How Does API7 Enterprise Proxy Applications in Kubernetes Clusters?

In the dynamic era of cloud-native technologies, Kubernetes has emerged as the go-to solution for many enterprises seeking to build resilient and scalable applications. API7 Enterprise offers powerful capabilities in security and traffic management, coupled with exceptional performance. API7 Enterprise integrates with the Kubernetes Service Discovery, serving as a proxy for applications deployed within a Kubernetes cluster. Let's go exploring the process of utilizing API7 Enterprise to proxy applications in your Kubernetes cluster.

Prerequisites

1. Install API7 Enterprise

Note: If API7 Enterprise is not already deployed within Kubernetes clusters, configure the network settings of the machine hosting API7 EE to ensure accessibility to upstream pods in the Kubernetes environment.

2. Deploy Services in Kubernetes

If you've already deployed services in Kubernetes, you can skip this step. Otherwise, execute the following command to create services:

# create a new namespace
kubectl create namespace api7ee

kubectl create deployment httpbin --image=kennethreitz/httpbin:latest -n api7ee
kubectl create service clusterip httpbin --tcp=80:80 -n api7ee

3. Create a Kubernetes Service Account

• API7 Enterprise relies on this credential for accessing the Kubernetes API and fetching upstream configurations. Consequently, We need to create an RBAC resource first. The following is the specific YAML file configuration:

    # rbac.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: api7-k8s-sd-watcher
    rules:
      - apiGroups: [""]
        resources: ["endpoints"]
        verbs: ["list", "watch"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: api7-k8s-sd-watcher-binding
    subjects:
      - kind: ServiceAccount
        name: api7-k8s-sd-sa
        namespace: api7ee
    roleRef:
      kind: ClusterRole
      name: api7-k8s-sd-watcher
      apiGroup: rbac.authorization.k8s.io
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: api7-k8s-sd-sa
      namespace: api7ee
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: api7-k8s-sd-secret
      namespace: api7ee
      annotations:
        kubernetes.io/service-account.name: api7-k8s-sd-sa
    type: kubernetes.io/service-account-token
  
  

• Create RBAC resources and get this token.

  kubectl apply -f rbac.yaml -n api7ee
  kubectl get secrets api7-k8s-sd-secret -n api7ee -ojsonpath='{.data.token}' | base64 -d
  

Implementation of Kubernetes Service Discovery in API7 Enterprise

Connecting to the Kubernetes Service Registry

1. Go to an existing gateway group and access the Service Registry through the left-hand menu.

2. Click the Add Service Registry Connection button. Select Kubernetes as the discovery type and provide the Kubernetes API service access address and token.

3. Once API7 Enterprise establishes a successful connection to the service registry, you will see a healthy status.

Publishing the Service for Testing

1. Navigate to the service page, click to create a new service, and add the /anything route.

2. Proceed to publish the service, and choose the appropriate upstream:

3. After publishing, you can test it using curl.

Summary

In conclusion, we have talked about the steps to leverage the API7 Enterprise for proxying Kubernetes services. For more information about the features of the API7 Enterprise, please don't hesitate to get in touch with us.