Scoping of KongCredentials

#1

I have an issue with the scoping of consumers/credentials trying to establish the following scenario:

  • We’re exposing kubeless functions (I’ll just call those endpoints from now on) via the kong-ingress-controller
  • Endpoints may require no auth, basic-auth or key-auth
  • The users/tokens allowed to access vary by endpoint

I tried the following approach to do this:

  • Create consumers and credentials and link each credential to a consumer via consumerRef
  • Create a key-auth KongPlugin for each consumer, link the consumer via consumerRef
  • Add a comma-separated list of the created plugins as value to the “plugins.konghq.com”-annotation of the ingress for this endpoint

This works partially: The authentication is enforced and wrong credentials are rejected while valid credentials get access to the endpoint’s response. HOWEVER, the credentials are not scoped to the consumers linked to the plugins linked to the ingress, but ANY credentials of type “key-auth” in this namespace are considered valid.

I understand that having multiple auth-plugins on one endpoint could cause issues, but this also applies to the case where I only have one plugin linked to one consumer with one linked credential. All other unlinked credentials are still considered valid.

Is this expected? Is this a bug? Is there a better way to do this, apart from creating a namespace per endpoint?

0 Likes

#2

Hello @jmtoball,

Thank you for the detailed explanation.

Is this expected? Is this a bug? Is there a better way to do this, apart from creating a namespace per endpoint?

This is not a bug but an expected behavior.
The Ingress Controller doesn’t enforce any k8s namespace level scopes in Kong.
Any consumer with valid credential will be authenticated by Kong, no matter which namespace it belongs to.

There are a couple of ways to solve this problem:

  • Run an Ingress Controller in each namespace: Each Ingress Controller will then configure Kong based on configuration objects that are stored in it’s namespace only. So, in effect, each Kong Ingress cluster is aware of only the credentials that are considered valid in your use-case. Credentials from another namespace will be rejected.
  • Use the ACL plugin in Kong
    If you’d like to run a single Ingress Controller, you can have an ACL group for each namespace in your k8s cluster. Then, for each consumer, associate the consumer to it’s namespace. Once you’ve this meta-data configuration in place, you can now enable the ACL plugin on every Ingress rule where you’d like to lock down your API to consumers of a specific namespace. This has an added advantage of allows users of multiple namespaces to be allowed/denied access to specific services.

Hope this helps!

0 Likes