Skip to content
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
    • Kong Konnect
    • Kong Mesh
    • Plugin Hub
    • decK
    • Kubernetes Ingress Controller
    • Insomnia
    • Kuma

    • Docs contribution guidelines
  • Plugin Hub
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kubernetes Ingress Controller
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 2.8.x (latest)
  • 2.7.x
  • 2.6.x
  • 2.5.x
  • 2.4.x
  • 2.3.x
  • 2.2.x
  • 2.1.x
  • 2.0.x
  • 1.3.x
  • 1.2.x
  • 1.1.x
  • 1.0.x
    • FAQ
    • Version Support Policy
    • Stages of Software Availability
    • Changelog
    • Architecture
    • Custom Resources
    • Deployment Methods
    • Kong for Kubernetes with Kong Enterprise
    • High-Availability and Scaling
    • Resource Classes
    • Security
    • Ingress Resource API Versions
    • Gateway API
    • Kong Ingress on Minikube
    • Kong for Kubernetes
    • Kong for Kubernetes Enterprise
    • Kong for Kubernetes with Kong Enterprise
    • Kong Ingress on AKS
    • Kong Ingress on EKS
    • Kong Ingress on GKE
    • Admission Webhook
    • Installing Gateway APIs
    • Getting Started with KIC
    • Upgrading from previous versions
    • Upgrading to Kong 3.x
    • Getting Started using Istio
      • Using the KongPlugin Resource
      • Using the KongIngress Resource
      • Using KongConsumer and KongCredential Resources
      • Using the TCPIngress Resource
      • Using the UDPIngress Resource
    • Using the ACL and JWT Plugins
    • Using cert-manager with Kong
    • Allowing Multiple Authentication Methods
    • Configuring a Fallback Service
    • Using an External Service
    • Configuring HTTPS Redirects for Services
    • Using Redis for Rate Limiting
    • Integrate KIC with Prometheus/Grafana
    • Configuring Circuit-Breaker and Health-Checking
    • Setting up a Custom Plugin
    • Using Ingress with gRPC
    • Setting up Upstream mTLS
    • Exposing a TCP Service
    • Exposing a UDP Service
    • Using the mTLS Auth Plugin
    • Configuring Custom Entities
    • Using the OpenID Connect Plugin
    • Rewriting Hosts and Paths
    • Preserving Client IP Address
    • Using Kong with Knative
    • Using Multiple Backend Services
    • KIC Annotations
    • CLI Arguments
    • Custom Resource Definitions
    • Plugin Compatibility
    • Version Compatibility
    • Supported Kong Router Flavors
    • Troubleshooting
    • Prometheus Metrics
    • Feature Gates
    • Supported Gateway API Features

github-edit-pageEdit this page

report-issueReport an issue

enterprise-switcher-iconSwitch to OSS

On this page
  • Installation
  • Installing the Gateway APIs
  • Testing connectivity to Kong Gateway
  • Deploy an upstream HTTP application
  • Create a configuration group
  • Add routing configuration
  • Configuring plugins for routing configuration
    • Create a plugin
    • Associate the plugin with routing configuration
    • Test the plugin
  • Configuring plugins on Service resource
    • Create a plugin
    • Associate the plugin with the Service
    • Test the plugin
    • Remove a plugin
  • Configuring global plugins
    • Create a cluster plugin
  • Configure a consumer and credential
  • Configure a plugins for consumers and multiple resources
    • Create plugins
    • Associate a plugin with a consumer
    • Associate a plugin with a consumer and route
  • Next steps
Kubernetes Ingress Controller
2.8.x (latest)
  • Home
  • Kubernetes Ingress Controller
  • Guides
  • Using Plugin Resources

Using Plugin Resources

This guide walks you through applying the Kubernetes Ingress Controller KongPlugin and KongClusterPlugin custom resources other configuration. These resources change how Kong Gateway handles proxied requests. This guide configures plugins that modify headers and enforce authentication requirements.

See the concept documentation for more information about the purpose of the KongPlugin resource.

Installation

Please follow the deployment documentation to install the Kubernetes Ingress Controller onto your Kubernetes cluster.

Installing the Gateway APIs

If you wish to use the Gateway APIs examples, follow the supplemental Gateway APIs installation instructions.

Testing connectivity to Kong Gateway

This guide assumes that PROXY_IP environment variable is set to contain the IP address or URL pointing to Kong Gateway. If you’ve not done so, follow one of the deployment guides to configure this environment variable.

If everything is setup correctly, making a request to Kong Gateway should return back a HTTP 404 Not Found status code:

curl -i $PROXY_IP

Response:

HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 48
X-Kong-Response-Latency: 0
Server: kong/3.0.0

{"message":"no Route matched with those values"}

This is expected since Kong Gateway doesn’t know how to proxy the request yet.

Deploy an upstream HTTP application

To proxy requests, you need an upstream application to proxy to. Deploying this echo server provides a simple application that returns information about the Pod it’s running in:

kubectl apply -f https://bit.ly/echo-service

Response:

service/echo created
deployment.apps/echo created

Create a configuration group

Ingress and Gateway APIs controllers need a configuration that indicates which set of routing configuration they should recognize. This allows multiple controllers to coexist in the same cluster. Before creating individual routes, you need to create a class configuration to associate routes with:

Ingress
Gateway APIs

Official distributions of Kubernetes Ingress Controller come with a kong IngressClass by default. If kubectl get ingressclass kong does not return a not found error, you can skip this command.

echo "
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: kong
spec:
  controller: ingress-controllers.konghq.com/kong
" | kubectl apply -f -

Response:

ingressclass.networking.k8s.io/kong configured
echo "
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass
metadata:
  name: kong
  annotations:
    konghq.com/gatewayclass-unmanaged: 'true'

spec:
  controllerName: konghq.com/kic-gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: kong
spec:
  gatewayClassName: kong
  listeners:
  - name: proxy
    port: 80
    protocol: HTTP
  - name: proxy-ssl
    port: 443
    protocol: HTTPS
" | kubectl apply -f -

Response:

gatewayclass.gateway.networking.k8s.io/kong created
gateway.gateway.networking.k8s.io/kong created

Once the controller has acknowledged the Gateway, it will show the proxy IP in its status:

kubectl get gateway kong

Response:

NAME   CLASS   ADDRESS        READY   AGE
kong   kong    203.0.113.42   True    4m46s

Kubernetes Ingress Controller recognizes the kong IngressClass and konghq.com/kic-gateway-controller GatewayClass by default. Setting the CONTROLLER_INGRESS_CLASS or CONTROLLER_GATEWAY_API_CONTROLLER_NAME environment variable to another value overrides these defaults.

Add routing configuration

Create routing configuration to proxy /lemon requests to the echo server:

Ingress
Gateway APIs
echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: lemon
  annotations:
    konghq.com/strip-path: 'true'
spec:
  ingressClassName: kong
  rules:
  - host: kong.example
    http:
      paths:
      - path: /lemon
        pathType: ImplementationSpecific
        backend:
          service:
            name: echo
            port:
              number: 80
" | kubectl apply -f -

Response:

ingress.networking.k8s.io/lemon created
echo "
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: lemon
  annotations:
    konghq.com/strip-path: 'true'
spec:
  parentRefs:
  - name: kong
  hostnames:
  - 'kong.example'
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /lemon
    backendRefs:
    - name: echo
      kind: Service
      port: 80
" | kubectl apply -f -

Response:

httproute.gateway.networking.k8s.io/lemon created

Test the routing rule:

curl -i http://kong.example/lemon --resolve kong.example:80:$PROXY_IP

Response:

HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Date: Thu, 10 Nov 2022 22:10:40 GMT
Server: echoserver
X-Kong-Upstream-Latency: 0
X-Kong-Proxy-Latency: 0
Via: kong/3.0.0



Hostname: echo-fc6fd95b5-6lqnc

Pod Information:
	node name:	kind-control-plane
	pod name:	echo-fc6fd95b5-6lqnc
	pod namespace:	default
	pod IP:	10.244.0.9
...

If everything is deployed correctly, you should see the above response. This verifies that Kong Gateway can correctly route traffic to an application running inside Kubernetes.

Once the first route is working, create a second pointing to the same Service:

Ingress
Gateway APIs
echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: lime
  annotations:
    konghq.com/strip-path: 'true'
spec:
  ingressClassName: kong
  rules:
  - host: kong.example
    http:
      paths:
      - path: /lime
        pathType: ImplementationSpecific
        backend:
          service:
            name: echo
            port:
              number: 80
" | kubectl apply -f -

Response:

ingress.networking.k8s.io/lime created
echo "
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: lime
  annotations:
    konghq.com/strip-path: 'true'
spec:
  parentRefs:
  - name: kong
  hostnames:
  - 'kong.example'
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /lime
    backendRefs:
    - name: echo
      kind: Service
      port: 80
" | kubectl apply -f -

Response:

httproute.gateway.networking.k8s.io/lime created

Configuring plugins for routing configuration

Kong Gateway plugins can apply to a variety of resources. Plugins apply to different sets of requests depending on what type of resource they are applied to. Applying a plugin an Ingress or HTTPRoute will modify requests that match that resource’s routing rules.

The validating admission webhook is not installed by this guide, but is recommended for all environments. The webhook is required to validate plugin configuration. Not installing the webhook can allow invalid plugin configuration, and invalid plugin configuration will block configuration updates until fixed.

Create a plugin

To try this out, first create a KongPlugin resource that adds a response header:

echo '
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: add-header-route
config:
  add:
    headers:
    - "x-added-route: demo"
plugin: response-transformer
' | kubectl apply -f -

Response:

kongplugin.configuration.konghq.com/add-header-route created

Associate the plugin with routing configuration

After creating the plugin, associate it with other resources by adding a konghq.com/plugins annotation whose value is the KongPlugin’s name:

Ingress
Gateway APIs
kubectl annotate ingress lemon konghq.com/plugins=add-header-route

Response:

ingress.networking.k8s.io/lemon annotated
kubectl annotate httproute lemon konghq.com/plugins=add-header-route

Response:

httproute.gateway.networking.k8s.io/lemon annotated

Test the plugin

Requests that match the lemon rules will now include the plugin header:

curl -si http://kong.example/lemon --resolve kong.example:80:$PROXY_IP | grep x-added-route

Response:

x-added-route: demo

Requests to the lime rules will not:

curl -si http://kong.example/lime --resolve kong.example:80:$PROXY_IP | grep x-added-route | wc -l

Response:

0

Configuring plugins on Service resource

Associating a plugin with a Service will apply it to any requests that match a routing rule that uses that Service as a backend.

Create a plugin

To try this out, first create a KongPlugin resource that adds a response header:

echo '
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: add-header-service
config:
  add:
    headers:
    - "x-added-service: demo"
plugin: response-transformer
' | kubectl apply -f -

Response:

kongplugin.configuration.konghq.com/add-header-service created

Associate the plugin with the Service

After creating the second plugin, annotate the Service to apply it:

kubectl annotate service echo konghq.com/plugins=add-header-service

Response:

service/echo annotated

Test the plugin

With the Service plugin in place, send requests through the lemon and lime routes:

curl -si http://kong.example/lemon --resolve kong.example:80:$PROXY_IP | grep x-added-

Response:

x-added-route: demo
curl -si http://kong.example/lime --resolve kong.example:80:$PROXY_IP | grep x-added-

Response:

x-added-service: demo

Although both routes use the echo Service, only the lime route applies the echo Service’s plugin. This is because only one instance of a particular plugin can execute on a request, determined by a precedence order. Route plugins take precedence over service plugins, so the lemon route still uses the header from the first plugin you created.

Remove a plugin

Removing the plugin annotation will remove plugin(s) from a resource:

Ingress
Gateway APIs
kubectl annotate ingress lemon konghq.com/plugins-

Response:

ingress.networking.k8s.io/lemon annotated
kubectl annotate httproute lemon konghq.com/plugins-

Response:

httproute.gateway.networking.k8s.io/lemon annotated

Requests through the lemon route now use the Service’s plugin:

curl -si http://kong.example/lemon --resolve kong.example:80:$PROXY_IP | grep x-added-

Response:

x-added-service: demo

Configuring global plugins

Global plugins apply to all requests, regardless of which resources they match. Because this applies across Kubernetes namespaces, global plugins require a cluster-scoped KongClusterPlugin instead of a namespaced KongPlugin.

Although not shown in this guide, you can also apply a KongClusterPlugin to resources using konghq.com/plugins annotations, to reuse plugin configurations across namespaces.

Create a cluster plugin

KongClusterPlugin configuration is largely the same as KongPlugin configuration, though this resource uses a different plugin and therefore uses different configuration inside its config key:

echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: auth
  annotations:
    kubernetes.io/ingress.class: "kong"
  labels:
    global: 'true'
plugin: key-auth
config:
  key_in_header: true
  key_in_body: false
  key_in_query: false
" | kubectl apply -f -

Response:

kongclusterplugin.configuration.konghq.com/auth created

The global='true' label tells Kubernetes Ingress Controller to create a global plugin. These plugins do not need annotations on other resources for them to take effect, but they do need an ingress.class annotation for the controller to recognize them.

Kong Gateway will now reject requests to any route, because the global plugin requires authentication for all of them:

curl -si http://kong.example/lemon --resolve kong.example:80:$PROXY_IP

Response:

HTTP/1.1 401 Unauthorized
Date: Fri, 09 Dec 2022 20:10:11 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
WWW-Authenticate: Key realm="kong"
Content-Length: 45
x-added-service:  demo
X-Kong-Response-Latency: 0
Server: kong/3.0.1

{
  "message":"No API key found in request"
}

Note that the earlier header plugins are still applied. Plugins that affect responses can modify both proxied responses and responses generated by Kong Gateway.

Configure a consumer and credential

First, create a credential Secret:

kubectl create secret generic kotenok-key-auth \
  --from-literal=kongCredType=key-auth  \
  --from-literal=key=gav

Response:

secret/kotenok-key-auth created

Second, create a KongConsumer resource that uses the Secret:

echo "apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: kotenok
  annotations:
    kubernetes.io/ingress.class: kong
username: kotenok
credentials:
- kotenok-key-auth
" | kubectl apply -f -

Response:

kongconsumer.configuration.konghq.com/kotenok created

Including this key will now satisfy the authentication requirement enforced by the global plugin:

curl -sI http://kong.example/lemon --resolve kong.example:80:$PROXY_IP -H "apikey: gav"

Response:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 9593
Connection: keep-alive
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
x-added-service: demo
X-Kong-Upstream-Latency: 2
X-Kong-Proxy-Latency: 1
Via: kong/3.1.1

Configure a plugins for consumers and multiple resources

Plugins can match requests made by a consumer and match requests that meet multiple criteria, such as requests made by a consumer for a specific route.

Create plugins

First, create two additional header KongPlugins:

echo '
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: add-header-consumer
config:
  add:
    headers:
    - "x-added-consumer: demo"
plugin: response-transformer
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: add-header-multi
config:
  add:
    headers:
    - "x-added-multi: demo"
plugin: response-transformer
' | kubectl apply -f -

Response:

kongplugin.configuration.konghq.com/add-header-consumer created
kongplugin.configuration.konghq.com/add-header-multi created

Associate a plugin with a consumer

Similar to the other resources, consumers can use the konghq.com/plugins annotation to associate a plugin:

kubectl annotate kongconsumer kotenok konghq.com/plugins=add-header-consumer

Response:

kongconsumer.configuration.konghq.com/kotenok annotated

Requests made by the kotenok consumer will now include this header, since consumer plugins take precedence over both route and service plugins:

curl -si http://kong.example/lemon --resolve kong.example:80:$PROXY_IP -H "apikey: gav" | grep x-added

Response:

x-added-consumer: demo

Associate a plugin with a consumer and route

Plugins can be associated with more than one resource. Although routing and Service configuration is implicitly linked (a routing rule cannot proxy to multiple Services), consumers are not. Assigning plugins to multiple resources allows a consumer to use different plugin configuration depending on which route they hit.

First, add the add-header-multi plugin to a route:

Ingress
Gateway APIs
kubectl annotate ingress lemon konghq.com/plugins=add-header-multi

Response:

ingress.networking.k8s.io/lemon annotated
kubectl annotate httproute lemon konghq.com/plugins=add-header-multi

Response:

httproute.gateway.networking.k8s.io/lemon annotated

Then, update the consumer configuration to include both plugins:

kubectl annotate kongconsumer kotenok konghq.com/plugins=add-header-consumer,add-header-multi --overwrite

Response:

kongconsumer.configuration.konghq.com/kotenok annotated

The header returned now depend on which route the consumer uses:

echo "lemon\!"; curl -si http://kong.example/lemon --resolve kong.example:80:$PROXY_IP -H "apikey: gav" | grep x-added
echo "lime\!"; curl -si http://kong.example/lime --resolve kong.example:80:$PROXY_IP -H "apikey: gav" | grep x-added

Response:

lemon!
x-added-multi: demo
lime!
x-added-consumer: demo

Sending a request to the lemon route without the consumer credentials will not activate the multi-resource plugin, and will instead fall back to the Service plugin. When plugins are associated with multiple resources, requests must match all of them:

curl -si http://kong.example/lemon --resolve kong.example:80:$PROXY_IP | grep x-added 

Response:

x-added-service:  demo

More specific plugins (for example, a route and consumer, versus just a consumer or just a route) always take precedence over less specific plugins.

Next steps

There’s a lot more you can do with Kong plugins. Check the Plugin Hub to see all of the available plugins and how to use them.

Next, you might want to learn more about Ingress with the KongIngress resource guide.

Thank you for your feedback.
Was this page useful?
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023