Scoping of KongCredentials

I have an issue with the scoping of consumers/credentials trying to establish the following scenario:

  • We’re exposing kubeless functions (I’ll just call those endpoints from now on) via the kong-ingress-controller
  • Endpoints may require no auth, basic-auth or key-auth
  • The users/tokens allowed to access vary by endpoint

I tried the following approach to do this:

  • Create consumers and credentials and link each credential to a consumer via consumerRef
  • Create a key-auth KongPlugin for each consumer, link the consumer via consumerRef
  • Add a comma-separated list of the created plugins as value to the “plugins.konghq.com”-annotation of the ingress for this endpoint

This works partially: The authentication is enforced and wrong credentials are rejected while valid credentials get access to the endpoint’s response. HOWEVER, the credentials are not scoped to the consumers linked to the plugins linked to the ingress, but ANY credentials of type “key-auth” in this namespace are considered valid.

I understand that having multiple auth-plugins on one endpoint could cause issues, but this also applies to the case where I only have one plugin linked to one consumer with one linked credential. All other unlinked credentials are still considered valid.

Is this expected? Is this a bug? Is there a better way to do this, apart from creating a namespace per endpoint?

Hello @jmtoball,

Thank you for the detailed explanation.

Is this expected? Is this a bug? Is there a better way to do this, apart from creating a namespace per endpoint?

This is not a bug but an expected behavior.
The Ingress Controller doesn’t enforce any k8s namespace level scopes in Kong.
Any consumer with a valid credential will be authenticated by Kong, no matter which namespace it belongs to.

There are a couple of ways to solve this problem:

  • Run an Ingress Controller in each namespace: Each Ingress Controller will then configure Kong based on configuration objects that are stored in its namespace only. So, in effect, each Kong Ingress cluster is aware of only the credentials that are considered valid in your use-case. Credentials from another namespace will be rejected.
  • Use the ACL plugin in Kong: If you’d like to run a single Ingress Controller, you can have an ACL group for each namespace in your k8s cluster. Then, for each consumer, associate the consumer to its namespace. Once you have this meta-data configuration in place, you can now enable the ACL plugin on every Ingress rule where you’d like to lock down your API to consumers of a specific namespace. This has the added advantage of allowing users of multiple namespaces to be allowed/denied access to specific services.

Hope this helps!
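The ACL-group-per-namespace approach from the reply above, written out as an added example (not part of the original thread or of the Kong project’s docs). It assumes a Kong Ingress Controller release where credentials are Kubernetes Secrets listed on the KongConsumer (the thread uses the older KongCredential/consumerRef form), and that the ACL plugin accepts `config.allow` (older Kong versions name this field `whitelist`). The namespace `team-a`, consumer `alice` and object names are constructed for illustration.

```yaml
# Constructed example: one consumer in namespace team-a, given a key-auth
# credential and an ACL group named after its namespace.
---
apiVersion: v1
kind: Secret
metadata:
  name: alice-key
  namespace: team-a
stringData:
  kongCredType: key-auth
  key: REPLACE-WITH-REAL-KEY     # placeholder; store the real key out of band
---
apiVersion: v1
kind: Secret
metadata:
  name: alice-acl
  namespace: team-a
stringData:
  kongCredType: acl
  group: team-a                  # ACL group = namespace name
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: alice
  namespace: team-a
username: alice
credentials:                     # both Secrets attach to this consumer
  - alice-key
  - alice-acl
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: key-auth
  namespace: team-a
plugin: key-auth                 # authenticates: which consumer is calling
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: team-a-only
  namespace: team-a
plugin: acl                      # authorizes: only consumers in group team-a
config:
  allow:                         # 'whitelist' on Kong releases before 2.1
    - team-a
```

Reference both plugins from the endpoint’s Ingress with `plugins.konghq.com: key-auth, team-a-only`; a key-auth credential from another namespace then still authenticates, but is rejected by the ACL plugin because its consumer carries no `team-a` group.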