Kong Mesh
Kong Mesh excels in security and scalability for microservices.
Basic Information
Kong Mesh is an enterprise-grade service mesh built on CNCF's Kuma and Envoy, designed for simplicity, security, and scalability across any cloud or environment. It provides out-of-the-box service connectivity, discovery, zero-trust security, traffic reliability, and global observability for microservices.
- Model: Kong Mesh (based on Kuma and Envoy)
- Version: Latest stable version is 2.12.x, with recent updates including 2.12.3 and 2.11.6.
- Release Date: Kong Mesh 2.0 was released in October 2022. Kong Mesh 2.9 was announced for mid-September 2024. Kong Mesh 2.12 was recently announced.
- Minimum Requirements:
  - Control Plane: 4 vCPU and 2 GB of memory to accommodate over 1000 data planes.
  - Data Plane Proxy: Approximately 1 MB of memory per data plane.
  - Kubernetes Sidecar Container: Requests 50m CPU and 64Mi memory; limits 1000m CPU and 512Mi memory.
- Supported Operating Systems: Universal support for Kubernetes and VM-based services. This includes Red Hat OpenShift, Red Hat Enterprise Linux, and Amazon ECS.
- Latest Stable Version: Kong Mesh 2.12.x.
- End of Support Date: Kong Mesh follows a version support policy outlining its lifecycle from release to sunset. Specific end-of-support dates are not explicitly detailed in public search results but are governed by this policy.
- End of Life Date: Not explicitly detailed in public search results.
- Auto-update Expiration Date: Not explicitly detailed in public search results.
- License Type: Commercial enterprise license. A pre-bundled demo license allows up to 5 Data Plane Proxies and expires after 30 days. Full licenses are scoped by the total number of connected Data Plane Proxies and carry an expiration date.
- Deployment Model: Can be deployed in single-zone or multi-zone topologies, supporting multi-cloud and multi-cluster environments with global/remote control plane modes. It runs on Kubernetes, VMs, and bare metal.
Technical Requirements
Kong Mesh is designed for flexibility across diverse infrastructure.
- RAM:
  - Control Plane: Minimum 2 GB for managing over 1000 data planes.
  - Data Plane Proxy: Approximately 1 MB per data plane.
  - Kubernetes Sidecar: Requests 64Mi, limits 512Mi.
- Processor:
  - Control Plane: Minimum 4 vCPU for managing over 1000 data planes; additional CPUs speed up propagation of configuration changes because the control plane parallelizes well.
  - Architecture: Supports x86_64 and arm64 architectures.
  - Kubernetes Sidecar: Requests 50m CPU, limits 1000m CPU.
- Storage: Not explicitly detailed. The control plane requires persistent storage for configuration and status updates, commonly a PostgreSQL database.
- Display: Not applicable for core functionality; a web UI is available for management.
- Ports: Control Plane and Data Plane proxies communicate over several ports, with TLS encryption protecting that communication.
- Operating System: Kubernetes (any distribution, including OpenShift), Virtual Machines (VMs), and bare metal.
Analysis of Technical Requirements
Kong Mesh's technical requirements are scalable, allowing for efficient deployment from small to large enterprise environments. The control plane's ability to handle over 1000 data planes with modest CPU and memory resources highlights its efficiency. The minimal memory footprint for data plane proxies (1MB) and Kubernetes sidecars (64Mi requested) makes it suitable for microservices architectures where resource optimization is crucial. The support for both x86_64 and arm64 architectures ensures broad compatibility across modern hardware. The system is designed to be flexible, running on various platforms including Kubernetes, VMs, and bare metal, accommodating diverse infrastructure strategies.
Support & Compatibility
Kong Mesh offers comprehensive support and compatibility across various environments and integrates with other Kong products.
- Latest Version: Kong Mesh 2.12.x.
- OS Support: Kubernetes (including Red Hat OpenShift), Virtual Machines, and bare metal environments.
- End of Support Date: Governed by Kong Mesh's version support policy.
- Localization: Documentation is primarily in English, with some pages indicating translation in progress (e.g., Japanese).
- Available Drivers: Kong Mesh leverages Envoy as its data plane, which is highly compatible with various network drivers and configurations. It also supports eBPF for traffic redirection, enhancing performance.
Analysis of Overall Support & Compatibility Status
Kong Mesh demonstrates strong support and compatibility, particularly for enterprise environments. Its foundation on Kuma and Envoy, both widely adopted open-source projects, ensures a robust and well-maintained core. The universal support for Kubernetes and VMs, including specific integrations with Red Hat OpenShift and Amazon ECS, makes it highly adaptable to diverse deployment strategies. Kong provides enterprise-grade 24x7 support and maintenance for its licensed products. The continuous release cycle, with versions like 2.12.x, indicates active development and ongoing improvements. Compatibility with previous Envoy minor versions is also maintained.
Security Status
Kong Mesh prioritizes zero-trust security for microservices with a robust set of features.
- Security Features:
  - Mutual TLS (mTLS) Encryption: Automatic certificate management, two-way authentication, and end-to-end encryption for all traffic within the mesh, transparent to applications.
  - Traffic Permissions: Restrict service-to-service communication.
  - Open Policy Agent (OPA) Integration: Fine-grained authorization of service requests and policy enforcement.
  - Role-Based Access Control (RBAC): Restrict access to resources and actions based on user roles, with auditing capabilities.
  - FIPS 140-2 Support: Compliance for government agencies, implemented via Envoy's FIPS-compliant BoringSSL mode.
  - Multi-zone Authentication: Secure authentication of zone Control Planes to the global Control Plane.
  - Certificate Authority Rotation: Rotate the mTLS certificate authority while keeping communication between applications secured.
  - Secrets Management: Integration with HashiCorp Vault, AWS, and GCP secret management services.
  - MeshTLS Policy: Granular configuration of TLS behaviors, including versions and ciphers, targeting specific services.
- Known Vulnerabilities: Not explicitly detailed in public search results, but regular updates and security features suggest active management of potential vulnerabilities.
- Blacklist Status: No indication of blacklist status.
- Certifications: FIPS 140-2 compliance. Certified in the Red Hat ecosystem for UBI images.
- Encryption Support: Mutual TLS (mTLS) for all in-mesh communication, TLS for control plane communication.
- Authentication Methods: Mutual TLS, multi-zone authentication, and integration with external identity providers via OPA.
- General Recommendations: Implement zero-trust principles, leverage mTLS, traffic permissions, and OPA policies for robust microservices security. Regularly update to the latest versions to benefit from security enhancements.
Analysis on the Overall Security Rating
Kong Mesh offers a strong security posture, particularly for enterprise microservices environments. Its core design principle of zero-trust security, enforced through automatic mTLS, traffic policies, and OPA integration, significantly reduces the attack surface. The inclusion of FIPS 140-2 support and robust RBAC capabilities makes it suitable for highly regulated industries. The continuous development of security features, such as the granular MeshTLS policy in version 2.9, demonstrates a commitment to addressing evolving security needs. While specific vulnerability lists are not publicly detailed, the comprehensive security suite and regular updates suggest a proactive approach to maintaining a secure platform.
Performance & Benchmarks
Kong Mesh is built for performance and scalability, leveraging Envoy and Kuma's architecture.
- Benchmark Scores: While specific benchmark scores for Kong Mesh are not extensively detailed in public search results, its underlying components (Kuma and Envoy) are known for high performance. Kong Gateway, which can integrate with Kong Mesh, has published performance results, showing strong performance up to the 99th percentile, though latency can spike at higher percentiles compared to alternatives like NGINX.
- Real-world Performance Metrics:
  - Control Plane: A 4 vCPU, 2 GB memory control plane can manage over 1000 data planes.
  - Data Plane Proxy: Approximately 1 MB memory per data plane.
  - Latency: Kong Mesh 2.0 introduced eBPF support, resulting in up to a 12% latency improvement for sidecar performance.
- Scalability: Designed to scale horizontally for numerous data planes and support multiple clusters or hybrid service meshes.
- Power Consumption: Not explicitly detailed, but efficient resource utilization (low memory per data plane, optimized CPU usage for control plane) suggests a focus on operational efficiency.
- Carbon Footprint: Not explicitly detailed.
- Comparison with Similar Assets:
  - Often compared to other service mesh solutions such as VMware Tanzu Platform, HAProxy, Red Hat OpenShift Service Mesh, NGINX Service Mesh, and Linkerd.
  - Users rate Kong Mesh higher than NGINX Service Mesh (Legacy) and Linkerd for service and support, and rate its integration and deployment as easier than Linkerd's.
  - Some users find other service meshes such as Istio overly complex, with Kuma (the foundation of Kong Mesh) appearing simpler.
Analysis of the Overall Performance Status
Kong Mesh is engineered for high performance and scalability in microservices environments. Its architecture, built on Envoy and Kuma, is optimized for efficient traffic management and low latency. The ability of the control plane to manage a large number of data planes with relatively modest resources, coupled with the low memory footprint of individual data plane proxies, underscores its efficiency. Performance enhancements like eBPF support further reduce latency. While direct comparative benchmarks against all competitors are not readily available, user feedback and comparisons with other service meshes suggest a favorable position in terms of ease of use and integration, which indirectly contributes to operational performance. Performance fine-tuning options, such as optimizing database connections and configuring reachable services, allow for further customization to meet specific workload demands.
User Reviews & Feedback
User reviews highlight Kong Mesh's strengths in enterprise features, security, and scalability, while also pointing out areas for improvement in documentation and initial complexity.
- Strengths:
  - Enterprise-grade functionality and support for Kubernetes and VMs across any cloud.
  - Built on widely used open-source projects (Envoy and Kuma).
  - Easy to understand, secure, and performs well through its load balancing.
  - Seamless integration with Kong Enterprise for a full-stack connectivity platform.
  - Robust features such as fine-grained traffic control, observability tools, and comprehensive security mechanisms (authentication, encryption).
  - Multi-zone and multi-mesh support for distributed deployments.
  - Simplifies managing microservices, enhances security, boosts performance, and ensures seamless communication.
  - Easy to install, configure, and manage.
- Weaknesses:
  - Service mesh implementation can be complex to start.
  - Desire for more examples and tutorials in the official documentation.
  - GUI could benefit from more customization and filtering options.
  - Initial setup can be complicated, especially when integrating with existing automation tools such as Helm instead of Kuma's CLI.
  - Upgrades can be painful and documentation is sometimes poor.
  - Generating certificates for TLS can be tricky to set up.
- Recommended Use Cases:
  - Setting up communication among services in microservices architectures.
  - Organizations seeking a streamlined service mesh implementation with robust features.
  - Enterprises focused on zero-trust security and GDPR compliance.
  - Deploying a distributed service mesh across Kubernetes and VMs in any environment.
  - Letting developers focus on solving customer problems by providing high availability and end-to-end security out of the box.
Summary
Kong Mesh is a powerful, enterprise-grade service mesh solution built upon the robust foundations of CNCF's Kuma and Envoy. It excels in providing a unified platform for managing microservices across diverse environments, including Kubernetes, virtual machines, and bare metal, supporting both single and multi-zone deployments. Its strengths lie in its comprehensive security features, particularly its native zero-trust capabilities with automatic mTLS encryption, granular traffic permissions, and deep integration with Open Policy Agent (OPA) for fine-grained authorization. The platform also offers strong observability, traffic reliability, and scalability, with a control plane capable of managing a large number of data planes efficiently. Users appreciate its enterprise-grade support and the seamless integration with other Kong products, forming a full-stack connectivity platform.
However, Kong Mesh does present some challenges. The initial setup and implementation can be complex, and users have expressed a desire for more extensive tutorials and documentation, particularly regarding advanced use cases and integration with existing automation workflows. While its performance is generally strong, specific detailed benchmarks are not always readily available, and some users have noted difficulties with upgrades and TLS certificate management.
Overall, Kong Mesh is highly recommended for enterprise organizations seeking a secure, scalable, and feature-rich service mesh to manage complex microservices architectures. Its strengths in security, broad compatibility, and enterprise support make it a strong contender for critical applications. Organizations should be prepared for a learning curve during initial implementation and leverage Kong's support resources to navigate complexities. Continuous engagement with official documentation and community forums is advisable for optimizing deployment and operations.
The information provided is based on publicly available data and may vary depending on the specific deployment configuration. For up-to-date information, please consult official vendor resources.
