To start learning how Kong Mesh works, you run and secure a simple demo application that consists of two services:
demo-app: a web application that lets you increment a numeric counter. It listens on port 5050kv: an in-memory http database that lets you increment a numeric counter. It listens on port 5050--- title: Service graph of the demo app --- flowchart LR demo-app(demo-app :5050) kv(kv :5050) demo-app --> kv
Start a new Kubernetes cluster on your local machine by executing the command below. The -p option creates a new profile named ‘mesh-zone’.”
minikube start -p mesh-zone
You can skip this step if you already have a Kubernetes cluster running. It can be a cluster running locally or in a public cloud like AWS EKS, GCP GKE, etc.
Install Kong Mesh control plane with Helm by executing:
helm repo add kong-mesh https://kong.github.io/kong-mesh-charts
helm repo update
helm install --create-namespace --namespace kong-mesh-system kong-mesh kong-mesh/kong-mesh
kubectl apply -f https://raw.githubusercontent.com/kumahq/kuma-counter-demo/refs/heads/main/k8s/000-with-kuma.yaml
kubectl wait -n kuma-demo --for=condition=ready pod --selector=app=demo-app --timeout=90s
Port-forward the service to the namespace on port 5000:
kubectl port-forward svc/demo-app -n kuma-demo 5050:5050
You can also use the command line
curl -XPOST localhost:5050/api/counteror play with the demo in Insomnia.
The demo app includes the kuma.io/sidecar-injection label enabled on the kuma-demo namespace.
apiVersion: v1
kind: Namespace
metadata:
name: kuma-demo
labels:
kuma.io/sidecar-injection: enabled
This means that Kong Mesh already knows that it needs to automatically inject a sidecar proxy to every Kubernetes pod in the kuma-demo namespace.
You can view the sidecar proxies that are connected to the Kong Mesh control plane.
Kong Mesh ships with a read-only GUI that you can use to retrieve Kong Mesh resources. By default, the GUI listens on the API port which defaults to 5681.
To access Kong Mesh we need to first port-forward the API service with:
kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681
And then navigate to 127.0.0.1:5681/gui to see the GUI.
To learn more, read the documentation about the user interface.
By default, the network is insecure and not encrypted. We can change this with Kong Mesh by enabling the Mutual TLS policy to provision a Certificate Authority (CA) that will automatically assign TLS certificates to our services (more specifically to the injected data plane proxies running alongside the services).
We can enable Mutual TLS with a builtin CA backend by executing:
kubectl patch mesh default --type merge --patch "$(curl https://raw.githubusercontent.com/kumahq/kuma-counter-demo/refs/heads/main/kustomize/overlays/001-with-mtls/mesh.yaml)"
Which will update Mesh config to:
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
name: default
spec:
meshServices:
mode: Exclusive
mtls:
backends:
- name: ca-1
type: builtin
enabledBackend: ca-1
The traffic is now encrypted and secure. Kong Mesh does not define default traffic permissions, which means that no traffic will flow with mTLS enabled until we define a proper MeshTrafficPermission policy.
For now, the demo application won’t work.
You can verify this by clicking the increment button again and seeing the error message in the browser.
We can allow the traffic from the demo-app to kv by applying the following MeshTrafficPermission:
kubectl apply -f https://raw.githubusercontent.com/kumahq/kuma-counter-demo/refs/heads/main/kustomize/overlays/001-with-mtls/mesh-traffic-permission.yaml
Which will create resource:
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
namespace: kuma-demo
name: kv
spec:
targetRef:
kind: Dataplane
labels:
app: kv
from:
- targetRef:
kind: MeshSubset
tags:
app: demo-app
k8s.kuma.io/namespace: kuma-demo
default:
action: Allow
You can click the increment button, the application should function once again.
However, the traffic to kv from any other service than demo-app is not allowed.