We are excited to announce the latest minor release of Kuma 2.5.0.
We’re in the last stride of publishing this release, but I believe the features we’re landing are important enough to start teasing you about it. Let’s focus on three main features:
Kong recently launched Kong Mesh Manager, the SaaS offering to manage the enterprise distribution of Kuma, Kong Mesh. To achieve this it was necessary to part with the state of the world based syncing protocol between global and zone control planes.
So contributors from Kong enhanced Kuma with a new protocol that is called “deltaKDS”.
The main addition of the protocol is that it is only sending resources that have changed instead of the entire snapshot of the environment. If you want to understand the details see the MADR
After incubating it for a release it is now running in production on Konnect and we believe it is time for everyone to leverage this stronger, more efficient and more scalable protocol.
The transition from the old to the new protocol is seamless so you don’t have to worry about it. You will also be able to revert to the v1 for the coming 2 minor versions by setting KUMA_EXPERIMENTAL_KDS_DELTA_ENABLED=false.
Since its inception, Kuma constantly strives to be a service mesh that achieves both simplicity and flexibility. We demonstrated this with our new policy API introduced in 2.0.0.
Another thing that Kuma always innovates is in multi-zone support. We are strongly convinced that for a service mesh to demonstrate its full utility it must be able to interconnect clusters and control traffic easily.
With 2.5.0 we’re introducing locality-aware load balancing as a feature in the existing MeshLoadBalancingStrategy policy.
This feature is divided into two parts:
As usual, this all relies on data plane tags you specify as a list of tags in order of preference. Kuma will first pick the endpoints that have the same tags as the client proxy. For example:
type: MeshLoadBalancingStrategy
name: localZone
spec:
targetRef:
kind: Mesh
to:
- targetRef:
kind: MeshService
name: backend
defaults:
localityAwareness:
localZone:
affinityTags:
- key: "k8s.io/node"
- key: k8s.io/az"Here traffic to the service backend will try to stay on the same node, if no instances exist on this node it will try to find instances in the same availability zone, finally if this is still not possible it will route to any other endpoint.
When routing across zones many things are at stake:
Firstly, not all services will have the same policy. Thankfully Kuma’s strongly expressive policy matching API allows very granular control of this.
Secondly, there’s symmetry in a lot of Cross-zone routing, for example, us-east fails over to us-west and vice versa. We wanted to build an api that would be expressive enough to not need to write things twice in these cases.
Thirdly, excluding is as important as including. We’ve seen recently a growing number of constraints around data sovereignty and we wanted to be able to have a global mesh with local data.
This leads us to the following API:
type: MeshLoadBalancingStrategy
name: example
spec:
targetRef:
kind: Mesh
to:
- targetRef:
kind: MeshService
name: backend
defaults:
localityAwareness:
crossZone:
failover:
- from:
zones: ["zone-1", "zone-2"]
to:
type: Only
zones: ["zone-1", "zone-2"]
- from:
zones: ["zone-3"]
to:
type: AnyExcept
zones: ["zone-1"]
- to:
type: Any We always favor traffic in the same zone. Once we do not have enough healthy instances in the same zone we’ll start load balancing to other zones in the order of priority of the elements in “failover.” Each rule has 2 sections:
“To” which defines which zones to route to. There can be 4 different types of “to” rules:
We’re now going to show how we use this new policy to define a very advanced setup:
type: MeshLoadBalancingStrategy
name: base-zone
spec:
targetRef:
kind: Mesh
to:
- targetRef:
kind: Mesh
defaults:
localityAwareness:
crossZone:
failover:
- from:
zones: ["zone-1", "zone-2"]
to:
type: Only
zones: ["zone-1", "zone-2"]
- to:
type: AnyExcept
zones: ["zone-3"]type: MeshLoadBalancingStrategy
name: zone-3-specific
spec:
targetRef:
kind: MeshSubset
tags:
kuma.io/zone: zone-3 # only impact dataplanes running in zone-3
to:
- targetRef:
kind: Mesh
defaults:
localityAwareness:
crossZone:
failover:
- to:
type: None
- targetRef:
kind: MeshService
name: service-a
defaults:
localityAwareness:
crossZone:
failover:
- to:
type: AnyWe believe that this expressiveness will enable you to define all your most advanced constraints in an expressive and powerful way. To fully understand what’s happening you can always use the inspect API and its graphical representation in the GUI.
For full details, you can check the MADR.
One of the core scalability issues of service meshes is the flexibility between being able to access a service and having a proxy configuration that grows exponentially with the number of services in your mesh.
Our answer to this has been reachable services that need to be manually added to proxies, which can be cumbersome.
However, in some environments, MeshTrafficPermission is leveraged for security purposes. There is no point in being able to connect to a service to which you don’t have access. Therefore, we’ll prune the configuration. We believe that the performance improvements of this feature can be substantial even with coarse-grained permissions at the namespace level.
To leverage this feature, make sure to enable:
KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES=true
You can also use this feature with reachableServices to obtain the best performance possible.
We’ve been working on these new policies for the past year. We've proven their expressiveness and power and would now like to move them away from beta so users can leverage them as much as possible.
While this release will be out in a few days, you can already try it out with: curl https://kuma.io/installer.sh | VERSION=2.5.0-preview.v51e90c3 sh -
You can already check out the docs here: https://kuma.io/docs/2.5.x/
Kong Mesh 2.13 delivers full support for Mesh Identity for Kubernetes and Universal mode. Plus, it's been designated as a Long Term Support release, with support for a total of 2 years. But first, what's Kong Mesh for the uninitiated? Built on top
We're very excited to announce Kong Mesh 2.12 to the world! Kong Mesh 2.12 delivers two very important features: SPIFFE / SPIRE support, which provides enterprise-class workload identity and trust models for your mesh, as well as a consistent Kuma R
We’re excited to announce the release of Kong Mesh and Kuma 2.2. This new minor release adds some long-awaited enterprise features, more incremental improvements to our UI and policies, and many more minor features and bug fixes. In order to take
We’re excited to announce the release of Kong Mesh and Kuma 2.1! In this release, we’re shipping the full suite of new and improved policies announced (and started) in 2.0. Additionally, we’re launching some more great UX improvements in the UI and a
Today we’re excited to announce the release of Kong Mesh and Kuma 2.0. With this new major release, we’re announcing the first availability of our next-generation policies, in addition to new eBPF capabilities. 2.0 is also significant as we have
We are happy to announce the release of Kong Mesh 1.9 and Kuma 1.8! This release is packed with features and improvements such as observability for builtin Gateway, a complete rewrite of the CNI and projected service account tokens support. In order
We’re excited to announce the latest release for both Kuma and Kong Mesh. This cycle, we focused on simplifying enterprise-wide mesh deployments. We strongly suggest upgrading, in order to take advantage of the latest and greatest when it comes to s