Bypass kong by using cluster ip


Since a service is not mandatory on Kubernetes, it’s possible to bypass any Kong plugin by accessing a pod directly by its clusterIP.
-> the security is then only perimeter and not within the cluster

How can we prevent such a situation? Using network policies to enforce the network for a service to come from Kong?

Another solution would be using a sidecar, but it’s more of a service mesh architecture.

It’s an open question :blush:
