Kong Series 09: Introduction to and Getting Started with Kong Ingress Controller

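Until now, Kong has been managed through the Admin API. Kong exposes two main ports: the admin port 8001 and the proxy port 8000. Managing Kong mostly means configuring entities such as Services, Routes, Plugins and Consumers for upstream services; Kong then routes and controls requests to those upstream services according to the configured rules. In a Kubernetes cluster, the Admin API approach does not fit well with Kubernetes' declarative management model, so Kong provides the Kong Ingress Controller for Kubernetes environments. The Kong Ingress Controller defines four CRDs (CustomResourceDefinitions), which cover essentially every aspect of the original Admin API.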

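  • kongconsumers: Kong consumers, which give different API users distinct consumer identities.
  • kongcredentials: authentication credentials for Kong consumers.
  • kongingresses: define proxy behaviour rules; supplementary configuration for an Ingress.
  • kongplugins: plugin configuration.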

The CRDs created by Kong:

kubectl get crds
NAME                                       CREATED AT
kongconsumers.configuration.konghq.com     2019-12-15T08:02:29Z
kongcredentials.configuration.konghq.com   2019-12-15T08:02:29Z
kongingresses.configuration.konghq.com     2019-12-15T08:02:29Z
kongplugins.configuration.konghq.com       2019-12-15T08:02:29Z

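The following is the environment from Kong Series 04 (Installing Kong 1.3.0 with PostgreSQL and with Ingress Controller using Helm). The Kong Pod contains two containers: ingress-controller and kong. Kong exposes two services: gateway-kong-admin is the admin service, which supports the Admin API, and gateway-kong-proxy is the proxy service. Both services are provided by the kong container, while the API for the CRDs is provided by the ingress-controller container.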

kubectl get all -o wide
NAME                                            READY   STATUS      RESTARTS   AGE   IP            NODE        NOMINATED NODE   READINESS GATES
pod/gateway-kong-79498b67b7-plmlm               2/2     Running     5          34d   10.244.1.13   k8s-node1   <none>           <none>
pod/gateway-kong-79498b67b7-zcfh6               2/2     Running     5          34d   10.244.2.10   k8s-node2   <none>           <none>
pod/gateway-kong-init-migrations-5qdxc          0/1     Completed   0          34d   10.244.1.10   k8s-node1   <none>           <none>
pod/gateway-postgresql-0                        1/1     Running     1          34d   10.244.1.14   k8s-node1   <none>           <none>

NAME                                  TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE   SELECTOR
service/gateway-kong-admin            NodePort    10.1.6.70      <none>        8444:32444/TCP               34d   app=kong,component=app,release=gateway
service/gateway-kong-proxy            NodePort    10.1.232.237   <none>        80:32080/TCP,443:32443/TCP   34d   app=kong,component=app,release=gateway
service/gateway-postgresql            ClusterIP   10.1.161.34    <none>        5432/TCP                     34d   app=postgresql,release=gateway,role=master
service/gateway-postgresql-headless   ClusterIP   None           <none>        5432/TCP                     34d   app=postgresql,release=gateway
service/kubernetes                    ClusterIP   10.1.0.1       <none>        443/TCP                      34d   <none>

NAME                                                     READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS                IMAGES                                                                                        SELECTOR
deployment.apps/gateway-kong                             2/2     2            2           34d   ingress-controller,kong   kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller:0.6.0,kong:1.3   app=kong,component=app,release=gateway

Kong and PostgreSQL can also be deployed directly in a Kubernetes cluster. That setup does not support the Kong Ingress Controller; you simply manage Kong through the Admin API.

The following shows how to use the Kong Ingress Controller. First, reset Kong to an empty configuration.

curl -i http://192.168.1.55:32080/
HTTP/1.1 404 Not Found
Date: Sun, 22 Dec 2019 11:12:00 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 48
Server: kong/1.3.0

{"message":"no Route matched with those values"}

Create an echo service.

vi echo-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: echo
  name: echo
spec:
  ports:
  - name: http
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    app: echo
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: echo
  name: echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: echo
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: echo
    spec:
      containers:
      - image: e2eteam/echoserver:2.2
        name: echo
        ports:
        - containerPort: 8080
        env:
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: POD_IP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
        resources: {}

kubectl apply -f echo-service.yaml

Create an Ingress to define the routing rule.

vi echo-ingress.yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: echo-ingress
spec:
  rules:
  - http:
      paths:
      - path: /foo
        backend:
          serviceName: echo
          servicePort: 80    

kubectl apply -f echo-ingress.yaml

Access the echo service according to the Ingress rule.

curl -i http://192.168.1.55:32080/foo
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Date: Sun, 22 Dec 2019 11:34:02 GMT
Server: echoserver
X-Kong-Upstream-Latency: 6
X-Kong-Proxy-Latency: 13
Via: kong/1.3.0


Hostname: echo-75cf96d976-4qvx4

Pod Information:
        node name:      k8s-node1
        pod name:       echo-75cf96d976-4qvx4
        pod namespace:  default
        pod IP: 10.244.1.21

Server values:
        server_version=nginx: 1.14.2 - lua: 10015

Request Information:
        client_address=10.244.1.20
        method=GET
        real path=/
        query=
        request_version=1.1
        request_scheme=http
        request_uri=http://192.168.1.55:8080/

Request Headers:
        accept=*/*
        connection=keep-alive
        host=192.168.1.55:32080
        user-agent=curl/7.29.0
        x-forwarded-for=10.244.0.0
        x-forwarded-host=192.168.1.55
        x-forwarded-port=8000
        x-forwarded-proto=http
        x-real-ip=10.244.0.0

Request Body:
        -no body in request-

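Next, a demonstration of plugins. A plugin can be enabled on an Ingress.

First create the Correlation ID plugin. Correlation ID adds a UUID to the request headers and can also return it in the response headers, so it can be used to trace request/response pairs.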

vi correlation-id-plugin.yaml
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: request-id
config:
  header_name: my-request-id
  generator: uuid#counter
  echo_downstream: true
plugin: correlation-id

kubectl apply -f correlation-id-plugin.yaml

Create a new Ingress and apply the newly created plugin to it. Note that the Correlation ID plugin is not applied to the previous Ingress.

vi echo-ingress-2.yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: echo-ingress-2
  annotations:
    plugins.konghq.com: request-id
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /bar
        backend:
          serviceName: echo
          servicePort: 80

kubectl apply -f echo-ingress-2.yaml

Test the result by accessing the /bar path. The plugin is enabled: the header my-request-id: 6827852e-c165-4479-b5c9-a953ca3ff69b#1 has been added to both the request and the response.

curl -i -H "Host: example.com" http://192.168.1.55:32080/bar/sample
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Date: Sat, 18 Jan 2020 10:00:06 GMT
Server: echoserver
my-request-id: 6827852e-c165-4479-b5c9-a953ca3ff69b#1
X-Kong-Upstream-Latency: 5
X-Kong-Proxy-Latency: 166
Via: kong/1.3.0


Hostname: echo-75cf96d976-sl7xs

Pod Information:
        node name:      k8s-node2
        pod name:       echo-75cf96d976-sl7xs
        pod namespace:  default
        pod IP: 10.244.2.12

Server values:
        server_version=nginx: 1.14.2 - lua: 10015

Request Information:
        client_address=10.244.2.10
        method=GET
        real path=/sample
        query=
        request_version=1.1
        request_scheme=http
        request_uri=http://example.com:8080/sample

Request Headers:
        accept=*/*
        connection=keep-alive
        host=example.com
        my-request-id=6827852e-c165-4479-b5c9-a953ca3ff69b#1
        user-agent=curl/7.29.0
        x-forwarded-for=10.244.0.0
        x-forwarded-host=example.com
        x-forwarded-port=8000
        x-forwarded-proto=http
        x-real-ip=10.244.0.0

Request Body:
        -no body in request-

Access the /foo path; that request header is indeed absent.

curl -i http://192.168.1.55:32080/foo
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Date: Sat, 18 Jan 2020 09:59:10 GMT
Server: echoserver
X-Kong-Upstream-Latency: 3
X-Kong-Proxy-Latency: 17
Via: kong/1.3.0


Hostname: echo-75cf96d976-g9db2

Pod Information:
        node name:      k8s-node1
        pod name:       echo-75cf96d976-g9db2
        pod namespace:  default
        pod IP: 10.244.1.15

Server values:
        server_version=nginx: 1.14.2 - lua: 10015

Request Information:
        client_address=10.244.1.13
        method=GET
        real path=/
        query=
        request_version=1.1
        request_scheme=http
        request_uri=http://192.168.1.55:8080/

Request Headers:
        accept=*/*
        connection=keep-alive
        host=192.168.1.55:32080
        user-agent=curl/7.29.0
        x-forwarded-for=10.244.0.0
        x-forwarded-host=192.168.1.55
        x-forwarded-port=8000
        x-forwarded-proto=http
        x-real-ip=10.244.0.0

Request Body:
        -no body in request-

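Next, a demonstration of enabling a plugin on a Service. The Rate Limiting plugin configures how many requests are allowed within a given period; the configuration below sets the limit to 5 requests per minute.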

vi rate-limiting-plugin.yaml
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rl-by-ip
config:
  minute: 5
  limit_by: ip
  policy: local
plugin: rate-limiting

kubectl apply -f rate-limiting-plugin.yaml

Enable the plugin on the Service.

kubectl patch service echo \
  -p '{"metadata":{"annotations":{"plugins.konghq.com": "rl-by-ip\n"}}}'

#HTTP requests with /foo -> Kong enforces rate-limit -> echo server
curl -I http://192.168.1.55:32080/foo
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Connection: keep-alive
Date: Sun, 22 Dec 2019 12:01:10 GMT
Server: echoserver
X-RateLimit-Limit-minute: 5
X-RateLimit-Remaining-minute: 4
X-Kong-Upstream-Latency: 3
X-Kong-Proxy-Latency: 4
Via: kong/1.3.0

curl -I http://192.168.1.55:32080/foo
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Connection: keep-alive
Date: Sun, 22 Dec 2019 12:01:11 GMT
Server: echoserver
X-RateLimit-Limit-minute: 5
X-RateLimit-Remaining-minute: 3
X-Kong-Upstream-Latency: 2
X-Kong-Proxy-Latency: 0
Via: kong/1.3.0

curl -I http://192.168.1.55:32080/foo
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Connection: keep-alive
Date: Sun, 22 Dec 2019 12:01:13 GMT
Server: echoserver
X-RateLimit-Limit-minute: 5
X-RateLimit-Remaining-minute: 4
X-Kong-Upstream-Latency: 2
X-Kong-Proxy-Latency: 1
Via: kong/1.3.0

curl -I http://192.168.1.55:32080/foo
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Connection: keep-alive
Date: Sun, 22 Dec 2019 12:01:13 GMT
Server: echoserver
X-RateLimit-Limit-minute: 5
X-RateLimit-Remaining-minute: 3
X-Kong-Upstream-Latency: 2
X-Kong-Proxy-Latency: 3
Via: kong/1.3.0

curl -I http://192.168.1.55:32080/foo
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Connection: keep-alive
Date: Sun, 22 Dec 2019 12:01:14 GMT
Server: echoserver
X-RateLimit-Limit-minute: 5
X-RateLimit-Remaining-minute: 2
X-Kong-Upstream-Latency: 1
X-Kong-Proxy-Latency: 3
Via: kong/1.3.0

curl -I http://192.168.1.55:32080/foo
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Connection: keep-alive
Date: Sun, 22 Dec 2019 12:01:14 GMT
Server: echoserver
X-RateLimit-Limit-minute: 5
X-RateLimit-Remaining-minute: 1
X-Kong-Upstream-Latency: 1
X-Kong-Proxy-Latency: 3
Via: kong/1.3.0

curl -I http://192.168.1.55:32080/foo
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Connection: keep-alive
Date: Sun, 22 Dec 2019 12:01:15 GMT
Server: echoserver
X-RateLimit-Limit-minute: 5
X-RateLimit-Remaining-minute: 0
X-Kong-Upstream-Latency: 1
X-Kong-Proxy-Latency: 2
Via: kong/1.3.0

curl -I http://192.168.1.55:32080/foo
HTTP/1.1 429 Too Many Requests
Date: Sun, 22 Dec 2019 12:01:15 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 37
X-RateLimit-Limit-minute: 5
X-RateLimit-Remaining-minute: 0
Server: kong/1.3.0

curl -I http://192.168.1.55:32080/foo
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Connection: keep-alive
Date: Sun, 22 Dec 2019 12:01:16 GMT
Server: echoserver
X-RateLimit-Limit-minute: 5
X-RateLimit-Remaining-minute: 2
X-Kong-Upstream-Latency: 3
X-Kong-Proxy-Latency: 5
Via: kong/1.3.0

curl -I http://192.168.1.55:32080/foo
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Connection: keep-alive
Date: Sun, 22 Dec 2019 12:01:17 GMT
Server: echoserver
X-RateLimit-Limit-minute: 5
X-RateLimit-Remaining-minute: 1
X-Kong-Upstream-Latency: 4
X-Kong-Proxy-Latency: 4
Via: kong/1.3.0

curl -I http://192.168.1.55:32080/foo
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Connection: keep-alive
Date: Sun, 22 Dec 2019 12:01:17 GMT
Server: echoserver
X-RateLimit-Limit-minute: 5
X-RateLimit-Remaining-minute: 0
X-Kong-Upstream-Latency: 4
X-Kong-Proxy-Latency: 4
Via: kong/1.3.0

curl -I http://192.168.1.55:32080/foo
HTTP/1.1 429 Too Many Requests
Date: Sun, 22 Dec 2019 12:01:17 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 37
X-RateLimit-Limit-minute: 5
X-RateLimit-Remaining-minute: 0
Server: kong/1.3.0

curl -I http://192.168.1.55:32080/foo
HTTP/1.1 429 Too Many Requests
Date: Sun, 22 Dec 2019 12:01:18 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 37
X-RateLimit-Limit-minute: 5
X-RateLimit-Remaining-minute: 0
Server: kong/1.3.0

curl -I http://192.168.1.55:32080/foo
HTTP/1.1 429 Too Many Requests
Date: Sun, 22 Dec 2019 12:01:19 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 37
X-RateLimit-Limit-minute: 5
X-RateLimit-Remaining-minute: 0
Server: kong/1.3.0
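
In the run above, X-RateLimit-Remaining-minute goes 4, 3, 4, 3, ... and ten requests succeed although minute: 5 is configured: with policy: local each Kong node keeps its own in-memory counter, and this deployment runs two gateway-kong pods. The following added example (not part of the original post; function names are illustrative) attributes the transcribed responses to independent counters to make that visible:

```python
# Added example. OBSERVED is transcribed from the curl -I run above:
# (HTTP status, X-RateLimit-Remaining-minute) for each request, in order.
OBSERVED = [
    (200, 4), (200, 3), (200, 4), (200, 3), (200, 2), (200, 1), (200, 0),
    (429, 0), (200, 2), (200, 1), (200, 0), (429, 0), (429, 0), (429, 0),
]
LIMIT = 5  # config.minute in the rl-by-ip KongPlugin


def infer_counters(observed):
    """Greedily attribute each response to an independent counter.

    Within one window a single shared counter can only yield
    limit-1, limit-2, ..., 0 and then 429s. A response that does not
    continue a known counter must come from a different one (with
    policy: local, a different Kong node).
    Returns (number_of_counters, allowed_requests).
    """
    counters = []  # last 'remaining' value seen for each inferred counter
    allowed = 0
    for status, remaining in observed:
        if status == 429:
            # A rejection needs an exhausted counter; open one if none is known.
            if 0 not in counters:
                counters.append(0)
            continue
        if status != 200:
            raise ValueError(f"unexpected status {status}")
        allowed += 1
        if remaining + 1 in counters:
            # Continues a known counter: remaining dropped by exactly one.
            counters[counters.index(remaining + 1)] = remaining
        else:
            # Fresh counter, or one already partly used before the capture.
            counters.append(remaining)
    return len(counters), allowed


def effective_limit(limit, replicas):
    """Worst-case requests per window when every replica counts locally."""
    return limit * replicas


if __name__ == "__main__":
    nodes, allowed = infer_counters(OBSERVED)
    print(f"independent counters: {nodes}, requests allowed: {allowed}")
    print(f"configured: {LIMIT}, ceiling: {effective_limit(LIMIT, nodes)}")
```

Where the configured value must hold across all replicas, the rate-limiting plugin's cluster and redis policies share counters between nodes instead of counting per node.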

Access the /bar path; both plugins are now active at the same time.

#HTTP requests with /bar -> Kong enforces rate-limit +   -> echo-server
#   on example.com          injects my-request-id header
curl -I -H "Host: example.com" http://192.168.1.55:32080/bar/sample
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Connection: keep-alive
Date: Sun, 22 Dec 2019 12:10:21 GMT
Server: echoserver
X-RateLimit-Limit-minute: 5
X-RateLimit-Remaining-minute: 4
my-request-id: 0eee7f62-7681-45d7-85b2-3b8f8ff63a0f#3
X-Kong-Upstream-Latency: 11
X-Kong-Proxy-Latency: 27
Via: kong/1.3.0