About Kong Mesh in Production
Deploying Kuma in a production environment.
After you’ve completed your initial test and assessment of Kong Mesh, it’s time to deploy Kong Mesh in your production environment. Before doing so, it’s important to understand the overall steps in the process as well as the different options you have. This guide walks you through the big picture steps and options so you can make the right decisions when it comes to deployment time.
Overview of deployment steps
Deploying Kong Mesh to a production environment involves the following steps:
- Decide which deployment topology you plan to use.
-
Install
kumactl
. - Deploy the control plane.
- Configure the data plane.
- Configure security features for Kong Mesh.
Deployment topologies
There are two deployment models that can be adopted with Kong Mesh: single-zone and multi-zone. You can use these modes to address any service mesh use case, including:
- A simple model with the service mesh running in one zone
- A more complex model where multiple Kubernetes or VM zones are involved
- A hybrid universal model where Kong Mesh runs simultaneously on Kubernetes and VMs
The following table describes some common use cases and the deployment modes you can use for them:
Use case | Recommended deployment mode |
---|---|
You want to migrate from on-premise or virtual machines to the cloud in a brownfield project. | Multi-zone |
You only intend to deploy Kong Mesh in one zone, like one Kubernetes cluster or Amazon VPC. | Single-zone |
You want to run a mix of Kubernetes and Universal zones. | Multi-zone |
You want to run workloads in different regions, clouds, and/or data centers. | Multi-zone |
kumactl
The first step after you pick your deployment mode is to install kumactl
.
kumactl
is a CLI tool that you can use to access Kong Mesh. It can do the following:
- Perform read-only operations on Kong Mesh resources on Kubernetes.
- Read and create resources in Kong Mesh in Universal mode.
The kumactl
binary is a client to the Kong Mesh HTTP API.
Control plane and data plane architecture
Once kumactl
is installed, you can use it to configure the control plane and deploy the data plane. The control plane (CP) is never on the execution path of the requests that the services exchange with each other. It’s used as a source of truth to dynamically configure the underlying data plane proxies that are deployed alongside every instance of every service that is part of the service mesh.
You can either configure a multi-zone or single-zone control plane, depending on your organization’s needs. You can deploy either a Kubernetes or Universal data plane.
Security
Kong Mesh offers many security features that you can use to ensure your service mesh is safe.
Here are a few of the main features:
- Secure the access to your Kong Mesh deployment
- Store sensitive data with secrets
- Manage access control to administrative actions executed on the Kong Mesh API Server
- Require data plane proxy authentication to obtain a configuration from the control plane
- Require zone proxy authentication to obtain a configuration from the control plane
- Configure data plane proxy membership constraints when joining a mesh