Kubernetes (K8s) has become a cornerstone technology for deploying and managing containerized applications. But have you ever wondered how to manage your K8s services efficiently, especially when exposing many services outside the Cluster?

By opting for an API gateway over a simple Ingress Controller, you’re simplifying the management of your K8s services and enhancing your control and efficiency. The API Gateway is a single entry point for client requests, abstracting security-related complexities, service discovery, routing, and load balancing. This centralized management of all your APIs running within the Kubernetes Cluster empowers you to handle your services easily. Moreover, an API Gateway opens up new possibilities like API Analytics, further enhancing your capabilities. Additionally, you can expose your services using protocols like TCP, UDP, or gRPC, giving you the flexibility you need.

One Gateway, multiple options

With Kong’s flexible API Gateway, you become independent of any platform or runtime. In Kubernetes, you have two variants for deploying and using Kong Gateway. You can deploy it as a regular Kubernetes Service or an Ingress Controller.

Deployment model: Kong Gateway as Kubernetes Service

When you choose to deploy Kong Gateway as a regular Kubernetes deployment, you’re making a decision that significantly benefits your operations. However, it’s important to note that you’ll need to make the Kong Proxy and Admin API services available outside the Cluster. This step, though necessary, is a small price to pay for the enhanced control and management that Kong Gateway brings to your Kubernetes services.

With the Kong Gateway in place, you can configure other Kubernetes services to be securely exposed. The Kong Admin API plays a crucial role here. It allows Gateway Admins to update the Gateway’s configuration. Because it can change the Gateway configuration, you must ensure that the Kong Admin API is adequately secured.
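One way to narrow the exposure of the Admin API in this deployment model, shown as an added example that is not part of the original article. The resource names, namespace, labels and the CIDR are assumptions, and the weak variant is kept as a comment for comparison:

```yaml
# Constructed example: names, namespace, labels and the CIDR are placeholders.
#
# Weak variant, shown commented out for comparison: plaintext Admin API
# listener on all interfaces, published with no source restriction.
#   env:      KONG_ADMIN_LISTEN = "0.0.0.0:8001"
#   Service:  type: LoadBalancer, port: 8001
#
# Hardened variant, part 1: strategic-merge patch for the Kong Deployment.
# The Admin API is served over TLS only; no plaintext port is opened.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kong-gateway
  namespace: kong
spec:
  template:
    spec:
      containers:
        - name: proxy
          env:
            - name: KONG_ADMIN_LISTEN
              value: "0.0.0.0:8444 ssl"
---
# Hardened variant, part 2: the Admin API gets its own Service, separate from
# the proxy Service, and accepts connections only from the admin network.
apiVersion: v1
kind: Service
metadata:
  name: kong-admin
  namespace: kong
spec:
  type: LoadBalancer
  selector:
    app: kong-gateway
  loadBalancerSourceRanges:
    - 203.0.113.0/24   # placeholder (documentation range), replace with your admin CIDR
  ports:
    - name: admin-tls
      port: 8444
      targetPort: 8444
      protocol: TCP
```

Enforcement of `loadBalancerSourceRanges` depends on the cloud provider's load balancer, and a source range limits who can connect but does not authenticate the caller.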

The Kong Admin API is a REST API. Therefore, you can integrate it easily with CI/CD pipelines. However, this can be cumbersome due to the imperative nature of a REST interface. Instead of using the Admin API directly, Gateway Admins can use Kong decK. The tool allows us to manage the Kong Gateway configuration declaratively. In the background, it connects to the Admin API and automatically applies the necessary changes.
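A decK state file for one service, as an added example that is not taken from the original article. The service name, upstream URL and route path are assumptions:

```yaml
# kong.yaml: constructed decK state file; service, URL and path are placeholders.
# Typical pipeline steps (older decK releases use `deck diff` / `deck sync`):
#   deck gateway diff kong.yaml   # review what would change on the gateway
#   deck gateway sync kong.yaml   # apply the reviewed state via the Admin API
_format_version: "3.0"
services:
  - name: orders-service
    url: http://orders.shop.svc.cluster.local:8080
    routes:
      - name: orders-route
        paths:
          - /orders
        protocols:
          - https              # do not serve this route over plaintext HTTP
    plugins:
      - name: key-auth         # callers must present an API key
        config:
          key_names:
            - apikey
          hide_credentials: true   # strip the key before proxying upstream
```

Because the file is the full desired state, keeping it in version control and gating `sync` on a reviewed `diff` gives an audit trail for every gateway change.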

Figure 1: Kong deployed as a regular K8s service

The API Gateway can also secure Kubernetes traffic internally using this deployment model. If you have such requirements, you should consider using a Service Mesh like Kuma to secure and manage your East-West traffic.

Deployment model: Kong Ingress Controller

If you want to manage your Kubernetes services in a Kubernetes-native way, you can use the Kong Ingress Controller (KIC). It defines respective custom resource definitions, so Gateway Admins can use Kubernetes Manifests to configure Kong Gateway.

As shown in Figure 2, there’s still a Kong Gateway proxy for exposing Kubernetes services to the outside world. In addition, you can see an Ingress Controller component. It watches etcd for relevant Kong-specific Manifests. KIC translates these into Kong Gateway configurations and applies them to the proxy. In the background, KIC uses the Kong Admin API to configure the Gateway proxy.

Figure 2: Kong Ingress Controller deployment

The main differences regarding the scenario above are:

  • You don’t need to expose the Kong Admin API publicly
  • Gateway configuration in a Kubernetes-native way
  • Securing Kubernetes internal traffic is not possible
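The Kubernetes-native configuration described above, as an added example that is not part of the original article. The namespace, service name, path and role name are assumptions. Since the Admin API is no longer the entry point for changes, write access to these resources decides who can change gateway behaviour, so the example ends with a namespaced Role:

```yaml
# Constructed example; names, namespace and paths are assumptions.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: orders-rate-limit
  namespace: shop
plugin: rate-limiting
config:
  minute: 60
  policy: local
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders
  namespace: shop
  annotations:
    konghq.com/plugins: orders-rate-limit   # attach the KongPlugin above
    konghq.com/protocols: https             # no plaintext route
spec:
  ingressClassName: kong
  rules:
    - http:
        paths:
          - path: /orders
            pathType: Prefix
            backend:
              service:
                name: orders
                port:
                  number: 8080
---
# Who may change gateway behaviour is now a Kubernetes RBAC question.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gateway-config-editor
  namespace: shop
rules:
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["configuration.konghq.com"]
    resources: ["kongplugins"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```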

Increasing complexity through API distribution

Usually, you have to deal with more than just one Kubernetes cluster. In addition, you’ll also have to deal with non-containerized workloads. Furthermore, you may distribute those workloads over on-prem environments and different public cloud vendors. Now, you may ask how to manage all APIs in that distributed environment consistently.

Kong Konnect is a single-pane-of-glass solution for tackling the challenges of today’s distributed world. It provides a central, global control plane with rich management capabilities. Read this blog to learn more about Konnect.

Seeing is believing

Would you like to see this in action? Fortunately, I created a video tutorial that shows how to get started with Kubernetes-native API Management using Kong Konnect and Kong Ingress Controller.

Check it out, and let me know your thoughts, impressions, and questions!

Further reading

If you want to learn more about the unique features of an API Gateway like Kong, I recommend this blog. It details when an API Gateway might be more suitable for your needs than a simpler Ingress Controller such as Nginx.

All posts by Sven Bernhardt

Sven Bernhardt is a technology enthusiast who works for OPITZ CONSULTING as the Chief Architect on the Corporate Development team. In this role, he manages the technology portfolio and develops Best Practices and Guidelines. In addition, Sven supports his colleagues in implementing Software solutions for Customers. Sven regularly speaks at various conferences about technology or architecture topics. He also shares his thoughts and experiences by writing articles and blog posts. In addition, he's a Kong Champion.
