Integrating Kong with Kubernetes

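History of the Kong Gateway

The Kong gateway dates back to 2007, when Augusto, Marco and Michele developed it in a small garage in Italy; at the time it was called the Mashup platform. Over the following 7 years, the Mashup platform gradually came to dominate the API gateway market. In October 2017 the Mashup platform was officially renamed Kong, and Kong Enterprise was launched. In 2018 the company Kong was founded and released Kong 1.0. This write-up uses Kong 2.8.2. Kong and OpenResty are both new-generation servers built on Nginx. They retain web-server functionality but focus on extending gateway-layer features. The figure below shows the relationship among the three.

[Figure: relationship between Nginx, OpenResty and Kong]

In terms of positioning, Kong and OpenResty have a lot in common: both are extended through Lua scripts. Kong, however, builds a number of new concepts on top of OpenResty and abstracts the gateway's internal layers better, which matches how users actually work with a gateway.

In 2019 Kong Inc. released a number of products oriented towards cloud-native services. For example, the Kong gateway was upgraded to version 2.0 and integrated with Kubernetes, where it can act as an ingress controller coordinating the whole Kubernetes cluster; Kuma, a service mesh based on Envoy, reduces system complexity and improves service reliability. We expect Kong Inc. to deliver more surprises and more groundbreaking products in the future. This investigation uses Kong as the API gateway and Istio as the service-governance framework, combining the two.

The integration is sketched below; Istio is not covered in detail for now.

[Figure: Kong and Istio integration diagram]

Official site: https://konghq.com/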

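Introduction to Ingress

Inside a Kubernetes cluster, service discovery is handled by kube-dns. But how do we expose applications deployed in the cluster to external users? We know that a Service of type NodePort or LoadBalancer can expose an application to external users. Besides these, Kubernetes provides another very important resource object for exposing services externally: Ingress. For small deployments NodePort may be enough, but as the number of applications grows, managing NodePorts becomes very cumbersome. At that point Ingress is much more convenient, because it avoids managing a large number of ports.

The Ingress resource is an object built into Kubernetes. It is an entry point for reaching the cluster from outside and forwards external requests to different Services inside the cluster, so it plays much the same role as a load-balancing proxy such as nginx or haproxy. You might think plain nginx would do the job, but using nginx alone has a major drawback: how do you change the Nginx configuration every time a new service is added? We can hardly edit it by hand or roll out the front-end Nginx Pods each time. What if we add a service-discovery tool such as consul? That would seem to work. Ingress is in fact implemented this way, except that it provides service discovery itself and needs no third-party service. On top of that it adds a definition of host-name rules, and the Ingress Controller takes care of refreshing the routing information.

An Ingress Controller can be thought of as a listener: it continuously watches kube-apiserver and learns in real time about changes to backend Services and Pods. When such a change arrives, the Ingress Controller combines it with the Ingress configuration and updates the reverse-proxy load balancer, which is how service discovery is achieved. Common implementations are ingress-nginx, traefik, apisix and kong. Official documentation: https://docs.konghq.com/kubernetes-ingress-controller/latest/deployment/k4k8s/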

Installing Kong

Installing with Helm

The official documentation recommends installing with Helm. The steps are:

helm repo add kong https://charts.konghq.com
helm repo update


# Helm 3
helm install kong/kong --generate-name --set ingressController.installCRDs=false

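Also set an environment variable, which is used later to connect to Kong (the Service name and namespace in the command must match those of your own release):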

export PROXY_IP=$(kubectl get -o jsonpath="{.status.loadBalancer.ingress[0].ip}" service -n kong demo-kong-proxy)

The example from the official documentation is:

curl -i $PROXY_IP/foo
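
For the request above to be proxied rather than answered with Kong's "no Route matched" 404, an Ingress handled by Kong has to define the /foo path. The manifest below is an added example, not taken from the original page or from the Kong project; it assumes a backend Service named echo on port 80 in the default namespace (hypothetical) and that the controller serves the ingress class kong. It also attaches a rate-limiting plugin through the KongPlugin CRD that Kong's manifest defines.

```yaml
# Added example: route /foo through Kong and rate-limit it.
# Assumptions (not from the original page): Service "echo" on port 80 in
# namespace "default"; the Kong ingress controller serves class "kong".
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: foo-rate-limit          # hypothetical name
  namespace: default
plugin: rate-limiting           # "plugin" is the only field the CRD requires
config:                         # free-form object; Kong validates its content
  minute: 5                     # at most 5 requests per minute per client
  policy: local                 # counters are kept in each Kong node's memory
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo
  namespace: default
  annotations:
    # Attach the KongPlugin above to every route generated from this Ingress.
    konghq.com/plugins: foo-rate-limit
    # Strip the matched /foo prefix before forwarding to the backend.
    konghq.com/strip-path: "true"
spec:
  ingressClassName: kong        # only the Kong controller picks this up
  rules:
  - http:
      paths:
      - path: /foo
        pathType: Prefix
        backend:
          service:
            name: echo          # hypothetical backend Service
            port:
              number: 80
```

With a single Kong pod, the sixth request to $PROXY_IP/foo within a minute is answered by Kong with HTTP 429 instead of reaching the backend.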

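Accessing Kong through a dynamic IP is not very convenient. In addition, the Helm chart installs the Service as type LoadBalancer, but Kubernetes does not provide a network load balancer implementation (Services of type LoadBalancer) for bare-metal clusters. The Network LB implementations that ship with Kubernetes are all glue code that calls out to various IaaS platforms (GCP, AWS, Azure, etc.). If you are not running on a supported IaaS platform (GCP, AWS, Azure, etc.), LoadBalancers remain in the "pending" state indefinitely after creation.

MetalLB can be used to solve the EXTERNAL-IP "pending" problem; for details see: https://makeoptim.com/service-mesh/kubeadm-kubernetes-istio-setup#metallb

Installing from manifests

Kong is commonly installed with one of three datastore options: PostgreSQL (PG), Cassandra and DB-less. The manifests provided by the official project cover only PG and DB-less. The latter is configured declaratively from a YAML or JSON file and is better suited to CI/CD scenarios. Official manifest: https://github.com/Kong/kubernetes-ingress-controller/blob/main/deploy/single/all-in-one-postgres.yaml

Some changes are needed; the modified manifest is as follows: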

apiVersion: v1
kind: Namespace
metadata:
  name: kong
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.7.0
  creationTimestamp: null
  name: kongclusterplugins.configuration.konghq.com
spec:
  group: configuration.konghq.com
  names:
    kind: KongClusterPlugin
    listKind: KongClusterPluginList
    plural: kongclusterplugins
    shortNames:
    - kcp
    singular: kongclusterplugin
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - description: Name of the plugin
      jsonPath: .plugin
      name: Plugin-Type
      type: string
    - description: Age
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: Indicates if the plugin is disabled
      jsonPath: .disabled
      name: Disabled
      priority: 1
      type: boolean
    - description: Configuration of the plugin
      jsonPath: .config
      name: Config
      priority: 1
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        description: KongClusterPlugin is the Schema for the kongclusterplugins API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          config:
            description: Config contains the plugin configuration.
            type: object
            x-kubernetes-preserve-unknown-fields: true
          configFrom:
            description: ConfigFrom references a secret containing the plugin configuration.
            properties:
              secretKeyRef:
                description: NamespacedSecretValueFromSource represents the source
                  of a secret value specifying the secret namespace
                properties:
                  key:
                    description: the key containing the value
                    type: string
                  name:
                    description: the secret containing the key
                    type: string
                  namespace:
                    description: The namespace containing the secret
                    type: string
                required:
                - key
                - name
                - namespace
                type: object
            type: object
          consumerRef:
            description: ConsumerRef is a reference to a particular consumer
            type: string
          disabled:
            description: Disabled set if the plugin is disabled or not
            type: boolean
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          plugin:
            description: PluginName is the name of the plugin to which to apply the
              config
            type: string
          protocols:
            description: Protocols configures plugin to run on requests received on
              specific protocols.
            items:
              enum:
              - http
              - https
              - grpc
              - grpcs
              - tcp
              - tls
              - udp
              type: string
            type: array
          run_on:
            description: RunOn configures the plugin to run on the first or the second
              or both nodes in case of a service mesh deployment.
            enum:
            - first
            - second
            - all
            type: string
        required:
        - plugin
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.7.0
  creationTimestamp: null
  name: kongconsumers.configuration.konghq.com
spec:
  group: configuration.konghq.com
  names:
    kind: KongConsumer
    listKind: KongConsumerList
    plural: kongconsumers
    shortNames:
    - kc
    singular: kongconsumer
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Username of a Kong Consumer
      jsonPath: .username
      name: Username
      type: string
    - description: Age
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1
    schema:
      openAPIV3Schema:
        description: KongConsumer is the Schema for the kongconsumers API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          credentials:
            description: Credentials are references to secrets containing a credential
              to be provisioned in Kong.
            items:
              type: string
            type: array
          custom_id:
            description: CustomID existing unique ID for the consumer - useful for
              mapping Kong with users in your existing database
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          username:
            description: Username unique username of the consumer.
            type: string
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.7.0
  creationTimestamp: null
  name: kongingresses.configuration.konghq.com
spec:
  group: configuration.konghq.com
  names:
    kind: KongIngress
    listKind: KongIngressList
    plural: kongingresses
    shortNames:
    - ki
    singular: kongingress
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: KongIngress is the Schema for the kongingresses API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          proxy:
            description: Proxy defines additional connection options for the routes
              to be configured in the Kong Gateway, e.g. `connection_timeout`, `retries`,
              e.t.c.
            properties:
              connect_timeout:
                description: The timeout in milliseconds for establishing a connection
                  to the upstream server.
                minimum: 0
                type: integer
              path:
                description: The path to be used in requests to the upstream server.(optional)
                pattern: ^/.*$
                type: string
              protocol:
                description: The protocol used to communicate with the upstream.
                enum:
                - http
                - https
                - grpc
                - grpcs
                - tcp
                - tls
                - udp
                type: string
              read_timeout:
                description: The timeout in milliseconds between two successive read
                  operations for transmitting a request to the upstream server.
                minimum: 0
                type: integer
              retries:
                description: The number of retries to execute upon failure to proxy.
                minimum: 0
                type: integer
              write_timeout:
                description: The timeout in milliseconds between two successive write
                  operations for transmitting a request to the upstream server.
                minimum: 0
                type: integer
            type: object
          route:
            description: Route define rules to match client requests. Each Route is
              associated with a Service, and a Service may have multiple Routes associated
              to it.
            properties:
              headers:
                additionalProperties:
                  items:
                    type: string
                  type: array
                description: Headers contains one or more lists of values indexed
                  by header name that will cause this Route to match if present in
                  the request. The Host header cannot be used with this attribute.
                type: object
              https_redirect_status_code:
                description: HTTPSRedirectStatusCode is the status code Kong responds
                  with when all properties of a Route match except the protocol.
                type: integer
              methods:
                description: Methods is a list of HTTP methods that match this Route.
                items:
                  type: string
                type: array
              path_handling:
                description: PathHandling controls how the Service path, Route path
                  and requested path are combined when sending a request to the upstream.
                enum:
                - v0
                - v1
                type: string
              preserve_host:
                description: PreserveHost sets When matching a Route via one of the
                  hosts domain names, use the request Host header in the upstream
                  request headers. If set to false, the upstream Host header will
                  be that of the Service’s host.
                type: boolean
              protocols:
                description: Protocols is an array of the protocols this Route should
                  allow.
                items:
                  enum:
                  - http
                  - https
                  - grpc
                  - grpcs
                  - tcp
                  - tls
                  - udp
                  type: string
                type: array
              regex_priority:
                description: RegexPriority is a number used to choose which route
                  resolves a given request when several routes match it using regexes
                  simultaneously.
                type: integer
              request_buffering:
                description: RequestBuffering sets whether to enable request body
                  buffering or not.
                type: boolean
              response_buffering:
                description: ResponseBuffering sets whether to enable response body
                  buffering or not.
                type: boolean
              snis:
                description: SNIs is a list of SNIs that match this Route when using
                  stream routing.
                items:
                  type: string
                type: array
              strip_path:
                description: StripPath sets When matching a Route via one of the paths
                  strip the matching prefix from the upstream request URL.
                type: boolean
            type: object
          upstream:
            description: Upstream represents a virtual hostname and can be used to
              loadbalance incoming requests over multiple targets (e.g. Kubernetes
              `Services` can be a target, OR `Endpoints` can be targets).
            properties:
              algorithm:
                description: Algorithm is the load balancing algorithm to use.
                enum:
                - round-robin
                - consistent-hashing
                - least-connections
                type: string
              hash_fallback:
                description: 'HashFallback defines What to use as hashing input if
                  the primary hash_on does not return a hash. Accepted values are:
                  "none", "consumer", "ip", "header", "cookie".'
                type: string
              hash_fallback_header:
                description: HashFallbackHeader is the header name to take the value
                  from as hash input. Only required when "hash_fallback" is set to
                  "header".
                type: string
              hash_on:
                description: 'HashOn defines what to use as hashing input. Accepted
                  values are: "none", "consumer", "ip", "header", "cookie".'
                type: string
              hash_on_cookie:
                description: The cookie name to take the value from as hash input.
                  Only required when "hash_on" or "hash_fallback" is set to "cookie".
                type: string
              hash_on_cookie_path:
                description: The cookie path to set in the response headers. Only
                  required when "hash_on" or "hash_fallback" is set to "cookie".
                type: string
              hash_on_header:
                description: HashOnHeader defines the header name to take the value
                  from as hash input. Only required when "hash_on" is set to "header".
                type: string
              healthchecks:
                description: Healthchecks defines the health check configurations
                  in Kong.
                properties:
                  active:
                    description: ActiveHealthcheck configures active health check
                      probing.
                    properties:
                      concurrency:
                        minimum: 1
                        type: integer
                      healthy:
                        description: Healthy configures thresholds and HTTP status
                          codes to mark targets healthy for an upstream.
                        properties:
                          http_statuses:
                            items:
                              type: integer
                            type: array
                          interval:
                            minimum: 0
                            type: integer
                          successes:
                            minimum: 0
                            type: integer
                        type: object
                      http_path:
                        pattern: ^/.*$
                        type: string
                      https_sni:
                        type: string
                      https_verify_certificate:
                        type: boolean
                      timeout:
                        minimum: 0
                        type: integer
                      type:
                        type: string
                      unhealthy:
                        description: Unhealthy configures thresholds and HTTP status
                          codes to mark targets unhealthy.
                        properties:
                          http_failures:
                            minimum: 0
                            type: integer
                          http_statuses:
                            items:
                              type: integer
                            type: array
                          interval:
                            minimum: 0
                            type: integer
                          tcp_failures:
                            minimum: 0
                            type: integer
                          timeouts:
                            minimum: 0
                            type: integer
                        type: object
                    type: object
                  passive:
                    description: PassiveHealthcheck configures passive checks around
                      passive health checks.
                    properties:
                      healthy:
                        description: Healthy configures thresholds and HTTP status
                          codes to mark targets healthy for an upstream.
                        properties:
                          http_statuses:
                            items:
                              type: integer
                            type: array
                          interval:
                            minimum: 0
                            type: integer
                          successes:
                            minimum: 0
                            type: integer
                        type: object
                      type:
                        type: string
                      unhealthy:
                        description: Unhealthy configures thresholds and HTTP status
                          codes to mark targets unhealthy.
                        properties:
                          http_failures:
                            minimum: 0
                            type: integer
                          http_statuses:
                            items:
                              type: integer
                            type: array
                          interval:
                            minimum: 0
                            type: integer
                          tcp_failures:
                            minimum: 0
                            type: integer
                          timeouts:
                            minimum: 0
                            type: integer
                        type: object
                    type: object
                  threshold:
                    type: number
                type: object
              host_header:
                description: HostHeader is The hostname to be used as Host header
                  when proxying requests through Kong.
                type: string
              slots:
                description: Slots is the number of slots in the load balancer algorithm.
                minimum: 10
                type: integer
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.7.0
  creationTimestamp: null
  name: kongplugins.configuration.konghq.com
spec:
  group: configuration.konghq.com
  names:
    kind: KongPlugin
    listKind: KongPluginList
    plural: kongplugins
    shortNames:
    - kp
    singular: kongplugin
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Name of the plugin
      jsonPath: .plugin
      name: Plugin-Type
      type: string
    - description: Age
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: Indicates if the plugin is disabled
      jsonPath: .disabled
      name: Disabled
      priority: 1
      type: boolean
    - description: Configuration of the plugin
      jsonPath: .config
      name: Config
      priority: 1
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        description: KongPlugin is the Schema for the kongplugins API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          config:
            description: Config contains the plugin configuration.
            type: object
            x-kubernetes-preserve-unknown-fields: true
          configFrom:
            description: ConfigFrom references a secret containing the plugin configuration.
            properties:
              secretKeyRef:
                description: SecretValueFromSource represents the source of a secret
                  value
                properties:
                  key:
                    description: the key containing the value
                    type: string
                  name:
                    description: the secret containing the key
                    type: string
                required:
                - key
                - name
                type: object
            type: object
          consumerRef:
            description: ConsumerRef is a reference to a particular consumer
            type: string
          disabled:
            description: Disabled set if the plugin is disabled or not
            type: boolean
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          plugin:
            description: PluginName is the name of the plugin to which to apply the
              config
            type: string
          protocols:
            description: Protocols configures plugin to run on requests received on
              specific protocols.
            items:
              enum:
              - http
              - https
              - grpc
              - grpcs
              - tcp
              - tls
              - udp
              type: string
            type: array
          run_on:
            description: RunOn configures the plugin to run on the first or the second
              or both nodes in case of a service mesh deployment.
            enum:
            - first
            - second
            - all
            type: string
        required:
        - plugin
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.7.0
  creationTimestamp: null
  name: tcpingresses.configuration.konghq.com
spec:
  group: configuration.konghq.com
  names:
    kind: TCPIngress
    listKind: TCPIngressList
    plural: tcpingresses
    singular: tcpingress
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Address of the load balancer
      jsonPath: .status.loadBalancer.ingress[*].ip
      name: Address
      type: string
    - description: Age
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: TCPIngress is the Schema for the tcpingresses API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: TCPIngressSpec defines the desired state of TCPIngress
            properties:
              rules:
                description: A list of rules used to configure the Ingress.
                items:
                  description: IngressRule represents a rule to apply against incoming
                    requests. Matching is performed based on an (optional) SNI and
                    port.
                  properties:
                    backend:
                      description: Backend defines the referenced service endpoint
                        to which the traffic will be forwarded to.
                      properties:
                        serviceName:
                          description: Specifies the name of the referenced service.
                          type: string
                        servicePort:
                          description: Specifies the port of the referenced service.
                          format: int32
                          maximum: 65535
                          minimum: 1
                          type: integer
                      required:
                      - serviceName
                      - servicePort
                      type: object
                    host:
                      description: Host is the fully qualified domain name of a network
                        host, as defined by RFC 3986. If a Host is specified, the
                        protocol must be TLS over TCP. A plain-text TCP request cannot
                        be routed based on Host. It can only be routed based on Port.
                      type: string
                    port:
                      description: Port is the port on which to accept TCP or TLS
                        over TCP sessions and route. It is a required field. If a
                        Host is not specified, the requested are routed based only
                        on Port.
                      format: int32
                      maximum: 65535
                      minimum: 1
                      type: integer
                  required:
                  - backend
                  type: object
                type: array
              tls:
                description: TLS configuration. This is similar to the `tls` section
                  in the Ingress resource in networking.v1beta1 group. The mapping
                  of SNIs to TLS cert-key pair defined here will be used for HTTP
                  Ingress rules as well. Once can define the mapping in this resource
                  or the original Ingress resource, both have the same effect.
                items:
                  description: IngressTLS describes the transport layer security.
                  properties:
                    hosts:
                      description: Hosts are a list of hosts included in the TLS certificate.
                        The values in this list must match the name/s used in the
                        tlsSecret. Defaults to the wildcard host setting for the loadbalancer
                        controller fulfilling this Ingress, if left unspecified.
                      items:
                        type: string
                      type: array
                    secretName:
                      description: SecretName is the name of the secret used to terminate
                        SSL traffic.
                      type: string
                  type: object
                type: array
            type: object
          status:
            description: TCPIngressStatus defines the observed state of TCPIngress
            properties:
              loadBalancer:
                description: LoadBalancer contains the current status of the load-balancer.
                properties:
                  ingress:
                    description: Ingress is a list containing ingress points for the
                      load-balancer. Traffic intended for the service should be sent
                      to these ingress points.
                    items:
                      description: 'LoadBalancerIngress represents the status of a
                        load-balancer ingress point: traffic intended for the service
                        should be sent to an ingress point.'
                      properties:
                        hostname:
                          description: Hostname is set for load-balancer ingress points
                            that are DNS based (typically AWS load-balancers)
                          type: string
                        ip:
                          description: IP is set for load-balancer ingress points
                            that are IP based (typically GCE or OpenStack load-balancers)
                          type: string
                        ports:
                          description: Ports is a list of records of service ports
                            If used, every port defined in the service should have
                            an entry in it
                          items:
                            properties:
                              error:
                                description: 'Error is to record the problem with
                                  the service port The format of the error shall comply
                                  with the following rules: - built-in error values
                                  shall be specified in this file and those shall
                                  use   CamelCase names - cloud provider specific
                                  error values must have names that comply with the   format
                                  foo.example.com/CamelCase. --- The regex it matches
                                  is (dns1123SubdomainFmt/)?(qualifiedNameFmt)'
                                maxLength: 316
                                pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                                type: string
                              port:
                                description: Port is the port number of the service
                                  port of which status is recorded here
                                format: int32
                                type: integer
                              protocol:
                                default: TCP
                                description: 'Protocol is the protocol of the service
                                  port of which status is recorded here The supported
                                  values are: "TCP", "UDP", "SCTP"'
                                type: string
                            required:
                            - port
                            - protocol
                            type: object
                          type: array
                          x-kubernetes-list-type: atomic
                      type: object
                    type: array
                type: object
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.7.0
  creationTimestamp: null
  name: udpingresses.configuration.konghq.com
spec:
  group: configuration.konghq.com
  names:
    kind: UDPIngress
    listKind: UDPIngressList
    plural: udpingresses
    singular: udpingress
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Address of the load balancer
      jsonPath: .status.loadBalancer.ingress[*].ip
      name: Address
      type: string
    - description: Age
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: UDPIngress is the Schema for the udpingresses API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: UDPIngressSpec defines the desired state of UDPIngress
            properties:
              rules:
                description: A list of rules used to configure the Ingress.
                items:
                  description: UDPIngressRule represents a rule to apply against incoming
                    requests wherein no Host matching is available for request routing,
                    only the port is used to match requests.
                  properties:
                    backend:
                      description: Backend defines the Kubernetes service which accepts
                        traffic from the listening Port defined above.
                      properties:
                        serviceName:
                          description: Specifies the name of the referenced service.
                          type: string
                        servicePort:
                          description: Specifies the port of the referenced service.
                          format: int32
                          maximum: 65535
                          minimum: 1
                          type: integer
                      required:
                      - serviceName
                      - servicePort
                      type: object
                    port:
                      description: Port indicates the port for the Kong proxy to accept
                        incoming traffic on, which will then be routed to the service
                        Backend.
                      type: integer
                  required:
                  - backend
                  - port
                  type: object
                type: array
            type: object
          status:
            description: UDPIngressStatus defines the observed state of UDPIngress
            properties:
              loadBalancer:
                description: LoadBalancer contains the current status of the load-balancer.
                properties:
                  ingress:
                    description: Ingress is a list containing ingress points for the
                      load-balancer. Traffic intended for the service should be sent
                      to these ingress points.
                    items:
                      description: 'LoadBalancerIngress represents the status of a
                        load-balancer ingress point: traffic intended for the service
                        should be sent to an ingress point.'
                      properties:
                        hostname:
                          description: Hostname is set for load-balancer ingress points
                            that are DNS based (typically AWS load-balancers)
                          type: string
                        ip:
                          description: IP is set for load-balancer ingress points
                            that are IP based (typically GCE or OpenStack load-balancers)
                          type: string
                        ports:
                          description: Ports is a list of records of service ports
                            If used, every port defined in the service should have
                            an entry in it
                          items:
                            properties:
                              error:
                                description: 'Error is to record the problem with
                                  the service port The format of the error shall comply
                                  with the following rules: - built-in error values
                                  shall be specified in this file and those shall
                                  use   CamelCase names - cloud provider specific
                                  error values must have names that comply with the   format
                                  foo.example.com/CamelCase. --- The regex it matches
                                  is (dns1123SubdomainFmt/)?(qualifiedNameFmt)'
                                maxLength: 316
                                pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                                type: string
                              port:
                                description: Port is the port number of the service
                                  port of which status is recorded here
                                format: int32
                                type: integer
                              protocol:
                                default: TCP
                                description: 'Protocol is the protocol of the service
                                  port of which status is recorded here The supported
                                  values are: "TCP", "UDP", "SCTP"'
                                type: string
                            required:
                            - port
                            - protocol
                            type: object
                          type: array
                          x-kubernetes-list-type: atomic
                      type: object
                    type: array
                type: object
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kong-serviceaccount
  namespace: kong
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kong-leader-election
  namespace: kong
rules:
- apiGroups:
  - ""
  - coordination.k8s.io
  resources:
  - configmaps
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: kong-ingress
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - endpoints/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - configuration.konghq.com
  resources:
  - kongclusterplugins
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - configuration.konghq.com
  resources:
  - kongclusterplugins/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - configuration.konghq.com
  resources:
  - kongconsumers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - configuration.konghq.com
  resources:
  - kongconsumers/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - configuration.konghq.com
  resources:
  - kongingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - configuration.konghq.com
  resources:
  - kongingresses/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - configuration.konghq.com
  resources:
  - kongplugins
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - configuration.konghq.com
  resources:
  - kongplugins/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - configuration.konghq.com
  resources:
  - tcpingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - configuration.konghq.com
  resources:
  - tcpingresses/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - configuration.konghq.com
  resources:
  - udpingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - configuration.konghq.com
  resources:
  - udpingresses/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - ingresses/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gatewayclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gatewayclasses/status
  verbs:
  - get
  - update
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gateways
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gateways/status
  verbs:
  - get
  - update
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - httproutes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - httproutes/status
  verbs:
  - get
  - update
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - referencepolicies
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - referencepolicies/finalizers
  verbs:
  - update
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - referencepolicies/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - tcproutes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - tcproutes/status
  verbs:
  - get
  - update
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - tlsroutes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - tlsroutes/status
  verbs:
  - get
  - update
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - udproutes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - udproutes/status
  verbs:
  - get
  - update
- apiGroups:
  - networking.internal.knative.dev
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.internal.knative.dev
  resources:
  - ingresses/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - get
  - patch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kong-leader-election
  namespace: kong
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kong-leader-election
subjects:
- kind: ServiceAccount
  name: kong-serviceaccount
  namespace: kong
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kong-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kong-ingress
subjects:
- kind: ServiceAccount
  name: kong-serviceaccount
  namespace: kong
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
  name: kong-proxy
  namespace: kong
spec:
  ports:
  - name: proxy
    port: 80
    protocol: TCP
    targetPort: 8000
  - name: proxy-ssl
    port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    app: ingress-kong
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  name: kong-validation-webhook
  namespace: kong
spec:
  ports:
  - name: webhook
    port: 443
    protocol: TCP
    targetPort: 8080
  selector:
    app: ingress-kong
---
apiVersion: v1
kind: Service
metadata:
  name: postgres
  namespace: kong
spec:
  ports:
  - name: pgql
    port: 5432
    protocol: TCP
    targetPort: 5432
  selector:
    app: postgres
---
apiVersion: v1
kind: Service
metadata:
  name: kong-ingress-controller
  namespace: kong
spec:
  type: NodePort
  ports:
  - name: kong-admin
    port: 8001
    targetPort: 8001
    nodePort: 30001
    protocol: TCP
  selector:
    app: ingress-kong
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ingress-kong
  name: ingress-kong
  namespace: kong
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ingress-kong
  template:
    metadata:
      annotations:
        kuma.io/gateway: enabled
        traffic.sidecar.istio.io/includeInboundPorts: ""
      labels:
        app: ingress-kong
    spec:
      dnsPolicy: ClusterFirstWithHostNet   ## DNS policy adjusted to match host networking
      hostNetwork: true  ## binds ports 80 and 443 on the host itself, so host networking is used
      containers:
      - env:
        - name: KONG_DATABASE
          value: postgres
        - name: KONG_PG_HOST
          value: postgres
        - name: KONG_PG_PASSWORD
          value: kong
        - name: KONG_PROXY_LISTEN
          value: 0.0.0.0:80, 0.0.0.0:443 ssl http2
        - name: KONG_PORT_MAPS
          value: 80:80, 443:443
        - name: KONG_ADMIN_LISTEN
          value:  0.0.0.0:8001,0.0.0.0:8444 ssl
        - name: KONG_STATUS_LISTEN
          value: 0.0.0.0:8100
        - name: KONG_NGINX_WORKER_PROCESSES
          value: "2"
        - name: KONG_KIC
          value: "on"
        - name: KONG_ADMIN_ACCESS_LOG
          value: /dev/stdout
        - name: KONG_ADMIN_ERROR_LOG
          value: /dev/stderr
        - name: KONG_PROXY_ERROR_LOG
          value: /dev/stderr
        image: kong:2.8
        securityContext:
          runAsUser: 0
          capabilities:
            add:
            - NET_ADMIN
        lifecycle:
          preStop:
            exec:
              command:
              - /bin/sh
              - -c
              - kong quit
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /status
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: proxy
        ports:
        - containerPort: 8000
          name: proxy
          protocol: TCP
        - containerPort: 8443
          name: proxy-ssl
          protocol: TCP
        - containerPort: 8100
          name: metrics
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /status
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
      - env:
        - name: CONTROLLER_KONG_ADMIN_URL
          value: https://127.0.0.1:8444
        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
          value: "true"
        - name: CONTROLLER_PUBLISH_SERVICE
          value: kong/kong-proxy
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        image: kong/kubernetes-ingress-controller:2.3.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: ingress-controller
        ports:
        - containerPort: 8080
          name: webhook
          protocol: TCP
        - containerPort: 10255
          name: cmetrics
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /readyz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
      initContainers:
      - command:
        - /bin/sh
        - -c
        - while true; do kong migrations list; if [[ 0 -eq $? ]]; then exit 0; fi;
          sleep 2;  done;
        env:
        - name: KONG_PG_HOST
          value: postgres
        - name: KONG_PG_PASSWORD
          value: kong
        image: kong:2.8
        name: wait-for-migrations
      serviceAccountName: kong-serviceaccount
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
  namespace: kong
spec:
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  serviceName: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
      - env:
        - name: POSTGRES_USER
          value: kong
        - name: POSTGRES_PASSWORD
          value: kong
        - name: POSTGRES_DB
          value: kong
        - name: PGDATA
          value: /var/lib/postgresql/data/pgdata
        image: postgres:9.5
        name: postgres
        ports:
        - containerPort: 5432
        volumeMounts:
        - mountPath: /var/lib/postgresql/data
          name: datadir
          subPath: pgdata
      terminationGracePeriodSeconds: 60
      volumes:
      - name: datadir
        persistentVolumeClaim:
          claimName: pvc

---
apiVersion: batch/v1
kind: Job
metadata:
  name: kong-migrations
  namespace: kong
spec:
  template:
    metadata:
      name: kong-migrations
    spec:
      containers:
      - command:
        - /bin/sh
        - -c
        - kong migrations bootstrap
        env:
        - name: KONG_PG_PASSWORD
          value: kong
        - name: KONG_PG_HOST
          value: postgres
        - name: KONG_PG_PORT
          value: "5432"
        image: kong:2.8
        name: kong-migrations
      initContainers:
      - command:
        - /bin/sh
        - -c
        - until nc -zv $KONG_PG_HOST $KONG_PG_PORT -w1; do echo 'waiting for db';
          sleep 1; done
        env:
        - name: KONG_PG_HOST
          value: postgres
        - name: KONG_PG_PORT
          value: "5432"
        image: busybox
        name: wait-for-postgres
      restartPolicy: OnFailure
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: kong
spec:
  controller: ingress-controllers.konghq.com/kong

Because the pg installation mounts a data volume, the NFS storage class and the PVC must be created in advance.

image-20220524180747855

After applying the manifest, wait until all the related pods are Running, as shown below:

image-20220524180924636

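Note: postgresql itself is a single-container pod; 2 are shown here because the Istio label causes a sidecar container to be injected automatically. ingress-kong has 2 containers of its own; because its configuration was changed to use hostNetwork and move the ports to 80 and 443, binding the host's ports directly, no sidecar is injected. The Istio website also documents this: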

image-20220524181237706

Installing Konga

1. First prepare the database


docker run --rm pantsel/konga:latest -c prepare -a postgres -u postgresql://kong:kong@10.244.209.217:5432/konga

10.244.179.5 is the IP address of the pg container.

2. Then write the resource manifests, as follows:


apiVersion: apps/v1
kind: Deployment
metadata:
  name: kong-konga
  namespace: kong
spec:
  selector:
    matchLabels:
      app: kong-konga
  replicas: 1
  template:
    metadata:
      labels:
        app: kong-konga
    spec:
      containers:
      - name: kong-konga
        image: pantsel/konga:latest
        imagePullPolicy: IfNotPresent
        env:
        - name: DB_ADAPTER
          value: postgres
        - name: DB_HOST
          value: postgres
        - name: DB_PORT
          value: "5432"
        - name: DB_USER
          value: kong
        - name: DB_DATABASE
          value: konga
        - name: DB_PASSWORD
          value: kong
        - name: NODE_ENV
          value: production
        - name: TZ
          value: Asia/Shanghai
        ports:
        - containerPort: 1337
---
#service
apiVersion: v1
kind: Service
metadata:
  name: kong-konga
  namespace: kong
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 1337
    nodePort: 31337
  type: NodePort
  selector:
    app: kong-konga

3. After applying them, you can open the Konga page and connect it to Kong by entering the address of Kong's svc.

image-20220524182039669
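
The following audit is an added example, not part of the original post or of Kong's tooling. It reads objects in the shape returned by `kubectl get deploy,svc -n kong -o json` and reports the settings in the manifests above that widen the attack surface: hostNetwork, a root container with NET_ADMIN, literal passwords in env, unpinned images, and an Admin API that listens in plaintext on 0.0.0.0 and is published through a NodePort. The finding names and the embedded sample (trimmed to the relevant fields) are constructed for illustration.

```python
import json

# Constructed sample: the security-relevant fields of this page's manifests, in the
# shape `kubectl get deploy,svc -n kong -o json` returns (a List with "items").
SAMPLE = json.loads("""
{"items": [
 {"kind": "Deployment", "metadata": {"name": "ingress-kong"}, "spec": {"template": {
   "metadata": {"labels": {"app": "ingress-kong"}},
   "spec": {"hostNetwork": true, "containers": [
    {"name": "proxy", "image": "kong:2.8",
     "securityContext": {"runAsUser": 0, "capabilities": {"add": ["NET_ADMIN"]}},
     "env": [{"name": "KONG_PG_PASSWORD", "value": "kong"},
             {"name": "KONG_ADMIN_LISTEN", "value": " 0.0.0.0:8001,0.0.0.0:8444 ssl"}]},
    {"name": "ingress-controller", "image": "kong/kubernetes-ingress-controller:2.3.1",
     "env": [{"name": "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY", "value": "true"}]}]}}}},
 {"kind": "Deployment", "metadata": {"name": "kong-konga"}, "spec": {"template": {
   "metadata": {"labels": {"app": "kong-konga"}},
   "spec": {"containers": [
    {"name": "kong-konga", "image": "pantsel/konga:latest",
     "env": [{"name": "DB_PASSWORD", "value": "kong"}]}]}}}},
 {"kind": "Service", "metadata": {"name": "kong-ingress-controller"}, "spec": {
   "type": "NodePort", "selector": {"app": "ingress-kong"},
   "ports": [{"port": 8001, "targetPort": 8001, "nodePort": 30001}]}}
]}
""")

def admin_listeners(value):
    """Split a KONG_ADMIN_LISTEN value into (address, port, flags) tuples."""
    listeners = []
    for entry in value.split(","):
        parts = entry.split()
        if parts and parts[0] != "off":
            addr, _, port = parts[0].rpartition(":")
            listeners.append((addr, int(port), set(parts[1:])))
    return listeners

def unpinned(image):
    """True when the image has no digest and its tag is missing or 'latest'."""
    _, sep, tag = image.rsplit("/", 1)[-1].partition(":")
    return "@" not in image and (not sep or tag == "latest")

def audit(items):
    """Return sorted (object, finding) pairs for a `kubectl get -o json` item list."""
    findings, admin = [], []  # admin: (pod labels, port) of wildcard admin listeners
    for obj in items:
        tmpl = obj.get("spec", {}).get("template")
        if not tmpl:
            continue
        where = f'{obj["kind"]}/{obj["metadata"]["name"]}'
        spec = tmpl["spec"]
        labels = tmpl.get("metadata", {}).get("labels", {})
        if spec.get("hostNetwork"):  # every listener binds on the node itself
            findings.append((where, "hostNetwork"))
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            cwhere = f'{where}:{c["name"]}'
            sc = c.get("securityContext", {})
            if sc.get("runAsUser") == 0:
                findings.append((cwhere, "runAsUser=0"))
            for cap in sc.get("capabilities", {}).get("add", []):
                findings.append((cwhere, f"cap:{cap}"))
            if unpinned(c["image"]):
                findings.append((cwhere, "unpinned-image"))
            for e in c.get("env", []):
                name, val = e["name"], e.get("value")
                if "PASSWORD" in name and val is not None:  # literal, not a Secret ref
                    findings.append((cwhere, f"literal-secret:{name}"))
                if name == "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" and val == "true":
                    findings.append((cwhere, "admin-tls-unverified"))
                if name == "KONG_ADMIN_LISTEN":
                    for addr, port, flags in admin_listeners(val or ""):
                        if addr in ("0.0.0.0", "[::]"):
                            admin.append((labels, port))
                            if "ssl" not in flags:
                                findings.append((cwhere, f"admin-plaintext:{port}"))
    for obj in items:  # NodePort Services that select a pod with a wildcard admin port
        spec = obj.get("spec", {})
        if obj["kind"] != "Service" or spec.get("type") != "NodePort":
            continue
        sel = spec.get("selector", {})
        for p in spec.get("ports", []):
            for labels, port in admin:
                if sel and sel.items() <= labels.items() and p.get("targetPort") == port:
                    findings.append((f'Service/{obj["metadata"]["name"]}',
                                     f'admin-on-nodeport:{p.get("nodePort")}'))
    return sorted(findings)

if __name__ == "__main__":
    for where, finding in audit(SAMPLE["items"]):
        print(f"{where:40} {finding}")
```

On a live cluster, feed the parsed output of `kubectl get deploy,sts,job,svc -n kong -o json` to `audit()` in place of `SAMPLE["items"]`.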

kong-ingress

HTTP access

Once everything above is installed, you can configure an Ingress and access the application by domain name.

echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: konga  
  namespace: kong 
spec:
  ingressClassName: kong
  rules:
  - host: konga-wgr.com
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: kong-konga
            port:
              number: 80
" | kubectl apply -f -

Access it:

image-20220524182602662

The corresponding route is also visible in the UI.

image-20220524182713373

HTTPS access (forcing HTTP to redirect to HTTPS)

echo "  
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: avatar-https
  namespace: spacex-avatar
  annotations:
    konghq.com/https-redirect-status-code: \"308\"
    konghq.com/protocols: https
spec:
  ingressClassName: kong
  tls:
    - hosts:
      - avatar.3dlink.cn
      secretName: uino-tls
  rules:
  - host: avatar.3dlink.cn
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:  
            name: avatar-svc
            port:
              number: 80
" | kubectl apply -f -  

If you do not want the forced redirect, leave out the following annotations.

  annotations:
    konghq.com/https-redirect-status-code: \"308\"
    konghq.com/protocols: https

image-20220525124955123

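Kong plugins

Kong officially provides dozens of plugins, listed at https://docs.konghq.com/hub. A few common ones are shown below. A plugin can be applied at several scopes: per svc, per route, per consumer, or globally; a global plugin applies across namespaces.

Correlation ID

Adds a unique ID to the request headers.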

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: test-id
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: "true"
config:
  header_name: kong-request-id
  generator: uuid#counter
  echo_downstream: false
plugin: correlation-id

Deploy a test application:

kubectl apply -f https://bit.ly/echo-service

echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo
spec:
  ingressClassName: kong
  rules:
  - http:
      paths:
      - path: /foo
        pathType: ImplementationSpecific
        backend:
          service:
            name: echo
            port:
              number: 80
" | kubectl apply -f -

image-20220524192505532

Rate limiting

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rl-by-ip
config:
  minute: 5
  limit_by: ip
  policy: local
plugin: rate-limiting
" | kubectl apply -f -

Then attach the rate-limiting plugin to the test application deployed earlier:

kubectl patch svc echo \
  -p '{"metadata":{"annotations":{"konghq.com/plugins": "rl-by-ip\n"}}}'
image-20220524192759422

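The next few plugins are created and shown through the Konga admin UI. Note: plugins created in Konga do not appear among the KongPlugin resources in k8s, but those created from manifests in K8s can be found in Konga.

Authentication

The credentials must be created first; a pop-up prompt then appears before access.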

image-20220525100431673

image-20220525100510105

image-20220525100525455

Then add the basic auth plugin

image-20220525100759692

Blacklists and whitelists

image-20220525103609722 image-20220525103635927

Request size limiting

image-20220525104249027 image-20220525104408082

Requests smaller than 10 bytes are allowed through.

image-20220525104514582
posted @ 2022-11-29 10:27  天宇轩-王