3 Tips for Deploying APISIX in Kubernetes (Part 1)
March 14, 2024
The era of cloud-native computing has seen widespread adoption of Kubernetes as a container orchestration platform, with Apache APISIX emerging as a high-performance, cloud-native dynamic API gateway. Deploying Apache APISIX in Kubernetes has become increasingly common. However, despite the relatively straightforward deployment process of Apache APISIX on Kubernetes, there are still some key issues to consider. In this series of articles, we will delve into the following topics:
- Considerations for deployment methods
- Health checks, logging, and monitoring
- Handling custom plugins and configurations
In this article, we will focus on the first point, which is the considerations for deployment methods when deploying Apache APISIX in Kubernetes.
Deployment Methods for APISIX in Kubernetes
To smoothly deploy and manage APISIX in Kubernetes while ensuring system stability and reliability, several factors need to be considered in the deployment methods.
1. Separation of Data Plane and Control Plane
When deploying in Kubernetes, it is crucial to keep APISIX's data plane (nodes handling actual traffic) separate from its control plane (nodes managing configurations and processing API calls). This separation offers several benefits:
- Elastic Scalability: The data plane handles actual request processing, while the control plane manages configuration and policy distribution. With separation, the data plane and the control plane can be scaled horizontally and independently, so the system can be adjusted dynamically to the actual workload without over-provisioning either side.
- Fault Isolation: Separating the data and control planes helps achieve fault isolation. If the control plane fails, the data plane continues to serve requests from the configuration it already holds, ensuring service availability, and vice versa. This separation prevents a single-point failure from affecting the entire system, thereby improving fault tolerance and stability.
- Enhanced Security: Separating the data and control planes enhances system security. The control plane typically holds sensitive information such as access control policies and authentication configurations and exposes the Admin API, while the data plane processes actual client requests and is the component exposed to the outside. By deploying them separately, the control plane can be kept off the client-facing network path and protected more tightly, reducing its exposure to attack.
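The split above maps directly onto the `deployment.role` setting in APISIX's `config.yaml`: one set of Pods runs with `role: control_plane` and serves the Admin API, another runs with `role: data_plane` and only serves client traffic. The two fragments below are an added example written for this article, not configuration taken from the APISIX project; the hostnames, CIDR, Admin API key and etcd credentials are placeholders, and the etcd users `apisix-cp` (read-write) and `apisix-dp` (read-only) are assumed to have been created on the etcd side in advance (the role split discussed in the etcd section later in this article).

```yaml
# config.yaml for the control-plane Deployment (added example; all values
# marked "placeholder" are assumptions, not values from the article)
deployment:
  role: control_plane
  role_control_plane:
    config_provider: etcd
  admin:
    admin_listen:
      ip: 0.0.0.0
      port: 9180
    allow_admin:
      - 10.0.0.0/8            # placeholder: restrict the Admin API to the cluster CIDR
    admin_key:
      - name: admin
        key: REPLACE_WITH_LONG_RANDOM_KEY   # placeholder; never ship the default key
        role: admin
  etcd:
    host:
      - "https://etcd.apisix.svc.cluster.local:2379"   # placeholder service name
    prefix: /apisix
    user: apisix-cp            # assumed etcd user with read-write on /apisix/
    password: REPLACE_ME       # placeholder; mount from a Secret in practice
    tls:
      verify: true             # validate the etcd server certificate
---
# config.yaml for the data-plane Deployment (added example). No "admin"
# section: with role data_plane the Admin API is not served at all.
deployment:
  role: data_plane
  role_data_plane:
    config_provider: etcd
  etcd:
    host:
      - "https://etcd.apisix.svc.cluster.local:2379"   # placeholder service name
    prefix: /apisix
    user: apisix-dp            # assumed etcd user with read-only on /apisix/
    password: REPLACE_ME       # placeholder
    tls:
      verify: true
```

With this layout the client-facing Service and Ingress point only at the data-plane Pods, so port 9180 is never reachable from outside the cluster, and a compromised data-plane Pod holds only read-only etcd credentials and cannot rewrite routes for the rest of the fleet.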
2. etcd Persistent Deployment Solution
Apache APISIX offers various configuration modes, such as standalone mode and etcd configuration center mode. If you opt for an etcd cluster as the configuration center for Apache APISIX, there are several considerations to keep in mind:
- Use of StatefulSet: In Kubernetes, StatefulSet is commonly used to deploy etcd. StatefulSet provides stable network identifiers and ordered Pod deployment, which is crucial for a distributed system. Each etcd node can have a unique identifier and its own persistent storage to ensure data safety.
- Proper resource limits: Set appropriate resource requests and limits for etcd Pods to ensure they run smoothly in the cluster. Adjust them according to cluster size and workload to avoid resource shortages or waste.
- Configuring persistent storage: To ensure data persistence and reliability, it is recommended to store etcd data on persistent storage. Kubernetes Persistent Volumes (PVs) and Persistent Volume Claims (PVCs) can be used for this purpose.
- Enabling TLS encryption: Enable TLS in the etcd cluster to protect data in transit. Use certificates and private keys to authenticate the etcd members and encrypt communication between nodes as well as between APISIX and etcd. The certificates can be self-signed or issued by a trusted certificate authority (CA).
- Enabling authentication and authorization: etcd supports authentication based on usernames and passwords, as well as role-based authorization. It is advisable to enable these features in a production environment to ensure that only authorized users can access and modify data in etcd. When connecting the Apache APISIX control plane and data plane to etcd, it is recommended to assign them different roles, such as granting read-write access to the control plane and read-only access to the data plane.
- Regular backups: Regularly back up etcd data to prevent data loss or corruption. Use the backup tooling provided by etcd and store backups in a secure location for recovery when needed. Backups can be hot or cold. For data safety, it is recommended to use an etcd learner (a non-voting member that stays synchronized with the cluster) for hot backup, combined with snapshot-based cold backups, to maximize the chance of recovery.
- Monitoring and alerts: Deploy monitoring tools to observe the health of the etcd cluster in real time. Prometheus is a commonly used monitoring tool that integrates with etcd. Set up alert rules so that action can be taken promptly when problems occur.
- Handling node changes properly: Node additions, removals, or replacements will occur in the etcd cluster over time. Ensure that node changes are handled correctly to avoid data inconsistency and service interruptions.
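The following manifest shows how the StatefulSet, resource limit, persistent storage and TLS points above fit together for a three-member etcd cluster. It is an added example written for this article, not a manifest shipped by the APISIX or etcd projects; the `apisix` namespace, the image tag, the `etcd-tls` Secret, the `standard` storage class and the sizing numbers are all assumptions to be adapted to your cluster. Username/password authentication is enabled separately with `etcdctl auth enable` once the users and roles exist, so it does not appear in the Pod flags.

```yaml
# Headless Service: gives each member a stable DNS name, etcd-N.etcd.apisix.svc.cluster.local
apiVersion: v1
kind: Service
metadata:
  name: etcd
  namespace: apisix            # assumed namespace
spec:
  clusterIP: None
  selector:
    app: etcd
  ports:
    - { name: client, port: 2379 }
    - { name: peer, port: 2380 }
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: etcd
  namespace: apisix
spec:
  serviceName: etcd            # must match the headless Service above
  replicas: 3
  selector:
    matchLabels:
      app: etcd
  template:
    metadata:
      labels:
        app: etcd
    spec:
      containers:
        - name: etcd
          image: quay.io/coreos/etcd:v3.5.12   # assumed tag; pin the version you validated
          env:
            - name: POD_NAME               # etcd-0, etcd-1, etcd-2: the StatefulSet ordinal
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          command:
            - /bin/sh
            - -ec
            - |
              # Member name and advertised URLs are derived from the stable Pod name,
              # so a restarted Pod rejoins as the same member with the same data.
              exec etcd \
                --name "$POD_NAME" \
                --data-dir /var/lib/etcd \
                --listen-client-urls https://0.0.0.0:2379 \
                --advertise-client-urls "https://$POD_NAME.etcd.apisix.svc.cluster.local:2379" \
                --listen-peer-urls https://0.0.0.0:2380 \
                --initial-advertise-peer-urls "https://$POD_NAME.etcd.apisix.svc.cluster.local:2380" \
                --initial-cluster etcd-0=https://etcd-0.etcd.apisix.svc.cluster.local:2380,etcd-1=https://etcd-1.etcd.apisix.svc.cluster.local:2380,etcd-2=https://etcd-2.etcd.apisix.svc.cluster.local:2380 \
                --initial-cluster-state new \
                --cert-file /etc/etcd/tls/tls.crt \
                --key-file /etc/etcd/tls/tls.key \
                --trusted-ca-file /etc/etcd/tls/ca.crt \
                --peer-cert-file /etc/etcd/tls/tls.crt \
                --peer-key-file /etc/etcd/tls/tls.key \
                --peer-trusted-ca-file /etc/etcd/tls/ca.crt \
                --peer-client-cert-auth
          # Requests guarantee scheduling headroom; limits stop a leaking member from
          # starving its neighbours. Sizes are assumptions; tune to your key count and QPS.
          resources:
            requests: { cpu: 500m, memory: 1Gi }
            limits: { cpu: "2", memory: 2Gi }
          readinessProbe:
            exec:
              command: ["etcdctl", "--endpoints=https://127.0.0.1:2379",
                        "--cacert=/etc/etcd/tls/ca.crt", "endpoint", "health"]
            periodSeconds: 10
          volumeMounts:
            - { name: data, mountPath: /var/lib/etcd }
            - { name: tls, mountPath: /etc/etcd/tls, readOnly: true }
      volumes:
        - name: tls
          secret:
            secretName: etcd-tls   # assumed Secret containing tls.crt, tls.key and ca.crt
  # One PVC per member, created from this template and kept across Pod restarts.
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: standard   # assumed storage class; prefer SSD-backed storage
        resources:
          requests:
            storage: 10Gi
```

Two practical caveats: the certificate in `etcd-tls` must carry SANs for every member's DNS name (and `127.0.0.1` for the probe) and be usable for both server and client authentication, because the same file is presented to peers with `--peer-client-cert-auth`; and `--initial-cluster-state new` is only right for first bootstrap. Replacing a member later goes through `etcdctl member remove` / `member add` with `--initial-cluster-state existing`, which is the "handling node changes" item above in concrete form. Cold backups are taken with `etcdctl snapshot save` against one member and copied off-cluster.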
3. Using APISIX Ingress Controller Instead of K8s Ingress Controller
APISIX Ingress Controller is a tool focused on API management, offering high performance and flexible configuration options. If you require more complex routing rules, rate limiting, circuit breaking, and other advanced features, APISIX Ingress Controller may be a better choice. It provides a rich plugin system, allowing integration of plugins through APISIX Ingress CRD using declarative configuration to handle authentication, authorization, monitoring, logging, and other functionalities. This enriches the capabilities of APISIX Ingress Controller and simplifies configuration.
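As an added example of the declarative style described above (written for this article, not taken from the APISIX Ingress Controller documentation), the manifest below publishes an `orders` Service through an `ApisixRoute` and attaches three plugins: `key-auth` for authentication, `limit-count` for rate limiting, and `api-breaker` for circuit breaking. The hostname, Service name and port, the `mobile-app` consumer and its `mobile-app-key` Secret are assumptions.

```yaml
# ApisixRoute: host/path matching plus plugins, all declared in one CRD object
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: orders-api
  namespace: default
spec:
  http:
    - name: orders
      match:
        hosts:
          - api.example.com        # assumed hostname
        paths:
          - /orders/*
        methods: [GET, POST]
      backends:
        - serviceName: orders      # assumed Kubernetes Service in the same namespace
          servicePort: 8080
      plugins:
        # Reject requests that do not carry a valid API key for a known consumer.
        - name: key-auth
          enable: true
        # At most 100 requests per client IP per 60 s window; excess gets 429.
        - name: limit-count
          enable: true
          config:
            count: 100
            time_window: 60
            rejected_code: 429
            key_type: var
            key: remote_addr
        # Open the circuit after 3 upstream 5xx responses, close it again after
        # 3 successes; while open, answer 503 locally instead of hitting the backend.
        - name: api-breaker
          enable: true
          config:
            break_response_code: 503
            max_breaker_sec: 300
            unhealthy:
              http_statuses: [500, 503]
              failures: 3
            healthy:
              http_statuses: [200]
              successes: 3
---
# ApisixConsumer: the identity that key-auth authenticates. The key itself lives
# in a Secret (assumed name) rather than in the CRD, so it is not committed to git.
apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
  name: mobile-app
  namespace: default
spec:
  authParameter:
    keyAuth:
      secretRef:
        name: mobile-app-key     # assumed Secret with a "key" entry
```

Everything here is reconciled by the controller into APISIX routes and consumers, so the same objects can be reviewed in a pull request and applied with `kubectl apply`; there is no need to call the Admin API by hand, and the Admin API can stay unreachable from outside the cluster as in the control-plane/data-plane split described earlier.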
If you need a comprehensive configuration interface and deep integration with Kubernetes, consider the Full API Lifecycle Management Platform API7 Enterprise based on Apache APISIX. API7 Enterprise provides a comprehensive solution for advanced automation, monitoring, and troubleshooting, offering more reliable support for businesses.
Conclusion
When deploying APISIX in Kubernetes, attention needs to be paid to several aspects. Firstly, focus on the separation of data plane and control plane to achieve elastic scalability, fault isolation, and enhanced security. Secondly, adopt an etcd-based persistence deployment scheme to ensure the persistence and reliability of configurations. Additionally, consider using a more suitable APISIX Ingress Controller instead of the K8s Ingress Controller to gain richer functionality and simpler configuration. Only by adhering to these best practices can system stability and reliability be ensured.