Configure ACL using Kong Ingress Controller

Hi,

I am looking for how to set up ACL using KongPlugin and KongConsumer in the following two areas.

  1. Whitelist and blacklist
  2. GET, POST, PUT, and DELETE ACL

Thanks.

Hello @chlung,

Please configure the ACL plugin using KongPlugin.

Then, to create a consumer in Kong, use the KongConsumer CRD.
Once you have the Consumer in Kong, to configure ACL for a consumer, use a KongCredential custom resource of type acl.

@hbagdi

I tried KongPlugin with type acl, but the blacklist does not work as expected. Do I miss something here?

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: test-acl
plugin: acl
config:
  blacklist: foo.bar
  hide_groups_header: true   # the ACL plugin's option is hide_groups_header (plural)

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: acl-apis
  namespace: dummy
  annotations:
    configuration.konghq.com: kongingress-api
    plugins.konghq.com: acl-basic-auth
    plugins.konghq.com: test-acl
spec:
  rules:
  - host: foo.bar
    http:
      paths:
      - path: /
        backend:
          serviceName: http-svc
          servicePort: 80

I am still able to access the blacklisted API. I did notice an error in the Kong-Ingress-Controller log,

E1018 10:19:19.464105 7 controller.go:130] unexpected failure updating Kong configuration:
creating a global Kong plugin &{{{ } { 0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[] map[] [] nil [] } [] 0 0} basic-auth map[hide_credentials:false] false }: the server reported a conflict (post plugins.meta.k8s.io)

Thanks.

Hello,

Did you try:

plugins.konghq.com: acl-basic-auth,test-acl

I do not think you can add multiple annotations with the same name.
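Putting the steps from the reply above together with the single comma-separated annotation suggested here, an added example (not from this thread or the Kong project): an ACL plugin restricted to one group, a consumer, the acl credential that places that consumer in the group, and the Ingress that enables the plugins. It assumes Kong Ingress Controller 0.3.0 or later (the thread says earlier versions do not associate groups to consumers), and the names alice, example-group, acl-basic-auth and http-svc are hypothetical.

```yaml
# Added example; assumes an existing KongPlugin named acl-basic-auth
# provides authentication, since the ACL plugin needs an identified consumer.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: test-acl
plugin: acl
config:
  whitelist: example-group      # allow only consumers in this group
  # use "blacklist: example-group" instead to deny that group;
  # the two options are mutually exclusive
  hide_groups_header: "true"    # do not forward X-Consumer-Groups upstream
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: alice
username: alice
---
# Membership of a group is a credential of type acl on the consumer,
# not a field on the KongPlugin.
apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: alice-acl
consumerRef: alice
type: acl
config:
  group: example-group
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: acl-apis
  annotations:
    # one annotation key only: a repeated key is silently dropped by the
    # YAML parser, so the second plugin would never be applied
    plugins.konghq.com: acl-basic-auth,test-acl
spec:
  rules:
  - host: foo.bar
    http:
      paths:
      - path: /
        backend:
          serviceName: http-svc
          servicePort: 80
```

To check that the group was actually associated, query the Kong admin API as done later in this thread (curl http://localhost:8001/consumers/alice/acls) and expect the group in the data array rather than an empty list.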

@Ngob Thanks. I just tried, and I still get the result back.

Isn’t the error about basic-auth? I can see acl-basic-auth,test-acl in your configuration but not basic-auth.

@Ngob My issue is about the blacklist, not the error. I also noticed the error in the log. As you said, the error in the log goes away after I combine the plugins into a list, but the blacklist still returns a result. Do I misinterpret the behavior?

Thanks.

@hbagdi the KongCredential CRD type acl doesn’t work properly. The group is never associated to the consumer.

ingress annotations:

plugins.konghq.com: tokenizer-auth,tokenizer-prometheus,tokenizer-ratelimit,tokenizer-acl

tokenizer-acl plugin:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: tokenizer-acl
  namespace: dev
plugin: acl
config:
  whitelist: tokenizer-group
  hide_groups_header: "true"

consumer and one api-key credential:

apiVersion: v1
items:
- apiVersion: configuration.konghq.com/v1
  kind: KongConsumer
  metadata:
    name: tokenizer
  username: tokenizer
kind: List
---
apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: tokenizer
consumerRef: tokenizer
type: key-auth
config:
  key: REDACTED

Finally acl credential of type acl:

apiVersion: configuration.konghq.com/v1
kind: KongCredential
group: "tokenizer-group"
metadata:
  name: tokenizer-group4
  namespace: dev
consumerRef: tokenizer
type: acl
config:
  group: "tokenizer-group"

I also tried different ways to define the credential:

apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: tokenizer-group4
  namespace: dev
consumerRef: tokenizer
type: acl
config:
  group: "tokenizer-group"

This was tried and doesn’t work either.

Response from kong:

/ # curl http://localhost:8001/consumers/tokenizer/acls
{"total":0,"data":[]}

Nothing of note in the logs except "entity 'acl' not registered", but I think this is because the acl plugin didn’t get added to the ingress before the credential got applied.

Hi guys,

I can confirm that this will not work as expected in the current Ingress Controller versions.

Kong Ingress Controller 0.3.0 is in the works, which will add support for ACLs.
The ACL plugin was supported but associating ACL groups to consumers was not.

The following commit adds support for ACLs in the underlying library used to talk to Kong:

Stay tuned for the next release!


@hbagdi will this PR allow us to associate other plugins to consumers? Or is it strictly for ACL?
It seems even associating a ratelimiter plugin is not possible currently.

It should be possible using the consumerRef property:

@hbagdi I just tried and ACL works as expected, however I don’t think I quite understand how other plugins are supposed to work.
In Konga it’s possible to add a plugin to a consumer:


How would I go about achieving the same behavior? I can’t seem to attach two different plugins of the same type to the ingress:

    plugins.konghq.com: dev-service-ratelimit, dev-service-consumer-ratelimit

Kong invariably picks just one. And when I create a rate limit plugin with just the consumerRef, without attaching it to the ingress, it just seems to be ignored.

My use case is basically to be able to set multiple rate limits. One at the ingress level that applies to all consumers, and others at individual consumers so they can be throttled separately.

I got the same problem using the prometheus plugin. When I assign the plugin to the consumer using consumerRef, it doesn’t work.

The consumer doesn’t have any plugin. Konga problem or Kong problem?

I think it is a Kong problem because the plugin doesn’t work.

Prometheus plugin doesn’t have a notion of consumer and enabling it on a consumer level doesn’t make much sense.

This is a limitation currently and is expected to go away in future.
You can also track the following issue: