Skip to content
2023 API Summit Hackathon: Experiment with AI for APIs (August 28 - September 27) Learn More →
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Insomnia
      Collaborative API development platform
      Kuma
      Open-source distributed control plane with a bundled Envoy Proxy integration
      Docs Contribution Guidelines
      Want to help out, or found an issue in the docs and want to let us know?
  • API Specs
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Ingress Controller
2.2.x
  • Home icon
  • Kong Ingress Controller
  • Guides
  • Running the Kong Ingress Controller with Istio
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 2.11.x (latest)
  • 2.10.x
  • 2.9.x
  • 2.8.x
  • 2.7.x
  • 2.6.x
  • 2.5.x
  • 2.4.x
  • 2.3.x
  • 2.2.x
  • 2.1.x
  • 2.0.x
  • 1.3.x
  • 1.2.x
  • 1.1.x
  • 1.0.x
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Overview
    • Prerequisites
    • Download and verify Istio
    • Deploy Istio
    • Create an Istio-enabled namespace for Kong Ingress Controller
    • Deploy Kong Gateway and Kong Ingress Controller
    • Deploy BookInfo example application
    • Access BookInfo externally through Kong Gateway
    • Configure rate limiting with a Kong plugin
    • Mesh network observability with Kiali
You are browsing documentation for an outdated version. See the latest documentation here.

Running the Kong Ingress Controller with Istio

This guide walks you through deploying Kong Gateway with Kong Ingress Controller as the gateway for Istio as your service mesh solution.

See the version compatibility reference for the tested compatible versions of Kong Ingress Controller and Istio.

Overview

Istio is a popular service mesh that enables traffic management, security, and observability features for Kubernetes clusters.

With Kong Gateway and Istio, you can combine the mesh features of Istio inside your cluster with Kong’s rich feature set for ingress traffic from outside the cluster.

This guide shows how to:

  • Install Istio and Kong Gateway with Kong Ingress Controller in your cluster.
  • Deploy an example Istio-enabled application.
  • Deploy an Ingress customized with a Kong plugin for the example application.
  • Make requests to the sample application via Kong and Istio.
  • Explore the observability features of Istio to visualize cluster traffic.

Prerequisites

  • A Kubernetes cluster v1.19 or later
  • kubectl v1.19 or later
  • Helm v3.5 or later
  • cURL version 7.x.x

You can use a managed cluster from a cloud provider, such as AWS (EKS), Google Cloud (GKE), or Azure (AKS), or you can work locally with tools such as Minikube or Microk8s.

Your Kubernetes cluster must provision LoadBalancer type Services. Cloud providers generally automate LoadBalancer type Service provisioning with their default settings, but if you run your cluster elsewhere you might need to check the relevant documentation for details. See also the Kubernetes documentation
for external load balancers.

Some of the kubectl calls in this guide assume your test cluster is the current default cluster context. To check, or for more information, see the Kubernetes documentation on configuring access to multiple clusters.

Download and verify Istio

This guide shows how to install with istioctl, because it’s the community recommended method. The Istio installation guides explain alternative deployment mechanisms.

You can also explore the Istio FAQ for more information about the differences between methods. However, if you choose another installation method, you might need to adjust the examples in this guide.

  1. Download the istioctl command-line utility for your platform:

    curl -s -L https://istio.io/downloadIstio | ISTIO_VERSION=1.11.2 sh -
    

    The response includes instructions to set up the istioctl program locally and perform pre-check validation of the Istio installation.

  2. Make sure to add istioctl to your shell’s path:

    export PATH="$PATH:$PWD/istio-1.11.2/bin"
    
  3. Verify that istioctl is working, and run checks on your Kubernetes cluster to ensure Istio will deploy to it properly:

    istioctl x precheck
    

Deploy Istio

Istio provides configuration profiles to let you customize your Istio deployment, and default profiles are included with the installation. This guide works with the demo profile, which is meant for testing and evaluation.

Deploy Istio with the demo profile:

istioctl install --set profile=demo -y

Create an Istio-enabled namespace for Kong Ingress Controller

To integrate Istio’s mesh functionality in any given Kubernetes Pod, a namespace must be labeled with the istio-injection=enabled label to instruct IstioD – the main control program for Istio – to manage the pods and add them to the mesh network.

  1. Create the Istio-enabled namespace:

    kubectl create namespace kong-istio
    
  2. Enable the namespace for the Istio mesh:

    kubectl label namespace kong-istio istio-injection=enabled
    

Deploy Kong Gateway and Kong Ingress Controller

The Kong Helm Chart deploys a Pod that includes containers for Kong Gateway and Kong Ingress Controller. Here’s how to deploy it to the Istio-enabled kong-istio namespace.

  1. Make sure you have the Kong Helm repository configured locally:

    helm repo add kong https://charts.konghq.com && helm repo update
    
  2. Deploy the chart:

    helm install -n kong-istio kong-istio kong/kong
    
  3. Verify that Kong containers are deployed and the Istio sidecar container is injected properly:

    kubectl describe pod -n kong-istio -l app.kubernetes.io/instance=kong-istio
    

    The output should look like:

    Events:
      Type     Reason     From               Message
      ----     ------     ----               -------
      Normal   Scheduled  default-scheduler  Successfully assigned kong-istio/kong-istio-kong-8f875f9fd-qsv4p to gke-istio-testing-default-pool-403b2219-l5ns
      Normal   Pulled     kubelet            Container image "docker.io/istio/proxyv2:1.11.2" already present on machine
      Normal   Created    kubelet            Created container istio-init
      Normal   Started    kubelet            Started container istio-init
      Normal   Pulling    kubelet            Pulling image "kong/kubernetes-ingress-controller:1.3"
      Normal   Pulled     kubelet            Successfully pulled image "kong/kubernetes-ingress-controller:1.3" in 2.645390171s
      Normal   Created    kubelet            Created container ingress-controller
      Normal   Started    kubelet            Started container ingress-controller
      Normal   Pulling    kubelet            Pulling image "kong:2.5"
      Normal   Pulled     kubelet            Successfully pulled image "kong:2.5" in 3.982679281s
      Normal   Created    kubelet            Created container proxy
      Normal   Started    kubelet            Started container proxy
      Normal   Pulled     kubelet            Container image "docker.io/istio/proxyv2:1.11.2" already present on machine
      Normal   Created    kubelet            Created container istio-proxy
      Normal   Started    kubelet            Started container istio-proxy
    

    See also the Kubernetes documentation on using kubectl to fetch pod details.

Deploy BookInfo example application

The Istio BookInfo application provides a basic example that lets you explore and evaluate Istio’s mesh features.

As in previous steps, you create a namespace, add the appropriate label, and then deploy.

  1. Create the namespace:

    kubectl create namespace bookinfo
    
  2. Label the namespace for Istio injection:

    kubectl label namespace bookinfo istio-injection=enabled
    
  3. Deploy the BookInfo app from the Istio bundle:

    kubectl -n bookinfo apply -f istio-1.11.2/samples/bookinfo/platform/kube/bookinfo.yaml
    

    The response should look like:

    service/details created
    serviceaccount/bookinfo-details created
    deployment.apps/details-v1 created
    service/ratings created
    serviceaccount/bookinfo-ratings created
    deployment.apps/ratings-v1 created
    service/reviews created
    serviceaccount/bookinfo-reviews created
    deployment.apps/reviews-v1 created
    deployment.apps/reviews-v2 created
    deployment.apps/reviews-v3 created
    service/productpage created
    serviceaccount/bookinfo-productpage created
    deployment.apps/productpage-v1 created
    
  4. Wait until the application is up:

    kubectl -n bookinfo wait --timeout 120s --for=condition=Available deployment productpage-v1
    

Access BookInfo externally through Kong Gateway

At this point the BookInfo application is available only internally. Here’s how to expose it as a service with Ingress.

  1. Save the following as bookinfo-ingress.yaml:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: productpage
      namespace: bookinfo
    spec:
      ingressClassName: kong
      rules:
      - http:
          paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: productpage
                port:
                  number: 9080
    
  2. Apply the manifest:

    kubectl apply -f bookinfo-ingress.yaml
    
  3. To make HTTP requests using Kong Gateway as ingress, you need the IP address of the load balancer. Get the LoadBalancer address and store it in a local PROXY_IP environment variable:

    export PROXY_IP=$(kubectl -n kong-istio get svc kong-istio-kong-proxy -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')
    

    If you’re running your cluster on AWS, specify .hostname instead of .ip. This is because the AWS load balancer provides only a DNS name. This can also happen with other cluster providers.

    Make sure to check that the value of $PROXY_IP is the value of the external host. You can check with kubectl get svc kong-istio-kong-proxy.

  4. Make an external connection request:

    curl -s -v http://$PROXY_IP | head -4
    

    The response should look like:

    curl -s -v http://$PROXY_IP | head -4
    *   Trying 127.0.0.1:80...
    * Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
    > GET / HTTP/1.1
    > Host: 127.0.0.1
    > User-Agent: curl/7.76.1
    > Accept: */*
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < content-type: text/html; charset=utf-8
    < content-length: 1683
    < server: istio-envoy
    < x-envoy-upstream-service-time: 6
    < x-kong-upstream-latency: 4
    < x-kong-proxy-latency: 1
    < via: kong/2.5.0
    < x-envoy-decorator-operation: kong-istio-kong-proxy.kong-istio.svc.cluster.local:80/*
    <
    { [1079 bytes data]
    * Connection #0 to host 127.0.0.1 left intact
    <!DOCTYPE html>
    <html>
      <head>
        <title>Simple Bookstore App</title>
    

Note the following in the response:

  • <title>Simple Bookstore App</title> - connected to the BookInfo app as expected.
  • server: istio-envoy - the Istio mesh network is in use for the BookInfo product page.
  • via: kong/2.5.0 - Kong Gateway provides the connection to the backend BookInfo service.

Configure rate limiting with a Kong plugin

To demonstrate Kong features for Istio enabled services, you can create a KongPlugin to enforce Kong rate-limiting on ingress requests to the BookInfo service. The plugin adds rate limiting to the BookInfo application and limits outside access to 30 requests per minute.

  1. Save the following as bookinfo-ratelimiter.yaml:

    apiVersion: configuration.konghq.com/v1
    kind: KongPlugin
    metadata:
      name: rate-limit
      namespace: bookinfo
    plugin: rate-limiting
    config:
      minute: 30
      policy: local
    
  2. Apply the manifest:

    kubectl apply -f bookinfo-ratelimiter.yaml
    
  3. Add an annotation to the Ingress resource to attach rate limiting:

    kubectl -n bookinfo patch ingress productpage -p '{"metadata":{"annotations":{"konghq.com/plugins":"rate-limit"}}}'
    
  4. Inspect the headers in the response from the BookInfo product page:

    curl -s -v http://$PROXY_IP 2>&1 | grep ratelimit
    

    The response should look like:

    < x-ratelimit-remaining-minute: 26
    < x-ratelimit-limit-minute: 30
    < ratelimit-remaining: 26
    < ratelimit-limit: 30
    < ratelimit-reset: 2
    

For more examples of Kong features to add to your environment, see the available guides.

Mesh network observability with Kiali

For observability, Istio includes a web console called Kiali that can provide topology, health, and other features to provide insights into your application traffic.

You also need a Prometheus metrics server, and Grafana for visualization dashboards. Istio includes these as addons. Here’s what to do:

  1. Install Prometheus:

    kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.11/samples/addons/prometheus.yaml
    

    The response should look like:

    serviceaccount/prometheus created
    configmap/prometheus created
    clusterrole.rbac.authorization.k8s.io/prometheus created
    clusterrolebinding.rbac.authorization.k8s.io/prometheus created
    service/prometheus created
    deployment.apps/prometheus created
    
  2. Install Grafana:

    kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.11/samples/addons/grafana.yaml
    

    The response should look like:

    serviceaccount/grafana created
    configmap/grafana created
    service/grafana created
    deployment.apps/grafana created
    configmap/istio-grafana-dashboards created
    configmap/istio-services-grafana-dashboards created
    
  3. Install Kiali:

    kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.11/samples/addons/kiali.yaml
    

    The response should look like:

    serviceaccount/kiali created
    configmap/kiali created
    clusterrole.rbac.authorization.k8s.io/kiali-viewer created
    clusterrole.rbac.authorization.k8s.io/kiali created
    clusterrolebinding.rbac.authorization.k8s.io/kiali created
    role.rbac.authorization.k8s.io/kiali-controlplane created
    rolebinding.rbac.authorization.k8s.io/kiali-controlplane created
    service/kiali created
    deployment.apps/kiali created
    
  4. Generate traffic for the BookInfo application, to create traffic metrics to view in Kiali:

    COUNT=25 ; until [ $COUNT -le 0 ]; do curl -s -o /dev/null http://$PROXY_IP ; ((COUNT--)); done
    
  5. In a production environment, you’d access the Kiali dashboard through the Kong ingress. But this sample version of Kiali is meant for exploring only internal traffic on the cluster. You can instead use the port-forwarding functionality that istioctl provides.

    In a new terminal, run:

    istioctl dashboard kiali
    

    This runs a port-forward to Kiali in the background and opens it in your web browser. The response should look like:

    http://localhost:20001/kiali
    

    If http://localhost:20001/kiali doesn’t open automatically in your browser, navigate manually to the address.

You’re now connected to Kiali and have a window into the traffic moving across your mesh network. Familiarize yourself with Kiali and graphically view the topology for your BookInfo application’s web requests:

  • Choose Workloads from the menu on the left.
  • Select bookinfo in the Namespace drop-down menu.
  • Select the productpage-v1 service name.
  • In the top-right corner change the Last <time> dropdown to Last 1h.
  • Select the three dots button in the top-right corner of Graph Overview and select Show full graph.
  • Select kong-istio alongside bookinfo in the Namespace diagram.

You should see a connection graph that shows connections from the Kong Gateway deployed at the edge of your cluster down to the backend BookInfo application. The graph demonstrates some of the fundamental capabilities of Istio, and you can explore further with Kiali. For more information, see the Kiali Documentation.

The Istio Task Documentation also provides guides for other Istio features.

Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023