# Set up and explore the Kubernetes demo app

To start learning how Kuma works, you can download and run a simple demo application that consists of two services:

  • demo-app: web application that lets you increment a numeric counter
  • redis: data store for the counter

This guide also introduces some of the tools Kuma provides to help you control and monitor traffic, track resource status, and more.

The demo-app service listens on port 5000. When it starts, it expects to find a zone key in Redis that specifies the name of the datacenter (or cluster) where the Redis instance is running. This name is displayed in the browser.

The zone key is purely static and arbitrary. Different zone values for different Redis instances let you keep track of which Redis instance stores the counter if you manage routes across different zones, clusters, and clouds.

# Prerequisites

# Set up and run

Two different YAML files are available:

  • demo.yaml installs the basic resources
  • demo-v2.yaml installs the frontend service with different colors. This lets you more clearly view routing across multiple versions, for example.
  1. Install resources in a kuma-demo namespace:

    $ kubectl apply -f demo.yaml
    
    1
  2. Port forward the service to the namespace on port 5000:

    $ kubectl port-forward svc/demo-app -n kuma-demo 5000:5000
    
    1
  3. In a browser, go to 127.0.0.1:5000 and increment the counter.

# Explore the mesh

The demo app includes the kuma.io/sidecar-injection annotation enabled on the kuma-demo namespace. This means that Kuma already knows that it needs to automatically inject a sidecar proxy to every Kubernetes deployment in the default Mesh resource:

apiVersion: v1
kind: Namespace
metadata:
  name: kuma-demo
  namespace: kuma-demo
  annotations:
    kuma.io/sidecar-injection: enabled
1
2
3
4
5
6
7

Run:

$ kubectl get namespace kuma-demo -oyaml
1

to see what the full namespace looks like:

apiVersion: v1
kind: Namespace
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Namespace","metadata":{"annotations":{"kuma.io/sidecar-injection":"enabled"},"name":"kuma-demo"}}
    kuma.io/sidecar-injection: enabled
  creationTimestamp: "2021-08-13T09:17:48Z"
  labels:
    kubernetes.io/metadata.name: kuma-demo
  name: kuma-demo
  resourceVersion: "749"
  uid: 66b1279e-e49c-427d-af01-3adc91e505c1
spec:
  finalizers:
  - kubernetes
status:
  phase: Active
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

You can view the sidecar proxies that are connected to the Kuma control plane:

    # Enable Mutual TLS and Traffic Permissions

    By default the network is unsecure and not encrypted. We can change this with Kuma by enabling the Mutual TLS policy to provision a dynamic Certificate Authority (CA) on the default Mesh resource that will automatically assign TLS certificates to our services (more specifically to the injected dataplane proxies running alongside the services).

    We can enable Mutual TLS with a builtin CA backend by executing:

    $ echo "apiVersion: kuma.io/v1alpha1
    kind: Mesh
    metadata:
      name: default
    spec:
      mtls:
        enabledBackend: ca-1
        backends:
        - name: ca-1
          type: builtin" | kubectl apply -f -
    
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10

    Once Mutual TLS has been enabled, Kuma will not allow traffic to flow freely across our services unless we explicitly create a Traffic Permission policy that describes what services can be consumed by other services. You can try to make requests to the demo application at 127.0.0.1:5000/ (opens new window) and you will notice that they will not work.

    In a live environment we suggest to setup the Traffic Permission policies prior to enabling Mutual TLS in order to avoid unexpected interruptions of the service-to-service traffic.

    We can setup a very permissive policy that allows all traffic to flow in our application in an encrypted way with the following command:

    $ echo "apiVersion: kuma.io/v1alpha1
    kind: TrafficPermission
    mesh: default
    metadata:
      namespace: default
      name: all-traffic-allowed
    spec:
      sources:
        - match:
            kuma.io/service: '*'
      destinations:
        - match:
            kuma.io/service: '*'" | kubectl apply -f -
    
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13

    By doing so every request we now make on our demo application at 127.0.0.1:5000/ (opens new window) is not only working again, but it is automatically encrypted and secure.

    As usual, you can visualize the Mutual TLS configuration and the Traffic Permission policies we have just applied via the GUI, the HTTP API or kumactl.

    # Explore Traffic Metrics

    One of the most important policies that Kuma provides out of the box is Traffic Metrics.

    With Traffic Metrics we can leverage Prometheus and Grafana to provide powerful dashboards that visualize the overall traffic activity of our application and the status of the service mesh.

    To enable traffic metrics we need to first install Prometheus and Grafana:

    $ kumactl install metrics | kubectl apply -f -
    
    1

    This will provision a new kuma-metrics namespace with all the services required to run our metric collection and visualization. Please note that this operation can take a while as Kubernetes downloads all the required containers.

    Once we have installed the required dependencies, we can now go ahead and enable metrics on our Mesh object by executing:

    $ echo "apiVersion: kuma.io/v1alpha1
    kind: Mesh
    metadata:
      name: default
    spec:
      mtls:
        enabledBackend: ca-1
        backends:
        - name: ca-1
          type: builtin
      metrics:
        enabledBackend: prometheus-1
        backends:
        - name: prometheus-1
          type: prometheus" | kubectl apply -f -
    
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15

    This will enable the prometheus metrics backend on the default Mesh and automatically collect metrics for all of our traffic.

    Increment the counter to generate traffic. Then you can expose the Grafana dashboard:

    $ kubectl port-forward svc/grafana -n kuma-metrics 3000:80
    
    1

    and access the dashboard at 127.0.0.1:3000 (opens new window) with default credentials for both the username (admin) and the password (admin).

    Kuma automatically installs three dashboard that are ready to use:

    • Kuma Mesh: to visualize the status of the overall Mesh.
    • Kuma Dataplane: to visualize metrics for a single individual dataplane.
    • Kuma Service to Service: to visualize traffic metrics for our services.

    You can now explore the dashboards and see the metrics being populated over time.

    # Next steps

    • Explore the Policies available to govern and orchestrate your service traffic.
    • Read the full documentation to learn about all the capabilities of Kuma.
    • Chat with us at the official Kuma Slack for questions or feedback.
    Last Updated: 9/13/2021, 2:26:29 PM