Kubernetes

Don’t forget! The Official Documentation of Kuma is a great place to learn about both basic and more advanced topics.

To install and run Kuma on Kubernetes execute the following steps:

1. Download and run Kuma

To run Kuma on Kubernetes, you need to download a compatible version of Kuma for the machine where you will be executing the commands.

Once downloaded, we can extract the content of the archive with:

  $ tar xvzf [FILE]
  $ cd bin && ls
  envoy kuma-dp kuma-tcp-echo kuma-cp kuma-prometheus-sd kumactl

Note: On Kubernetes, of all the Kuma binaries in the bin folder, we only need kumactl.

To install and run Kuma execute:

  $ ./kumactl install control-plane | kubectl apply -f -

By executing this operation, a new kuma-system namespace will be created.

2. Start services

On Kubernetes, we can start a simple service by executing the following command:

  $ kubectl apply -f https://raw.githubusercontent.com/Kong/kuma-demo/master/kubernetes/kuma-demo-aio.yaml

Note that two things are happening in the YAML file:

  • We are including a kuma.io/sidecar-injection: enabled label in the Namespace to automatically inject Kuma sidecars into every Pod belonging to the namespace.
  • We are adding a kuma.io/mesh: default annotation to determine on what Mesh the service belongs.

3. Apply Policies

Now you can start applying Policies to your default Service Mesh, like Mutual TLS:

  $ echo "apiVersion: kuma.io/v1alpha1
  kind: Mesh
  metadata:
    name: default
  spec:
    mtls:
      enabled: true
      ca:
        builtin: {}" | kubectl apply -f -

With mTLS enabled, all traffic is restricted by default unless we specify a Traffic Permission policy that enables it again. For example, we can apply the following permissive policy to enable all traffic across every data-plane again:

  $ echo "apiVersion: kuma.io/v1alpha1
  kind: TrafficPermission
  mesh: default
  metadata:
    namespace: default
    name: enable-all-traffic
  spec:
    sources:
    - match:
        service: '*'
    destinations:
    - match:
        service: '*'" | kubectl apply -f -
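The allow-all policy above is convenient for a demo, but it hands back every connection that mTLS just took away. As an added example (not part of the original Kuma quick-start), here is a least-privilege TrafficPermission written against the same kuma.io/v1alpha1 schema shown on this page: only data-planes tagged `service: frontend` (a hypothetical source name) may reach data-planes tagged `service: echo` (the `service=echo` tag that appears in the page's dataplane listing). Every other pair of services stays blocked by the mesh's default deny.

```yaml
# Added example, not from the Kuma documentation: a least-privilege
# TrafficPermission using the same spec.sources/spec.destinations
# "match: service" shape as the enable-all-traffic policy on this page.
# "frontend" is a hypothetical source service tag; "echo" matches the
# service=echo tag shown in the dataplane listing.
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  namespace: default
  name: frontend-to-echo
spec:
  sources:
  - match:
      service: frontend
  destinations:
  - match:
      service: echo
```

Save it as a file and apply it with `kubectl apply -f frontend-to-echo.yaml`. Because TrafficPermissions are additive, this policy only has the intended effect once the `enable-all-traffic` policy applied above has been deleted; with both present, the wildcard policy still permits everything.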

4. Done!

You can configure kumactl to point to any remote kuma-cp instance by running:

  $ ./kumactl config control-planes add --name=XYZ --address=http://address.to.kuma:5681

You can now review the entities created by Kuma by using the kumactl CLI. For example, you can list the Meshes and the Traffic Permissions:

  $ ./kumactl get meshes
  NAME      mTLS   CA        METRICS
  default   on     builtin   off
  $ ./kumactl get traffic-permissions
  MESH      NAME
  default   enable-all-traffic

and you can list the data-planes that have been registered, and their status:

  $ ./kumactl get dataplanes
  MESH      NAME        TAGS
  default   dp-echo-1   service=echo
  $ ./kumactl inspect dataplanes
  MESH      NAME        TAGS           STATUS   LAST CONNECTED AGO   LAST UPDATED AGO   TOTAL UPDATES   TOTAL ERRORS
  default   dp-echo-1   service=echo   Online   19s                  18s                2               0