Skip to main content
Redhat Developers  Logo
  • Products

    Featured

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat OpenShift AI
      Red Hat OpenShift AI
    • Red Hat Enterprise Linux AI
      Linux icon inside of a brain
    • Image mode for Red Hat Enterprise Linux
      RHEL image mode
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • Red Hat Developer Hub
      Developer Hub
    • View All Red Hat Products
    • Linux

      • Red Hat Enterprise Linux
      • Image mode for Red Hat Enterprise Linux
      • Red Hat Universal Base Images (UBI)
    • Java runtimes & frameworks

      • JBoss Enterprise Application Platform
      • Red Hat build of OpenJDK
    • Kubernetes

      • Red Hat OpenShift
      • Microsoft Azure Red Hat OpenShift
      • Red Hat OpenShift Virtualization
      • Red Hat OpenShift Lightspeed
    • Integration & App Connectivity

      • Red Hat Build of Apache Camel
      • Red Hat Service Interconnect
      • Red Hat Connectivity Link
    • AI/ML

      • Red Hat OpenShift AI
      • Red Hat Enterprise Linux AI
    • Automation

      • Red Hat Ansible Automation Platform
      • Red Hat Ansible Lightspeed
    • Developer tools

      • Red Hat Trusted Software Supply Chain
      • Podman Desktop
      • Red Hat OpenShift Dev Spaces
    • Developer Sandbox

      Developer Sandbox
      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Secure Development & Architectures

      • Security
      • Secure coding
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
      • View All Technologies
    • Start exploring in the Developer Sandbox for free

      sandbox graphic
      Try Red Hat's products and technologies without setup or configuration.
    • Try at no cost
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • Java
      Java icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • API Catalog
    • Product Documentation
    • Legacy Documentation
    • Red Hat Learning

      Learning image
      Boost your technical skills to expert-level with the help of interactive lessons offered by various Red Hat Learning programs.
    • Explore Red Hat Learning
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

Kourier: A lightweight Knative Serving ingress

June 30, 2020
David Ortiz Joaquim Prusi
Related topics:
Event-DrivenKubernetesOperatorsServerless
Related products:
Developer Tools

Share:

    Until recently, Knative Serving used Istio as its default networking component for handling external cluster traffic and service-to-service communication. Istio is a great service mesh solution, but it can add unwanted complexity and resource use to your cluster if you don't need it.

    That's why we created Kourier: To simplify the ingress side of Knative Serving. Knative recently adopted Kourier, so it is now a part of the Knative family! This article introduces Kourier and gets you started with using it as a simpler, more lightweight way to expose Knative applications to an external network.

    Let's begin with a brief overview of Knative and Knative Serving.

    What is Knative?

    Knative is a Kubernetes-based platform for deploying and managing serverless workloads. It is split into two projects:

    • Knative Serving focuses on triggering containers using HTTP traffic.
    • Knative Eventing focuses on triggering containers using events.

    This article addresses how Kourier works with Knative Serving.

    Knative Serving

    Knative Serving provides the following features: deployment, autoscaling, and resource conservation. When it comes to deployment, Knative Serving simplifies how we deploy applications to Kubernetes and adds the concept of revisions. Revisions are an immutable service configuration taken when a service is created or modified. This feature lets you quickly roll back changes and gives Knative advanced traffic management, like blue-green deployments and mirror traffic.

    For autoscaling, Knative Serving automatically scales your containers based on the defined max concurrent requests for that service. For example, if the desired max concurrency is set to one, a Kubernetes pod is spun for each new request.

    When it comes to resource conservation, Knative Serving ensures that dormant applications are scaled to zero and ready for the next request.

    Here is an example of a simple application deployment using Knative Serving:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: helloworld-go
      namespace: default
    spec:
      template:
        spec:
          containers:
            - image: docker.io/jmprusi/helloworld-go
              env:
                - name: TARGET
                  value: "Go Sample v1"
    

    As you can see, this is a "Hello, world" application. We only need to define the container image and the required environment variables. We do not need to define the service, deployment, or selectors. See the Knative API specification for more details.

    What is Kourier?

    Like Istio, Kourier is a lightweight ingress based on the Envoy gateway with no additional custom resource definitions (CRDs). It is composed of two parts:

    • The Kourier gateway is Envoy running with a base bootstrap configuration that connects back to the Kourier control plane.
    • The Kourier control plane handles Knative ingress objects and keeps the Envoy configuration up to date.

    How Kourier works

    Kourier does the following:

    • Reads the ingress objects created by Knative Serving.
    • Transforms these objects into an Envoy configuration.
    • Exposes the configuration to the Envoys that it manages.

    Figure 1 shows in more detail how Kourier works with Knative Serving to expose Knative applications to the network.

    A flow diagram of Kourier in the Knative Serving workflow.
    Figure 1. Kourier in the Knative Serving workflow.

    When a new service is deployed in Knative Serving, it creates an Ingress object that contains information about how the service should be exposed. An ingress object includes the following elements:

    • Hosts, paths, and headers: These elements are matched against the same elements included in incoming requests. When there's a match, we know that the request should be proxied to the Knative service associated with the ingress object.
    • Splits: We use splits to divide incoming traffic between different revisions of a deployed service.
    • Visibility: Defines whether the service should be accessible from within the cluster or from outside.
    • Transport Layer Security (TLS): Specifies the Red Hat OpenShift secret that contains the certificate and the key needed to expose the service with HTTPS.

    Kourier subscribes to changes in ingresses that are managed by Knative Serving. Kourier is notified every time an ingress is created, deleted, or modified. When that happens, Kourier analyzes the information in the ingress and transforms the information into objects in an Envoy configuration. Envoy configurations can be complicated, but clusters and routes are two of the objects that they include. A cluster is a collection of Internet Protocol addresses (IPs) that belong to the same service. Routes contain all of the information used to match a given request: the host, path, headers, and so on. A route can also specify which cluster proxy the request should go to when there is a match.

    After an ingress has been transformed into objects in an Envoy configuration, we can use the Envoy xDS APIs to expose that configuration to the Envoys in the cluster. Kourier manages the cluster.

    When Knative scales up the number of pods in a service, Kourier automatically selects the IP of the newest pod and starts proxying traffic to it. Similarly, when the number of pods is reduced, Kourier is notified and stops sending requests to pods that are scheduled to be deleted.

    It is important to note that in all of this process, Kourier does not create any custom resources that only it can understand. Instead, Kourier only works with objects managed by Knative Serving (the ingresses), and objects managed by Kubernetes—like endpoints, secrets (the ones that include the TLS configuration), and so on. This is why we say that Kourier is a "Knative-native" ingress.

    Kourier's integration with Knative

    As well as being Knative-native, Kourier is a Knative-conformant ingress. By that, we mean that all of the features of Knative Serving work well when using Kourier. These include traffic splitting between different revisions of a service, TLS, timeouts, retries, automatic endpoint discovery when a service is scaled, and more.

    To ensure that Kourier is conformant and that it supports every new feature added to Knative Serving, we have configured a continuous integration (CI) system that runs the Knative Serving conformance test suite. As you can see from the test grid, Kourier is one of the few Knative ingress implementations that consistently passes all of the tests in the suite.

    Using the Envoy external authorization filter with Kourier

    It is possible to configure Kourier to use the Envoy external authorization filter for traffic authorization. For every incoming request, Kourier will contact an external service to check whether the request should be authorized. If it is authorized, Kourier will proxy the request to the appropriate service. If it is not, it will return an error to the caller. One way to use this feature would be to build a service based on the Open Policy Agent (OPA) framework. OPA supports Envoy's external authorization protocol and allows us to define authorization rules using a high-level language designed specifically for writing authorization policies.

    Get started with Kourier

    If you are using OpenShift, you can find the Red Hat OpenShift Serverless Operator in your Operator catalog. The Serverless Operator automatically installs Kourier. (For installation details, see Installing the OpenShift Serverless Operator.)

    Alternatively, you can install Kourier in a cluster that is already running Knative Serving. In this case, just enter:

    $ kubectl apply --filename https://github.com/knative/net-kourier/releases/download/v0.15.0/kourier.yaml

    Note: Replace the version number (in this case, v0.15.0) with the version that you want to install.

    Here is the code that configures Knative to use Kourier:

    kubectl patch configmap/config-network \
      --namespace knative-serving \
      --type merge \
      --patch '{"data":{"ingress.class":"kourier.ingress.networking.knative.dev"}}'
    

    That should be enough to get started. For more complex installations, see the installation instructions in the Knative documents.

    Conclusion

    As we mentioned at the beginning of this article, Knative was recently adopted by Kourier, so it's one of the currently supported implementations for Knative Serving. Check out Kourier's GitHub repository under the Knative project.

    Last updated: February 5, 2024

    Recent Posts

    • Expand Model-as-a-Service for secure enterprise AI

    • OpenShift LACP bonding performance expectations

    • Build container images in CI/CD with Tekton and Buildpacks

    • How to deploy OpenShift AI & Service Mesh 3 on one cluster

    • JVM tuning for Red Hat Data Grid on Red Hat OpenShift 4

    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit
    © 2025 Red Hat

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue