KIC high availability

Kong Ingress Controller reads state from the Kubernetes API server and generates a Kong Gateway configuration. If Kong Ingress Controller isn’t running, new Kong Gateway instances won’t receive a configuration. Existing Kong Gateway instances will continue to process traffic using their existing configuration.

When a Kong Ingress Controller instance is offline, it’s a major issue. The configuration loaded by Kong Gateway will quickly become outdated, especially the upstream endpoints hosting your applications. Without Kong Ingress Controller running, Kong Gateway won’t detect new application pods or remove old pods from it’s routing configuration.

Kong recommends running at least two Kong Ingress Controller instances. Kong Ingress Controller elects a leader when connected to a database-backed cluster or when Gateway Discovery is configured. This ensures that only a single controller pushes configuration to Kong Gateway’s database or to Kong Gateway’s Admin API to avoid potential conflicts and race conditions.

When a leader controller shuts down, other instances will detect that there is no longer a leader, and one will promote itself to the leader.

Leader election is controlled using the Lease resource. For this reason, Kong Ingress Controller needs permission to create a Lease resource. By default, the permission is given at the Namespace level.

The name of the Lease is derived from the value of the election-id CLI flag or CONTROLLER_ELECTION_ID environment variable (default: 5b374a9e.konghq.com) and election-namespace (default: "") as: “$ELECTION_ID-$ELECTION_NAMESPACE”.

The Kong Ingress Controller Helm chart sets a custom value of kong-ingress-controller-leader for CONTROLLER_ELECTION_ID. If the Kong Ingress Controller was deployed using Helm, the default Lease that is used for leader election is named kong-ingress-controller-leader-kong, and it will be present in the same namespace that the controller is deployed in.