You are browsing documentation for an outdated version. See the latest documentation here.

Kong Mesh with OpenShift

To install and run Kong Mesh on OpenShift:

  1. Download Kong Mesh
  2. Run Kong Mesh
  3. Verify the Installation

Finally, you can follow the Quickstart to take it from here and continue your Kong Mesh journey.

Prerequisites

You have a license for Kong Mesh.

1. Download Kong Mesh

To run Kong Mesh on OpenShift, you need to download a compatible version of Kong Mesh for the machine from which you will be executing the commands.

Script:

You can run the following script to automatically detect the operating system and download Kong Mesh:

$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION=1.6.4 sh -

Manually:

You can also download the distribution manually. Download a distribution for the client host from where you will be executing the commands to access Kubernetes:

  • CentOS
  • Red Hat
  • Debian
  • Ubuntu
  • macOS

Then, extract the archive with:

$ tar xvzf kong-mesh-1.6.4*.tar.gz

2. Run Kong Mesh

Navigate to the bin folder:

$ cd kong-mesh-1.6.4/bin

We suggest adding the kumactl executable to your PATH so that it’s always available in every working directory. Alternatively, you can also create a link in /usr/local/bin/ by executing:

$ ln -s "$(pwd)/kumactl" /usr/local/bin/kumactl

Then, run the control plane on OpenShift with:

OpenShift 4.x:

$ kumactl install control-plane --cni-enabled --license-path=/path/to/license.json | oc apply -f -

Starting from version 4.1, OpenShift uses nftables instead of iptables, so using an init container to redirect traffic to the proxy no longer works. Instead, use kuma-cni, which is installed with the --cni-enabled flag.

OpenShift 3.11:

By default, MutatingAdmissionWebhook and ValidatingAdmissionWebhook are disabled on OpenShift 3.11.

To make them work, add the following pluginConfig into /etc/origin/master/master-config.yaml on the master node:

admissionConfig:
  pluginConfig:
    MutatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission
    ValidatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission

After updating master-config.yaml, restart the cluster and install control-plane:

$ ./kumactl install control-plane --license-path=/path/to/license.json | oc apply -f -

Where /path/to/license.json is the path to a valid Kong Mesh license file on the file system.

This example will run Kong Mesh in standalone mode for a flat deployment, but there are more advanced deployment modes like multi-zone.

It may take a while for OpenShift to start the Kong Mesh resources. You can check the status by running:

$ oc get pod -n kong-mesh-system

3. Verify the Installation

Now you can access the control plane with the GUI, oc, the HTTP API, or the CLI:

GUI (Read-Only):

Kong Mesh ships with a read-only GUI that you can use to retrieve Kong Mesh resources. By default, the GUI listens on the API port 5681 and is served at :5681/gui.

To access Kong Mesh, port-forward the API service with:

$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681

Navigate to 127.0.0.1:5681/gui to see the GUI.

oc (Read & Write):

You can use Kong Mesh with oc to perform read and write operations on Kong Mesh resources. For example:

$ oc get meshes

NAME          AGE
default       1m

Or, you can enable mTLS on the default Mesh with:

$ echo "apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
    - name: ca-1
      type: builtin" | oc apply -f -

HTTP API (Read-Only):

Kong Mesh ships with a read-only HTTP API that you can use to retrieve Kong Mesh resources. By default, the HTTP API listens on port 5681.

To access Kong Mesh, port-forward the API service with:

$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681

Now you can navigate to 127.0.0.1:5681 to see the HTTP API.

kumactl (Read-Only):

You can use the kumactl CLI to perform read-only operations on Kong Mesh resources. The kumactl binary is a client to the Kong Mesh HTTP API. To use it, first port-forward the API service with:

$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681

Then run kumactl. For example:

$ kumactl get meshes

NAME          mTLS      METRICS      LOGGING   TRACING
default       off       off          off       off

You can configure kumactl to point to any remote kuma-cp instance by running:

$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681

Notice that Kong Mesh automatically creates a Mesh entity with the name default.
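The kumactl output above shows the default mesh with mTLS off right after installation. As an added example (not part of the Kong Mesh documentation), the following post-install check reads the kumactl get meshes table and lists every mesh without an mTLS backend. The payments mesh and the builtin/ca-1 cell shown for an enabled backend are assumptions of the constructed sample.

```shell
#!/bin/sh
# Added example (not from the Kong Mesh docs): list meshes whose mTLS column
# is "off" in the table printed by `kumactl get meshes`.

# Reads the table on stdin and prints one mesh name per line.
# Exits 2 on empty input or when the header has no NAME or mTLS column.
meshes_without_mtls() {
  awk '
    NR == 1 {
      # Find the columns by header name rather than by fixed position.
      for (i = 1; i <= NF; i++) {
        if ($i == "NAME") name_col = i
        if ($i == "mTLS") mtls_col = i
      }
      if (!name_col || !mtls_col) exit 2
      next
    }
    NF > 0 && $mtls_col == "off" { print $name_col }
    END { if (NR == 0) exit 2 }
  '
}

# Returns 0 when every mesh has mTLS enabled, 1 when at least one does not,
# and 2 when the input could not be parsed (so a failed kumactl call never
# reads as a pass).
check_mtls() {
  missing=$(meshes_without_mtls) || return 2
  if [ -n "$missing" ]; then
    for m in $missing; do echo "mTLS disabled on mesh: $m"; done
    return 1
  fi
  return 0
}

# Constructed sample: the post-install row from this page plus a hypothetical
# "payments" mesh; "builtin/ca-1" as the enabled-backend cell is an assumption.
SAMPLE_MESHES='NAME          mTLS           METRICS      LOGGING   TRACING
default       off            off          off       off
payments      builtin/ca-1   off          off       off'

# With the port-forward running, the live form is: kumactl get meshes | check_mtls
printf '%s\n' "$SAMPLE_MESHES" | check_mtls || true
```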

Kong Mesh explicitly specifies a UID for the kuma-dp sidecar to avoid capturing traffic from kuma-dp itself. You must grant a nonroot Security Context Constraint to the application namespace:

$ oc adm policy add-scc-to-group nonroot system:serviceaccounts:<app-namespace>

If the namespace is not configured properly, you will see the following error on the Deployment or DeploymentConfig:

'pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint:
[spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]'
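To read that message, the following added example (not part of the Kong Mesh documentation) extracts the rejected UID and the allowed range and prints the range in start/size form. It assumes the range comes from the namespace's openshift.io/sa.scc.uid-range annotation, as it does under the default restricted SCC; the function name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the Kong Mesh docs): summarise an SCC rejection of
# the kind quoted above. Reads the event text on stdin.
explain_scc_rejection() {
  msg=$(cat)
  # "Invalid value: <uid>" is the UID the pod spec asked for.
  uid=$(printf '%s\n' "$msg" |
    sed -n 's/.*runAsUser: Invalid value: \([0-9][0-9]*\).*/\1/p' | head -n 1)
  # "ranges: [<lo>, <hi>]" is what the matched SCC allows in this namespace.
  lo=$(printf '%s\n' "$msg" |
    sed -n 's/.*ranges: \[\([0-9][0-9]*\), *[0-9][0-9]*].*/\1/p' | head -n 1)
  hi=$(printf '%s\n' "$msg" |
    sed -n 's/.*ranges: \[[0-9][0-9]*, *\([0-9][0-9]*\)].*/\1/p' | head -n 1)
  if [ -z "$uid" ] || [ -z "$lo" ] || [ -z "$hi" ]; then
    echo "no runAsUser range rejection found"
    return 2
  fi
  size=$((hi - lo + 1))
  if [ "$uid" -ge "$lo" ] && [ "$uid" -le "$hi" ]; then
    verdict=inside
  else
    verdict=outside
  fi
  # start/size is the notation used by openshift.io/sa.scc.uid-range
  # (assumed source of the range, see the lead-in).
  echo "uid=$uid allowed=$lo-$hi uid-range=$lo/$size verdict=$verdict"
}

# Sample input: the error text quoted on this page, outer quotes removed.
SAMPLE_EVENT='pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint:
[spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]'

printf '%s\n' "$SAMPLE_EVENT" | explain_scc_rejection
```

A verdict of outside for the sidecar's UID is the case that the nonroot grant shown above resolves.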

4. Quickstart

Congratulations! You have successfully installed Kong Mesh.

Before running the Kuma Demo in the Quickstart guide, run the following command:

$ oc adm policy add-scc-to-group anyuid system:serviceaccounts:kuma-demo

One of the components in the demo requires root access, so it uses the anyuid SCC instead of the nonroot SCC.

The Kuma quickstart documentation is fully compatible with Kong Mesh, except that you are running Kong Mesh containers instead of Kuma containers.

To start using Kong Mesh, see the quickstart guide for Kubernetes deployments.

© Kong Inc. 2023