Plugins lets you extend Konnect functionality. You can find a full list of all Kong plugins on the Plugin Hub.
Kong plugins in Kong Konnect
Manage Konnect plugins through the Service Hub or the Runtime Manager.
You can scope a plugin to an object, or apply it globally.
A scoped plugin applies configuration only to a specific service, route, or consumer. You can configure plugins on services and routes through Service Hub, and on consumers through the Runtime Manager.
If you want to apply a plugin globally – that is, to all services, routes, and consumers in a runtime group, using the Runtime Manager.
Application registration is built into the Service Hub. Enabling it on a service also enables two plugins in read-only mode: ACL, and one of Key Auth or OpenID Connect. These plugins appear in the service’s plugin list, and you can view their configurations, but you can’t edit or delete them directly.
Rate limiting plugins default to the
redis strategy, for which you must
provide your own Redis server. You can also use
local to apply rate limiting
per individual data plane.
The following plugins are not available with Kong Konnect:
- OAuth2 Authentication
- Apache OpenWhisk
- Vault Auth
- GraphQL Rate Limiting Advanced
- Key Authentication Encrypted
See the plugin compatibility chart for a full comparison of plans and network configurations that each plugin supports.
Kong Konnect supports the use of custom plugins. You can write new custom plugins using this template as a guide. Every custom plugin must meet the following requirements:
- Admin API extensions must not contain an
- Custom plugin database tables must not contain a
- Custom validation functions must be written in Lua and be self-contained within the schema.
schema.luafile must not contain any
- Plugins that require third-party libraries must reference them in the
If your plugin meets these requirements and you want to use it in Kong Konnect, contact Kong Support.
Custom plugins can’t be added directly through the Kong Konnect application.