Kong Ingress OAuth2 token introspection plugin in K8S


I am using the Kong Ingress controller (DB-less) to create an API gateway.
I wanted to add OAuth2 token introspection to verify tokens received by the Kong Ingress.

I added a Kuberneted KongPlugin, something like this:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
    kubernetes.io/ingress.class: kong
  name: gateway-oauth-plugin
plugin: oauth2-introspection

and I annotated the Kong Ingress with following annotation:

konghq.com/plugins: gateway-oauth-plugin

This does not work - the Ingress never gets an IP address.

Looking at the docs I am not sure this is meant to work…
It seems the OAuth introspection plugin is not listed under the free teir, but first at the plus tier.

I don’t know much about the Kong stack - so bear with me…
Is it possible (fx by buing the Plus tier) to make the plugin work inside Kubernetes like described above?


Yes, to use that plugin you’d need a paid version of Kong.

You may want to try with some other plugin to separately verify that your config is otherwise correct.

Ingresses won’t receive an IP if you’re not using a LoadBalancer proxy, so that may be normal–you should be able to route requests for that Ingress if you send them through the proxy despite the lack of IP status.

If you are indeed not able to route, check the controller container logs: it should indicate a reason it’s unable to apply configuration. In this case it should be writing logs indicating that it failed to apply configuration because that plugin is not available.