Community Plugin: This plugin is developed, tested, and maintained by a third-party contributor.
ArecaBay enables enterprises to Discover, Monitor, and Secure APIs at object/data level.
ArecaBay’s Kong plugin installed in the Kong cluster is one type of ArecaBay MicroSensors that are light-weight software components built to access real-time API call level data without any modification to the applications or their runtime. They enable ArecaBay’s Dynamic API Risk Trackers (DART) and API DLP: a set of API level trackers and Data Leakage Prevention.
DART provides an API data security posture dashboard for DevSecOps to continuously discover and monitor APIs across all clouds with zero-impact to apps. DART’s anomaly detection enables API DLP to take policy action against highly targeted data fields and transactions. Please visit this link for more details.
In addition to API Security, for developers and/or DevOps, ArecaBay’s Kong plugin can be used to monitor and log application API calls with selective object level data.
Installation
The installation of ArecaBay’s Kong Plugin and the corresponding ArecaBay components is extremely simple and easy. It involves the following two steps:
- Install and setup ArecaBay’s Kong Plugin
- Access ArecaBay Cloud Webconsole and configure ArecaBay Kong Plugin as a MicroSensor
Install and setup ArecaBay’s Kong Plugin
Install the ArecaBay’s Kong plugin (ab-microsensor) on each node in your Kong cluster via luarocks. As this plugin source is already hosted in Luarocks.org, please run the below command:
luarocks install kong-plugin-ab-microsensor
Add to the custom_plugins list in your Kong configuration (on each Kong node):
custom_plugins = ab-microsensor
Access ArecaBay Cloud Webconsole and setup LocalBay
Please visit the Partners page and request your ArecaBay Cloud Webconsole account. Follow the quickstart guide within the Webconsole to configure your Kong Plugin as a MicroSensor. This involves providing details for the Kong Plugin MicroSensor and downloading the setup script. Run the setup script which internally uses the Kong Admin API to configure & run the Kong Plugin as a global plugin.
Configuration Reference
This plugin is not compatible with DB-less mode.
Enable the plugin on a service
Admin API
Kubernetes
Declarative (YAML)
For example, configure this plugin on a service by
making the following request:
curl -X POST http://{HOST}:8001/services/{SERVICE}/plugins \
--data "name=ab-microsensor" \
--data "config.ab_localbay_ip=" \
--data "config.ab_localbay_port=" \
--data "config.ab_tenant_id=" \
--data "config.ab_localbay_passphrase=" \
--data "config.ab_microsensor_name=" \
--data "config.ab_microsensor_id="
SERVICE
is the id
or name
of the service that this plugin
configuration will target.
First, create a KongPlugin
resource:
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: <ab-microsensor-example>
config:
ab_localbay_ip:
ab_localbay_port:
ab_tenant_id:
ab_localbay_passphrase:
ab_microsensor_name:
ab_microsensor_id:
plugin: ab-microsensor
Next, apply the KongPlugin resource to a
Service by annotating the
Service as follows:
apiVersion: v1
kind: Service
metadata:
name: {SERVICE}
labels:
app: {SERVICE}
annotations:
konghq.com/plugins: <ab-microsensor-example>
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
name: {SERVICE}
selector:
app: {SERVICE}
{SERVICE}
is the id
or name
of the service that this plugin
configuration will target.
Note: The KongPlugin resource only needs to be defined once
and can be applied to any service, consumer, or route in the namespace. If you
want the plugin to be available cluster-wide, create the resource as a
KongClusterPlugin
instead of KongPlugin
.
For example, configure this plugin on a service by
adding this section to your declarative configuration file:
plugins:
- name: ab-microsensor
service: {SERVICE}
config:
ab_localbay_ip:
ab_localbay_port:
ab_tenant_id:
ab_localbay_passphrase:
ab_microsensor_name:
ab_microsensor_id:
SERVICE
is the id
or name
of the service that this plugin
configuration will target.
Enable the plugin on a route
Admin API
Kubernetes
Declarative (YAML)
For example, configure this plugin on a route with:
$ curl -X POST http://{HOST}:8001/routes/{ROUTE}/plugins \
--data "name=ab-microsensor" \
--data "config.ab_localbay_ip=" \
--data "config.ab_localbay_port=" \
--data "config.ab_tenant_id=" \
--data "config.ab_localbay_passphrase=" \
--data "config.ab_microsensor_name=" \
--data "config.ab_microsensor_id="
ROUTE
is the id
or name
of the route that this plugin configuration
will target.
First, create a KongPlugin
resource:
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: <ab-microsensor-example>
config:
ab_localbay_ip:
ab_localbay_port:
ab_tenant_id:
ab_localbay_passphrase:
ab_microsensor_name:
ab_microsensor_id:
plugin: ab-microsensor
Then, apply it to an ingress (Route or Routes)
by annotating the ingress as follows:
apiVersion: networking/v1beta1
kind: Ingress
metadata:
name: {ROUTE}
annotations:
kubernetes.io/ingress.class: kong
konghq.com/plugins: <ab-microsensor-example>
spec:
rules:
- host: examplehostname.com
http:
paths:
- path: /bar
backend:
serviceName: echo
servicePort: 80
ROUTE
is the id
or name
of the route that this plugin configuration
will target.
Note: The KongPlugin resource only needs to be defined once
and can be applied to any service, consumer, or route in the namespace. If you
want the plugin to be available cluster-wide, create the resource as a
KongClusterPlugin
instead of KongPlugin
.
For example, configure this plugin on a route by
adding this section to your declarative configuration file:
plugins:
- name: ab-microsensor
route: <route>
config:
ab_localbay_ip:
ab_localbay_port:
ab_tenant_id:
ab_localbay_passphrase:
ab_microsensor_name:
ab_microsensor_id:
ROUTE
is the id
or name
of the route that this plugin configuration
will target.
Enabling the plugin on a consumer
Admin API
Kubernetes
Declarative (YAML)
For example, configure this plugin on a consumer with:
$ curl -X POST http://{HOST}:8001/consumers/{CONSUMER}/plugins \
--data "name=ab-microsensor" \
--data "config.ab_localbay_ip=" \
--data "config.ab_localbay_port=" \
--data "config.ab_tenant_id=" \
--data "config.ab_localbay_passphrase=" \
--data "config.ab_microsensor_name=" \
--data "config.ab_microsensor_id="
CONSUMER
is the id
or username
of the consumer that this plugin
configuration will target.
You can combine consumer.id
, service.id
, or route.id
in the same request, to further narrow the scope of the plugin.
First, create a KongPlugin
resource:
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: <ab-microsensor-example>
config:
ab_localbay_ip:
ab_localbay_port:
ab_tenant_id:
ab_localbay_passphrase:
ab_microsensor_name:
ab_microsensor_id:
plugin: ab-microsensor
Then, apply it to a consumer by
annotating the KongConsumer resource as follows:
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: {CONSUMER}
annotations:
konghq.com/plugins: <ab-microsensor-example>
kubernetes.io/ingress.class: kong
CONSUMER
is the id
or username
of the consumer that this plugin
configuration will target.
Note: The KongPlugin resource only needs to be defined once
and can be applied to any Service, Consumer, or Route in the namespace. If you
want the plugin to be available cluster-wide, create the resource as a
KongClusterPlugin
instead of KongPlugin
.
For example, configure this plugin on a consumer by
adding this section to your declarative configuration file:
plugins:
- name: ab-microsensor
consumer: {CONSUMER}
config:
ab_localbay_ip:
ab_localbay_port:
ab_tenant_id:
ab_localbay_passphrase:
ab_microsensor_name:
ab_microsensor_id:
CONSUMER
is the id
or username
of the consumer that this plugin
configuration will target.
Enable the plugin globally
A plugin which is not associated to any service, route, or consumer is
considered global, and will be run on every request. Read the
Plugin Reference and the Plugin Precedence
sections for more information.
Admin API
Kubernetes
Declarative (YAML)
For example, configure this plugin globally with:
$ curl -X POST http://{HOST}:8001/plugins/ \
--data "name=ab-microsensor" \
--data "config.ab_localbay_ip=" \
--data "config.ab_localbay_port=" \
--data "config.ab_tenant_id=" \
--data "config.ab_localbay_passphrase=" \
--data "config.ab_microsensor_name=" \
--data "config.ab_microsensor_id="
Create a KongClusterPlugin
resource and label it as global:
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
name: <global-ab-microsensor>
annotations:
kubernetes.io/ingress.class: kong
labels:
global: \"true\"
config:
ab_localbay_ip:
ab_localbay_port:
ab_tenant_id:
ab_localbay_passphrase:
ab_microsensor_name:
ab_microsensor_id:
plugin: ab-microsensor
For example, configure this plugin using the plugins:
entry in the declarative
configuration file:
plugins:
- name: ab-microsensor
config:
ab_localbay_ip:
ab_localbay_port:
ab_tenant_id:
ab_localbay_passphrase:
ab_microsensor_name:
ab_microsensor_id:
Parameters
Here's a list of all the parameters which can be used in this plugin's configuration:
Form Parameter |
Description |
name
required
Type: string |
The name of the plugin, in this case ab-microsensor . |
service.id
Type: string |
The ID of the Service the plugin targets. |
route.id
Type: string |
The ID of the Route the plugin targets. |
consumer.id
Type: string |
The ID of the Consumer the plugin targets. |
enabled
required
Type: boolean
Default value: true |
Whether this plugin will be applied. |
api_id
Type: string |
The ID of the API the plugin targets.
Note: The API Entity is deprecated in favor of Services since CE 0.13.0 and EE 0.32. |
config.ab_localbay_ip
required
|
The ArecaBay LocalBay IP that this plugin will connect and provide API event data.
|
config.ab_localbay_port
required
|
The ArecaBay LocalBay Port that this plugin will connect and provide API event data.
|
config.ab_tenant_id
required
|
The tenant id specific to the ArecaBay LocalBay.
|
config.ab_localbay_passphrase
required
|
The passphrase for authentication with LocalBay.
|
config.ab_microsensor_name
required
|
The name of this microsensor to be used for display purposes in the web console.
|
config.ab_microsensor_id
required
|
The id of this microsensor.
|