kuadrant-operator

README

Kuadrant Operator

The Operator to install and manage the lifecycle of the Kuadrant components deployments.

• Overview
• Architecture
  • Kuadrant components
  • Provided APIs
• Getting started
  • Pre-requisites
  • Installing Kuadrant
  • Protect Your Service
    • If you are an API Provider
    • If you are a Cluster Operator
• User guides
• Kuadrant Rate Limiting
• Documentation
• Contributing
• Licensing

Overview

Kuadrant is a re-architecture of API Management using Cloud Native concepts and separating the components to be less coupled, more reusable and leverage the underlying kubernetes platform. It aims to deliver a smooth experience to providers and consumers of applications & services when it comes to rate limiting, authentication, authorization, discoverability, change management, usage contracts, insights, etc.

Kuadrant aims to produce a set of loosely coupled functionalities built directly on top of Kubernetes. Furthermore it only strives to provide what Kubernetes doesn’t offer out of the box, i.e. Kuadrant won’t be designing a new Gateway/proxy, instead it will opt to connect with what’s there and what’s being developed (think Envoy, Istio, GatewayAPI).

Kuadrant is a system of cloud-native k8s components that grows as users’ needs grow.

• From simple protection of a Service (via AuthN) that is used by teammates working on the same cluster, or “sibling” services, up to AuthZ of users using OIDC plus custom policies.
• From no rate-limiting to rate-limiting for global service protection on to rate-limiting by users/plans

Architecture

Kuadrant relies on Istio and the Gateway API to operate the cluster (istio's) ingress gateway to provide API management with authentication (authN), authorization (authZ) and rate limiting capabilities.

Kuadrant components

CRD	Description
Control Plane	The control plane takes the customer desired configuration (declaratively as kubernetes custom resources) as input and ensures all components are configured to obey customer's desired behavior. This repository contains the source code of the kuadrant control plane
Kuadrant Operator	A Kubernetes Operator to manage the lifecycle of the kuadrant deployment
Authorino	The AuthN/AuthZ enforcer. As the external istio authorizer (envoy external authorization serving gRPC service)
Limitador	The external rate limiting service. It exposes a gRPC service implementing the Envoy Rate Limit protocol (v3)
Authorino Operator	A Kubernetes Operator to manage Authorino instances
Limitador Operator	A Kubernetes Operator to manage Limitador instances

Provided APIs

The kuadrant control plane owns the following Custom Resource Definitions, CRDs:

CRD	Description	Example
RateLimitPolicy CRD [doc] [reference]	Enable access control on workloads based on HTTP rate limiting	RateLimitPolicy CR
AuthPolicy CRD	Enable AuthN and AuthZ based access control on workloads	AuthPolicy CR

Additionally, Kuadrant provides the following CRDs

CRD	Owner	Description	Example
Kuadrant CRD	Kuadrant Operator	Represents an instance of kuadrant	Kuadrant CR
Limitador CRD	Limitador Operator	Represents an instance of Limitador	Limitador CR
Authorino CRD	Authorino Operator	Represents an instance of Authorino	Authorino CR

Getting started

Pre-requisites

• Istio is installed in the cluster. Otherwise, refer to the Istio getting started guide.
• Kubernetes Gateway API is installed in the cluster. Otherwise, configure Istio to expose a service using the Kubernetes Gateway API.

Installing Kuadrant

1. Create the namespace for the Operator

kubectl create namespace kuadrant-system

1. Install Kuadrant dependencies: Authorino and Limitador operators.

make install-dependencies

1. Install the Operator manifests

make install

1. Deploy the Operator

make deploy

Tip: Deploy a custom image of the Operator

To deploy an image of the Operator other than the default quay.io/kuadrant/kuadrant-operator:latest, specify by setting the OPERATOR_IMAGE parameter. E.g.:

make deploy OPERATOR_IMAGE=kuadrant-operator:local

1. Create Kuadrant CR This will setup the required dependencies for protecting your service. At the moment there's no major configuration needed:

kubectl -n kuadrant-system apply -f - <<EOF
apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant-sample
spec: {}
EOF

Protect your service

If you are an API Provider

• Deploy the service/API to be protected ("Upstream")
• Expose the service/API using the kubernetes Gateway API, ie HTTPRoute object.
• Write and apply the Kuadrant's RateLimitPolicy and/or AuthPolicy custom resources targeting the HTTPRoute resource to have your API protected.

If you are a Cluster Operator

• (Optionally) deploy istio ingress gateway using the Gateway resource.
• Write and apply the Kuadrant's RateLimitPolicy and/or AuthPolicy custom resources targeting the Gateway resource to have your gateway traffic protected.

User guides

The user guides section of the docs gathers several use-cases as well as the instructions to implement them using kuadrant.

• Simple rate limiting for API owners
• Authenticated rate limiting for API owners
• Gateway rate limiting for cluster operators
• Authenticated rate limiting with JWTs and Kubernetes authnz

Kuadrant Rate Limiting

Documentation

Docs can be found on the Kuadrant website.

Contributing

The Development guide describes how to build the kuadrant operator and how to test your changes before submitting a patch or opening a PR.

Join us on kuadrant.slack.com for live discussions about the roadmap and more.

Licensing

This software is licensed under the Apache 2.0 license.

See the LICENSE and NOTICE files that should have been provided along with this software for details.