Skip to content
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
    • Kong Konnect
    • Kong Mesh
    • Plugin Hub
    • decK
    • Kubernetes Ingress Controller
    • Insomnia
    • Kuma

    • Docs contribution guidelines
  • Plugin Hub
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kubernetes Ingress Controller
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 2.9.x (latest)
  • 2.8.x
  • 2.7.x
  • 2.6.x
  • 2.5.x
  • 2.4.x
  • 2.3.x
  • 2.2.x
  • 2.1.x
  • 2.0.x
  • 1.3.x
  • 1.2.x
  • 1.1.x
  • 1.0.x
    • FAQ
    • Version Support Policy
    • Stages of Software Availability
    • Changelog
    • Architecture
    • Custom Resources
    • Deployment Methods
    • Kong for Kubernetes with Kong Enterprise
    • High-Availability and Scaling
    • Resource Classes
    • Security
    • Ingress Resource API Versions
    • Gateway API
    • Kong Ingress on Minikube
    • Kong for Kubernetes
    • Kong for Kubernetes Enterprise
    • Kong for Kubernetes with Kong Enterprise
    • Kong Ingress on AKS
    • Kong Ingress on EKS
    • Kong Ingress on GKE
    • Admission Webhook
    • Installing Gateway APIs
    • Getting Started with KIC
    • Upgrading from previous versions
    • Upgrading to Kong 3.x
    • Getting Started using Istio
      • Using the KongPlugin Resource
      • Using the KongIngress Resource
      • Using KongConsumer and KongCredential Resources
      • Using the TCPIngress Resource
      • Using the UDPIngress Resource
    • Using the ACL and JWT Plugins
    • Using cert-manager with Kong
    • Allowing Multiple Authentication Methods
    • Configuring a Fallback Service
    • Using an External Service
    • Configuring HTTPS Redirects for Services
    • Using Redis for Rate Limiting
    • Integrate KIC with Prometheus/Grafana
    • Configuring Circuit-Breaker and Health-Checking
    • Setting up a Custom Plugin
    • Setting up Upstream mTLS
      • Exposing a TCP Service
      • Exposing a UDP Service
      • Exposing a gRPC service
    • Using the mTLS Auth Plugin
    • Configuring Custom Entities
    • Using the OpenID Connect Plugin
    • Rewriting Hosts and Paths
    • Preserving Client IP Address
    • Using Kong with Knative
    • Using Multiple Backend Services
    • Using Gateway Discovery
    • KIC Annotations
    • CLI Arguments
    • Custom Resource Definitions
    • Plugin Compatibility
    • Version Compatibility
    • Supported Kong Router Flavors
    • Troubleshooting
    • Prometheus Metrics
    • Feature Gates
    • Supported Gateway API Features

github-edit-pageEdit this page

report-issueReport an issue

enterprise-switcher-iconSwitch to OSS

On this page
  • Installation
  • Testing connectivity to Kong
  • Create a Kubernetes service
  • Setup Ingress rules
Kubernetes Ingress Controller
2.9.x (latest)
  • Home
  • Kubernetes Ingress Controller
  • Guides
  • Allowing Multiple Authentication Methods

Allowing Multiple Authentication Methods

This guide walks you through the steps for configuring multiple authentication options for consumers using the Kubernetes Ingress Controller. The default behavior for Kong authentication plugins is to require credentials for all requests without regard for whether a request has been authenticated via another plugin. Configuring an anonymous consumer on your authentication plugins allows you to offer clients authentication options.

Installation

Please follow the deployment documentation to install the Kubernetes Ingress Controller onto your Kubernetes cluster.

Testing connectivity to Kong

This guide assumes that the PROXY_IP environment variable is set to contain the IP address or URL pointing to Kong. If you’ve not done so, please follow one of the deployment guides to configure this environment variable.

If everything is set up correctly, making a request to Kong should return HTTP 404 Not Found.

curl -i $PROXY_IP

In this document, the expected output follows each command:

HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 48
X-Kong-Response-Latency: 1
Server: kong/2.8.1

{"message":"no Route matched with those values"}

This message is expected as Kong does not yet know how to proxy the request.

Create a Kubernetes service

Let’s create a Kubernetes service using the hostname of the application we want to expose.

echo '
apiVersion: v1
kind: Service
metadata:
  annotations:
    konghq.com/protocol: https
  name: httpbin
spec:
  externalName: httpbin.org
  ports:
    - port: 443
      protocol: TCP
  type: ExternalName
' | kubectl apply -f -
service/httpbin created

Setup Ingress rules

Let’s expose these services outside the Kubernetes cluster by defining Ingress rules.

echo '
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo
  annotations:
    konghq.com/strip-path: "true"
    kubernetes.io/ingress.class: kong
spec:
  rules:
  - http:
      paths:
      - path: /foo
        pathType: Prefix
        backend:
          service:
            name: httpbin
            port:
              number: 443
' | kubectl apply -f -
ingress.networking.k8s.io/demo created

Let’s test these endpoints:

curl -i $PROXY_IP/foo/status/200
HTTP/2 200 
content-type: text/html; charset=utf-8
content-length: 0
server: gunicorn/19.9.0
access-control-allow-origin: *
access-control-allow-credentials: true
x-kong-upstream-latency: 151
x-kong-proxy-latency: 2
via: kong/2.8.1

Next, let’s create three consumers.

echo '
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  annotations:
    kubernetes.io/ingress.class: kong
  name: medvezhonok
username: medvezhonok
' | kubectl apply -f -
kongconsumer.configuration.konghq.com/medvezhonok created
echo '
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  annotations:
    kubernetes.io/ingress.class: kong
  name: ezhik
username: ezhik
' | kubectl apply -f -
kongconsumer.configuration.konghq.com/ezhik created
echo '
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  annotations:
    kubernetes.io/ingress.class: kong
  name: anonymous
username: anonymous
' | kubectl apply -f -
kongconsumer.configuration.konghq.com/anonymous created

The anonymous consumer does not correspond to any real user, and will only serve as a fallback.

Let’s create Key Auth and Basic Auth plugins and set the anonymous fallback to the consumer we created earlier.

echo '
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: httpbin-basic-auth
config:
  anonymous: anonymous
  hide_credentials: true
plugin: basic-auth
' | kubectl apply -f -
kongplugin.configuration.konghq.com/httpbin-basic-auth created
echo '
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: httpbin-key-auth
config:
  key_names:
    - apikey
  anonymous: anonymous
  hide_credentials: true
plugin: key-auth
' | kubectl apply -f -
kongplugin.configuration.konghq.com/httpbin-key-auth created

Now, associate both Key Auth and Basic Auth plugins with the previous Ingress rule we created using the konghq.com/plugins annotation:

echo '
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo
  annotations:
    konghq.com/strip-path: "true"
    kubernetes.io/ingress.class: kong
    konghq.com/plugins: httpbin-basic-auth, httpbin-key-auth
spec:
  rules:
  - http:
      paths:
      - path: /foo
        pathType: Prefix
        backend:
          service:
            name: httpbin
            port:
              number: 443
' | kubectl apply -f -
ingress.networking.k8s.io/demo configured

At this point unauthenticated requests and requests with invalid credentials are still allowed. The anonymous consumer is allowed, and will be applied to any request that does not pass a set of credentials associated with some other consumer.

curl -i $PROXY_IP/foo/status/200
HTTP/2 200 
content-type: text/html; charset=utf-8
content-length: 0
www-authenticate: Key realm="kong"
server: gunicorn/19.9.0
access-control-allow-origin: *
access-control-allow-credentials: true
x-kong-upstream-latency: 150
x-kong-proxy-latency: 3
via: kong/2.8.1
curl -i $PROXY_IP/foo/status/200?apikey=nonsense
HTTP/2 200 
content-type: text/html; charset=utf-8
content-length: 0
www-authenticate: Key realm="kong"
server: gunicorn/19.9.0
access-control-allow-origin: *
access-control-allow-credentials: true
x-kong-upstream-latency: 155
x-kong-proxy-latency: 2
via: kong/2.8.1

We’ll now add a Key Auth credential for one consumer, and a Basic Auth credential for another. For this we will create a Secret resource with an API-key, username and password inside it:

kubectl create secret generic medvezhonok-basic-auth  \
  --from-literal=kongCredType=basic-auth  \
  --from-literal=username=medvezhonok \
  --from-literal=password=hunter2
secret/medvezhonok-basic-auth created
kubectl create secret generic ezhik-key-auth \
  --from-literal=kongCredType=key-auth  \
  --from-literal=key=hunter3
secret/ezhik-key-auth created

The type of credential is specified via kongCredType. You can create the Secret using any other method as well.

Next, we will associate these keys with the consumer we created previously.

Please note that we are not re-creating the KongConsumer resource but only updating it to add the credentials array:

echo '
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  annotations:
    kubernetes.io/ingress.class: kong
  name: medvezhonok
credentials:
  - medvezhonok-basic-auth
username: medvezhonok
' | kubectl apply -f -
kongconsumer.configuration.konghq.com/medvezhonok configured
echo '
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  annotations:
    kubernetes.io/ingress.class: kong
  name: ezhik
credentials:
  - ezhik-key-auth
username: ezhik
' | kubectl apply -f -
kongconsumer.configuration.konghq.com/ezhik configured

Lastly, we will create a Request Termination plugin and add it to the anonymous consumer.

echo '
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: anonymous-request-termination
config:
  message: "Authentication required"
  status_code: 401
plugin: request-termination
' | kubectl apply -f -
kongplugin.configuration.konghq.com/anonymous-request-termination created
echo '
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  annotations:
    konghq.com/plugins: anonymous-request-termination
    kubernetes.io/ingress.class: kong
  name: anonymous
username: anonymous
' | kubectl apply -f -
kongconsumer.configuration.konghq.com/anonymous configured

Requests with missing or invalid credentials are now rejected, whereas authorized requests using either authentication method are allowed.


curl -i $PROXY_IP/foo/status/200?apikey=nonsense
HTTP/2 401 
content-type: application/json; charset=utf-8
content-length: 37
access-control-allow-origin: *
x-kong-response-latency: 3
server: kong/2.8.1
{"message":"Authentication required"}


curl -i $PROXY_IP/foo/status/200
HTTP/2 401 
content-type: application/json; charset=utf-8
content-length: 37
access-control-allow-origin: *
x-kong-response-latency: 2
server: kong/2.8.1
{"message":"Authentication required"}


curl -i $PROXY_IP/foo/status/200?apikey=hunter3
HTTP/2 200 
content-type: text/html; charset=utf-8
content-length: 0
server: gunicorn/19.9.0
access-control-allow-origin: *
access-control-allow-credentials: true
x-kong-upstream-latency: 154
x-kong-proxy-latency: 3
via: kong/2.8.1


curl -i $PROXY_IP/foo/status/200 -u medvezhonok:hunter2
HTTP/2 200 
content-type: text/html; charset=utf-8
content-length: 0
server: gunicorn/19.9.0
access-control-allow-origin: *
access-control-allow-credentials: true
x-kong-upstream-latency: 154
x-kong-proxy-latency: 2
via: kong/2.8.1
Thank you for your feedback.
Was this page useful?
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023