Kubernetes

To install and run Kuma on Kubernetes execute the following steps:

1. Download and run Kuma

To run Kuma on Kubernetes, you need to download a compatible version of Kuma for the machine where you will be executing the commands.

Once downloaded, we can extract the content of the archive with:

  1. $ tar xvzf [FILE]
  2. $ cd bin && ls
  3. envoy   kuma-dp   kuma-tcp-echo   kuma-cp   kuma-prometheus-sd   kumactl

Note: On Kubernetes - of all the Kuma binaries in the bin folder - we only need kumactl.

To install and run Kuma execute:

  1. $ ./kumactl install control-plane | kubectl apply -f -

By executing this operation, a new kuma-system namespace will be created.

2. Start services

On Kubernetes, we can start a simple service by executing the following command:

  1. ./kubectl apply -f https://raw.githubusercontent.com/Kong/kuma-demo/master/kubernetes/kuma-demo-aio.yaml

Note that two things are happening in the YAML file:

  • We are including a kuma.io/sidecar-injection: enabled label in the Namespace to automatically inject Kuma sidecars into every Pod belonging to the namespace.
  • We are adding a kuma.io/mesh: default annotation to determine on what Mesh the service belongs.

3. Apply Policies

Now you can start applying Policies to your default Service Mesh, like Mutual TLS:

  1. $ echo "apiVersion: kuma.io/v1alpha1
  2. kind: Mesh
  3. metadata:
  4.   name: default
  5. spec:
  6.   mtls:
  7.     enabled: true
  8.     ca:
  9.       builtin: {}" | ./kubectl apply -f -

With mTLS enabled, all traffic is restricted by default unless we specify a Traffic Permission policy that enables it again. For example, we can apply the following permissive policy to enable all traffic across every data-plane again:

  1. $ echo "apiVersion: kuma.io/v1alpha1
  2. kind: TrafficPermission
  3. mesh: default
  4. metadata:
  5.   namespace: default
  6.   name: enable-all-traffic
  7. spec:
  8.   sources:
  9.     - match:
  10.         service: '*'
  11.   destinations:
  12.     - match:
  13.         service: '*'" | ./kubectl apply -f -

4. Done!

You can configure kumactl to point to any remote kuma-cp instance by running:

  1. $ ./kumactl config control-planes add --name=XYZ --address=http://address.to.kuma:5681

You can now review the entities created by Kuma by using the kumactl CLI. For example you can list the Meshes and the Traffic Permissions:

  1. $ ./kumactl get meshes
  2. NAME      mTLS   CA        METRICS
  3. default   on     builtin   off
  5. $ ./kumactl get traffic-permissions
  6. MESH      NAME
  7. default   enable-all-traffic

and you can list the data-planes that have been registered, and their status:

  1. $ ./kumactl get dataplanes
  2. MESH      NAME        TAGS
  3. default   dp-echo-1   service=echo
  5. $ ./kumactl inspect dataplanes
  6. MESH      NAME        TAGS              STATUS   LAST CONNECTED AGO   LAST UPDATED AGO   TOTAL UPDATES   TOTAL ERRORS
  7. default   dp-echo-1   service=echo      Online   19s                  18s                2               0