Gloo Platform products
With Gloo Platform, you get a suite of tools to consistently and securely manage your L3-L7 network application traffic. Gloo consists of an installable set of platform management tools that you install in a Kubernetes-based cluster via the Gloo CLI (meshctl) or Helm. Then, you unlock various network management capabilities with product or module licenses, as shown in the following figure.
Shared platform management
When you install Gloo in your cluster, you get several components to provide custom resources, observability, and management capabilities for the product licenses that you have. These components run in your cluster even if you do not add a product license, in which case the components do not report back any data until you start using a product.
The following table describes the components and which products use the components.
| Component | Products that use component | Description |
|---|---|---|
| Gloo management server | Gateway, Mesh, Network | The management server maintains the desired state of your environment based on the configurations that you create. The server translates Gloo custom resources to the appropriate open source custom resources (such as Istio, Envoy, or Cilium). Then, the server pushes config changes to the agents to apply in the workload clusters. |
| Gloo workload agent | Gateway, Mesh, Network | The agents send product-specific metrics and snapshots of the resources from each workload cluster to the management server. |
| Prometheus | Gateway, Mesh, Network | The default Prometheus deployment scrapes metrics from the Gloo management server. You can also bring your own instance. |
| Gloo UI | Gateway, Mesh, Network | With the UI, you can review the health and configuration of Gloo custom resources, including registered clusters, workspaces, networking, policies, and more. You can even set up external authentication that is synchronized with Kubernetes role-based access control to manage how your users access the UI. |
| External auth server | Gateway, Mesh | Set up an external authentication and authorization to protect the workloads in your cluster. For example, you can set up basic, passthrough, API key, OAuth, OPA, or LDAP authentication. |
| Rate limiting server | Gateway, Mesh | Control the rate of requests to destinations within the service mesh. |
| Redis | Gateway, Mesh, Network | Redis instances are used to store state data for several Gloo components. You can optionally bring your own Redis instance.
|
Licensed products
Product licenses unlock certain capabilties in Gloo Platform. For example, with a Gloo Mesh license, your Gloo Platform agent installs Mesh custom resource definitions (CRDs) in each registered cluster. With these CRDs, you can consistently manage your application networking resources across clusters.
| Product | Related open source projects | Description |
|---|---|---|
| Gateway | Envoy, Istio | Gloo Gateway is an API gateway based on Envoy and Istio open source technologies. A gateway license unlocks custom resources such as virtual gateways, route tables, and policies so that you can control network traffic into (ingress) and out from (egress) your clusters. You get traffic manipulation features, such as Envoy filters for resilience and transformation. You can also secure ingress traffic with security filters such as web application firewall (WAF), external auth, and rate limiting. |
| Mesh | Istio | Gloo Mesh manages Istio-based service meshes across clusters and infrastructure providers. A mesh license unlocks hardened, FIPS-compliant Istio images with n-4 version support. You get a simplified management experience for multi-tenancy, service isolation, federation, and east-west traffic management. Gloo Mesh even automatically discovers your Istio resources and translates them into the appropriate Gloo custom resources so that intelligent, multicluster failover works out of the box. |
| Network | eBPF, Cilium | Gloo Network is a Cilium-based container network interface (CNI) plug-in that leverages the Linux kernel technology eBPF to provide connectivity, security, and observability for containerized workloads. You can use Gloo policies to consistently apply L3 and L4 access control across all the services in your multi-cluster environment. If you use Network with Mesh or Gateway, you can even reuse the same access policies to add L7 access control. |
Licensed modules
Modules further extend select products with licensed capabilities. The license that you use when installing or upgrading Gloo Platform can include both a product and module, instead of separate licenses. For example, you might have a Gloo Gateway with GraphQL license to use the Gateway product along with the GraphQL module.
| Module | Products the module can extend | Description |
|---|---|---|
| Portal | Gateway | With Gloo Portal, you can bundle and secure access to your APIs through a customizable developer portal. The portal supports the OpenAPI specification (OAS), also known as Swagger. Because the APIs must be available externally, Portal works only with Gateway. |
| GraphQL | Gateway, Mesh | GraphQL is a server-side query language and runtime you can use to expose your APIs as an alternative to REST APIs. GraphQL allows you to request only the data you want and handle any subsequent requests on the server side, saving numerous expensive origin-to-client requests by instead handling requests in your internal network. By building GraphQL capabilties into the Gloo ingress or east-west gateways, Gloo extends GraphQL with route-level networking logic. For example, the gateway might rate limit, authorize, and authenticate requests. To set up GraphQL in your Gloo environment, check out the GraphQL guides in the Gloo Gateway documentation. |