Manage Administrative Teams
In this topic, you’ll learn how to manage and configure user authorization using workspaces and teams in Kong Gateway (Enterprise).
If you are following the getting started workflow, make sure you have completed Set Up Intelligent Load Balancing before moving on.
Overview of Workspaces and Teams
Many organizations have strict security requirements. For example, organizations need the ability to segregate the duties of an administrator to ensure that a mistake or malicious act by one administrator doesn’t cause an outage. Kong Gateway (Enterprise) provides a number of security capabilities to help customers secure the administration environment.
Workspaces enable an organization to segment objects and admins into namespaces. The segmentation allows teams of admins sharing the same Kong Gateway cluster to adopt roles for interacting with specific objects. For example, one team (Team A) may be responsible for managing a particular service, whereas another team (Team B) may be responsible for managing another service. Teams should only have the roles they need to perform the administrative tasks within their specific workspaces.
Kong Gateway does all of this through Role-Based Access Control (RBAC). All administrators can be given specific roles, whether you are using Kong Manager or the Admin API, which control and limit the scope of administrative privileges within specific workspaces.
In this example, you’ll start by creating a simple workspace called
SecureWorkspace. Then, you’ll create an administrator for that workspace, with rights to administer only the objects in the SecureWorkspace and nothing else.
Note: The steps in this topic cannot be performed using declarative
Securing your Gateway Installation
At a high level, securing Kong Gateway administration is a two-step process:
- Turn on RBAC.
- Create a Workspace and an admin for segregated administration.
At this point in the Getting Started Guide, you have been interacting with your environment as the built-in Super Admin,
kong_admin. The password for this
kong_admin user was “seeded” during the installation process using the KONG_PASSWORD environment variable. After RBAC is enabled, you will need to authenticate to the Kong Manager and the Kong Gateway Admin API using the proper credentials.
In the following sections, you will need the
kong_admin account’s password to log in to Kong Gateway, and the
kong_admin_uri needs to be configured to avoid getting CORS errors.
Turn on RBAC
To enable RBAC, you will need the initial KONG_PASSWORD that was used when you first installed Kong Gateway and ran migrations. This is also the default password for the Super Admin, and will be required once RBAC is on.
Outside of this guide, you will likely want to modify these settings differently, depending on your installation. You can read more about these settings here: Basic Auth for Kong Manager.
Create a Workspace
Create an Admin
Next, create an admin for the SecureWorkspace, granting them permissions to manage only that workspace.
Verify the New Admin
That’s it! You are now controlling access to Kong Gateway administration with RBAC.
Reference: Using decK with RBAC and Workspaces
Once RBAC is enabled, you will have to pass the
kong-admin-token in a header
any time you use decK:
$ deck sync --headers "kong-admin-token:mytoken"
Note: You should not use an RBAC token with Super Admin
privileges for decK. Always scope down to the exact permissions you need to
When you have multiple workspaces, decK creates a file for each one. Export
them as follows:
$ deck dump --all-workspaces
Or, to export the configuration for only one workspace:
$ deck dump --workspace SecureWorkspace
You can use these flags with any decK commands to update and export your
Summary and next steps
In this topic, you:
- Enabled RBAC.
- Created a workspace named
- Created an admin named
secureworkspaceadmin and granted them permissions to manage to everything in the
Next, set up the Kong Developer Portal.