Description
There are lots of iconic duos out there. Batman and Robin, Jelly and Ice Cream, and now, Kong and Kubernetes.
Join Michael as he shows what Kong Ingress Controller can do for you. We’ll take a look at how to secure your services with the KongPlugin CRD, how to use the Kubernetes events system to help debug when things go wrong, and we’ll even take a sneak peek at the upcoming Kubernetes Gateway API and how you can start using it today.
A
We have Michael here today, who will introduce himself, and he will talk to us about making Kong cloud native with the Kong Ingress Controller, very interesting topic. We have a nice long demo for all of you. I'm excited for all of you to see it. We'll take all of the questions at the end, so please input them in the Q&A function that you will see at the bottom. And yeah, that's it for me. Take it away, Michael.
B
Thank you, Dalia. Dalia definitely stole my line. I was going to also say good morning, good afternoon and good evening, depending on where you are in the world. As Dalia said, I'm Michael. I'm a director of product management here at Kong, and I'm currently the product manager for the Kong Ingress Controller, or KIC as it's more commonly known.
B
You might be thinking, "Control plane, data plane, you didn't even mention that. What even is this?" Well, Kong is split into two halves: the control plane, which manages configuration data, and the data plane, which receives and routes traffic. In some deployments, a single Kong Gateway node fulfills both responsibilities: it handles your configuration and it moves traffic.
B
Still with me? Excellent. Now, Kong offers multiple types of control plane, one of which is KIC. Now, KIC, that's the Kong Ingress Controller. It stores configuration in a Kubernetes-native way. It translates that into a format that Kong Gateway can understand. It lets you use native Kubernetes resources like Ingress and the upcoming Gateway API, and the Ingress controller takes care of translating that to the Kong Gateway declarative configuration format.
B
All right, so now you know what a control plane is and how KIC handles configuration. I just want to spend 60 seconds on why manifests are important. And the great thing about manifests is they're just text files. So that means that you can collaborate on them. You can have a review process. You can add governance.
B
You can use the built-in Kong Gateway control plane, and this allows you to configure Gateway with the administration API, using the Kong Manager UI, or by tools such as decK, which is our declarative config tool. And you might be thinking, "But you can use Kubernetes manifests. Why do you need your own?" And that's because decK supports metal machines, virtual machines and Kubernetes deployments.
B
You don't have to use KIC if you're running in Kubernetes. You can use Konnect whilst still running your data planes in a Kubernetes cluster. But it is important to note that data planes can only connect to one control plane, so there has to be a single source of truth configuration. And that means that if you're using KIC, you couldn't use Konnect, until recently. That is because we've recently integrated KIC and Konnect. We announced this at KubeCon EU a couple of weeks ago.
B
What this allows you to do is use the Kong Ingress Controller as your source of truth for configuration, whilst getting all the benefits of Konnect. And I'll show you some of the benefits you get using a combination of KIC and Konnect in the demo, which is actually coming up next. Now, this is going to be a pretty intense demo. I'm going to deploy a new Kong Ingress Controller.
B
Show you how to configure an Ingress resource and send some traffic. We'll take a look at adding authentication to the API using API keys, and I'll even do a little detour into the Kubernetes admission webhook and the event system for when things go wrong. Then finally, we'll take a brief look at the Gateway API and how to configure the same route and authentication that I showed you with Ingress, using Kubernetes' latest networking resource, the Gateway API.
B
So Konnect has the concept of runtime groups, and a runtime group is like a virtual control plane. It's a virtual container for all of your configuration. And doing this live, I'm doing it from scratch. So I'm just going to start with a new Kong Ingress Controller runtime group. I'll just call it Tech Talk.
B
And when I click Generate, it gives me the instructions that I need to run in the terminal to deploy a new Kong Ingress Controller, some data planes, and connect it up to KIC and up to Konnect. And so I'm just gonna download all of the files that I need and then head back to my terminal.
B
So if I unzip the package that I just received, it contains five things: a TLS certificate and the TLS key. These are used for securing communication between your Kong Gateway instances and Konnect. And then two values files, one for the Ingress controller itself, one for the data planes. These are used by Helm to actually deploy pods to Kubernetes. Then finally, it has some instructions, which are the same as these instructions.
B
kubectl create namespace kong, and then it asked me to save the certificates, which I've already got from the package that I downloaded. And actually, let's make this a bit bigger so we can see it.
B
No one else has seen this. What I've done here is I've enabled analytics using KIC, so I'm using a nightly version of our Ingress controller. I'm using a release candidate for Kong Gateway 3.3.
B
So if I now do the Helm installs, first I do a deployment for the Ingress controller and then I do a deployment for the gateways. Now, if you're familiar with KIC, you might be thinking, "Why did you do two? I only normally do one." And this is because I'm using a new feature in KIC 2.9, which is called Gateway Discovery.
B
So previously the Ingress controller and the data plane went together in the same pod as separate containers. Now you can have a separate controller to your data planes. This means, as you scale up your data planes, you don't also have to scale up the controller, which leads to lower resource usage in your cluster.
B
So now we've got three running Kong Gateway instances and a running Kong Ingress Controller. It's time to actually configure it.
B
If I apply that, then what Kubernetes will do is compile that to Kong Gateway rules and send it off to our running data planes.
B
This is quite interesting when something doesn't work. For example, we can actually translate that configuration into something that Kong understands. It's because I've configured an Ingress but there's actually no service to send it to.
B
So, if I go ahead and create a service as well. This is just the standard Kubernetes service, an echo server. It's just something where you send a request, and it sends back what you say as a response. And they've got a service and a deployment, and it's just an echo server written in Go that we mentioned, and it tells you what nodes you're running on, what pods, what namespace, things like that.
B
Okay, that pod is running, the service is there, and because of the Ingress that I created I should be able to call localhost/echo and Kong Gateway will route my request to the echo service.
B
If I just send some requests, maybe some 404s as well, and then go back to Konnect.
B
And here you can see all those requests I was just making. Like, there's the first two that I made to /echo before the Ingress was created, and then I had some successful requests and some failed requests. So I'm starting to get some immediate visibility into the error rate and the latency of my upstream services directly in Konnect. I didn't have to configure anything.
B
So we created a basic routing rule. This wouldn't have helped the photo sharing app because it would have just passed all the traffic straight through. What I'm going to do this time is add authentication to our API.
B
So the way the plugins work with the Kong Ingress Controller is you create a plugin definition. And we have custom resources, and this is a KongPlugin custom resource. And here I'm saying this is an instance of our key-auth plugin. It's going to look for the header name API key, and this resource is called key-auth. This could be called anything. We could call this apples. We just need a name to refer to it later.
B
To apply it to an Ingress, well, we add an annotation. So here I'm using a one-liner, you can also add it to your manifest, but I'm annotating the Ingress called echo and I'm adding the annotation konghq.com/plugins equals key-auth. And that can be a comma-separated list of multiple plugin instances as well. So you can use, say, authentication and rate limiting on the same Ingress.
B
So the way that you provision API credentials in Kong is using what's called a consumer. You create a secret in Kubernetes that contains the consumer's API key. And then, when you create a consumer, you tell it which secret to read from.
B
So it's a generic secret. The kongCredType matches the type of plugin, and then the key is a field that the key-auth plugin reads. I'm actually not going to run this because I have it in this consumer.yaml. This is just base64-encoded credentials. It's just for user one with the key key one.
B
Oauth plugin, rather than the consumer, we'll see that we've got an error from the server when applying the patch. The server denied the request. It failed schema validation: config.net is an unknown field. This is life-saving. This is the Kong Ingress Controller admission webhook that validates consumers and plugins when you try to apply changes to a manifest, and it won't let you break a schema.
B
Unfortunately, we can't do that for everything. So as an example, if you try and create an Ingress definition with a route that isn't valid, say a regular expression route and the regex isn't valid, we can't tell you that in advance at the moment. Fortunately, we've got deep integration with the Kubernetes event system.
B
So during my testing I actually landed on Loki from Grafana, and Loki is a log and event ingestion tool. It takes a minute or two to spin up, but when it does, what it allows us to do is forward on all of the events from Kubernetes into Loki, and then within Loki we can set up alerts that will notify us when something goes wrong.
B
So I check the nodes coming up. kgpn is one of my aliases: kubectl get pods in the namespace loki.
B
If you work with kubectl a lot and you're not using these aliases, I highly recommend it. Just Google kubectl aliases, it's an open source project. It saves me a ton of time.
B
So if I install the event exporter and then I try and apply an invalid Ingress.
B
Oh, I need to port forward: kpf, kubectl port-forward, and I'm just forwarding the Loki service to my localhost:3000.
B
So when you install Loki and Grafana, it generates a password for you and stores it in a secret. Secrets in Kubernetes aren't really that secret unless you use sealed secrets, so I just base64-decoded it and now I can log in.
B
All right, let's give things a kick. So, let's delete the echo Ingress.
B
There we are. So now we're seeing it received an event. It's what we saw before, invalid paths, invalid regex. And when we go back to Loki, we can see that is showing up. Now, I'm not going to actually create the alerting rule for you today, but once it's in Loki, it's very easy to go from log message to an alert that can trigger on PagerDuty or get pushed to Slack or anything like that.
B
You have to be careful with that, though, because of things like retries and multiple pods. I actually enabled it direct to Slack earlier and got 25 messages in three seconds, because I had lots of Kong Gateways all rejecting the config at the same time. So my recommendation is to go through something like Loki.
B
All right, don't worry, we're almost there. We've deployed a Kong Ingress Controller and Kong Gateway. We've configured it with the Ingress resource. We've added authentication. We've taken a look at analytics. We've deployed Loki, we've deployed the Kubernetes event exporter. Like, that's a lot in the 15 to 20 minutes we've been doing this. We've just got one more thing to show you and then we are done. So what I'm going to do is delete my Ingresses.
B
Why is that? Not parent.
B
Because the Rhino excellent I'm not trying to deleted it. What I'll also do is delete the Ingress class of Kong. So the Ingress class is the parent wrapper for all of your individual Ingress routes.
B
I have to apply the experimental CRDs, so that will create lots of custom resource definitions for gateway.networking.k8s.io.
B
So if I call that, my curl, it no longer exists. I deleted my Ingress definitions, it's just an empty Kong Gateway at this point.
B
So here the Gateway class tells Kubernetes which controller to use. In this case it's the Kong Ingress Controller. And then it creates a Gateway instance, and here it's just saying: listen on port 80, using the Gateway class that we just created. You can add all kinds of listeners here for different ports and different protocols.
B
Today, I'm just using plain old HTTP.
B
And things seem so, the Ingress controller is shutting down, all the works are finished, and then when it restarts, I should be able to use the Gateway API.
B
But if you hit that issue, if you want to deploy Gateway API CRDs after deploying the Ingress controller, that's how you fix it. Now we're back to the point where I can make my request. But the final thing to do is to add my annotation again.
B
Sorry, that is my mistake. It is not the Gateway that I annotate, because it is not the Gateway that defines the routing rules. It is the HTTP route instead.
B
Now, if I go back to my analytics, we see these requests just keep coming in. It's 5:40 PM where I am. We just had three fails and three successful requests. It doesn't matter if you're using Ingress or Gateway API, all of that analytics data is still available for you. Final thing, because I didn't really explain the power of Gateway API in that demo.
B
So if you need to transform things for your V1 backend, but not your V2, the Gateway API supports that. And finally, backend ref. So something I couldn't believe when I first learned it was that to send requests across namespaces, you had to use an external name. Like, that just felt wrong to me. But the Gateway API allows you to use backend ref, which will expose services from within a namespace for use in other namespaces.
B
So, instead of having to have your Ingress and service in the same namespace, you can actually start splitting those now with backend ref. But it is very much opt-in, so the owners of the service can decide who gets to call their services. I'm just scratching the surface on what Gateway API can do. I highly recommend going and having a read of the documentation, it's fairly accessible.
B
Deployed Gateway, we checked out Konnect analytics, we secured an API. We took a look at the admission controller and the event system. We deployed Loki, we deployed the event forwarder. We even took a look at the Gateway API. It's a lot. I'm very happy to receive questions now, or if you've got questions later, I'm mheap on Twitter. Back to you, Dalia.
B
Maybe so he'll hit enter, yeah, too fast, yeah. So what is the difference between this latest release?
B
So ceil's been using Kong for a while. If the question is what is the difference between the latest versions of the Ingress controller, that's very different to what differences in the Gateway. I will answer both, starting with the Ingress controller.
B
The second thing is the event system. There's nothing worse than things not working and you not understanding why. So being able to use the event system and be notified when something isn't working, that's key for me. Being able to just get a message saying, "Hey! There's an invalid Ingress definition, please go and fix it so we can carry on applying new routes."
B
As for Kong Gateway, if you've not tried out the Kong Gateway 3 series, you're in for a treat. The biggest feature for me is OpenTelemetry support, so being able to see where time is being spent in the Gateway yourself.
B
So if you're adding things like rate limiting plugins and using Redis as your backing store, you can get an end-to-end span of all of that, so you can see how much of the time was spent looking up the consumer, how much of the time was spent going to Redis to see what the rate limit is, and how much time was spent in your upstream service as well, because understanding how your applications are performing guide key and congas?
B
Anonymous attendee: "Terraform is in sync with this version?" I'm not too sure what your question is, but I can hazard a guess. So the Kong Admin APIs have been stable for many years. So there is no difference between the Admin API between Kong today and 3.2. 3.3 is coming out soon. So any Terraform provider that you use for Kong will work in Kong 3.x just as well as it did in Kong 2.x.
B
So, "Is the doc available on the Kong site?" Yes, it is. If you go to docs.konghq.com you'll be able to click on the Kubernetes Ingress Controller and information on everything like the Gateway API.
A
Right, that's it for now. The recording will be uploaded on our YouTube channel if you want to rewatch it. Thank you so much, all of you, for joining, and we look forward to seeing you at our next events. Have a great evening, great day ahead. We'll see you soon, bye-bye.