Selective authorization and routing on Kong Ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    konghq.com/strip-path: "true"
    kubernetes.io/ingress.class: kong
  labels:
    app: my-api
  name: my-api-endpoint
spec:
  rules:
  - host: my-api.mydomain.com
    http:
      paths:
      - backend:
          serviceName: service1
          servicePort: 80
        path: /play
        pathType: ImplementationSpecific
      - backend:
          serviceName: service1
          servicePort: 80
        path: /play/authenticate
        pathType: ImplementationSpecific
      - backend:
          serviceName: service1
          servicePort: 80
        path: /play/move/right
        pathType: ImplementationSpecific

Above is the configuration of my Ingress. What I am trying to achieve is that I want to put authorization on /play route which I am able to with the help of an API Key. Further to that there are few routes which I want to keep open explicitly without any API key but the configuration for other routes is somehow not helping me much.

e.g. /play/authenticate should go to service1/authenticate which is not happening right now. Any hint or clue I can take from here?

Kong Image: kong:2.0.3
Kubernetes Version: 1.18
AWS Load balancer being used: Classic

If you want separate plugin configurations for those paths (i.e. authentication for some, but not for others), you’ll need separate Ingress resources for them. There’s no way to apply a plugin to some paths on an Ingress but not others.

In some cases you can instead apply separate plugin annotations to the Service resources to achieve something equivalent, but as all paths in your example use service1, that’s not an option here.