Kuma Workshop
Presented at Kong Meetup – 23 Feb 2023
@ Microsoft Reactor, Bangalore
Agenda
➔ Theory
◆ Service mesh 101 for dummies
◆ The state of the service mesh landscape
◆ Deep dive on Kuma
➔ Demo & interactive workshop
◆ Installation (including auto sidecar injection)
◆ Zero trust security with mTLS
◆ Routing, canary deployments, circuit breaking, load shedding
◆ Traffic shadowing
◆ Observability / OpenTracing
Speaker Info
● Platform engineer @ platformatory.io
● Kong Champion
● Occasional open source contributor to Cloud Native projects (k8s, ArgoCD, Tekton, Litmus, etc)
● Local meetup organizer for Kong, Grafana and Docker
● Cofounder @ platformatory.io
● OSS contribs → Envoy, Apache Kafka, Kong (amongst others)
● Distributed systems, Himalayas, Music
● https://in.linkedin.com/in/pavankmurthy
● https://grahana.net | https://twitter.com/p6
Microservices: A web of complex, distributed, network- and people-bound problems
- Polyglot services, you-build-it, you-run-it operating model
- Autonomous (silo'd?) teams, reduced centralized control, capital-G governance
- A new form of dependency hell: APIs, service versions
- Proliferation of endpoints with new data formats and interface standards (and therefore not just endpoint security but holistic security)
- Troubleshooting & debugging is now an expansive problem cutting across service boundaries
- Deployments on a new, emerging breed of hybrid infrastructure across public cloud, edge and on-premise
The evolution of the microservices journey: At first, there were only SOA monoliths
[Diagram: a legacy SOA monolith on on-premise VMs, with security, mediation, traffic management and observability all handled in one place]
…and then came some microservices & containers
[Diagram: the legacy estate on on-premise VMs plus two team boundaries, one on public cloud K8s and one on private/edge K8s; each environment re-implements its own security, mediation, traffic management and observability]
"Enter"prise API Management
[Diagram: an external API gateway / enterprise API management layer in front of the legacy VMs and the two K8s team boundaries (public cloud, private/edge), centralizing security, mediation, traffic management and observability at the edge]
–with microgateways
[Diagram: the same external API gateway / enterprise API management layer, now with a microgateway inside each team boundary (public cloud K8s, private/edge K8s) alongside the legacy on-premise VMs; security, mediation, traffic management and observability still sit at the gateway tier]
And finally the world of service meshes
[Diagram: an external API gateway for north-south traffic, a unified global control plane spanning the legacy on-premise VMs and both K8s team boundaries, and a mesh gateway per team boundary; security, mediation, traffic management and observability are delivered by the mesh]
What made it all possible: the de-facto data plane (Envoy)
- Born @ Lyft
- Written in C++
- High performance L4-L7 interception
- A ton of capabilities
  - HTTP/2, gRPC
  - Service discovery
  - Zone-aware load balancing
  - Observability
  - ...and much more
- Extensible, programmable
- Ideal as a light-weight out-of-process proxy (typically a sidecar container) that handles all network concerns
The Service Mesh Landscape (of mostly Envoy based service meshes)
Emerging standardization: Vendor neutrality and ecosystem interfaces to service mesh
An overview of Kuma
● From Kong
○ Donated to the CNCF
● Simplified multi-mode support
○ Multi-zone
○ Standalone
● Truly universal
○ First-class support for both K8s and VMs
● Adjacent to Kong
○ Blazing fast API gateway (useful as a delegated gateway / ingress)
● A beautiful API with abstractions and granular, attribute-based selection
○ Mesh
○ TrafficPermission
○ TrafficRoute
○ TrafficTrace
○ TrafficLog
○ FaultInjection
○ HealthCheck
○ CircuitBreaker
○ ProxyTemplate
○ ExternalService
○ Retry
○ Timeout
○ RateLimit
○ VirtualOutbound
● Newer targetRef-based policy API (Kuma 2.x)
○ MeshGateway
○ MeshGatewayRoute
○ MeshCircuitBreaker
○ MeshFaultInjection
○ MeshAccessLog
○ MeshHealthCheck
○ MeshHTTPRoute
○ MeshProxyPatch
○ MeshRateLimit
○ MeshRetry
○ MeshTimeout
○ MeshTrace
○ MeshTrafficPermission
A simplified global deployment architecture: abstracting zone, control plane, network (and the tenancy models thereof)
Opportunities in modern architecture
- Bounded context & tenant resources
  - Mesh per domain / bounded context for east-west traffic
  - Gateway per domain
- While exerting centralized governance
  - API catalog
  - Shared services
  - Monitoring, observability for SRE / platform teams
- Scale to enterprise requirements
<<DEMO>>
1. Zero trust security with mutual TLS
2. Observability: OpenTracing (Zipkin format) with Kuma and Jaeger
3. Traffic routing: canary deployments (with weighted traffic configurations)
4. Traffic mirroring: send shadow traffic to services
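Worked example for the policy overview above and for demo items 1 to 3: the Kuma resources, in Kubernetes form, that a workshop attendee would apply to get auto sidecar injection, mTLS with least-privilege traffic permissions, tracing and a weighted canary. This is an added example, not a slide from the deck or code from the Kuma project. The namespace `kuma-demo`, the services `frontend` and `backend` on port 8080, the `version` pod labels and the Jaeger collector URL are assumptions; the resource kinds, fields and the `allow-all-default` permission are Kuma's own. Traffic mirroring (demo item 4) is left out because its configuration depends on the Kuma version in use.

```yaml
# Added example (not from the deck). Namespace, service names, version labels
# and the Jaeger URL are assumed; everything else is standard Kuma 2.x API.
---
# Installation step: label the namespace so the control plane's mutating
# webhook injects a kuma-dp (Envoy) sidecar into every pod scheduled here.
apiVersion: v1
kind: Namespace
metadata:
  name: kuma-demo                      # assumed namespace
  labels:
    kuma.io/sidecar-injection: enabled
---
# Demo 1 + 2: one Mesh object carries both the mTLS backend and the tracing
# backend. STRICT refuses plaintext; PERMISSIVE would silently accept it and
# undermine the zero-trust claim.
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: builtin                  # CA generated and stored by the control plane
        mode: STRICT
        dpCert:
          rotation:
            expiration: 1d             # short-lived workload certs, rotated by kuma-dp
  tracing:
    defaultBackend: jaeger
    backends:
      - name: jaeger
        type: zipkin                   # Jaeger ingests Zipkin-format spans
        sampling: 100.0                # demo setting; sample far less in production
        conf:
          url: http://jaeger-collector.mesh-observability:9411/api/v2/spans  # assumed
---
# Demo 1, least privilege: once mTLS is on, Kuma denies any connection that no
# TrafficPermission allows, BUT the default mesh ships with a permissive
# "allow-all-default" permission. Delete it before relying on the policy below:
#   kubectl delete trafficpermission allow-all-default
# On Kubernetes the kuma.io/service tag is <name>_<namespace>_svc_<port>.
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  name: frontend-to-backend
spec:
  sources:
    - match:
        kuma.io/service: frontend_kuma-demo_svc_8080
  destinations:
    - match:
        kuma.io/service: backend_kuma-demo_svc_8080
---
# Demo 2: attach the tracing backend to every sidecar in the mesh.
apiVersion: kuma.io/v1alpha1
kind: TrafficTrace
mesh: default
metadata:
  name: trace-all
spec:
  selectors:
    - match:
        kuma.io/service: '*'
  conf:
    backend: jaeger
---
# Demo 3: weighted canary. The "version" tag is taken from the pod label of the
# same name, so the v2 Deployment only needs the label version: v2.
apiVersion: kuma.io/v1alpha1
kind: TrafficRoute
mesh: default
metadata:
  name: backend-canary
spec:
  sources:
    - match:
        kuma.io/service: '*'
  destinations:
    - match:
        kuma.io/service: backend_kuma-demo_svc_8080
  conf:
    split:
      - weight: 90
        destination:
          kuma.io/service: backend_kuma-demo_svc_8080
          version: v1
      - weight: 10
        destination:
          kuma.io/service: backend_kuma-demo_svc_8080
          version: v2
```

Apply with `kubectl apply -f` and confirm the sidecars are present with `kumactl inspect dataplanes`. The check worth doing in the workshop: after `allow-all-default` is deleted, a pod in the mesh that is not named as a source in a TrafficPermission gets its connections to `backend` reset by the backend sidecar, and a pod outside the mesh cannot reach `backend` at all because the sidecar only accepts mTLS; that observable failure is what turns "mTLS enabled" into zero trust. If the split is not taking effect, check that the `route-all-default` TrafficRoute is not more specific than this one and that the `version` label is actually set on the pods.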

Kuma + Kong
