Scoping of KongCredentials

Hello @jmtoball,

Thank you for the detailed explanation.

Is this expected? Is this a bug? Is there a better way to do this, apart from creating a namespace per endpoint?

This is not a bug but an expected behavior.
The Ingress Controller doesn’t enforce any k8s namespace level scopes in Kong.
Any consumer with a valid credential will be authenticated by Kong, no matter which namespace it belongs to.

There are a couple of ways to solve this problem:

  • Run an Ingress Controller in each namespace: Each Ingress Controller will then configure Kong based on configuration objects that are stored in its namespace only. So, in effect, each Kong Ingress cluster is aware of only the credentials that are considered valid in your use-case. Credentials from another namespace will be rejected.
  • Use the ACL plugin in Kong
    If you’d like to run a single Ingress Controller, you can have an ACL group for each namespace in your k8s cluster. Then, for each consumer, associate the consumer to its namespace. Once you have this meta-data configuration in place, you can now enable the ACL plugin on every Ingress rule where you’d like to lock down your API to consumers of a specific namespace. This has the added advantage of allowing users of multiple namespaces to be allowed/denied access to specific services.

Hope this helps!
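To make the second option concrete, here is an added example of the ACL-based layout described in the reply above. It is not configuration from the original post or from the Kong project; the namespace `team-a`, the consumer `team-a-app`, the group name `team-a`, the plugin names and the API key value are all assumed/constructed placeholders. It uses the Kong Ingress Controller's `KongConsumer` and `KongPlugin` CRDs, credential Secrets keyed by `kongCredType`, and the `konghq.com/plugins` Ingress annotation; a consumer is placed in an ACL group by attaching an `acl`-type credential that names the group.

```yaml
# Assumed namespace; every object below lives here so the team owns its own credentials.
# --- 1. A key-auth credential for the consumer (constructed placeholder key value) ---
apiVersion: v1
kind: Secret
metadata:
  name: team-a-app-key
  namespace: team-a
stringData:
  kongCredType: key-auth
  key: REPLACE-WITH-A-RANDOM-SECRET   # placeholder; generate a strong random value
---
# --- 2. ACL group membership: this credential puts the consumer in group "team-a" ---
apiVersion: v1
kind: Secret
metadata:
  name: team-a-app-acl
  namespace: team-a
stringData:
  kongCredType: acl
  group: team-a                       # one group per namespace, as the reply suggests
---
# --- 3. The consumer, tied to both credentials above ---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: team-a-app
  namespace: team-a
  annotations:
    kubernetes.io/ingress.class: kong
username: team-a-app
credentials:
  - team-a-app-key
  - team-a-app-acl
---
# --- 4. Authentication plugin: Kong must identify the consumer before ACL can apply ---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: team-a-key-auth
  namespace: team-a
plugin: key-auth
---
# --- 5. Authorization plugin: only members of group "team-a" may pass ---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: team-a-only
  namespace: team-a
plugin: acl
config:
  allow:
    - team-a
---
# --- 6. The Ingress rule locked down to team-a consumers ---
# Both plugins are attached; a consumer from another namespace with a valid key
# still authenticates but is rejected by the ACL check because it is not in "team-a".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: team-a-api
  namespace: team-a
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/plugins: team-a-key-auth, team-a-only
spec:
  rules:
    - http:
        paths:
          - path: /team-a
            pathType: Prefix
            backend:
              service:
                name: team-a-svc       # assumed backend Service name
                port:
                  number: 80
```

The important caveat is the ordering in step 4 and 5: the ACL plugin only works once an authentication plugin (here `key-auth`) has identified the consumer, so both must be attached to every Ingress you want scoped. Note also that the ACL group names are global in Kong, so keep a naming convention (for example, group name equals namespace name) and review who can create `acl` credential Secrets, because anyone who can create one in a namespace can claim membership in any group.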