Consumers are not namespace isolated

Hi there,

I am using the key-auth plugin by

  1. creating a “foo” namespace
  2. creating a KongPlugin custom resource in the “foo” namespace
  3. annotating a service in the namespace “foo” to use the plugin
  4. creating KongConsumer custom resources with their associated secrets all in the “foo” namespace

When I create a KongConsumer with its associated secret in another “bar” namespace, this consumer’s API key can be used to authenticate to the service in namespace “foo”.

I would not expect the api keys defined in one namespace to be valid to access a service in another namespace.

Is this a bug or the intended behaviour?


This is the intended behavior. KongConsumers are namespaced but are really global resources and this is something that we wish to address in future.

If you want to achieve what you want, please look at ACL plugin in Kong.
You can assign an ACL group to each consumer in a namespace and limit the access based on namespace, KongConsumer and service relationship.