Kong service mesh paid version eases policy management pain

IT pros could cobble together an open source service mesh with Open Policy Agent on their own, but Kong Mesh will let them skip that struggle for a price.

As service mesh technology is adopted by mainstream companies, vendor products such as Kong Mesh are offering a way to bypass the toil of open source integration in exchange for a paid license.

Service mesh, which followed the mass adoption of microservices and containers, uses code packages called sidecar proxies to help IT security and observability keep up with the complex connections between distributed apps.

These proxies are managed via a central control plane that distributes IT security policy throughout the network. While service mesh hides the details of network management from developers, someone -- usually a site reliability or platform engineer -- must set it up and manage it, which can be a painful process for early adopters of open source projects such as Istio.

However, in the last year, Istio became more vulnerable to competition not just from other open source tools such as Linkerd, but also paid products from vendors such as Kong, as well as SaaS managed service mesh offerings from vendors such as HashiCorp.

"Simplicity is a watchword in service mesh as the technology migrates … from the most capable and resourceful of digital natives to a broader base of enterprise customers," said Brad Casemore, research director at IDC. Those enterprises "are willing to pay [to] bring open source components and projects together."

Brad CasemoreBrad Casemore

Kong Mesh adds OPA, subtracts 'configuration nightmare'

Kong Mesh, based on the open source Kuma project, has expanded the incentives for paying customers in version 1.2, which shipped this week. The new release builds in another open source project, policy-as-code tool Open Policy Agent (OPA), and automatically configures the Envoy sidecar proxy for compliance with the Federal Information Processing Standard (FIPS) Publication 140-2 encryption standard.

Users can put these projects together themselves, but that work can be time-consuming and prone to errors, according to a Kong service integrator partner that has, so far, sold Kong Mesh into about half a dozen enterprise accounts.

Aaron WeinkleAaron Weinkle

"These organizations have huge amounts of technical debt, which makes it hard to accelerate their business," said Aaron Weikle, CEO and founder of MS3, a systems integrator in Washington, D.C., that works with federal government agencies, financial services and healthcare customers. "[Kong Mesh] will help them gain velocity."

Kong Mesh builds the Open Policy Agent into its version of the Envoy proxy, so users don't have to deploy multiple agents within the IT infrastructure to use OPA. It can also act as a central management point for IT security policy distribution using these OPA/Envoy bundles or transfer that responsibility to a third-party OPA management product such as Styra's Declarative Authorization Service.

For Kong Mesh, OPA brings IT security policies for authentication and authorization at Layer 7 of the OSI Network Model, which means those policies are expressed in terms of specific applications and services rather than using IP addresses and network ports that may be used by multiple services. Layer 7 policy support has been built into Istio from the beginning and is planned for Linkerd with version 2.11, due out next quarter.

Unlike open source competitors, Kong Mesh automates the distribution of those policies throughout multi-cluster and multi-region deployments without requiring IT pros to configure each of them separately. It also extends the service mesh and OPA to include legacy infrastructure such as virtual machines.

Kong Mesh helps IT teams find their way through the fog of complex cloud-native environments, Weikle said.

"If we get down into the weeds with a lot of these cloud-native technologies around containerization, you're working with multiple YAML files, trying to set them up using Helm charts, and it can get pretty complex," Weikle said, "especially when you're dealing with 10 different possible deployment scenarios that a customer may have."

Without that layer of abstraction, there's going to be a lot more upfront configuration and YAML buildouts, and that is a huge selling point versus being in a configuration nightmare.
Aaron WeikleCEO, MS3

One financial services Kong Mesh customer of MS3's, for example, uses the service mesh with Kubernetes, Docker Enterprise Edition, AWS Fargate and other platforms, all spread among multiple regions.

"Without that layer of abstraction, there's going to be a lot more upfront configuration and YAML buildouts, and that is a huge selling point versus being in a configuration nightmare," Weikle said.

Kong Mesh links in legacy infrastructure

Kong was initially founded as an API gateway vendor, and enterprises that already use its Kong Gateway and Kubernetes ingress controller can mix the service mesh more easily with their existing networks if they use Kong Mesh.

"Kong presents a value proposition that is extensive, with a service connectivity platform that encompasses ingress, API gateway and service mesh, with features addressing governance, security, traffic control, management and observability," IDC's Casemore said.

Security-conscious organizations -- in government, especially -- like Kong's ingress controller because it allows consistent mutual Transport Layer Security (mTLS) for network connections both inside and outside the Kubernetes cluster, Weikle said. Other ingress controllers, instead, terminate mTLS connections at the Kubernetes cluster level and handle internal mTLS separately.

In addition to OPA, version 1.2 of Kong Mesh automatically builds in encryption algorithms compliant with the FIPS 140-2 data security standard. Here, as with OPA, open source Istio users must also do their own configuration to limit Envoy to using these algorithms.

Finally, with this release, Kong Mesh will automatically encrypt communication and apply IT security policies among the management servers at different levels of Kuma's multi-cluster architecture, again sparing IT administrators configuration headaches.

The rising popularity of open source service mesh projects has created the market that proprietary vendors now look to capture, but Weikle predicted that built-in automation from vendor products will be key to the next wave of service mesh adoption and, with it, containers.

"Kong Mesh and its new security features are going to start to bolster a secure feeling in the container environment for a lot of these large organizations," he said.

Meanwhile, however, Kong Mesh pricing remains mysterious. The vendor does not publicly disclose its list prices for the product, said Marco Palladino, CTO at Kong Inc., in an interview this week.

Dig Deeper on Containers and virtualization

Software Quality
App Architecture
Cloud Computing
Data Center