Admission Webhook
The Kong Ingress Controller ships with an admission webhook for KongPlugin and KongConsumer resources in the configuration.konghq.com API group.
You can generate the TLS certificate and key pair that the admission webhook needs.
The admission webhook is enabled by default when installing Kong Ingress Controller via the Helm chart. To disable the webhook, set ingressController.admissionWebhook.enabled=false in your values.yaml.
The admission webhook should not be disabled unless you are asked to do so by a member of the Kong team.
To learn how to manually enable the webhook for an existing non-Helm deployment, see the Kong Ingress Controller 2.x documentation.
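Because the page advises against disabling the webhook, a defender will want a repeatable way to confirm that it is still registered with the API server and configured to fail closed. The following is an added example, not part of the Kong documentation or the controller's own code: it audits a ValidatingWebhookConfiguration in the shape that `kubectl get validatingwebhookconfiguration <name> -o json` prints. The sample object below is constructed (its metadata name kong-validations is a placeholder); the webhook name validations.kong.konghq.com is the one that appears in the denial messages later on this page, the field names are the standard Kubernetes ones, and the expectation that the Kong CRDs and core Secrets are covered is inferred from what the page shows the webhook rejecting.

```python
import copy
import json

# Constructed sample in the shape `kubectl get validatingwebhookconfiguration
# <name> -o json` prints. The object name is a placeholder; the webhook name
# matches the one in the denial messages shown on this page.
SAMPLE_WEBHOOK_CONFIG = json.loads("""
{
  "apiVersion": "admissionregistration.k8s.io/v1",
  "kind": "ValidatingWebhookConfiguration",
  "metadata": {"name": "kong-validations"},
  "webhooks": [
    {
      "name": "validations.kong.konghq.com",
      "failurePolicy": "Ignore",
      "clientConfig": {
        "service": {"name": "kong-validation-webhook", "namespace": "kong", "path": "/"}
      },
      "rules": [
        {"apiGroups": ["configuration.konghq.com"], "apiVersions": ["*"],
         "operations": ["CREATE", "UPDATE"],
         "resources": ["kongconsumers", "kongplugins"]},
        {"apiGroups": [""], "apiVersions": ["v1"],
         "operations": ["CREATE", "UPDATE"], "resources": ["secrets"]}
      ]
    }
  ]
}
""")

WEBHOOK_NAME = "validations.kong.konghq.com"

# Resources the page shows the webhook rejecting, as (apiGroup, resource)
# pairs. The empty group is the core API (Secrets live there).
EXPECTED_COVERAGE = {
    ("configuration.konghq.com", "kongconsumers"),
    ("configuration.konghq.com", "kongplugins"),
    ("", "secrets"),
}


def covered_pairs(hook):
    """Flatten a webhook's rules into (apiGroup, resource) pairs."""
    pairs = set()
    for rule in hook.get("rules", []):
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                pairs.add((group, resource))
    return pairs


def is_covered(pairs, group, resource):
    """True if the pair is matched directly or through a '*' wildcard rule."""
    return any((g, r) in pairs for g in (group, "*") for r in (resource, "*"))


def audit_webhook_config(config):
    """Return a list of findings for the Kong validating webhook; [] means clean."""
    findings = []
    hooks = [h for h in config.get("webhooks", []) if h.get("name") == WEBHOOK_NAME]
    if not hooks:
        return [f"webhook {WEBHOOK_NAME} is not registered: validation is off"]
    for hook in hooks:
        # Kubernetes defaults failurePolicy to Fail when it is omitted; only an
        # explicit Ignore admits resources while the webhook is unreachable.
        if hook.get("failurePolicy", "Fail") != "Fail":
            findings.append("failurePolicy is %s: invalid resources are admitted "
                            "whenever the webhook is unreachable" % hook["failurePolicy"])
        # Without a caBundle the API server falls back to its system trust
        # roots, so a self-signed webhook certificate would not be accepted.
        if not hook.get("clientConfig", {}).get("caBundle"):
            findings.append("clientConfig.caBundle is empty: the API server cannot "
                            "verify a self-signed webhook certificate")
        pairs = covered_pairs(hook)
        for group, resource in sorted(EXPECTED_COVERAGE):
            if not is_covered(pairs, group, resource):
                findings.append(f"no rule covers {resource} in API group {group!r}")
    return findings


def corrected_copy(config):
    """Copy with failurePolicy set to Fail and a placeholder caBundle, for comparison."""
    fixed = copy.deepcopy(config)
    for hook in fixed.get("webhooks", []):
        if hook.get("name") == WEBHOOK_NAME:
            hook["failurePolicy"] = "Fail"
            hook.setdefault("clientConfig", {})["caBundle"] = "PLACEHOLDER-base64-PEM-of-webhook-CA"
    return fixed


if __name__ == "__main__":
    for finding in audit_webhook_config(SAMPLE_WEBHOOK_CONFIG):
        print("FINDING:", finding)
    print("corrected copy:", audit_webhook_config(corrected_copy(SAMPLE_WEBHOOK_CONFIG)))
```

Run against a real export by replacing SAMPLE_WEBHOOK_CONFIG with `json.load(open("webhook.json"))`; an empty findings list is the state the page expects, and a missing registration is the condition the page tells you not to create.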
Test the configuration
You can test if the admission webhook is enabled for duplicate KongConsumers, incorrect KongPlugins, incorrect credential secrets, and incorrect routes.
Prerequisites: Install Kong Ingress Controller in your Kubernetes cluster and connect to Kong.
Prerequisites
Install Kong
You can install Kong in your Kubernetes cluster using Helm.
- Add the Kong Helm charts:
helm repo add kong https://charts.konghq.com
helm repo update
- Install Kong Ingress Controller and Kong Gateway with Helm:
helm install kong kong/ingress -n kong --create-namespace
Test connectivity to Kong
Kubernetes exposes the proxy through a Kubernetes service. Run the following commands to store the load balancer IP address in a variable named PROXY_IP:
- Populate $PROXY_IP for future commands:
export PROXY_IP=$(kubectl get svc --namespace kong kong-gateway-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo $PROXY_IP
- Ensure that you can call the proxy IP:
curl -i $PROXY_IP
The results should look like this:
HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 48
X-Kong-Response-Latency: 0
Server: kong/3.0.0

{"message":"no Route matched with those values"}
Verify duplicate KongConsumers
- Create a KongConsumer with username alice:
echo "
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: alice
  annotations:
    kubernetes.io/ingress.class: kong
username: alice
" | kubectl apply -f -
The results should look like this:
kongconsumer.configuration.konghq.com/alice created
- Create another KongConsumer with the same username:
echo "
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: alice2
  annotations:
    kubernetes.io/ingress.class: kong
username: alice
" | kubectl apply -f -
The results should look like this:
Error from server: error when creating "STDIN": admission webhook "validations.kong.konghq.com" denied the request: consumer already exists
The validation webhook rejected the KongConsumer resource because a consumer with the same username already exists in Kong.
Verify incorrect KongPlugins
Try to create the following KongPlugin resource. The foo config property does not exist in the plugin's configuration schema, so the admission webhook returns an error. If you remove the foo: bar configuration line, the plugin is created successfully.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: request-id
config:
  foo: bar
  header_name: my-request-id
plugin: correlation-id
" | kubectl apply -f -
The results should look like this:
Error from server: error when creating "STDIN": admission webhook "validations.kong.konghq.com" denied the request: plugin failed schema validation: schema violation (config.foo: unknown field)
Verify incorrect credential secrets
With Kong Ingress Controller 0.7 and later, credential secrets are validated as well: both an incorrect credential type and missing or wrong parameters in the secret are rejected.
echo '
apiVersion: v1
kind: Secret
metadata:
  name: missing-password-credential
  labels:
    konghq.com/credential: basic-auth
stringData:
  username: foo
' | kubectl apply -f -
The results should look like this:
Error from server: "STDIN": error when creating "STDIN": admission webhook "validations.kong.konghq.com" denied the request: consumer credential failed validation: missing required field(s): password
echo '
apiVersion: v1
kind: Secret
metadata:
  name: wrong-cred-credential
  labels:
    konghq.com/credential: wrong-auth
stringData:
  sdfkey: my-sooper-secret-key
' | kubectl apply -f -
The results should look like this:
Error from server: error when creating "STDIN": admission webhook "validations.kong.konghq.com" denied the request: consumer credential failed validation: invalid credential type wrong-auth
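The three denials on this page (the duplicate consumer under "Verify duplicate KongConsumers" and the two credential secrets just above) are all produced by the same exchange: the API server posts an AdmissionReview to the webhook, and the webhook answers with allowed: false plus a status message, which kubectl prints as admission webhook "validations.kong.konghq.com" denied the request: followed by that message. The following is an added illustration of that exchange and not the controller's code: a minimal Python reviewer that implements the credential-secret and duplicate-username checks over constructed AdmissionReview requests. The required-field table is a simplification (basic-auth needing a password is what the page demonstrates; key-auth needing a key is an assumption), the in-memory set of usernames stands in for the lookup the real controller performs against Kong, and the HTTPS server that would present the TLS pair mentioned at the top of the page is left out.

```python
import base64
import json

# Required fields per credential type. basic-auth -> password is what the page
# demonstrates; key-auth -> key is an assumption for illustration. This is not
# the controller's real schema table.
REQUIRED_FIELDS = {
    "basic-auth": {"username", "password"},
    "key-auth": {"key"},
}


def secret_fields(secret):
    """Merge base64 `data` with plain `stringData` so either form is checked alike."""
    fields = {k: base64.b64decode(v).decode() for k, v in (secret.get("data") or {}).items()}
    fields.update(secret.get("stringData") or {})
    return fields


def validate_credential_secret(secret):
    """Return an error message for a Kong credential Secret, or None if it is valid."""
    labels = (secret.get("metadata") or {}).get("labels") or {}
    cred_type = labels.get("konghq.com/credential")
    if cred_type is None:
        return None  # not a Kong credential, nothing to check
    if cred_type not in REQUIRED_FIELDS:
        return f"consumer credential failed validation: invalid credential type {cred_type}"
    missing = sorted(REQUIRED_FIELDS[cred_type] - set(secret_fields(secret)))
    if missing:
        return ("consumer credential failed validation: missing required field(s): "
                + ", ".join(missing))
    return None


def validate_consumer(consumer, existing_usernames):
    """Reject a KongConsumer whose username is already taken (in-memory stand-in)."""
    if consumer.get("username") in existing_usernames:
        return "consumer already exists"
    return None


def review(admission_review, existing_usernames=frozenset()):
    """Answer one AdmissionReview: allowed, or denied with the message kubectl shows."""
    request = admission_review["request"]
    obj = request["object"]
    error = None
    if obj.get("kind") == "Secret":
        error = validate_credential_secret(obj)
    elif obj.get("kind") == "KongConsumer":
        error = validate_consumer(obj, existing_usernames)
    response = {"uid": request["uid"], "allowed": error is None}
    if error is not None:
        response["status"] = {"code": 400, "message": error}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def make_review(obj, uid="constructed-uid-0001"):
    """Wrap an object as the API server does for a CREATE (constructed request)."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": "CREATE", "object": obj}}


# Constructed objects mirroring the page's failing manifests, plus one valid secret.
MISSING_PASSWORD = {"apiVersion": "v1", "kind": "Secret",
                    "metadata": {"name": "missing-password-credential",
                                 "labels": {"konghq.com/credential": "basic-auth"}},
                    "stringData": {"username": "foo"}}
WRONG_TYPE = {"apiVersion": "v1", "kind": "Secret",
              "metadata": {"name": "wrong-cred-credential",
                           "labels": {"konghq.com/credential": "wrong-auth"}},
              "stringData": {"sdfkey": "my-sooper-secret-key"}}
DUPLICATE_CONSUMER = {"apiVersion": "configuration.konghq.com/v1", "kind": "KongConsumer",
                      "metadata": {"name": "alice2"}, "username": "alice"}
VALID_BASIC_AUTH = {"apiVersion": "v1", "kind": "Secret",
                    "metadata": {"name": "ok-credential",
                                 "labels": {"konghq.com/credential": "basic-auth"}},
                    "data": {"username": base64.b64encode(b"foo").decode(),
                             "password": base64.b64encode(b"constructed-password").decode()}}

if __name__ == "__main__":
    for obj in (MISSING_PASSWORD, WRONG_TYPE, DUPLICATE_CONSUMER, VALID_BASIC_AUTH):
        print(json.dumps(review(make_review(obj), {"alice"})["response"]))
```

The status.message in a denied response is exactly the text kubectl appends after "denied the request:", which is why the page's error lines read the way they do; a webhook that returns allowed: false with no message still blocks the resource but leaves the operator with nothing to act on.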
Verify incorrect routes
In versions 2.12 and later, the controller validates route definitions