Consumers are not namespace isolated

jumal · March 2, 2020, 2:13pm

Hi there,

I am using the key-auth plugin by

creating a “foo” namespace
creating a KongPlugin custom resource in the “foo” namespace
annotating a service in the namespace “foo” to use the plugin
creating KongConsumer custom resources with their associated secrets all in the “foo” namespace

When I create a KongConsumer with its associated secret in another “bar” namespace, this consumer’s API key can be used to authenticate to the service in namespace “foo”.

I would not expect the api keys defined in one namespace to be valid to access a service in another namespace.

Is this a bug or the intended behaviour?

Regards,
JP

hbagdi · March 6, 2020, 7:04pm

This is the intended behavior. KongConsumers are namespaced but are really global resources and this is something that we wish to address in future.

If you want to achieve what you want, please look at ACL plugin in Kong.
You can assign an ACL group to each consumer in a namespace and limit the access based on namespace, KongConsumer and service relationship.

Topic		Replies	Views
Scoping of KongCredentials Questions kubernetes	1	1202	April 4, 2019
2 KongConsumer for apikey authentication for 1 service with different path kubernetes	4	524	September 10, 2021
Unable to link a KongPlugin JWT to a specific consumer Questions kubernetes	3	2930	March 21, 2019
Creating an APIkey when declaratively creating a KongCredential	3	838	August 5, 2019
Need to understand Consumer -> Service / Routes relationship Questions	3	2467	June 5, 2018

Consumers are not namespace isolated

Related topics