Kubernetes Ingress Controller
2.8.x (latest)
Security

This document explains the security aspects of the Kubernetes Ingress Controller.

The Kubernetes Ingress Controller communicates with the Kubernetes API server and with Kong’s Admin API. Both APIs offer authentication and authorization features, and the controller integrates with them.

Kubernetes RBAC

The Kubernetes Ingress Controller is deployed with RBAC permissions as explained in the deployment document. It has read and list permissions on most resources but requires update and create permission for a few resources to provide seamless integration. The permissions can be locked down further if needed, depending on the specific use case. This RBAC policy is associated with a ServiceAccount, and the ServiceAccount is associated with the Kubernetes Ingress Controller. The Controller uses the ServiceAccount credential to authenticate and authorize itself against the Kubernetes API server.
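As an added illustration of the pattern just described (this is not the RBAC manifest shipped with the controller; the resource list, names and namespace are assumptions, and the deployment document's manifest remains the reference), the following ServiceAccount, ClusterRole and ClusterRoleBinding grant read/list/watch on the resources the controller turns into Kong configuration, and write access only on the status subresources and events it must update:

```yaml
# Added example, not KIC's shipped manifest. Resource list and names are
# assumptions; compare with the deployment document's RBAC before use.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kong-serviceaccount        # assumed name
  namespace: kong                  # assumed namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kong-ingress-read-plus-status   # assumed name
rules:
  # Read-only access: the objects the controller watches to build Kong config.
  - apiGroups: [""]
    resources: ["services", "endpoints", "nodes", "pods", "secrets", "namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["configuration.konghq.com"]
    resources: ["kongplugins", "kongclusterplugins", "kongconsumers",
                "kongingresses", "tcpingresses", "udpingresses"]
    verbs: ["get", "list", "watch"]
  # Write access, limited to the subresources the controller must update
  # (published load-balancer address) and to recording events.
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["configuration.konghq.com"]
    resources: ["tcpingresses/status", "udpingresses/status"]
    verbs: ["update", "patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kong-ingress-read-plus-status
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kong-ingress-read-plus-status
subjects:
  - kind: ServiceAccount
    name: kong-serviceaccount
    namespace: kong
```

After applying it, confirm the lock-down from the ServiceAccount's point of view with `kubectl auth can-i --as=system:serviceaccount:kong:kong-serviceaccount --list` and a negative probe such as `kubectl auth can-i --as=system:serviceaccount:kong:kong-serviceaccount delete ingresses -A`, which should answer `no`. Running more than one controller replica additionally needs namespaced permissions for leader election, which this example leaves out.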

Kong Admin API Protection

Kong’s Admin API is used to control Kong’s configuration and proxying behavior. If an attacker gains access to Kong’s Admin API, they can perform every action an authorized user can, such as modifying or deleting Kong’s configuration. Hence, it is important that the deployment keeps the likelihood of this happening as small as possible.

In the example deployments, the Controller and Kong’s Admin API communicate over the loopback (lo) interface of the pod. Kong itself performs no authentication or authorization on the Admin API, so the API is bound only to the loopback interface to limit the attack surface. Although not ideal, this setup requires fewer steps to get started and can be hardened further as required.

Please note that it is very important that Kong’s Admin API is not accessible from inside the cluster, because any malicious workload could then change Kong’s configuration. If you’re exposing Kong’s Admin API itself outside the cluster, please ensure that you have the necessary authentication in place first.

Authentication on Kong’s Admin API

If Kong’s Admin API is protected with one of the authentication plugins, the Controller can authenticate itself against it to add another layer of security. The Controller comes with support for injecting arbitrary HTTP headers in the requests it makes to Kong’s Admin API, which can be used to inject authentication credentials. The headers can be specified using the CLI flag --kong-admin-header in the Ingress Controller.

The Ingress Controller will support mutual-TLS-based authentication on Kong’s Admin API in the future.

Kong Enterprise RBAC

Kong Enterprise comes with support for authentication and authorization on Kong’s Admin API.

Once an RBAC token is provisioned, the Kubernetes Ingress Controller can use the RBAC token to authenticate against Kong Enterprise. Use the --kong-admin-header CLI flag to pass the RBAC token to the Ingress Controller.
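The following manifest is an added example, not one of Kong's shipped deployments, that ties together the two protections described above: the Admin API bound to the pod's loopback interface only, and the controller injecting an authentication header on every Admin API call via --kong-admin-header, with the token read from a Kubernetes Secret rather than written into the manifest. Image tags, object names, the proxy Service name and the use of the Kong-Admin-Token header for Kong Enterprise RBAC are assumptions for illustration; Kong's database, license and other settings are left out.

```yaml
# Added example, not a Kong-shipped manifest. Names, image tags and the
# Kong-Admin-Token header are assumptions; the token value is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: kong-admin-token         # assumed name
  namespace: kong
type: Opaque
stringData:
  token: "REPLACE_WITH_PROVISIONED_RBAC_TOKEN"   # placeholder, never a real token
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-kong
  namespace: kong
spec:
  replicas: 1
  selector:
    matchLabels: {app: ingress-kong}
  template:
    metadata:
      labels: {app: ingress-kong}
    spec:
      serviceAccountName: kong-serviceaccount   # ServiceAccount carrying the RBAC policy
      containers:
        - name: proxy
          image: kong/kong-gateway:2.8          # assumed tag (Enterprise image)
          env:
            # Admin API on loopback only: reachable from containers in this
            # pod, never from other pods or nodes.
            - name: KONG_ADMIN_LISTEN
              value: "127.0.0.1:8444 http2 ssl"
            - name: KONG_PROXY_LISTEN
              value: "0.0.0.0:8000, 0.0.0.0:8443 http2 ssl"
            # Enterprise RBAC must be enforced for the token to matter.
            - name: KONG_ENFORCE_RBAC
              value: "on"
          ports:
            - {name: proxy, containerPort: 8000}
            - {name: proxy-ssl, containerPort: 8443}
            # Deliberately no containerPort for 8444: the Admin API is not a pod service.
        - name: ingress-controller
          image: kong/kubernetes-ingress-controller:2.8   # assumed tag
          env:
            - name: KONG_ADMIN_TOKEN
              valueFrom:
                secretKeyRef: {name: kong-admin-token, key: token}
          args:
            - --kong-admin-url=https://127.0.0.1:8444
            # Kong's default Admin API certificate is self-signed; skipping
            # verification is tolerable only because this hop never leaves the pod.
            - --kong-admin-tls-skip-verify
            # Header added to every Admin API request; Kubernetes expands $(VAR)
            # from the container's env, so the token never appears in the spec.
            - --kong-admin-header=Kong-Admin-Token:$(KONG_ADMIN_TOKEN)
            - --publish-service=kong/kong-proxy   # assumed proxy Service name
---
# Defence in depth: even if KONG_ADMIN_LISTEN is later widened, only the proxy
# ports accept traffic from elsewhere in the cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kong-proxy-ports-only
  namespace: kong
spec:
  podSelector:
    matchLabels: {app: ingress-kong}
  policyTypes: [Ingress]
  ingress:
    - ports:
        - {protocol: TCP, port: 8000}
        - {protocol: TCP, port: 8443}
```

The same --kong-admin-header mechanism carries any other credential an Admin API authentication plugin expects; only the header name and the Secret contents change. A quick check that the loopback binding holds is to run `kubectl exec` into a different pod in the cluster and attempt a connection to the Kong pod IP on port 8444: it should be refused, while the proxy ports still answer.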
