Presenters

Source

Unleash Your gRPC Services: Securely & Confidently on Kubernetes with APK! 🚀

gRPC services are powerful, fast, and production-ready. They’ve revolutionized how microservices communicate with their efficiency and performance. But let’s be honest, deploying and exposing these high-performance services to the outside world – external users, partners, or even other internal teams – often feels like navigating a minefield. How do you maintain control, security, and scalability without burdening your backend teams?

That’s the core challenge we’re tackling today, and we’re thrilled to introduce an elegant open-source solution that makes it all possible: APK (API Platform for Kubernetes).

The Hidden Hurdles of Exposing gRPC Services 🚧

While gRPC shines in backend communication, exposing it externally introduces a unique set of complexities that can slow down development and introduce risks. Here are the major pain points developers and teams face:

  • Authentication & Authorization: You need robust mechanisms like OAuth, JWT, or basic authentication to ensure only authorized users access your services. Implementing these consistently across many services is a significant effort.
  • Policy Enforcement: Organizations often require rate limiting, throttling, or custom governance policies. Applying these uniformly and dynamically to gRPC endpoints can be incredibly difficult, often requiring backend code changes.
  • Request & Response Mediation: Some policies demand intercepting and mediating request and response flows. This can be complex to manage, especially when you want to avoid tightly coupling these concerns with your core service logic.
  • API Lifecycle Management: As your services evolve, managing API versions, deprecation, and retirement becomes critical. Without a centralized approach, this quickly spirals into chaos.
  • Developer Burden: Constantly asking backend teams to implement these cross-cutting concerns for every gRPC service is inefficient and distracts them from core business logic.
  • Kubernetes Complexity: In a Kubernetes environment with numerous nodes and pods, orchestrating and managing these policies across a dynamic microservices landscape becomes even more challenging.

Trying to fix all these issues from the backend side is not only difficult but also unsustainable, especially in a large-scale Kubernetes deployment.

Enter APK: Your Kubernetes-Native gRPC Guardian ✨

Good news! An open-source solution called APK (API Platform for Kubernetes) steps up to solve these challenges head-on. Designed natively for the Kubernetes environment, APK acts as your intelligent gateway for gRPC services.

APK is:

  • Completely Open-Source: Giving you full control and transparency.
  • Microservices-Native: Built with a microservices architecture in mind.
  • Envoy-Powered: It leverages the powerful Envoy Gateway for high-performance traffic management.
  • Java-Based: Utilizing Java as its primary language for robust development.

APK deeply understands Kubernetes, leveraging core components like namespaces, custom resources (CRs), and pods. This means you can define your gRPC API exposures and policies using simple YAML configuration files, applying them directly to your Google Kubernetes clusters.

The Brains Behind the Brawn: APK’s Architecture 🧠

APK’s architecture is intelligently divided into two key layers, ensuring both comprehensive control and real-time efficiency:

  1. Control Plane 🕹️: This is the central hub for managing your APIs. It’s responsible for:

    • Deploying services and creating APIs.
    • Defining and deploying policies (like rate limiting and throttling).
    • Setting up interceptors and mediation flows.
    • Essentially, you define what you want to achieve here, and the Control Plane prepares it for deployment to the gateway.

  2. Data Plane 📡: This is where the real-time action happens. The Data Plane handles all incoming requests, acting as the frontline for your gRPC services. It:

    • Enforces security mechanisms (authentication).
    • Applies rate limiting and throttling policies.
    • Engages mediation policies in both request and response flows.
    • If a policy isn’t applicable, it intelligently bypasses it, ensuring minimal overhead.
    • After the backend service responds, it again checks for any response-flow mediation policies before returning the final response to the client.

This clear separation ensures that policy definition and management are distinct from high-performance traffic handling. API developers start with proto files, generate APK configurations, and then deploy these APIs using either REST APIs or Kubernetes custom resources. The Data Plane then routes requests to your microservices, applies policies, and returns responses efficiently.

Scaling Your gRPC Empire with Ease 📈

When it comes to scaling gRPC services in Kubernetes, APK provides robust solutions for both high traffic and extensive API configurations:

  • Horizontal Scaling for Traffic (Data Plane): For a massive influx of requests (from 10 to 100,000 and beyond), APK supports horizontal scaling. You can easily use Kubernetes’ Horizontal Pod Autoscaler (HPA) to scale up your Data Plane instances, ensuring your gateway can handle increasing load effortlessly.
  • Vertical Scaling for API Configurations (Control Plane): If you have a huge number of API configurations (hundreds or thousands), you can scale the Control Plane by using gateway partitioning. This allows you to deploy specific APIs to designated gateways, optimizing resource usage and management.

APK covers all crucial scaling aspects, letting you grow your gRPC ecosystem with confidence.

Live Demo Highlights: From Zero to Secure gRPC in Minutes! 🛠️

The session included a compelling live demo showcasing APK’s capabilities:

  1. Kubernetes Cluster Setup: A Kubernetes cluster was created, and APK was deployed using its well-crafted Helm charts.
  2. Backend Deployment: A simple “order backend service” was deployed.
  3. API Deployment via REST API:
    • The speaker generated an APK configuration from a proto file.
    • After adding backend endpoint information, the API was deployed using a curl command and a JWT token.
    • The deployed API was then successfully invoked using the gRPCurl CLI tool, demonstrating secure access with a JWT token.
  4. API Deployment via Custom Resources (YAML):
    • The previously deployed API was deleted.
    • A Kubernetes YAML file (a custom resource) was generated from the proto definitions and APK configuration.
    • This YAML file was then applied to the cluster using kubectl apply, showcasing how to deploy APIs declaratively.
  5. Controlling Authentication:
    • A rule was created to disable authentication for an API.
    • This rule was applied, demonstrating how to toggle security mechanisms on the fly.
  6. Implementing Rate Limiting:
    • A rate limiting policy was configured, allowing only 2 requests per minute.
    • The API was invoked multiple times, successfully demonstrating that after two requests, subsequent calls were throttled out, highlighting APK’s policy enforcement.
  7. Header Modification:
    • A rule was defined to change the expected authorization header from Authorization to Test. This is particularly useful for organizations with specific governance policies that require custom header handling.

The demo clearly illustrated APK’s flexibility and power in managing gRPC services within Kubernetes.

Your Burning Questions Answered! 💡

During the Q&A, key insights emerged:

  • Documentation: APK’s documentation is available on GitHub and through WSO2 APK configuration resources.
  • Kubernetes Native: Yes, APK internally creates Custom Resource Definitions (CRDs) in Kubernetes, and you apply configurations over these CRDs.
  • CI/CD Integration: APK fully supports CI/CD pipelines. You can define your YAML configurations and integrate them into your continuous integration and deployment workflows.
  • Kubernetes Version Support: APK supports the latest Kubernetes versions, including recent releases like 1.24, ensuring compatibility with modern cluster environments.
  • Dashboard: Currently, APK is primarily CLI-driven. However, a user-friendly dashboard is actively under development, aiming to provide a more visual experience in the future.

Ready to Elevate Your gRPC Game? 🚀

APK offers a compelling, open-source solution to the intricate challenges of exposing gRPC services. By providing robust authentication, flexible policy enforcement, sophisticated lifecycle management, and seamless scalability, it empowers you to deploy your gRPC microservices on Kubernetes with unmatched confidence.

Dive into APK, explore its capabilities, and transform how you manage your gRPC APIs. The future of secure and scalable gRPC on Kubernetes is here!

Appendix