Kuma Star

Delegated gateways

Delegated gateways allow you to integrate existing API gateway solutions into your mesh.

In delegated gateway mode, Kuma configures an Envoy sidecar for your API gateway. Handling incoming traffic is left to the API gateway while Envoy and Kuma take care of traffic leaving the gateway for the mesh. The non-Kuma gateway is in charge of policy like security or timeouts when it comes to incoming traffic and Kuma takes over after traffic leaves the gateway destinated for the mesh.

At a technical level the delegated gateway sidecar is similar to any other sidecar in the mesh except that incoming traffic bypasses the sidecar and directly reaches the gateway.

Delegated gateway

New to Kuma? Checkout our guide to get quickly started with delegated gateways!

Usage

Kuma supports most ingress controllers. However, the recommended gateway in Kubernetes is Kong. You can use Kong Ingress Controller for Kubernetes to implement authentication, transformations, and other functionality across Kubernetes clusters with zero downtime.

Service upstream

Remember that Kuma takes over from kube-proxy when it comes to managing endpoints for Service traffic. Ingress controllers generally do the same thing for upstream traffic. In order for these two functionalities not to conflict with each other, Services are required to have the ingress.kubernetes.io/service-upstream=true annotation. With this annotation the ingress controller sends traffic to the Service IP instead of directly to the endpoints selected by the Service. Kuma then routes this Service traffic to endpoints as configured by the mesh. Kuma automatically injects this annotation for every Service that is part of the mesh.

Delegated gateway Dataplanes

To use the delegated gateway feature, mark your API Gateway’s Pod with the kuma.io/gateway: enabled annotation. The control plane automatically generates Dataplane objects.

For example:

apiVersion: apps/v1
kind: Deployment
metadata:
  ...
spec:
  template:
    metadata:
      annotations:
        kuma.io/gateway: enabled
      ...

Now the gateway can send traffic to any services in the mesh including other zones.

Note that in order to send multi-zone traffic you can either use the .mesh address or create a Service of type ExternalName that points to that URL.