Configure ACL using Kong Ingress Controller


#1

Hi,

I am looking for how to set up ACL using KongPlugin and KongConsumer in the following two areas.

  1. Whitelist and blacklist
  2. GET, POST, PUT, and DELETE ACL

Thanks.


#2

Hello @chlung,

Please configure the ACL plugin using KongPlugin.

Then, to create a consumer in Kong, use the KongConsumer CRD.
Once you have the Consumer in Kong, to configure ACL for a consumer, use the KongCredential custom resource of type acl.
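
The resources named in this reply, sketched as manifests. This is an added example, not part of the original post. All resource and group names are hypothetical, `demo-basic-auth` stands for an authentication plugin assumed to exist already, and the field layout assumes the controller generation used in this thread (KongCredential with `consumerRef`, ACL `blacklist` as a list of consumer group names).

```yaml
# Added example; deny-partners, partner-a, partners and demo-basic-auth are hypothetical names.
# 1. ACL plugin: the blacklist holds consumer group names.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: deny-partners
  namespace: dummy
plugin: acl
config:
  blacklist:
  - partners
---
# 2. The consumer that authenticated requests are attributed to.
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: partner-a
  namespace: dummy
username: partner-a
---
# 3. ACL credential: places consumer partner-a in the group "partners".
apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: partner-a-acl
  namespace: dummy
consumerRef: partner-a
type: acl
config:
  group: partners
---
# 4. Ingress: one plugins.konghq.com annotation naming the auth plugin and the ACL plugin.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: acl-apis
  namespace: dummy
  annotations:
    plugins.konghq.com: demo-basic-auth,deny-partners
spec:
  rules:
  - host: foo.bar
    http:
      paths:
      - path: /
        backend:
          serviceName: http-svc
          servicePort: 80
```

The ACL plugin decides per consumer, so it only has something to match once an authentication plugin on the same route has identified the caller; the consumer's authentication credential is assumed to exist and is not shown.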


#3

@hbagdi

I tried KongPlugin with type acl, but the blacklist does not work as expected. Am I missing something here?

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: test-acl
plugin: acl 
config:
  blacklist: foo.bar
  hide_group_header: true 

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: acl-apis
  namespace: dummy
  annotations:
    configuration.konghq.com: kongingress-api
    plugins.konghq.com: acl-basic-auth
    plugins.konghq.com: test-acl
spec:
  rules:
  - host: foo.bar 
    http:
      paths:
      - path: /
        backend:
          serviceName: http-svc
          servicePort: 80

I am still able to access the blacklisted API. I did notice an error in the Kong Ingress Controller log:

E1018 10:19:19.464105 7 controller.go:130] unexpected failure updating Kong configuration:

creating a global Kong plugin &{{{ } { 0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[] map[] [] nil [] } [] 0 0} basic-auth map[hide_credentials:false] false }: the server reported a conflict (post plugins.meta.k8s.io)

Thanks.


#4

Hello,

Did you try:

plugins.konghq.com: acl-basic-auth,test-acl

I do not think you can add multiple annotations with the same name.


#5

@Ngob Thanks. I just tried, and I am still getting the result back.


#6

Isn’t the error about basic-auth? I can see acl-basic-auth,test-acl in your configuration but not basic-auth.


#7

@Ngob My issue is about the blacklist, not the error. I also noticed the error in the log. As you said, the error in the log goes away after I combine the plugins into a list, but the blacklist still returns a result. Am I misinterpreting the behavior?

Thanks.