How to avoid free access to upstream service after deleting Kong plugin?

I observed that when you have a properly configured Kong ingress with authorization (for example, with the JWT plugin) and you accidentally remove the Kong CRD plugin instance, you have full access to the upstream without any authorization.

Is there any way to defend against this behavior? Something like: when you have plugins.konghq.com defined on your ingress, you get the 502 error code as long as there is no proper Kong CRD plugin instance available for the ingress?

There is no such mechanism available out of the box. One way you can do it is to not give delete permissions for KongPlugin resource to users and keep it available only for Cluste such users.

The controller parses all the resources and configures Kong with all the resources that it can find.
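
A check for the situation in this thread, as an added example that is not part of the original posts or Kong's own code: it lists Ingresses whose plugin annotation names a KongPlugin missing from the same namespace. The `konghq.com/plugins` annotation key, the function names and the sample objects are assumptions of this example; cluster-scoped KongClusterPlugin resources are not considered.

```python
# Added example: flag Ingresses whose plugin annotation names a KongPlugin
# that does not exist in the same namespace (the silent fail-open case).
# "plugins.konghq.com" is the key from the thread; "konghq.com/plugins" is
# included as an assumption about newer controller versions.
PLUGIN_ANNOTATIONS = ("plugins.konghq.com", "konghq.com/plugins")


def referenced_plugins(ingress):
    """Return the set of plugin names listed in an Ingress's annotations."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    names = set()
    for key in PLUGIN_ANNOTATIONS:
        for name in annotations.get(key, "").split(","):
            if name.strip():
                names.add(name.strip())
    return names


def dangling_plugin_refs(ingresses, kong_plugins):
    """Return sorted (namespace, ingress, plugin) tuples for missing plugins."""
    existing = {
        (p["metadata"].get("namespace", "default"), p["metadata"]["name"])
        for p in kong_plugins
    }
    findings = []
    for ing in ingresses:
        ns = ing["metadata"].get("namespace", "default")
        for plugin in referenced_plugins(ing):
            if (ns, plugin) not in existing:
                findings.append((ns, ing["metadata"]["name"], plugin))
    return sorted(findings)


# Constructed sample objects, trimmed to the fields the check reads.
SAMPLE_INGRESSES = [
    {"metadata": {"name": "orders", "namespace": "shop",
                  "annotations": {"plugins.konghq.com": "jwt-auth, rate-limit"}}},
    {"metadata": {"name": "public-docs", "namespace": "shop"}},
]
SAMPLE_PLUGINS = [
    {"metadata": {"name": "rate-limit", "namespace": "shop"}},
    {"metadata": {"name": "jwt-auth", "namespace": "other"}},  # wrong namespace
]

if __name__ == "__main__":
    for ns, ing, plugin in dangling_plugin_refs(SAMPLE_INGRESSES, SAMPLE_PLUGINS):
        print(f"{ns}/{ing}: KongPlugin '{plugin}' not found")
```

Fed with the `items` lists from `kubectl get ingress -A -o json` and `kubectl get kongplugins -A -o json`, the same functions can run as a periodic audit or a pre-deploy gate.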