Edit this page
Report an issueGetting started with the Kong Ingress Controller
Overview
Deploy an upstream HTTP application, create a configuration group, add a route, and add a plugin using Kong Gateway and Kong Ingress Controller.
Installation
Follow the deployment documentation to install the Kong Ingress Controller on the Kubernetes cluster.
Installing the Gateway APIs
If you wish to use the Gateway APIs examples, follow the supplemental Gateway APIs installation instructions.
Testing connectivity to Kong Gateway
Ensure that the PROXY_IP environment variable is
set to contain the IP address or URL pointing to Kong Gateway.
The deployment guide that you used to install the Kong Ingress Controller on the Kubernetes cluster provides the instructions to configure this environment variable.
If everything is set correctly, a request to Kong Gateway returns
a HTTP 404 Not Found status code:
curl -i $PROXY_IP
The results should look like this:
HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 48
X-Kong-Response-Latency: 0
Server: kong/3.0.0
{"message":"no Route matched with those values"}
This is expected because Kong Gateway doesn’t know how to proxy the request yet.
Deploy an upstream HTTP application
To proxy requests, you need an upstream application to send a request to. Deploying this echo server provides a simple application that returns information about the Pod it’s running in:
echo "
apiVersion: v1
kind: Service
metadata:
labels:
app: echo
name: echo
spec:
ports:
- port: 1025
name: tcp
protocol: TCP
targetPort: 1025
- port: 1026
name: udp
protocol: TCP
targetPort: 1026
- port: 1027
name: http
protocol: TCP
targetPort: 1027
selector:
app: echo
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: echo
name: echo
spec:
replicas: 1
selector:
matchLabels:
app: echo
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: echo
spec:
containers:
- image: kong/go-echo:latest
name: echo
ports:
- containerPort: 1027
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
resources: {}
" | kubectl apply -f -
The results should look like this:
service/echo created
deployment.apps/echo created
Create a configuration group
Ingress and Gateway APIs controllers need a configuration that indicates which set of routing configuration they should recognize. This allows multiple controllers to coexist in the same cluster. Before creating individual routes, you need to create a class configuration to associate routes with:
Kong Ingress Controller recognizes the kong IngressClass and
konghq.com/kic-gateway-controller GatewayClass
by default. Setting the CONTROLLER_INGRESS_CLASS or
CONTROLLER_GATEWAY_API_CONTROLLER_NAME environment variable to
another value overrides these defaults.
Add routing configuration
Create routing configuration to proxy /echo requests to the echo server:
Test the routing rule:
curl -i -H 'Host:kong.example' $PROXY_IP/echo
The results should look like this:
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 140
Connection: keep-alive
Date: Fri, 21 Apr 2023 12:24:55 GMT
X-Kong-Upstream-Latency: 0
X-Kong-Proxy-Latency: 1
Via: kong/3.2.2
Welcome, you are connected to node docker-desktop.
Running on Pod echo-7f87468b8c-tzzv6.
In namespace default.
With IP address 10.1.0.237.
...
If everything is deployed correctly, you should see the above response. This verifies that Kong Gateway can correctly route traffic to an application running inside Kubernetes.
Add TLS configuration
The routing configuration can include a certificate to present when clients connect over HTTPS. This is not required, as Kong Gateway will serve a default certificate if it cannot find another, but including TLS configuration along with routing configuration is typical.
-
Create a test certificate for the
kong.examplehostname.The results should look like this:
Older OpenSSL versions, including the version provided with OS X Monterey, require using the alternative version of this command.
- Create a Secret containing the certificate.
kubectl create secret tls kong.example --cert=./server.crt --key=./server.keyThe results should look like this:
secret/kong.example created -
Update your routing configuration to use this certificate.
The results should look like this:
-
Send requests to verify if the configured certificate is served.
curl -ksv https://kong.example/echo --resolve kong.example:443:$PROXY_IP 2>&1 | grep -A1 "certificate:"The results should look like this:
* Server certificate: * subject: CN=kong.example
Using plugins on Ingress / Gateway API Routes
-
Setup a KongPlugin resource.
echo " apiVersion: configuration.konghq.com/v1 kind: KongPlugin metadata: name: request-id config: header_name: my-request-id echo_downstream: true plugin: correlation-id " | kubectl apply -f -The results should look like this:
kongplugin.configuration.konghq.com/request-id created -
Update your route configuration to use the new plugin.
The results should look like this:
Kong now applies your plugin configuration to all routes associated with this resource.
-
To verify, send another request through the proxy.
curl -i http://kong.example/echo --resolve kong.example:80:$PROXY_IPThe results should look like this:
HTTP/1.1 200 OK Content-Type: text/plain; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Date: Thu, 10 Nov 2022 22:33:14 GMT Server: echoserver my-request-id: ea87894d-7f97-4710-84ae-cbc608bb8107#2 X-Kong-Upstream-Latency: 0 X-Kong-Proxy-Latency: 0 Via: kong/3.1.1 Hostname: echo-fc6fd95b5-6lqnc Pod Information: node name: kind-control-plane pod name: echo-fc6fd95b5-6lqnc pod namespace: default pod IP: 10.244.0.9 ... Request Headers: ... my-request-id=ea87894d-7f97-4710-84ae-cbc608bb8107#2 ...Requests that match the
echoIngress or HTTPRoute now include amy-request-idheader with a unique ID in both their request headers upstream and their response headers downstream.
Using plugins on Services
Kong can also apply plugins to Services. This allows you execute the same plugin configuration on all requests to that Service, without configuring the same plugin on multiple Ingresses.
-
Create a KongPlugin resource.
echo " apiVersion: configuration.konghq.com/v1 kind: KongPlugin metadata: name: rl-by-ip config: minute: 5 limit_by: ip policy: local plugin: rate-limiting " | kubectl apply -f -The results should look like this:
kongplugin.configuration.konghq.com/rl-by-ip created -
Apply the
konghq.com/pluginsannotation to the Kubernetes Service that needs rate-limiting.kubectl annotate service echo konghq.com/plugins=rl-by-ipThe results should look like this:
service/echo annotatedKong now enforces a rate limit to requests proxied to this Service.
-
To verify, send a request.
curl -i http://kong.example/echo --resolve kong.example:80:$PROXY_IPThe results should look like this:
HTTP/1.1 200 OK Content-Type: text/plain; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-RateLimit-Remaining-Minute: 4 RateLimit-Limit: 5 RateLimit-Remaining: 4 RateLimit-Reset: 13 X-RateLimit-Limit-Minute: 5 Date: Thu, 10 Nov 2022 22:47:47 GMT Server: echoserver my-request-id: ea87894d-7f97-4710-84ae-cbc608bb8107#3 X-Kong-Upstream-Latency: 1 X-Kong-Proxy-Latency: 1 Via: kong/3.1.1 Hostname: echo-fc6fd95b5-6lqnc Pod Information: node name: kind-control-plane pod name: echo-fc6fd95b5-6lqnc pod namespace: default pod IP: 10.244.0.9 ...
Next steps
- To learn how to secure proxied routes, see the ACL and JWT Plugins Guide.
- The External Services Guide explains how to proxy services outside of your Kubernetes cluster.
- Gateway API is a set of resources for configuring networking in Kubernetes. The Kong Ingress Controller supports Gateway API by default. To learn how to use Gateway API supported by the Kong Ingress Controller, see Using Gateway API.
