Kourier is an Ingress for Knative Serving. Kourier is a lightweight alternative for the Istio ingress as its deployment consists only of an Envoy proxy and a control plane for it.
Kourier is passing the knative serving e2e and conformance tests: Kourier Testgrid.
kubectl apply -f https://github.com/knative/serving/releases/latest/download/serving-crds.yaml
kubectl apply -f https://github.com/knative/serving/releases/latest/download/serving-core.yaml
kubectl apply -f https://github.com/knative/net-kourier/releases/latest/download/kourier.yaml
kubectl patch configmap/config-network \
-n knative-serving \
--type merge \
-p '{"data":{"ingress.class":"kourier.ingress.networking.knative.dev"}}'
kubectl patch configmap/config-domain \
-n knative-serving \
--type merge \
-p '{"data":{"127.0.0.1.nip.io":""}}'
cat <<-EOF | kubectl apply -f -
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
name: helloworld-go
spec:
template:
spec:
containers:
- image: gcr.io/knative-samples/helloworld-go
env:
- name: TARGET
value: Go Sample v1
EOF
kubectl port-forward --namespace kourier-system $(kubectl get pod -n kourier-system -l "app=3scale-kourier-gateway" --output=jsonpath="{.items[0].metadata.name}") 8080:8080 19000:9000 8443:8443
curl -v -H "Host: helloworld-go.default.127.0.0.1.nip.io" http://localhost:8080
By default, the deployment of the Kourier components is split between two different namespaces:
knative-serving
namespacekourier-system
namespaceTo change the Kourier gateway namespace, you will need to:
config/
and replace all the namespaces fields that have
kourier-system
with the desired namespace.KOURIER_GATEWAY_NAMESPACE
env var in the kourier-control deployment
to the new namespace.Create a secret containing your TLS certificate and Private key:
kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}
Add the following env vars to net-kourier-controller in the "kourier" container :
CERTS_SECRET_NAMESPACE: ${NAMESPACES_WHERE_THE_SECRET_HAS_BEEN_CREATED}
CERTS_SECRET_NAME: ${CERT_NAME}
You can specify the cipher suites for TLS external listener.
To specify the cipher suites you want to allow, run the following command to patch config-kourier
ConfigMap:
kubectl -n "knative-serving" patch configmap/config-kourier \
--type merge \
-p '{"data":{"cipher-suites":"ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-CHACHA20-POLY1305"}}'
The default uses the default cipher suites of the envoy version.
If you want to enable the external authorization support you can set these ENV
vars in the net-kourier-controller
deployment:
KOURIER_EXTAUTHZ_HOST*
: The external authorization service and port,
my-auth:2222KOURIER_EXTAUTHZ_FAILUREMODEALLOW*
: Allow traffic to go through if the ext
auth service is down. Accepts true/falseKOURIER_EXTAUTHZ_PROTOCOL
: The protocol used to query the ext auth
service. Can be one of : grpc, http, https. Defaults to grpcKOURIER_EXTAUTHZ_MAXREQUESTBYTES
: Max request bytes, if not set, defaults to
8192 Bytes. More info
Envoy DocsKOURIER_EXTAUTHZ_TIMEOUT
: Max time in ms to wait for the ext authz service.
Defaults to 2sKOURIER_EXTAUTHZ_PATHPREFIX
: If KOURIER_EXTAUTHZ_PROTOCOL
is equal to
http or https, path to query the ext auth service. Example : if set to
/verify
, it will query /verify/
(notice the trailing /
).
If not set, it will query /
KOURIER_EXTAUTHZ_PACKASBYTES
: If KOURIER_EXTAUTHZ_PROTOCOL
is equal to
grpc, sends the body as raw bytes instead of a UTF-8 string. Accepts only true/false, t/f or 1/0.
Attempting to set another value will throw an error. Defaults to false. More info
Envoy Docs.*
Required
Note: this is an experimental/alpha feature.
To enable proxy protocol feature, run the following command to patch config-kourier
ConfigMap:
kubectl patch configmap/config-kourier \
-n knative-serving \
--type merge \
-p '{"data":{"enable-proxy-protocol":"true"}}'
Ensure that the file was updated successfully:
kubectl get configmap config-kourier --namespace knative-serving --output yaml
We need to:
local
so the LB we'll preserve the client source IP and avoids a second hop for LoadBalancer.Example (Scaleway provider):
apiVersion: v1
kind: Service
metadata:
name: kourier
namespace: kourier-system
annotations:
service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: '*'
service.beta.kubernetes.io/scw-loadbalancer-use-hostname: "true"
labels:
networking.knative.dev/ingress-provider: kourier
spec:
ports:
- name: http2
port: 80
protocol: TCP
targetPort: 8080
- name: https
port: 443
protocol: TCP
targetPort: 8443
selector:
app: 3scale-kourier-gateway
externalTrafficPolicy: Local
type: LoadBalancer
Domain Mapping is configured to explicitly use http2
protocol only. This behaviour can be disabled by adding the following annotation to the Domain Mapping resource
kubectl annotate domainmapping <domain_mapping_name> kourier.knative.dev/disable-http2=true --namespace <namespace>
A good use case for this configuration is DomainMapping with Websocket
Note: This annotation is an experimental/alpha feature. We may change the annotation name in the future.