Kong
Kong is a cloud-native, open-source API gateway and Kubernetes ingress controller. It provides advanced routing, security, and observability features for microservices and APIs. Kong is widely used in AWS, Azure, GCP, and hybrid environments for managing north-south traffic, API management, and integrating legacy and modern workloads.
Key Features
Ingress routing: Use Ingress resources to configure Kong for HTTP, HTTPS, and gRPC traffic.
API management with plugins: Monitor, transform, secure, and rate-limit traffic using Kong plugins.
Native gRPC support: Proxy and secure gRPC traffic with full plugin support.
Health checking & load balancing: Distribute requests across pods with active and passive health checks.
Request/response transformations: Modify traffic on the fly using plugins.
Authentication: Protect services with JWT, OAuth2, key-auth, and more.
Declarative configuration: Manage Kong using Kubernetes CRDs for GitOps and automation.
Gateway Discovery: Monitor and push config to all Kong Gateway replicas.
Installation
YAML (quick start):
kubectl apply -f https://raw.githubusercontent.com/Kong/kubernetes-ingress-controller/latest/deploy/single/all-in-one-dbless.yaml
Helm (recommended for production):
helm repo add kong https://charts.konghq.com
helm repo update
helm install kong/kong --generate-name --set ingressController.installCRDs=false
Real-Life Example: Exposing a Microservice with Kong
1. Set the Kong Proxy IP
Get the external IP of the Kong proxy service:
export PROXY_IP=$(kubectl get -o jsonpath="{.status.loadBalancer.ingress[0].ip}" service -n kong demo-kong-proxy)
2. Test Kong Gateway Connectivity
curl -i $PROXY_IP
Expected: HTTP 404 Not Found (no route configured yet)
3. Deploy an Upstream HTTP Application
Deploy a simple echo server:
echo "
apiVersion: v1
kind: Service
metadata:
labels:
app: echo
name: echo
spec:
ports:
- port: 1027
name: http
protocol: TCP
targetPort: 1027
selector:
app: echo
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: echo
name: echo
spec:
replicas: 1
selector:
matchLabels:
app: echo
template:
metadata:
labels:
app: echo
spec:
containers:
- image: kong/go-echo:latest
name: echo
ports:
- containerPort: 1027
" | kubectl apply -f -
4. Create an IngressClass (if needed)
echo "
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: kong
spec:
controller: ingress-controllers.konghq.com/kong
" | kubectl apply -f -
5. Add Routing Configuration
Create an Ingress to route /echo to the echo service:
echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: echo
annotations:
konghq.com/strip-path: 'true'
spec:
ingressClassName: kong
rules:
- host: kong.example
http:
paths:
- path: /echo
pathType: ImplementationSpecific
backend:
service:
name: echo
port:
number: 1027
" | kubectl apply -f -
Test the route:
curl -i http://kong.example/echo --resolve kong.example:80:$PROXY_IP
Real-Life Example: Securing and Rate-Limiting with Plugins
1. Enable a Plugin (e.g., Correlation ID)
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: request-id
config:
header_name: my-request-id
echo_downstream: true
plugin: correlation-id
" | kubectl apply -f -
Annotate the Ingress to use the plugin:
kubectl annotate ingress echo konghq.com/plugins=request-id
2. Enable Rate Limiting on a Service
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: rl-by-ip
config:
minute: 5
limit_by: ip
policy: local
plugin: rate-limiting
" | kubectl apply -f -
Annotate the Service:
kubectl annotate service echo konghq.com/plugins=rl-by-ip
Test the rate limit:
curl -i http://kong.example/echo --resolve kong.example:80:$PROXY_IP
Best Practices
Use Helm for repeatable, versioned Kong deployments
Store all configuration (Helm values, CRDs, plugins) in Git for GitOps
Use plugins for authentication, rate limiting, and observability
Monitor Kong and application health with Prometheus/Grafana
Restrict external access with network policies and firewalls
References
Tip: Integrate Kong with CI/CD (GitHub Actions, ArgoCD, Flux) for automated API gateway and ingress management in multi-cloud environments.
Last updated