Skip to content

Plugin: Kourier #6456

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

Plugin: Kourier #6456

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e1b40e7
Create installing-kourier.md
iRaindrop Oct 17, 2025
0f64acf
Added to nav and small edit
iRaindrop Oct 17, 2025
c31c34b
Update installing-kourier.md
iRaindrop Oct 18, 2025
e5956c0
Update installing-kourier.md
iRaindrop Oct 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion docs/versioned/.nav.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -254,7 +254,8 @@ nav:
- Configuring Knative Eventing CRDs: install/operator/configuring-eventing-cr.md
- Installing plugins:
- Install Istio for Knative: install/installing-istio.md
# TODO: docs for kourier, contour, gateway-api
- Install Kourier for Knative: install/installing-kourier.md
# TODO: docs for contour, gateway-api
- Install Kafka for Knative: install/eventing/kafka-install.md
- Install RabbitMQ for Knative: install/eventing/rabbitmq-install.md
# N.B. this duplicates an "eventing" topic above, cross-referenced here.
Expand Down
220 changes: 220 additions & 0 deletions docs/versioned/install/installing-kourier.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,220 @@
---
audience: administrator
components:
- serving
function: how-to
---

# Installing Kourier for Knative

This page walks you through manually installing and customizing Kourier for use with Knative. Kourier is an ingress for Knative Serving. Kourier is a lightweight alternative for the Istio ingress as its deployment consists only of an [Envoy proxy](https://www.envoyproxy.io) and a control plane for it.

## Before you begin

This installation is recommended for Knative installations without Istio installed.

You need:

- A Kubernetes cluster with the Knative Serving component installed.

## Supported Kourier versions

You can view the latest tested Kourier version on the [Kourier releases page](https://github.com/knative-extensions/net-kourier/releases).

## Installing Kourier

1. Install Knative Serving if not already installed:

``` bash
kubectl apply -f https://github.com/knative/serving/releases/latest/download/serving-crds.yaml
kubectl apply -f https://github.com/knative/serving/releases/latest/download/serving-core.yaml
```
Comment on lines +26 to +31
Copy link
Member

@dprotaso dprotaso Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Link to Serving installation page?

Copy link
Contributor Author

@iRaindrop iRaindrop Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Dave - yes we should link to installing a network layer for both kourier and Contour. Will consult with Evan.

Copy link
Member

@evankanderson evankanderson Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I'd link this to ./yaml-install/serving/install-serving-with-yaml.md, rather than including inline instructions.

Also, we say that having Knative Serving installed is a pre-requisite, so it's weird to also have install instructions here.

I don't recall what the equivalent Operator version is, so you might want to leave a <!-- TODO: add operator-equivalent instructions --> somewhere in this file.


1. Install Kourier:

```bash
kubectl apply -f https://github.com/knative/net-kourier/releases/latest/download/kourier.yaml
Copy link
Member

@dprotaso dprotaso Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

latest should be a release version - we have a macro somewhere for that

Copy link
Member

@evankanderson evankanderson Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
kubectl apply -f https://github.com/knative/net-kourier/releases/latest/download/kourier.yaml
kubectl apply -f {{ artifact(repo="net-kourier",org="knative-extensions",file="kourier.yaml" }}

(Taken from the install-serving-with-yaml.md instructions.)

```

1. Configure Knative Serving to use the proper `ingress.class`:

```bash
kubectl patch configmap/config-network \
-n knative-serving \
--type merge \
-p '{"data":{"ingress.class":"kourier.ingress.networking.knative.dev"}}'
```

1. Optional - Set your desired domain (replace `127.0.0.1.nip.io` to your preferred domain):

```bash
kubectl patch configmap/config-domain \
-n knative-serving \
--type merge \
-p '{"data":{"127.0.0.1.nip.io":""}}'
```
Comment on lines +48 to +55
Copy link
Member

@evankanderson evankanderson Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not Kourier-specific, though we should describe how to find Kourier's external IP address (from install-serving-with-yaml.md):

kubectl --namespace kourier-system get service kourier

I would put this in a separate section (since we have its own page). Something like "DNS configuration"


1. Optional - Deploy a sample hello world app:

```bash
cat <<-EOF | kubectl apply -f -
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
name: helloworld-go
spec:
template:
spec:
containers:
- image: gcr.io/knative-samples/helloworld-go
env:
- name: TARGET
value: Go Sample v1
EOF
```
Comment on lines +59 to +74
Copy link
Member

@evankanderson evankanderson Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again, I would either omit this, or put it in a "verification" section, since it's not required for the installation.


1. Optional - For testing purposes, you can use port-forwarding to make requests to Kourier from your machine:

```bash
kubectl port-forward --namespace kourier-system $(kubectl get pod -n kourier-system -l "app=3scale-kourier-gateway" --output=jsonpath="{.items[0].metadata.name}") 8080:8080 19000:9000 8443:8443

curl -v -H "Host: helloworld-go.default.127.0.0.1.nip.io" http://localhost:8080
```
Comment on lines +76 to +82
Copy link
Member

@evankanderson evankanderson Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I probably wouldn't include this at all. If we do want to include these commands, I'd put them under verification / troubleshooting, with the detail that these commands can help take external DNS resolution and cluster loadbalancing out of the picture if you think you're having trouble with those components. But I'd expect most administrators to be able to check those components themselves, since we're assuming that they have cluster administration experience, and a cluster with malfunctioning load balancing or DNS is probably going to have problems beyond Knative Serving.


## Deployment

By default, the deployment of the Kourier components is split between two different namespaces:

- `knative-serving` - Namespace where Kourier control is deployed.
Copy link
Member

@evankanderson evankanderson Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- `knative-serving` - Namespace where Kourier control is deployed.
- `knative-serving` - Namespace where Kourier controlle is deployed.

- `kourier-system` - Namespace where gateways are deployed.

To change the Kourier gateway namespace, you will need to:

- Modify the files in `config/` and replace all the namespaces fields that have `kourier-system` with the desired namespace.
- Set the `KOURIER_GATEWAY_NAMESPACE` environmental variable in the `kourier-control` deployment to the new namespace.

## Features

Kourier provides the following features:

- Traffic splitting between Knative revisions.
- Automatic update of endpoints as they are scaled.
- Support for gRPC services.
- Timeouts and retries.
- TLS
- Cipher Suite
- External Authorization support.
- Proxy Protocol (AN EXPERIMENTAL / ALPHA FEATURE)

## Setup TLS certificate
Copy link
Member

@evankanderson evankanderson Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would put this and the remaining topics under a "Configuration" header, and move e.g. h2 elements to h3, and h3 to h4.


Create a secret containing your TLS certificate and Private key:

```bash
kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}
```

Add the following env vars to net-kourier-controller in the "kourier" container:

```bash
CERTS_SECRET_NAMESPACE: ${NAMESPACES_WHERE_THE_SECRET_HAS_BEEN_CREATED}
CERTS_SECRET_NAME: ${CERT_NAME}
```

### Cipher Suites

You can specify the cipher suites for TLS external listener. To specify the cipher suites you want to allow, run the following command to patch config-kourier ConfigMap:

```bash
kubectl -n "knative-serving" patch configmap/config-kourier \
--type merge \
-p '{"data":{"cipher-suites":"ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-CHACHA20-POLY1305"}}'
```

The default uses the default cipher suites of the envoy version.

## External Authorization Configuration

If you want to enable the external authorization support you can set these environment variables in the `net-kourier-controller` deployment:

| Environment Variable | Description |
|---| --- |
| `KOURIER_EXTAUTHZ_HOST` | Required. The external authorization service and port: `my-auth:2222` |
| `KOURIER_EXTAUTHZ_FAILUREMODEALLOW` | Required. Allow traffic to go through if the ext auth service is down. Accepts true/false |
| `KOURIER_EXTAUTHZ_PROTOCOL` | The protocol used to query the ext auth service. Can be one of: GRPC, HTTP, or HTTPS. Defaults to GRPC |
| `KOURIER_EXTAUTHZ_MAXREQUESTBYTES` | Max request bytes defaults to 8192 bytes. For more information, see [BufferSettings](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto.html#extensions-filters-http-ext-authz-v3-buffersettings) in Envoy documentation.|
| `KOURIER_EXTAUTHZ_TIMEOUT` | Max time in ms to wait for the ext authz service. Defaults to 2s |
| `KOURIER_EXTAUTHZ_PATHPREFIX` | If `KOURIER_EXTAUTHZ_PROTOCOL` is equal to HTTP or HTTPS path to query the ext auth service. For example, if set to `/verify` it will query `/verify/` (notice the trailing `/`). If not set it will query `/` |
| `KOURIER_EXTAUTHZ_PACKASBYTES` | If `KOURIER_EXTAUTHZ_PROTOCOL` is equal to grpc sends the body as raw bytes instead of a UTF-8 string. Accepts only true/false t/f or 1/0. Attempting to set another value will throw an error. Defaults to false. For more information, see [BufferSettings](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto.html#extensions-filters-http-ext-authz-v3-buffersettings) in Envoy documentation. |

## Proxy Protocol Configuration

Note: this is an experimental/alpha feature.

To enable proxy protocol feature, run the following command to patch config-kourier ConfigMap:

```bash
kubectl patch configmap/config-kourier \
-n knative-serving \
--type merge \
-p '{"data":{"enable-proxy-protocol":"true"}}'
```

Ensure that the file was updated successfully:

```bash
kubectl get configmap config-kourier --namespace knative-serving --output yaml
```

### LoadBalancer configuration

Use your load balancer provider annotation to enable proxy-protocol.

- If you are planning to enable external-domain-tls, use your load balancer (LB) provider annotation to specify a custom name to use for the load balancer. This is used to work around the issue of kube-proxy adding external LB address to node local iptables rule, which will break requests to an LB from in-cluster if the LB is expected to terminate SSL or proxy protocol.

- Change the external Traffic Policy to local so the LB we'll preserve the client source IP and avoids a second hop for LoadBalancer.

Example (Scaleway provider):

```bash
apiVersion: v1
kind: Service
metadata:
name: kourier
namespace: kourier-system
annotations:
service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: '*'
service.beta.kubernetes.io/scw-loadbalancer-use-hostname: "true"
labels:
networking.knative.dev/ingress-provider: kourier
spec:
ports:
- name: http2
port: 80
protocol: TCP
targetPort: 8080
- name: https
port: 443
protocol: TCP
targetPort: 8443
selector:
app: 3scale-kourier-gateway
externalTrafficPolicy: Local
type: LoadBalancer
```

## Tips

Domain Mapping is configured to explicitly use http2 protocol only. This behaviour can be disabled by adding the following annotation to the Domain Mapping resource

```bash
kubectl annotate domainmapping <domain_mapping_name> kourier.knative.dev/disable-http2=true --namespace <namespace>
```

A good use case for this configuration is DomainMapping with Websocket

This annotation is an experimental feature. The annotation name my change in the future.

## What's next

- View the [Knative Serving documentation](../serving/README.md).
Loading