Plugins lets you extend Konnect functionality. You can
find a full list of all Kong plugins on the Plugin Hub.
Kong plugins in Kong Konnect
Manage Konnect plugins through the Service Hub or
the Runtime Manager.
You can scope a plugin to an object, or apply it globally.
A scoped plugin applies configuration only to a specific service, route,
or consumer. You can configure plugins on
routes through Service Hub, and on
through the Runtime Manager.
If you want to apply a plugin globally – that is, to all services,
routes, and consumers in a runtime group, using the
Application registration is built into the Service Hub.
Enabling it on a service
also enables two plugins in read-only mode: ACL, and one of Key Auth or OpenID
Connect. These plugins appear in the service’s plugin list, and you can view their
configurations, but you can’t edit or delete them directly.
Rate limiting plugins default to the
redis strategy, for which you must
provide your own Redis server. You can also use
local to apply rate limiting
per individual data plane.
The following plugins are not available with Kong Konnect:
- OAuth2 Authentication
- Apache OpenWhisk
- Vault Auth
- GraphQL Rate Limiting Advanced
- Key Authentication Encrypted
See the plugin compatibility chart
for a full comparison of plans and network configurations that each plugin
Kong Konnect supports the use of custom plugins. You can write new custom plugins using this template as a guide. Every custom plugin must meet the following requirements:
- Admin API extensions must not contain an
- Custom plugin database tables must not contain a
- Custom validation functions must be written in Lua and be self-contained within the schema.
schema.lua file must not contain any
- Plugins that require third-party libraries must reference them in the
If your plugin meets these requirements and you want to use it in
Kong Konnect, contact Kong Support.
Custom plugins can’t be added directly through the Kong Konnect application.