Global KongPlugin is not defiend

Kubernetes
1

I have installed Kong Ingress on Kubernetes cluster (AKS) using following these steps:
https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/deployment/aks.md

Defined Ingress and can access my API, checked Postgres routes table and can see the route is there.

I wanted to define global KongPlugin and then to use it via annotations in my Ingress but the plugin is not defined, there is no plugin in plugins table and no plugin in via the admin api.

Used documentation from:
https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/custom-resources.md#kongplugin

KongPlugin yaml:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ip-restriction-global
  namespace: kong
  labels:
global: "true"
enabled: true
config:
key: value
plugin: ip-restriction

Tried with/without “enabled” /“disabled” field.

2

The same problem to me.
I create a kongplugin just the same with


and patch the annotation to ingress.

But when i curl http {KONG_ADMIN_IP}:{KONG_ADMIN_PORT}/plugins
i got this { “total”: 0, “data”: [] }

Add plugins with http interface is working

3

Hello @alx8

The following KongPlugin spec looks incorrect as global : "true" is not nested under labels.

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ip-restriction-global
  namespace: kong
  labels:
global: "true"
enabled: true
config:
key: value
plugin: ip-restriction

Could you instead try the following?

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ip-restriction-global
  namespace: kong
  labels:
    global: "true"
config:
  key: value
plugin: ip-restriction

Could you verify if this works for you and then mark this post as resolved if this helps?

4

@hbagdi Hello,
Thank you for you answer.
I used the global : "true" nested under labels as you suggested, indentation probably was broke when I pasted the yaml here.
But still, the plugin is not available.

5

@alx8 Do you see any errors in the logs of the Ingress controller?
Also, which version of Kong Ingress controller are you using?

6

@hbagdi This is my Kong Ingress Version:
-------------------------------------------------------------------------------
Kong Ingress controller
Release: 0.2.0
Build: git-de9e38c6
Repository: git@github.com:Kong/kubernetes-ingress-controller.git

This is the error I see in the Kong Ingress controller pod log:

I1205 09:44:46.944359       6 controller.go:127] syncing Ingress configuration...

I1205 09:44:47.262917 6 kong.go:124] syncing global plugins
E1205 09:44:47.266002 6 controller.go:130] unexpected failure updating Kong configuration:
creating a global Kong plugin &{{{ } { 0 0001-01-01 00:00:00 +0000 UTC map map nil } 0 0} ip-restriction map[key:value] false }: the server rejected our request for an unknown reason (post plugins.meta.k8s.io)
W1205 09:44:47.266037 6 queue.go:113] requeuing kong/ip-restriction-global, err creating a global Kong plugin &{{{ } { 0 0001-01-01 00:00:00 +0000 UTC map map nil } 0 0} ip-restriction map[key:value] false }: the server rejected our request for an unknown reason (post plugins.meta.k8s.io)
I1205 09:44:50.277855 6 controller.go:127] syncing Ingress configuration…
I1205 09:44:50.595904 6 kong.go:124] syncing global plugins
E1205 09:44:50.598290 6 controller.go:130] unexpected failure updating Kong configuration:
creating a global Kong plugin &{{{ } { 0 0001-01-01 00:00:00 +0000 UTC map map nil } 0 0} ip-restriction map[key:value] false }: the server rejected our request for an unknown reason (post plugins.meta.k8s.io)

Tried without
config:
key: value
Got same error:

I1205 09:48:50.413536 6 kong.go:124] syncing global plugins
E1205 09:48:50.415775 6 controller.go:130] unexpected failure updating Kong configuration:
creating a global Kong plugin &{{{ } { 0 0001-01-01 00:00:00 +0000 UTC map map nil } 0 0} ip-restriction map false }: the server rejected our request for an unknown reason (post plugins.meta.k8s.io)
W1205 09:48:50.415832 6 queue.go:113] requeuing kong/ip-restriction-global, err creating a global Kong plugin &{{{ } { 0 0001-01-01 00:00:00 +0000 UTC map map nil } 0 0} ip-restriction map false }: the server rejected our request for an unknown reason (post plugins.meta.k8s.io)

7

I’d assumed that the key: value was an actual config but the first error log seems to indicate that you had put in the key: value part in the YAML as is.

The request fails without the config because IP restrictions plugin, as per the docs, needs a bare minimum config and won’t work without a config.

The following should work fine:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ip-restriction-global
  namespace: kong
  labels:
    global: "true"
config:
  whitelist:
  - "10.0.0.0/8"
plugin: ip-restriction
8

@hbagdi thank you, this way the plugin is deployed.
In our current deployment we have ip-restriction plugin per API.
The question is if I config whitlist in KongPlugin like you suggested it will effect all Ingresses?
How I deploy ip-restriction plugin per API with different whitelist/blacklist configs in each API ?

Actually what I am asking is how to set the plugin config for each Ingress independently from the KongPlugin config ?

Thank you

9

@alx8

You can create KongPlugin resources without the global : "true" label. This will actually not create a plugin in Kong.

Then you associate the plugin with the Ingress using the plugins.konghq.com annotation. This will create the plugin on the Route corresponding to your Ingress. This let’s you finely control which plugins run on each Ingress.

10

This was the missing part (:
Then last question, I deployed Kongplugin and KongIngress, how do I use the configuration.konghq.com annotation properly.
How to set config in Ingress for the plugin?
How to associate config to plugin , for example if I have few plugins used with one Ingress , let’s say ip-restriction and udp-logs.

This is my Ingress (tried different options for configuration.konghq.com) :

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kong-admin
  namespace:  kong
  annotations:
    kubernetes.io/ingress.class: "nginx"
    plugins.konghq.com: ip-restriction-global
    configuration.konghq.com: "config.whitelist=54.13.21.1"
spec:
  rules:
    - host: kongadmin.kong.example
      http:
        paths:
          - path: "/"
            backend:
              serviceName: kong-ingress-controller
              servicePort: 8001

Thanks a lot!

11

@alx8,

configuration.konghq.com annotation is used to associate a KongIngress resource with an Ingress resource. It has nothing to do with a plugin.

You define configs for the plugins in the KongPlugin custom resource under the config property.

Also, a global plugin (KongPlugin with a label global: "true") doesn’t need to be applied at the Ingress level, it will be applied for every request that is proxied via Kong.

Hope this helps!