
Container Service for Kubernetes: Use the Kourier gateway in Knative

Last Updated: Mar 26, 2026

Kourier is a lightweight, open-source Knative-native ingress gateway built on Envoy, provided by the Knative community. Deploy it to route HTTP and HTTPS traffic across Knative revisions, configure gRPC services, set timeouts and retries, manage Transport Layer Security (TLS) certificates, and integrate external authorization services.

Prerequisites

Before you begin, make sure you have:

Deploy the Kourier gateway

Deploy Kourier either during initial Knative setup (using the ACK console) or after deployment (using kubectl).

For a new Knative installation

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, choose Applications > Knative.

  3. On the Components tab, find Kourier in the Add-on Component section and click Deploy in the Actions column. In the dialog that appears, click Confirm. The Status column for Kourier changes to Deployed.

For an existing Knative installation

  1. Run the following command to open the config-network ConfigMap in your default editor:

    kubectl -n knative-serving edit configmap config-network

  2. In the editor, locate the ingress.class key under the data section and change its value to kourier.ingress.networking.knative.dev, as shown below:

    apiVersion: v1
    data:
      ...
      ingress.class: kourier.ingress.networking.knative.dev # Use the Kourier gateway
      ...
    kind: ConfigMap
    metadata:
      name: config-network
      namespace: knative-serving

  3. Save and close the file. Kubernetes applies the change automatically.

(Optional) Configure an internal-facing CLB

By default, Kourier creates an Internet-facing Classic Load Balancer (CLB). To use an internal-facing CLB instead, add the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "intranet" to the Kourier Service manifest:

apiVersion: v1
kind: Service
metadata:
  name: kourier
  namespace: knative-serving
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "intranet"
  ...
spec:
  ports:
    - name: http2
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: https
      port: 443
      protocol: TCP
      targetPort: 8443
  selector:
    app: 3scale-kourier-gateway
  type: LoadBalancer

The default annotation value is internet. Set it to intranet to switch to an internal-facing CLB.

Access a Knative Service through the Kourier gateway

The following steps use a sample Knative Service named helloworld-go to demonstrate HTTP and HTTPS access. Deploy the Service first, then choose the protocol you need.

The curl commands below pass the domain name in the Host header because DNS is not configured by default. If you configure DNS for the gateway, you can omit the -H "Host:" flag.

Deploy the sample service

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, choose Applications > Knative.

  3. On the Services tab, set Namespace to default, click Create from Template, paste the following YAML into the editor, and click Create.

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: helloworld-go
    spec:
      template:
        spec:
          containers:
          - image: registry.cn-hangzhou.aliyuncs.com/knative-sample/helloworld-go:73fbdd56
            env:
            - name: TARGET
              value: "Knative"

    When Status shows Created, the Service is ready.

  4. On the Services tab, note the domain name in the Default Domain column and the gateway IP address in the Gateway column for the helloworld-go Service. You need these values in the next steps.

Access over HTTP

Run the following command, replacing the gateway IP address and domain name with the values you noted:

curl -H "Host: helloworld-go.default.example.com" http://8.141.XX.XX

Expected output:

Hello Knative!

Access over HTTPS

Step 1: Generate a TLS certificate.

Run the following commands to create a self-signed certificate:

openssl genrsa -out tls.key 4096
openssl req -subj "/CN=*.example.com/L=*.example.com" -sha256 -new -key tls.key -out tls.csr
echo subjectAltName = DNS:helloworld-go.default.example.com,DNS:helloworld-go.default.example.cn > extfile.cnf
openssl x509 -req -days 3650 -sha256 -in tls.csr -signkey tls.key -out tls.crt -extfile extfile.cnf

This generates a 4096-bit RSA key and a certificate valid for 3650 days, with Subject Alternative Names for helloworld-go.default.example.com and helloworld-go.default.example.cn.

Step 2: Create a Secret from the certificate.

kubectl -n knative-serving create secret tls kourier-cert --key tls.key --cert tls.crt

Step 3: Verify the `net-kourier-controller` Deployment exists.

kubectl get deployments -n knative-serving

Step 4: Configure the certificate in the controller.

kubectl -n knative-serving edit deployment net-kourier-controller

In the controller container's env list (spec.template.spec.containers[].env in the Deployment), add the following two environment variables:

...
spec:
  containers:
  - env:
    - name: CERTS_SECRET_NAMESPACE
      value: knative-serving
    - name: CERTS_SECRET_NAME
      value: kourier-cert
...

| Parameter | Description |
| --- | --- |
| CERTS_SECRET_NAMESPACE | The namespace where the Secret was created (knative-serving) |
| CERTS_SECRET_NAME | The name of the Secret (kourier-cert) |

Step 5: Verify the controller pod is running.

kubectl -n knative-serving get po

Expected output:

NAME                               READY   STATUS    RESTARTS   AGE
net-kourier-controller-******      1/1     Running   0          10s

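Step 6: Access the Service over HTTPS. Because the certificate is self-signed, the command passes -k so that curl skips verification of the gateway's certificate.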

curl -H "Host: helloworld-go.default.example.com" -k --cert tls.crt --key tls.key https://8.141.XX.XX

Expected output:

Hello Knative!
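
A pre-flight check for the certificate and key from Step 1, to run before they go into the kourier-cert Secret (an added example, not part of the original page or the Kourier project): it confirms that the key matches the certificate, that the certificate is unexpired, and that its SANs cover the Service's domain. The function names check_tls_pair and make_sample_pair are hypothetical, and the sample pair is constructed with a 2048-bit key and 1-day validity to keep the demo fast.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): validate tls.crt/tls.key
# before storing them in the kourier-cert Secret.

# check_tls_pair CERT KEY HOST: returns 0 only if the key belongs to the
# certificate, the certificate is unexpired, and it covers HOST.
check_tls_pair() {
  ctp_cert=$1; ctp_key=$2; ctp_host=$3
  ctp_cpub=$(openssl x509 -in "$ctp_cert" -noout -pubkey 2>/dev/null) || return 2
  ctp_kpub=$(openssl pkey -in "$ctp_key" -pubout 2>/dev/null) || return 2
  if [ "$ctp_cpub" != "$ctp_kpub" ]; then
    echo "FAIL: private key does not match certificate" >&2; return 1
  fi
  if ! openssl x509 -in "$ctp_cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: certificate has expired" >&2; return 1
  fi
  # With SAN entries present the CN is ignored, so "*.example.com" in the
  # subject does not extend coverage beyond the listed DNS names.
  if ! openssl x509 -in "$ctp_cert" -noout -checkhost "$ctp_host" 2>/dev/null \
       | grep -q "does match"; then
    echo "FAIL: certificate does not cover $ctp_host" >&2; return 1
  fi
  echo "OK: $ctp_cert is usable for $ctp_host"
}

# make_sample_pair DIR: constructed throwaway pair that follows the page's
# openssl steps (2048-bit key and 1-day validity are assumptions for speed).
make_sample_pair() {
  openssl genrsa -out "$1/tls.key" 2048 2>/dev/null &&
  openssl req -subj "/CN=*.example.com" -sha256 -new -key "$1/tls.key" \
    -out "$1/tls.csr" &&
  echo "subjectAltName = DNS:helloworld-go.default.example.com,DNS:helloworld-go.default.example.cn" \
    > "$1/extfile.cnf" &&
  openssl x509 -req -days 1 -sha256 -in "$1/tls.csr" -signkey "$1/tls.key" \
    -out "$1/tls.crt" -extfile "$1/extfile.cnf" 2>/dev/null
}

# Demo on the constructed pair: the first check passes, the second fails
# because other.example.com is not among the SANs.
demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir"
check_tls_pair "$demo_dir/tls.crt" "$demo_dir/tls.key" helloworld-go.default.example.com
check_tls_pair "$demo_dir/tls.crt" "$demo_dir/tls.key" other.example.com || true
rm -rf "$demo_dir"
```

Once the pair passes, curl can verify the gateway rather than skip verification: replace -k with --cacert tls.crt and add --resolve helloworld-go.default.example.com:443:<gateway IP> so that the URL carries the domain name instead of the IP address.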

(Optional) View the Knative monitoring dashboard

Knative includes built-in monitoring. On the Knative page, click the Monitoring Dashboards tab to view metrics for your Services. For setup instructions, see View the Knative monitoring dashboard.

What's next