In order to give you better service we use cookies. By continuing to use our website, you agree to the use of cookies as described in our Cookie Policy

Kong Logo
search
Docs
Kong Konnect Konnect SaaS Kong Gateway (Enterprise) Kong Mesh Plugin Hub
Open Source Kong Gateway (OSS) decK Kubernetes Ingress Controller Insomnia Kuma
Support Community Kong U Demos & Labs
Get Started
Kubernetes Ingress Controller
Kubernetes Ingress Controller
1.2.x (latest)

Running the Kubernetes Ingress Controller with Istio

In this guide, you will:

  • Install Istio v1.6.7 and Kong in your cluster.
  • Deploy an example Istio-enabled application (bookinfo).
  • Deploy an Ingress customized with a KongPlugin for the example application.
  • Make several requests to the sample application via Kong and Istio.
  • See the performance metrics of the sample application, provided by Istio.

Prerequisites

For this guide, you will need:

  • A Kubernetes v1.15 (or newer) cluster which can pull container images from public registries. For example, you can use:
    • A managed Kubernetes cluster (AWS EKS, Google Cloud GKE, Azure AKS).
    • Minikube.
    • microk8s with the dns addon enabled.
  • kubectl with admin access to the cluster.

Download Istio

Download the Istio bundle at version 1.6.7:

1
2
3
4
5
6
7
8

$ curl -L https://istio.io/downloadIstio | env ISTIO_VERSION=1.6.7 sh -
...
...
Istio 1.6.7 Download Complete!                                                                                                 

Istio has been successfully downloaded into the istio-1.6.7 folder on your system.                                                                                                                                                                            
...
...

Install Istio Operator

Invoke istioctl to deploy the Istio Operator to the Kubernetes cluster:

1
2
3
4

$ ./istio-1.6.7/bin/istioctl operator init
Using operator Deployment image: docker.io/istio/operator:1.6.7
✔ Istio operator installed                                                                                                                                                                                                                                    
✔ Installation complete

Deploy Istio using Operator

Deploy Istio using Istio Operator:

1
2

$ kubectl create namespace istio-system
namespace/istio-system created

1
2
3
4
5
6
7
8
9
10

$ kubectl apply -f - <<EOF
  apiVersion: install.istio.io/v1alpha1
  kind: IstioOperator
  metadata:
    namespace: istio-system
    name: example-istiocontrolplane
  spec:
    profile: demo
EOF
istiooperator.install.istio.io/example-istiocontrolplane created

1
2
3
4
5
6
7

$ kubectl describe istiooperator -n istio-system
...
...
Status:
  Status:  RECONCILING
...
...

Wait until the kubectl describe istiooperator command returns Status: HEALTHY.

Deploy the Kubernetes Ingress Controller in an Istio-enabled namespace

1
2

$ kubectl create namespace kong-istio
namespace/kong-istio created

1
2

$ kubectl label namespace kong-istio istio-injection=enabled
namespace/kong-istio labeled

1
2
3
4
5
6
7

$ helm install -n kong-istio example-kong kong/kong --set ingressController.installCRDs=false
...
NAME: example-kong
LAST DEPLOYED: Mon Aug 10 15:14:44 2020
NAMESPACE: kong-istio
STATUS: deployed
...

Optional: Run kubectl describe pod -n kong-istio -l app.kubernetes.io/instance=example-kong to see that the Istio sidecar (istio-proxy) is running alongside the Kubernetes Ingress Controller.

Deploy bookinfo in an Istio-enabled namespace

Deploy the sample bookinfo app from the Istio bundle:

1
2

$ kubectl create namespace my-istio-app
namespace/my-istio-app created

1
2
3

$ kubectl label namespace my-istio-app istio-injection=enabled
namespace/my-istio-app labeled
kubectl apply -n my-istio-app -f istio-1.6.7/samples/bookinfo/platform/kube/bookinfo.yaml

Wait until the application is up:

1

$ kubectl wait --for=condition=Available deployment productpage -n my-istio-app --timeout=240s

Deploy ingress

Define a KongPlugin rate-limiting access to 100 requests per minute. Define an Ingress telling Kong to proxy traffic to a service belonging to the sample application:

1
2
3
4
5
6
7
8
9
10
11

$ kubectl apply -f - <<EOF
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limit
  namespace: my-istio-app
plugin: rate-limiting
config:
  minute: 30
  policy: local
EOF

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

$ kubectl apply -f - <<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: productpage
  namespace: my-istio-app
  annotations:
    konghq.com/plugins: rate-limit
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: productpage
          servicePort: 9080

Make some requests to the sample application

Connect to the sample application served via Kong and Istio.

Note that 8080:80 means that kubectl will open the tcp/8080 port on the local system and forward all requests to Kong’s port 80.

1
2
3
4
5

$ # Keep the command below running in the background
$ kubectl port-forward service/example-kong-kong-proxy 8080:80 -n kong-istio
Forwarding from 127.0.0.1:8080 -> 8000
Forwarding from [::1]:8080 -> 8000
...

Navigate your web browser to http://localhost:8080/ You should be able to see a bookstore web application. Click through any available links several times. As you hit 30 requests per minute (for example, by holding down the “Refresh” key combination, e.g. <Ctrl-R> or <Command-R>), you should obtain a Kong Error - API rate limit exceeded response.

See the connection graph in Kiali

Connect to Kiali (the Istio dashboard):

1
2
3
4
5

$ # Keep the command below running in the background
$ kubectl port-forward service/kiali 20001:20001 -n istio-system
Forwarding from 127.0.0.1:20001 -> 20001
Forwarding from [::1]:20001 -> 20001
...
  • Navigate your web browser to http://localhost:20001/.
  • Log in using the default credentials (admin/admin).
  • Choose Workloads from the menu on the left.
  • Select my-istio-app in the Namespace drop-down menu.
  • Click the productpage-v1 service name.
  • Click the three dots button in the top-right corner of Graph Overview and click Show full graph.
  • Select kong-istio alongside my-istio-app in the Namespace diagram.
  • Observe a connection graph spanning from example-kong-kong-proxy through productpage-v1 to the other sample application services such as ratings-v1 and details-v1.

See the metrics in Grafana

Connect to Grafana (a dashboard frontend for Prometheus which has been deployed with Istio):

1
2
3
4
5

$ # Keep the command below running in the background
$ kubectl port-forward service/grafana 3000:3000 -n istio-system
Forwarding from 127.0.0.1:3000 -> 3000
Forwarding from [::1]:3000 -> 3000
...
  • Navigate your web browser to http://localhost:3000/.
  • Expand the dashboard selection drop-down menu from the top of the screen. Expand the istio directory and choose the Istio Workload Dashboard from the list.
  • Choose Namespace: my-istio-app and Workload: productpage-v1 from the drop-downs.
  • Choose a timespan in the top-right of the page to include the time when you made requests to the sample application (e.g. Last 1 hour).
  • Observe the incoming and outgoing request graphs reflecting actual requests from Kong to productpage-v1, and from productpage-v1 to its backends.

Note that the requests from the web browser to Kong are not reflected in inbound stats of example-kong-kong-proxy because we’ve issued these requests by kubectl port-forward, thus bypassing the Istio proxy sidecar in Kong.

image