You are browsing documentation for an outdated version. See the latest documentation here.

Kong Mesh with OpenShift

To install and run Kong Mesh on OpenShift:

Download Kong Mesh
Run Kong Mesh
Verify the Installation

Finally, you can follow the Quickstart to take it from here and continue your Kong Mesh journey.

Prerequisites

You have a license for Kong Mesh.

1. Download Kong Mesh

To run Kong Mesh on OpenShift, you need to download a compatible version of Kong Mesh for the machine from which you will be executing the commands.

Script

Manually

You can run the following script to automatically detect the operating system and download Kong Mesh:

$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION=1.6.4 sh -

You can also download the distribution manually. Download a distribution for the client host from where you will be executing the commands to access Kubernetes:

Then, extract the archive with:

$ tar xvzf kong-mesh-1.6.4*.tar.gz

2. Run Kong Mesh

Navigate to the bin folder:

$ cd kong-mesh-1.6.4/bin

We suggest adding the kumactl executable to your PATH so that it’s always available in every working directory. Alternatively, you can also create a link in /usr/local/bin/ by executing:

$ ln -s ./kumactl /usr/local/bin/kumactl

Then, run the control plane on OpenShift with:

OpenShift 4.x

OpenShift 3.11

kumactl install control-plane --cni-enabled --license-path=/path/to/license.json | oc apply -f -

Starting from version 4.1, OpenShift uses nftables instead of iptables. So, using init container for redirecting traffic to the proxy no longer works. Instead, we use kuma-cni, which can be installed with the --cni-enabled flag.

By default, MutatingAdmissionWebhook and ValidatingAdmissionWebhook are disabled on OpenShift 3.11.

To make them work, add the following pluginConfig into /etc/origin/master/master-config.yaml on the master node:

admissionConfig:
  pluginConfig:
    MutatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission
    ValidatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission

After updating master-config.yaml, restart the cluster and install control-plane:

$ ./kumactl install control-plane --license-path=/path/to/license.json | oc apply -f -

Where /path/to/license.json is the path to a valid Kong Mesh license file on the file system.

This example will run Kong Mesh in standalone mode for a flat deployment, but there are more advanced deployment modes like multi-zone.

It may take a while for OpenShift to start the Kong Mesh resources. You can check the status by running:

$ oc get pod -n kong-mesh-system

3. Verify the Installation

Now you can access the control plane with the GUI, oc, the HTTP API, or the CLI:

GUI (Read-Only)

oc (Read & Write)

HTTP API (Read-Only)

kumactl (Read-Only)

Kong Mesh ships with a read-only GUI that you can use to retrieve Kong Mesh resources. By default, the GUI listens on the API port 5681 and defaults to :5681/gui.

To access Kong Mesh, port-forward the API service with:

$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681

Navigate to 127.0.0.1:5681/gui to see the GUI.

You can use Kong Mesh with oc to perform read and write operations on Kong Mesh resources. For example:

$ oc get meshes

NAME          AGE
default       1m

Or, you can enable mTLS on the default Mesh with:

$ echo "apiVersion: kuma.io/v1alpha1
  kind: Mesh
  metadata:
    name: default
  spec:
    mtls:
      enabledBackend: ca-1
      backends:
      - name: ca-1
        type: builtin" | oc apply -f -

Kong Mesh ships with a read-only HTTP API that you use to retrieve Kong Mesh resources. By default, the HTTP API listens on port 5681.

To access Kong Mesh, port-forward the API service with:

$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681

Now you can navigate to 127.0.0.1:5681 to see the HTTP API.

You can use the kumactl CLI to perform read-only operations on Kong Mesh resources. The kumactl binary is a client to the Kong Mesh HTTP API. To use it, first port-forward the API service with:

$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681

Then run kumactl. For example:

$ kumactl get meshes

NAME          mTLS      METRICS      LOGGING   TRACING
default       off       off          off       off

You can configure kumactl to point to any remote kuma-cp instance by running:

$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681

Notice that Kong Mesh automatically creates a Mesh entity with the name default.

Kong Mesh explicitly specifies a UID for the kuma-dp sidecar to avoid capturing traffic from kuma-dp itself. You must grant a nonroot Security Context Constraint to the application namespace:

$ oc adm policy add-scc-to-group nonroot system:serviceaccounts:<app-namespace>

If the namespace is not configured properly, you will see the following error on the Deployment or DeploymentConfig:

'pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint:
[spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]'

4. Quickstart

Congratulations! You have successfully installed Kong Mesh.

Before running the Kuma Demo in the Quickstart guide, run the following command:

$ oc adm policy add-scc-to-group anyuid system:serviceaccounts:kuma-demo

One of the components in the demo requires root access, therefore it uses the anyuid instead of the nonroot permission.

The Kuma quickstart documentation is fully compatible with Kong Mesh, except that you are running Kong Mesh containers instead of Kuma containers.

To start using Kong Mesh, see the quickstart guide for Kubernetes deployments.