WHY GARTNER’S “CONTEXT MESH” CHANGES EVERYTHING AI CONNECTIVITY: THE ROAD AHEAD DON’T MISS API + AI SUMMIT 2026 SEPT 30 – OCT 1
We're Entering the Age of AI Connectivity [Read more](/blog/news/the-age-of-ai-connectivity)Read moreProducts & Agents:
[Engineering](/blog/engineering)Engineering
June 16, 2021
7 min read

# Using Kong Kubernetes Ingress Controller as an API Gateway

Viktor Gamov

*In this first section, I'll provide a quick overview of the business case and the tools you can use to create a Kubernetes ingress API gateway. If you're already familiar, you could skip ahead to the *[tutorial section](https://konghq.com/blog/engineering/kubernetes-ingress-api-gateway#use-case)tutorial section* or watch the video at the bottom of this article.*

## Kubernetes Microservice Architecture

Digital transformation has led to a high velocity of data moving through APIs to applications and devices. Companies with legacy infrastructures are experiencing inconsistencies, failures and increased costs. And most importantly, dissatisfied customers.

All this has led to significant restructuring and [modernization of API technologies](https://konghq.com/blog/evolution-apis-cloud-age-beyond)modernization of API technologies, especially within IT. A primary strategy is to embrace Kubernetes and decouple [monolithic systems](https://konghq.com/blog/learning-center/monolith-vs-microservices)monolithic systems. On top of that, IT leadership is tasking DevOps teams to find systems, like an [API gateway](https://konghq.com/blog/learning-center/what-is-an-api-gateway)API gateway or [Kubernetes ingress controller](https://konghq.com/blog/learning-center/what-is-a-kubernetes-ingress-controller)Kubernetes ingress controller, to support API traffic growth while minimizing costs.

API gateways are crucial components of [microservice architectures](https://konghq.com/blog/learning-center/what-are-microservices)microservice architectures. The API gateway acts as a single entry point into a distributed system, providing a unified interface for clients who don’t need to care (or know) that the system aggregates their API call response from multiple microservices.

### Some everyday use cases for API gateways include:

  • - Routing inbound requests to the appropriate microservice
  • - Presenting a unified interface to a distributed architecture by aggregating responses from multiple backend services
  • - Transforming microservice responses into the format required by the caller
  • - Implementing non-functional/policy concerns such as authentication, logging, monitoring and observability, [API rate limiting](https://konghq.com/blog/learning-center/what-is-api-rate-limiting)API rate limiting, IP filtering, and attack mitigation
  • - Facilitating deployment strategies such as blue/green or canary releases

*API gateways can simplify the development and maintenance of a *[*kubernetes architecture*](https://konghq.com/blog/learning-center/kubernetes-architecture)*kubernetes architecture**. As a result, freeing up development teams to focus on the business logic of individual components.*

Many companies select a [Kubernetes API gateway](https://docs.konghq.com/kubernetes-ingress-controller/latest/concepts/gateway-api/)Kubernetes API gateway at the beginning or partway through their transition to multi-cloud. Doing so makes it necessary to choose a solution that can function with on-prem services and the cloud.

How an API Gateway works

## **What is Kubernetes?**

[Kubernetes](https://konghq.com/blog/learning-center/what-is-kubernetes)Kubernetes is becoming the hosting platform of choice for distributed architectures. It offers auto-scaling, fault tolerance and zero-downtime deployments out of the box.

By providing a widely accepted, standard approach with a carefully designed API gateway, Kubernetes has spawned a thriving ecosystem of products and tools that make it much easier to deploy and maintain complex systems.

## **Kong Kubernetes Ingress Controller**

As a native Kubernetes application, Kong is installed and managed precisely as any other Kubernetes resource. It integrates well with other [CNCF](https://www.cncf.io)CNCF projects and automatically updates itself with zero downtime in response to cluster events like pod deployments. There’s also a great [plugin ecosystem](https://docs.konghq.com/hub/)plugin ecosystem and native [gRPC](https://grpc.io)gRPC support.

This tutorial will walk through how easy it is to set up the open source [Kong Ingress Controller](https://konghq.com/products/kong-ingress-controller)Kong Ingress Controller as a Kubernetes API gateway on a cluster.

## API Gateways vs. K8s Ingress Compared: Know Your Best-Fit Solution

[Download Now](/resources/e-book/api-gateways-vs-kubernetes-ingress)Download Now

## Use Case: Routing API Calls to Backend Services

To keep this article to a manageable size, I will only cover a single, straightforward use case.

Routing with Kong Gateway

Kong foo/bar routing


I will create a Kubernetes cluster, deploy two dummy microservices, "foo" and "bar," install and configure Kong to route inbound calls to /foo to the foo microservice and send calls to /bar to the bar microservice.

The information in this post barely scratches the surface of what you can do with Kong, but it’s a good starting point.

### **Prerequisites**

There are a few things you’ll need to work through in this article.

In this tutorial, I'm going to create a "real" Kubernetes cluster on [DigitalOcean](https://digitalocean.com)DigitalOcean because it’s quick and easy, and I like to keep things as close to real-world scenarios as possible. If you want to work locally, you can use [minikube](https://minikube.sigs.k8s.io/docs)minikube or [KinD](https://kind.sigs.k8s.io)KinD. You will need to fake a load-balancer, though, either using the [minikube tunnel](https://minikube.sigs.k8s.io/docs/handbook/accessing/#loadbalancer-access)minikube tunnel or setting up a port forward to the API gateway.

For DigitalOcean, you will need:

To build and push docker images representing our microservices, you will need:

*Note: Optional because you can deploy the images I’ve already created.*

You will also need [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl)kubectl to access the Kubernetes cluster.

### **Setting Up doctl**

After installing doctl, you’ll need to authenticate using the DigitalOcean API token:

$ doctl auth init
...
Enter your access token:  <-- paste your API token, when prompted
Validating token... OK

### **Create Kubernetes Cluster**

Now that you have authenticated doctl, you can create your Kubernetes cluster with this command:

$ doctl kubernetes cluster create mycluster --size s-1vcpu-2gb --count 1

*Note: The command spins up a Kubernetes cluster on DigitalOcean. Doing so will incur charges (approximately $0.01/hour, at the time of writing) as long as it is running. Please remember to destroy any resources you create when you finish with them.*

The command creates a cluster with a single worker node of the smallest viable size in the New York data center. It's the smallest and simplest cluster (and also the cheapest to run). You can explore other options by running doctl kubernetes –help.

The command will take several minutes to complete, and you should see an output like this:

$ doctl kubernetes cluster create mycluster --size s-1vcpu-2gb --count 1
Notice: Cluster is provisioning, waiting for cluster to be running
....................................................
Notice: Cluster created, fetching credentials
Notice: Adding cluster credentials to kubeconfig file found in "/Users/david/.kube/config"
Notice: Setting current-context to do-nyc1-mycluster
ID                                      Name         Region    Version        Auto Upgrade    Status     Node Pools
4cf2159a-01c1-423c-907d-51f19c3f9a01    mycluster    nyc1      1.20.2-do.0    false           running    mycluster-default-pool

As you can see, the command automatically adds cluster credentials and a context to the ~/.kube/config file, so you should be able to access your cluster using kubectl:

$ kubectl get namespace
NAME              STATUS   AGE
default           Active   24m
kube-node-lease   Active   24m
kube-public       Active   24m
kube-system       Active   24m

### **Create Dummy Microservices**

To represent backend microservices, I’m going to use a trivial [Python Flask](https://pypi.org/project/Flask)Python Flask application that returns a JSON string:

*foo.py*

from flask import Flask
app = Flask(__name__)

@app.route('/foo')
def hello():
    return '{"msg":"Hello from the foo microservice"}'

if __name__ == "__main__":
    app.run(debug=True, host='0.0.0.0')

This Dockerfile builds a docker image you can deploy:

*Dockerfile*

FROM python:3-alpine

WORKDIR /app

RUN echo "Flask==1.1.1" > requirements.txt
RUN pip install -r requirements.txt
COPY foo.py .

EXPOSE 5000

CMD ["python", "foo.py"]

The files for our "foo" and "bar" services are almost identical, so I’m only going to show the "foo" files here.

[This gist](https://gist.github.com/digitalronin/424134ef9a68a11ddcccaed3878b7c68)This gist contains files and a script to build foo and bar microservices docker images and push them to Docker Hub as:

  • - digitalronin/foo-microservice:0.1
  • - digitalronin/bar-microservice:0.1

*Note: You don’t have to build and push these images. You can just use the ones I’ve already created.*

### **Deploy Dummy Microservices**

You’ll need a manifest that defines a [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment)Deployment and a [Service](https://kubernetes.io/docs/concepts/services-networking/service)Service for each microservice, both for "foo" and "bar." The manifest for "foo" (again, I’m only showing the "foo" example here, since the "bar" file is nearly identical) would look like this:

*foo.yaml*

apiVersion: apps/v1
kind: Deployment
metadata:
  name: foo-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: foo
  template:
    metadata:
      labels:
        app: foo
    spec:
      containers:
      - name: api
        image: digitalronin/foo-microservice:0.1
        ports:
        - containerPort: 5000
---
apiVersion: v1
kind: Service
metadata:
  name: foo-service
  labels:
    app: foo-service
spec:
  ports:
  - port: 5000
    name: http
    targetPort: 5000
  selector:
    app: foo

[This gist](https://gist.github.com/digitalronin/401910f3848f92bb32fb129273a0c889)This gist has manifests for both microservices, which you can download and deploy to your cluster like this:

$ kubectl apply -f foo.yaml
$ kubectl apply -f bar.yaml

### **Access the Services**

You can check that the microservices are running correctly using a port forward:

$ kubectl port-forward service/foo-service 5000:5000

Then, in a different terminal:

$ curl http://localhost:5000/foo
{"msg":"Hello from the foo microservice"}

Ditto for bar, also using port 5000.

### **Install Kong for Kubernetes**

Now that you have our two microservices running in our Kubernetes cluster, let’s [install Kong](https://konghq.com/install)install Kong.

There are several options for this, which you will find in the [documentation](https://docs.konghq.com/kubernetes-ingress-controller/1.1.x/deployment/minikube)documentation. I’m going to apply the manifest directly, like this:

$ kubectl create -f https://bit.ly/k4k8s

The last few lines of output should look like this:

...
service/kong-proxy created
service/kong-validation-webhook created
deployment.apps/ingress-kong created

*Note: You may receive several API deprecation warnings at this point, which you can ignore. Kong's choice of API versions allows Kong Ingress Controller to support the broadest range of Kubernetes versions possible.*

Installing Kong will create a DigitalOcean [load balancer](https://www.digitalocean.com/products/load-balancer)load balancer. It's the internet-facing endpoint to which you will make API calls to access our microservices.

*Note: DigitalOcean load balancers incur charges, so please remember to delete your load balancer along with your cluster when you are finished.*

Creating the load balancer will take a minute or two. You can monitor its progress like this:

$ kubectl -n kong get service kong-proxy
NAME                      TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
kong-proxy                LoadBalancer   10.245.14.22    <pending>     80:32073/TCP,443:30537/TCP   71s

Once the system creates the load balancer, the EXTERNAL-IP value will change from <pending> to a real IP address:

$ kubectl -n kong get service kong-proxy
NAME                      TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                      AGE
kong-proxy                LoadBalancer   10.245.14.22    167.172.7.192   80:32073/TCP,443:30537/TCP   3m45s

For convenience, let’s export that IP number as an environment variable:

$ export PROXY_IP=167.172.7.192 # <--- use your own EXTERNAL-IP number here

Now you can check that Kong is working:

$ curl $PROXY_IP
{"message":"no Route matched with those values"}

*Note: It's the correct response because you haven’t yet told Kong what to do with any API calls it receives.*

### **Configure Kong Gateway**

You can use [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress)Ingress resources like this to configure Kong to route API calls to the microservices:

*foo-ingress.yaml*

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo
  namespace: default

spec:
  ingressClassName: kong
  rules:
  - http:
      paths:
      - path: /foo
        pathType: Prefix
        backend:
          service:
            name: foo-service
            port:
              number: 5000

[This gist](https://gist.github.com/digitalronin/4ea0c04689244f1fd79a51de7ea1cd72)This gist defines ingresses for both microservices. Download and apply them:

$ kubectl apply -f foo-ingress.yaml
$ kubectl apply -f bar-ingress.yaml

Now, Kong will route calls to /foo to the foo microservice and /bar to bar.

You can check this using curl:

$ curl $PROXY_IP/foo
{"msg":"Hello from the foo microservice"}

$ curl $PROXY_IP/bar
{"msg":"Hello from the bar microservice"}

## What Else Can You Do?

In this article, I have:

  • - Deployed a Kubernetes cluster on DigitalOcean
  • - Created Docker images for two dummy microservices, “foo” and “bar”
  • - Deployed the microservices to the Kubernetes cluster
  • - Installed the Kong Ingress Controller
  • - Configured Kong to route API calls to the appropriate backend microservice

I've demonstrated one simple use of Kong, but it’s only a starting point. With [Kong for Kubernetes](https://konghq.com/products/kong-enterprise/kong-kubernetes)Kong for Kubernetes, here are several examples of other things you can do:

**Authentication**

By adding an [authentication](https://docs.konghq.com/kubernetes-ingress-controller/1.1.x/guides/configure-acl-plugin)authentication plugin to Kong, you can require your API callers to provide a valid JSON Web Token ([JWT](https://en.wikipedia.org/wiki/JSON_Web_Token)JWT) and check each call against an Access Control List ([ACL](https://en.wikipedia.org/wiki/Access-control_list)ACL) to ensure callers are entitled to perform the relevant operations.

**Certificate management**

You can enable [integration with cert-manager](https://docs.konghq.com/kubernetes-ingress-controller/1.1.x/guides/cert-manager)integration with cert-manager to provision and auto-renew SSL certificates for your API endpoints so that all your API traffic is encrypted as it travels over the public internet.

**gRPC support**

Kong natively supports [gRPC](https://grpc.io)gRPC, so it’s easy to [add gRPC support](https://docs.konghq.com/kubernetes-ingress-controller/1.1.x/guides/using-ingress-with-grpc)add gRPC support to your API.

You can do a **lot** more with Kong, and I’d encourage you to look at the [documentation](https://docs.konghq.com/kubernetes-ingress-controller/1.1.x/deployment/minikube)documentation and start to explore some of the other features.

The API gateway is a crucial part of a microservices architecture, and the Kong Ingress Controller is well suited for this role in a Kubernetes cluster. You can manage it in the same way as any other Kubernetes resource.

## Cleanup

Don’t forget to destroy your Kubernetes cluster when you are finished with it so that you don’t incur unnecessary charges:

$ kubectl delete -f https://bit.ly/k4k8s  # <-- this will destroy the load-balancer

$ doctl kubernetes cluster delete mycluster
Warning: Are you sure you want to delete this Kubernetes cluster? (y/N) ? y
Notice: Cluster deleted, removing credentials
...

*Note: If you delete the cluster first, the load balancer will be left behind. You can delete any leftover resources via the *[*DigitalOcean web interface*](https://cloud.digitalocean.com)*DigitalOcean web interface**.*

Have questions or want to stay in touch with the Kong community? Join us wherever you hang out:

[Star us on GitHub](https://github.com/Kong/kong)Star us on GitHub

🐦 [Follow us on Twitter](https://twitter.com/thekonginc)Follow us on Twitter

🌎 [Join the Kong Community](https://konghq.com/community?utm_source=newsletter&utm_medium=email&utm_campaign=community)Join the Kong Community

🍻 [Join our Meetups](https://www.meetup.com/pro/kong)Join our Meetups

❓ ️[Ask and answer questions on Kong Nation](https://discuss.konghq.com)Ask and answer questions on Kong Nation

💯 [Apply to become a Kong Champion](https://konghq.com/kong-champions?utm_source=newsletter&utm_medium=email&utm_campaign=community)Apply to become a Kong Champion

**This content contains a video which can not be displayed in Agent mode**

Once you’ve finished setting up Kong Ingress Controller, you may find these other Kubernetes tutorials helpful:

**Topics**
- [Kubernetes](/blog/tag/kubernetes)Kubernetes- [API Gateway](/blog/tag/api-gateway)API Gateway- [Ingress](/blog/tag/ingress)Ingress
Viktor Gamov

Recommended posts

## Ready to see Kong in action?

Get a personalized walkthrough of Kong's platform tailored to your architecture, use cases, and scale requirements.

[Get a Demo](/contact-sales)Get a Demo