghq.com created
    customresourcedefinition.apiextensions.k8s.io/kongplugins.configuration.konghq.com created
    customresourcedefinition.apiextensions.k8s.io/tcpingresses.configuration.konghq.com created
    serviceaccount/kong-serviceaccount created
    clusterrole.rbac.authorization.k8s.io/kong-ingress-clusterrole created
    clusterrolebinding.rbac.authorization.k8s.io/kong-ingress-clusterrole-nisa-binding created
    service/kong-proxy created
    service/kong-validation-webhook created
    deployment.apps/ingress-kong created
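The script below is an added example (it is not from the original post or from the Kong project). It performs the step-2 edit, switching only the kong-proxy Service from LoadBalancer to NodePort, on a copy of the manifest, and checks one security property before step 3: with NodePort the proxy ports become reachable on every node's IP, so the Admin API must stay bound to 127.0.0.1 inside the pod (which is also what makes the controller's `CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY` against `https://127.0.0.1:8444` a loopback-only trust decision rather than a network exposure). It assumes the field layout of the file shown above: documents separated by `---`, `type:` at two-space indent under `spec`, and the `KONG_ADMIN_LISTEN` env entry in the proxy container. The manifest excerpt written by `write_sample_manifest` is constructed for this example.

```shell
#!/bin/sh
# Added example: pre-apply check for all-in-one-dbless.yaml (not Kong project code).

# Constructed sample excerpt in the layout of the page's manifest.
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: kong-proxy
  namespace: kong
spec:
  ports:
  - name: proxy
    port: 80
    protocol: TCP
    targetPort: 8000
  selector:
    app: ingress-kong
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: kong-validation-webhook
  namespace: kong
spec:
  ports:
  - name: webhook
    port: 443
    protocol: TCP
    targetPort: 8080
  selector:
    app: ingress-kong
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-kong
  namespace: kong
spec:
  template:
    spec:
      containers:
      - env:
        - name: KONG_PROXY_LISTEN
          value: 0.0.0.0:8000, 0.0.0.0:8443 ssl http2
        - name: KONG_ADMIN_LISTEN
          value: 127.0.0.1:8444 ssl
        image: kong:2.1
        name: proxy
EOF
}

# Print spec.type of the Service named $1 in manifest $2.
# Prints nothing when the field is absent (Kubernetes then defaults to ClusterIP).
service_type() {
  awk -v want="$1" '
    /^---/                    { kind = ""; name = ""; next }
    /^kind:/                  { kind = $2 }
    /^  name:/ && name == ""  { name = $2 }   # first 2-space "name:" is metadata.name
    kind == "Service" && name == want && /^  type:/ { print $2 }
  ' "$2"
}

# Rewrite manifest $1 in place so only the kong-proxy Service becomes NodePort;
# every other document (the webhook Service, CRDs, RBAC, Deployment) is passed through unchanged.
set_proxy_nodeport() {
  awk '
    /^---/                    { kind = ""; name = "" }
    /^kind:/                  { kind = $2 }
    /^  name:/ && name == ""  { name = $2 }
    kind == "Service" && name == "kong-proxy" && /^  type: LoadBalancer$/ {
      sub(/LoadBalancer/, "NodePort")
    }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the value of the KONG_ADMIN_LISTEN env var (the line after the name entry).
admin_listen() {
  awk '/- name: KONG_ADMIN_LISTEN$/ { getline; sub(/^ *value: /, ""); print }' "$1"
}

# Succeed only if the Admin API is bound to loopback. A 0.0.0.0 bind combined
# with a NodePort proxy would be the setting to catch before applying.
admin_is_loopback() {
  case "$(admin_listen "$1")" in
    127.0.0.1:*) return 0 ;;
    *)           return 1 ;;
  esac
}

# Usage: sh check-manifest.sh all-in-one-dbless.yaml
# Without an argument nothing is modified, so the functions can be sourced.
if [ $# -gt 0 ]; then
  set_proxy_nodeport "$1"
  printf 'kong-proxy Service type: %s\n' "$(service_type kong-proxy "$1")"
  if admin_is_loopback "$1"; then
    echo "Admin API bound to loopback only: OK"
  else
    echo "WARNING: KONG_ADMIN_LISTEN is not bound to 127.0.0.1" >&2
  fi
fi
```

Run it against the downloaded file before `kubectl apply`; after the step-3 apply, `kubectl -n kong get svc kong-proxy` shows the NodePort numbers the proxy is published on.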
