Kong for Kubernetes 0.7 Released!
Kong for Kubernetes (Kong for K8s) is a Kubernetes Ingress Controller based on the popular Kong Gateway open source project. Kong for K8s is fully Kubernetes Native and provides enhanced API management capabilities. From an architectural perspective, Kong for K8s consists of two parts: a Kubernetes controller, which manages the state of Kong for K8s ingress configuration, and the Kong Gateway, which processes and manages incoming API requests.
We are thrilled to announce the availability of this latest release of Kong for K8s! This release’s highlight features include encrypted credentials, mutual authentication using TLS, native gRPC routing, and performance improvements.
With this release, Kong for K8s now has 100% coverage of Kong Gateway’s administrative API functions. This means that all the features of the Kong Gateway can now be used natively on Kong for K8s through Kubernetes resources.
Encrypted Credentials Using Secret Resource
API access credentials can now be stored in encrypted form inside the Kubernetes datastore using the Secret resource. This provides encryption at rest for sensitive credentials. Kong’s controller reads these secrets from the Kubernetes API server and loads them into Kong.
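# create the secret containing the credential and credential-type
# (kongCredType names the credential type; key holds the API key)
$ kubectl create secret generic harry-apikey \
    --from-literal=kongCredType=key-auth \
    --from-literal=key=my-sooper-secret-key
# associate it with an existing or new KongConsumer using the
# credentials array (the consumer name and username "harry" are illustrative)
$ echo "apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: harry
username: harry
credentials:
- harry-apikey" | kubectl apply -f -
# use the API key to authenticate against a service
$ curl -i -H 'apikey: my-sooper-secret-key' $PROXY_IP/foo/status/200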
We have also added support for validating the above secrets as they are created, using the Admission Controller that ships with Kong for K8s.
KongCredential CRD is now deprecated and will be removed in a future release. Users are encouraged to use Secrets for storing credentials.
Native gRPC Routing
gRPC traffic can now be routed via Kong for K8s natively with support for method-based routing. This can be enabled via the path field in the Ingress spec, which corresponds to the gRPC method name when the Ingress resource is annotated with gRPC as the protocol.
All logging and observability plugins can be enabled on the gRPC traffic to monitor and get insights into the traffic as gRPC requests are routed via Kong. We will be adding gRPC support to the wide array of authentication, traffic throttling, and transformation plugins – stay tuned!
Mutual Authentication Using mTLS
The connection between Kong for K8s and Kubernetes services can now be encrypted and authenticated using mTLS. You can use this to further lock down access to your services.
You can enable this feature for all the services in Kubernetes or on a case-by-case basis.
Plugins for Combinations of Consumer and Service
Plugins can now be created for a combination of Ingress and a KongConsumer or a Service and a KongConsumer. This allows for cases where a specific client of an API needs special treatment. A good example here is rate-limiting your users based on different tiers of your services (based on your SLAs/pricing) or giving a specific customer a higher rate-limit on a specific endpoint. Simply apply the same plugins.konghq.com annotation on the resources you’d like to configure the plugin for, and the controller will figure the rest out for you.
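The "higher rate-limit for one customer on one endpoint" case described above, as an added example that is not part of the original post: a single KongPlugin referenced by the same plugins.konghq.com annotation on both an Ingress and a KongConsumer. The resource names, path, backend service, limit value and the Ingress apiVersion are assumptions.

```yaml
# Added example; resource names, path, backend and limits are assumed.
# One rate-limiting plugin, scoped to the combination of the two
# resources that carry its name in the plugins.konghq.com annotation.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: gold-tier-rate-limit        # hypothetical plugin name
plugin: rate-limiting
config:
  minute: 600                       # constructed value for the higher tier
  policy: local
---
# The Ingress (endpoint) the higher limit is tied to.
apiVersion: extensions/v1beta1      # assumed Ingress API version
kind: Ingress
metadata:
  name: orders-api                  # hypothetical
  annotations:
    plugins.konghq.com: gold-tier-rate-limit
spec:
  rules:
  - http:
      paths:
      - path: /orders               # hypothetical endpoint
        backend:
          serviceName: orders       # hypothetical backend Service
          servicePort: 80
---
# The consumer that gets the higher limit, on that Ingress only.
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: harry
  annotations:
    plugins.konghq.com: gold-tier-rate-limit
username: harry
```

Kong can only attribute a request to a consumer after an authentication plugin such as key-auth has identified it, so the same route also needs one enabled for the per-consumer limit to take effect.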
By default, Kong for K8s now runs in in-memory mode without a database. This means that the Kubernetes datastore is now the source of truth. This also reduces the operational burden of running Kong and simplifies management and upgrades, as there is no need to worry about the database anymore.
The controller will also consume less memory, and the number of sync events to Kong should reduce by at least an order of magnitude, further increasing Kong’s performance.
Controller Configuration Revamped
Configuration of the Kong for K8s Kubernetes Controller itself can now be tweaked via both environment flags and CLI flags. Environment variables and Secrets can be used to pass sensitive information to the controller. Each flag has a corresponding environment variable (simply prefix the flag name with
Services with multiple ports are now supported and can be flexibly exposed to the outside world via Kong for K8s. This was a long-standing ask from the community and our enterprise users alike. Thank you @rainest for contributing this feature!
The host header sent to the Kubernetes service can now be tweaked using the KongIngress resource.
For a complete list of changes and new features for this latest release of Kong for K8s, please consult the changelog document.
Kong for K8s works in a variety of deployments and runtimes. For a complete view of Kong for K8s compatibility, please see the compatibility document.
You can try out Kong for K8s using our lab environment, available for free to all at konglabs.io/kubernetes.
You can install Kong for K8s on your Kubernetes cluster with one click:
$ kubectl apply -f https://bit.ly/k4k8s
# or, using Helm:
$ helm repo update
$ helm install stable/kong
Alternatively, if you want to use your own Kubernetes cluster, follow our getting started guide to get your hands dirty.