Using plugins across namespaces

Plugins can interact with resources across different Kubernetes namespaces. KongClusterPlugin resources can be referenced from any namespace, but require cluster-level permissions and may not be appropriate for all environments. This guide covers the use of ReferenceGrant to grant selective permissions that allow KongPlugin resources in one namespace to modify resources in another.

Prerequisites: Install Kong Ingress Controller with Gateway API support in your Kubernetes cluster and connect to Kong.

Prerequisites

Install the Gateway APIs

Install the Gateway API CRDs before installing Kong Ingress Controller.

 kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml

Create a Gateway and GatewayClass instance to use.

echo "
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: kong
  annotations:
    konghq.com/gatewayclass-unmanaged: 'true'

spec:
  controllerName: konghq.com/kic-gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: kong
spec:
  gatewayClassName: kong
  listeners:
  - name: proxy
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
         from: All
" | kubectl apply -f -

The results should look like this:

gatewayclass.gateway.networking.k8s.io/kong created
gateway.gateway.networking.k8s.io/kong created

Install Kong

You can install Kong in your Kubernetes cluster using Helm.

Add the Kong Helm charts:

 helm repo add kong https://charts.konghq.com
 helm repo update

Install Kong Ingress Controller and Kong Gateway with Helm:

 helm install kong kong/ingress -n kong --create-namespace 

Test connectivity to Kong

Kubernetes exposes the proxy through a Kubernetes service. Run the following commands to store the load balancer IP address in a variable named PROXY_IP:

Populate $PROXY_IP for future commands:

 export PROXY_IP=$(kubectl get svc --namespace kong kong-gateway-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
 echo $PROXY_IP

Ensure that you can call the proxy IP:

 curl -i $PROXY_IP

The results should look like this:

 HTTP/1.1 404 Not Found
 Content-Type: application/json; charset=utf-8
 Connection: keep-alive
 Content-Length: 48
 X-Kong-Response-Latency: 0
 Server: kong/3.0.0
  
 {"message":"no Route matched with those values"}

The examples provided use HTTPRoute from the Gateway API project, but ReferenceGrant resources may be used with Ingress too.

Note: This guide requires Kong Ingress Controller version 3.2 or higher and the ReferenceGrant resource definition from the Gateway API. ReferenceGrant may not be available on all Kubernetes clusters.

Example use case

Alice manages consumers for ACME Inc. They have permission to creates consumers and credentials in the golf namespace.

Bob manages ACME Inc’s httpbin Service in the foxtrot namespace. Bob wants to apply different rate limits to different consumers, but they do not have full access to the golf namespace, and Alice does not have access to the foxtrot namespace. To manage these limits, Alice can create ReferenceGrants that permit Bob’s KongPlugins in foxtrot to interact with KongConsumers in the golf namespace.

Create namespaces

Create the two test namespaces:

kubectl create namespace golf
kubectl create namespace foxtrot

The result should look like:

namespace/golf created
namespace/foxtrot created

Create routes and services

Create a Service and Deployment in foxtrot:

kubectl apply -f https://docs.konghq.com/assets/kubernetes-ingress-controller/examples/httpbin-service.yaml -n foxtrot

The result should look like:

service/httpbin created
deployment.apps/httpbin created

Create an HTTPRoute to access the Service:

echo "
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: demo-route
  namespace: foxtrot
  annotations:
    konghq.com/strip-path: 'true'
spec:
  parentRefs:
  - name: kong
    namespace: default
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /demo-route
    backendRefs:
    - name: httpbin
      kind: Service
      port: 80
" | kubectl apply -f -

The result should look like:

httproute.gateway.networking.k8s.io/demo-route created

Create an authentication plugin:

echo '
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: httpbin-basic-auth
  namespace: foxtrot
config:
  hide_credentials: true
plugin: basic-auth
' | kubectl apply -f -

The result should look like:

kongplugin.configuration.konghq.com/httpbin-basic-auth created

and attach it to the Service:

kubectl annotate service httpbin -n foxtrot konghq.com/plugins=httpbin-basic-auth

The result should look like:

service/httpbin annotated

Create consumers and credentials

Create Secrets to add basic-auth credentials for two consumers:

 echo '
 ---
 apiVersion: v1
 kind: Secret
 metadata:
   name: charlie-basic-auth
   namespace: golf
   labels:
     konghq.com/credential: basic-auth
 stringData:
     username: charlie
     password: charlie-password
 ---
 apiVersion: v1
 kind: Secret
 metadata:
   name: david-basic-auth
   namespace: golf
   labels:
     konghq.com/credential: basic-auth
 stringData:
     username: david
     password: david-password
 ' | kubectl apply -f -

The results should look like:

 secret/charlie-basic-auth created
 secret/david-basic-auth created

Create consumers named charlie and david that use these credentials:

 echo "apiVersion: configuration.konghq.com/v1
 kind: KongConsumer
 metadata:
   name: charlie
   namespace: golf
   annotations:
     kubernetes.io/ingress.class: kong
 username: charlie
 credentials:
 - charlie-basic-auth
" | kubectl apply -f -

The results should look like this:

 kongconsumer.configuration.konghq.com/charlie created

 echo "apiVersion: configuration.konghq.com/v1
 kind: KongConsumer
 metadata:
   name: david
   namespace: golf
   annotations:
     kubernetes.io/ingress.class: kong
 username: david
 credentials:
 - david-basic-auth
" | kubectl apply -f -

The results should look like this:

 kongconsumer.configuration.konghq.com/david created

Grant cross-namespace permissions

Bob and Alice wants to limit the amount of requests to the httpbin Service on a per-consumer basis. Because they only have access to their own namespaces, they need to create rules that allow interactions across them.

By default, resources that support the konghq.com/plugins annotation can only attach plugins in their same namespace. ReferenceGrant resources can grant permission to use plugins to resources in other namespaces.

To allow this cross-namespace interaction, Alice asks Bob to create a ReferenceGrant in foxtrot that allows KongConsumers in golf to use KongPlugins in foxtrot:

echo '
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: golf-rate-limit
  namespace: foxtrot
spec:
  from:
  - group: "configuration.konghq.com"
    kind: KongConsumer
    namespace: golf
  to:
  - group: "configuration.konghq.com"
    kind: KongPlugin
' | kubectl apply -f -

The results should look like:

referencegrant.gateway.networking.k8s.io/golf-rate-limit created

Such ReferenceGrants allow the from resource (KongConsumers in the golf namespace) to interact with KongPlugins in the ReferenceGrant’s namespace (foxtrot).

Create the cross-namespace plugins

With the ReferenceGrant in place, Bob can create the rate-limiting KongPlugins:

echo '
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limit-charlie
  namespace: foxtrot
  annotations:
    kubernetes.io/ingress.class: kong
config:
  minute: 10
  policy: local
plugin: rate-limiting
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limit-david
  namespace: foxtrot
  annotations:
    kubernetes.io/ingress.class: kong
config:
  minute: 5
  policy: local
plugin: rate-limiting
' | kubectl apply -f -

The result should look like:

kongplugin.configuration.konghq.com/rate-limit-charlie created
kongplugin.configuration.konghq.com/rate-limit-david created

Attach the plugins to their resources

With the plugins in place, each namespace administrator can attach them to the resources in their respective namespaces.

Alice attaches the plugins to the KongConsumers in golf. They use the <namespace>:<kongplugin-resource-name> format in the plugin name to indicate that the requested KongPlugin resides in another namespace:

kubectl annotate kongconsumer charlie -n golf konghq.com/plugins=foxtrot:rate-limit-charlie
kubectl annotate kongconsumer david -n golf konghq.com/plugins=foxtrot:rate-limit-david

The result should look like:

kongconsumer.configuration.konghq.com/charlie annotated
kongconsumer.configuration.konghq.com/david annotated

Bob attaches the plugins to the httpbin Service in foxtrot:

kubectl annotate service httpbin --overwrite -n foxtrot konghq.com/plugins=httpbin-basic-auth,rate-limit-charlie,rate-limit-david

Note that this command overrides the entire plugin annotation, so it needs to include the httpbin-basic-auth plugin from earlier in the list, not just the new rate limiting plugins.

The result should look like:

service/httpbin annotated

Test the configuration

Send a request using the charlie consumer:

curl -sv $PROXY_IP/demo-route/status/200 -u charlie:charlie-password 2>&1 | grep "X-RateLimit-Remaining-Minute"

The results should show the remaining limit expected for charlie. Since charlie can send 10 requests per minute, and has sent 1, the response should indicate there are 9 requests remaining:

< X-RateLimit-Remaining-Minute: 9

Send a request using the david consumer:

curl -sv $PROXY_IP/demo-route/status/200 -u david:david-password 2>&1 | grep "X-RateLimit-Remaining-Minute"

The results should show the remaining limit expected for david. Since david can send 5 requests per minute, and has sent 1, the response should indicate there are 4 requests remaining:

< X-RateLimit-Remaining-Minute: 4