We are pleased to announce the next release of our flagship enterprise offering, Kong Enterprise 1.5! This follow-up release adds additional stability and features on top of our last major release, Kong Enterprise 1.3, which we announced at Kong Summit 2019. 

Kong Enterprise 1.5 key features include Kong Immunity Consumer Alerts, OIDC improvements, and Kong Developer Portal Application Registration. There are also several smaller features and stability improvements packaged here. Lastly, this release includes substantial improvements to our documentation, including a new getting started guide and a refreshed look!

Consumer Alerts in Kong Immunity

Kong Immunity detects service behavior anomalies using machine learning. The new release extends this functionality with detection of anomalies  scoped to specific API consumers. This means all existing triggered alerts now come in two flavors – (1) endpoint alerts based on traffic belonging to a specific endpoint and (2) consumer alerts based on traffic in a workspace for a specific consumer. With consumer alerts functionality, alerts can now be specifically traced to individuals and teams that access APIs. We’ve also made a few improvements to services and routes pages in Kong Manager to account for these alerts.

OpenID Connect Improvements

The OpenID Connect plugin bundled with Kong Enterprise 1.5 features several improvements and fixes. The biggest addition is support for assertions on client authentication. The plugin is now able to authenticate itself with the OpenID Connect Providers using client_secret_jwt and private_key_jwt authentication methods. 

Application Registration (Beta) 

The ability for developers to create applications that package together a set of backend services is one of the most highly requested features we’ve received from our customers and users. In Kong Enterprise 1.5, we enable this through new features in Developer Portal and Kong Manager. The Developer Portal in Kong Enterprise 1.5 includes a new tab called “My Apps” that allows developers to create new applications (and credentials) and subscribe their applications to specific services/APIs. We also built a new “Portal Application Registration” plugin and added functionality in Kong Manager to provide API owners the ability to approve application access to underlying services. 

Currently, we’ve designated this feature as beta. This page explains the beta label, which is a delineation that we intend to use in a consistent manner moving forward. For beta features, we provide full support only in pre-production environments. In the next release of Kong Enterprise, we plan to make this feature supported in production. By that time, we also plan to have more enhancements and related functionality for this feature based on user feedback from this beta release.

Learn more about Application Registration here.

Other Improvements

Apart from the highlighted features mentioned above, this version of Kong Enterprise includes several smaller features, including full support for storing sensitive data fields in an encrypted format at rest within the database, sortable entity lists in Kong Manager, auto-detection of Apache Cassandra cluster topology without Kong restarts, a new hostname attribute for upstreams, IPv6 support for the IP Restriction plugin, and several other plugin improvements and bug fixes. 

For a complete list of changes, please see the Kong Enterprise 1.5 Changelog.

The post Kong Enterprise 1.5 Released! appeared first on KongHQ.

We are happy to announce the release of Kuma 0.4! This is a major release focused on significantly better observability capabilities that also includes many new features and improvements across…

The post Kuma 0.4 Released With L7 Tracing + Grafana Dashboards! appeared first on KongHQ.

Let’s admit it – web services (SOAP) are here to stay for a few more years, and maybe for a long time in some places where there is no business…

The post Supporting Legacy Web Services With Kong appeared first on KongHQ.

We’re excited to partner with Vertigo Tecnologia, experts in digital transformation, to help companies in Latin America accelerate their transition to microservices and other emerging architectures — which is especially…

The post Kong Partners with Vertigo to Accelerate Digital Transformation in Latin America appeared first on KongHQ.

A modern API gateway like Kong enables organizations to achieve some use cases much more easily than traditional gateways. The reason is older, traditional gateways try to provide as many…

The post How to Secure APIs and Services Using OpenID Connect appeared first on KongHQ.

In his most recent blog post, Marco Palladino, our CTO and co-founder, went over the difference between API gateways and service mesh. I highly recommend reading his blog post to…

The post Exposing Kuma Service Mesh Using Kong API Gateway appeared first on KongHQ.

When protecting your online services, the weakest link is represented by the endpoints – that is, by the end-user devices running web or mobile applications or by external systems leveraging…

The post Protect Your Applications With Cleafy Plugin for Kong appeared first on KongHQ.

Kong for Kubernetes is a Kubernetes Ingress Controller based on the Kong Gateway open source project. Kong for K8s is fully Kubernetes-native and provides enhanced API management capabilities. From an…

The post Kong for Kubernetes 0.8 Released! appeared first on KongHQ.

We are so excited to share that Kong has been certified as a Great Place to Work®! We recognize our certification as a huge achievement for us, as it reflects…

The post Kong Recognized as a Great Place to Work®! appeared first on KongHQ.

It would be an understatement to say that 2020 has been one of the most difficult years many of us have ever experienced. With the latest COVID-19 crisis bringing the…

The post Kongers Unite to Support Australian Wildfire Recovery appeared first on KongHQ.

We are pleased to announce the next release of our flagship enterprise offering, Kong Enterprise 1.5! This follow-up release adds additional stability and features on top of our last major…

The post Kong Enterprise 1.5 Released! appeared first on KongHQ.

We are very proud to announce some very important community updates for Kuma, with the goal of making Kuma more open and more inclusive to the broader open source ecosystem:…

The post Kuma Open Governance and Community Calls appeared first on KongHQ.

Let’s admit it – web services (SOAP) are here to stay for a few more years, and maybe for a long time in some places where there is no business incentive to rebuild them. However, with a decline in new SOAP web services and most applications moving to cloud native architectures, a common query is “how can we support legacy services while moving to microservices?”

The good news is Kong’s versatility of handling multi-protocol traffic and extensibility can help address this question. I recently worked with a customer who wanted to quickly move to microservices but still proxy and integrate existing/legacy SOAP services. After all, existing and new services will likely need to communicate with each other. Its existing solution would not work with microservices architecture (too slow and monolithic), and the customer turned to Kong.  

It was clear to the customer that Kong could handle its journey to microservices, but the key question was: Could Kong handle its existing legacy services?

The key requirement with any digital project is to ensure that there is no impact to the consumers. In this case, it was important to provide the same service interface to the consumer (business partners outside of the enterprise) but perform LDAP authentication against a cloud-based identity store and then proxy the request to the existing application. 

The key design principles were simplicity and modularity so that as other scenarios surface, they can be addressed. Reviewing a number of different options, I came across the Kong Serverless plugin, which provides the ability to execute any code as part of any request in addition to the functionality provided by other plugins. This gave us the flexibility needed with the added benefit of also leveraging Kong plugins to minimize the amount of work we had to do. I’ve done custom logic work in other monolithic API gateways before, but the difference with Kong is that it is a light-weight, multi-protocol API gateway that provides enough extensibility to support a variety of use cases (legacy to microservices and FaaS) while staying clear of becoming a heavyweight ESB.

Let’s go through the details of what we configured. I detail the steps sequentially below (I used Kong Enterprise v1.3 for the testing).

1. Connecting to the Calculator Web Service Directly

Using httpie

http POST http://www.dneonline.com/calculator.asmx?op=Add Content-type:application/soap+xml <<< '<soap12:Envelope xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"><soap12:Body><Add xmlns="http://tempuri.org/"><intA>45</intA><intB>55</intB></Add></soap12:Body></soap12:Envelope>'

HTTP/1.1 200 OK

Cache-Control: private, max-age=0

Content-Length: 325

Content-Type: application/soap+xml; charset=utf-8

Date: Thu, 20 Feb 2020 11:03:23 GMT

Server: Microsoft-IIS/7.5

X-AspNet-Version: 2.0.50727

X-Powered-By: ASP.NET

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><AddResponse xmlns="http://tempuri.org/"><AddResult>100</AddResult></AddResponse></soap:Body></soap:Envelope>

Using cURL

curl -v \

>>   --url 'http://www.dneonline.com/calculator.asmx?op=Add' \/

>   --header 'content-type: application/soap+xml; charset=utf-8' \

>   --data '<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">

>   <soap12:Body>

>     <Add xmlns="http://tempuri.org/">

>       <intA>45</intA>

>       <intB>55</intB>

>     </Add>

>   </soap12:Body>

> </soap12:Envelope>'

*   Trying 45.40.165.23...

* TCP_NODELAY set

* Connected to www.dneonline.com (45.40.165.23) port 80 (#0)

>> POST /calculator.asmx?op=Add HTTP/1.1

> Host: www.dneonline.com

> User-Agent: curl/7.64.1

> Accept: */*

> content-type: application/soap+xml; charset=utf-8

> Content-Length: 316

>

* upload completely sent off: 316 out of 316 bytes

< HTTP/1.1 200 OK

...

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><AddResponse xmlns="http://tempuri.org/"><AddResult>100</AddResult></AddResponse></soap:Body></soap:Envelope>* Closing connection 0

Using Kong Studio:

2. Pre-Function Script

The Lua script below, which I saved as get-ws-creds.lua:

• Extracts the username and password from the SOAP header (WS-Security header)
• Constructs the Authorization header required for LDAP Authentication

local soap_body = kong.request.get_raw_body()
local xml2lua = require("xml2lua")
local tree = require("xmlhandler.tree")
local handler = tree:new()
local parser = xml2lua.parser(handler)
parser:parse(soap_body)
local header = handler.root["SOAP-ENV:Envelope"]["SOAP-ENV:Header"]["SOAP-ENV:Security"]["SOAP-ENV:UsernameToken"]
local username = header["SOAP-ENV:Username"]
local passwd = header["SOAP-ENV:Password"][1]
-- Construct LDAP AuthZ header
local authorization = username .. ':' .. passwd;
local authorizationBase64 = ngx.encode_base64(authorization);
local authorizationHeader = "LDAP " .. authorizationBase64;
kong.log.info("-->>> auth: " .. authorization, " auth_header: ", authorizationHeader)
-- Set AuthZ header
kong.service.request.add_header('Authorization', authorizationHeader)
kong.log.info(“-- set ws creds end”)

3. Configuring Services, Route and Plugins

To test the integration, we use a publicly available Calculator-Web-Service configured in Kong to proxy to URL http://www.dneonline.com/calculator.asmx?op=Add/. The service performs an add operation of numbers passed in the request.

a. Configure Service

Let’s configure a test service with Kong Admin API using httpie CLI

http -f localhost:8001/services name=Calculator-Web-Service url=http://www.dneonline.com:80/calculator.asmx

HTTP/1.1 201 Created

{

    "client_certificate": null,

    "connect_timeout": 60000,

    "created_at": 1582112424,

    "host": "www.dneonline.com",

    "id": "f1b677fe-4fba-41d1-8d1a-91743863775d",

    "name": "Calculator-Web-Service",

    "path": "/calculator.asmx",

    "port": 80,

    "protocol": "http",

    "read_timeout": 60000,

    "retries": 5,

    "tags": null,

    "updated_at": 1582112424,

    "write_timeout": 60000

}

Next, we configure the necessary Kong routes and the Pre-function and LDAP plugins to finalize the setup:  

b. Configure a route /secure-soap-ldap to test

http -f PUT http://<Kong_Admin_API_Host>:8001/services/Calculator-Web-Service/routes/secure-soap-ldap   paths[]=/secure-soap-ldap

c. Configure the Pre-function plugin on the route. Notice we pass the lua script get-ws-creds.lua. This script will execute before the LDAP auth plugin runs.

http -f http://<Kong_Admin_API_Host>:8001/routes/secure-soap-ldap/plugins name=pre-function config.functions=@get-ws-creds.lua

d. Configure the LDAP Authentication Kong plugin on the route. Here, I’ve provided a test LDAP connection and query details, which you can modify to suit your LDAP instance.

http -f <Kong_Admin_API_Host>:8001/routes/secure-soap-ldap/plugins name=ldap-auth-advanced config.ldap_host=ldapconfig.ldap_port=389 config.base_dn=ou=people,dc=api,dc=au config.header_type=ldap config.attribute=cn config.verify_ldap_host=false config.hide_credentials=true

4. Verifying in Kong Manager

Once you’ve used the Kong Admin API to configure the service, route and plugins, you can quickly visualize and verify in Kong Manager what we did programmatically.  

5. Validation

Now it’s time to test. I will use Kong Studio to test since it can handle SOAP/WSDL in addition to REST and GraphQL, in a single tool.  

Let’s try first with correct LDAP credentials passed through the WS-S header in the SOAP envelope, and…. it works! The Pre-function plugin extracts the credentials and seamlessly passes it to the LDAP Authentication plugin to check. Once successful, it proxies the request to the upstream Calculator Web Service to return a SOAP response as below.

Now, I’ll try with some credentials that don’t exist in the LDAP, and I get back an error response with a 403 code.

What Next?

Now that we’ve successfully and securely proxied an existing SOAP service, we have the opportunity to enforce any of the capabilities that the Kong API platform provides, including but not limited to:

• Rate limiting
• Response caching
• Response transformer (for example, to customize the error response)

You can check out all the plugins that Kong provides at the Kong Hub.

I’ve left this last step for you to try as per your requirements and creativity. I welcome your feedback.  

Summary

In a few minutes, we were able to securely proxy an existing legacy web service and add additional Kong security plugins. Flexibility and ease of use are why Kong is so popular with customers across the world and why it’s quickly becoming the de facto solution for their transition to microservices.

The post Supporting Legacy Web Services With Kong appeared first on KongHQ.

We’re excited to partner with Vertigo Tecnologia, experts in digital transformation, to help companies in Latin America accelerate their transition to microservices and other emerging architectures — which is especially crucial in today’s hybrid and multi-cloud environment. 

Vertigo has been developing solutions for complex business issues for more than 20 years. Through Kong’s Go-To-Market (GTM) Partner Program, Vertigo will make the Kong Enterprise full lifecycle API management platform available to their clients, enabling them to effectively secure, connect and manage their APIs and microservices. This will in turn help them adapt to the changing IT landscape more quickly and continue to be competitive in the market.

The post Kong Partners with Vertigo to Accelerate Digital Transformation in Latin America appeared first on KongHQ.

A modern API gateway like Kong enables organizations to achieve some use cases much more easily than traditional gateways. The reason is older, traditional gateways try to provide as many features as possible into a heavyweight monolith, while modern solutions use a best-in-breed approach. These traditional solutions not only try to be a gateway, but they also try to be a business intelligence system, a central logging hub, a monitoring tool and so much more. Unfortunately, this leads to a solution that on paper can do many things but not do one thing particularly well.

A more tactical approach is to leverage best-in-breed solutions that integrate well with each other and are simple to use. Kong’s platform delivers on this approach and provides a modern gateway that’s fast, scalable, easy to use and can easily integrate with other platforms through its pluggable architecture. In this blog post, we will cover how easily Kong integrates with existing identity providers (IdPs) to help secure and govern APIs.

AuthN and AuthZ

The defacto standard for API security today is OpenID Connect with JWT. A few years ago, many gateways heavily relied on being the OAuth/OpenID Connect provider for the whole flow – but today, most IdPs have implemented OpenID Connect, and therefore, customers prefer that the management of keys, tokens and users happen in the IdP versus the gateway to remove the need to manage a separate silo of identity.

Let’s think about a very typical customer scenario we come across: you have a central IdP as the identity manager and central point of truth for authentication as well as groups/permissions of users. A legacy gateway approach would use the IdP for authentication and then in the gateway, you define authorization per endpoint to the groups you want to grant access to the backend services.

This design has two flaws:

1. To attach the users to groups, they must exist in the gateway so you end up having to manage consumers in the gateway.

2. Administrators have to maintain group memberships in the Gateway to grant or revoke permissions.

A Better Approach with Kong

With Kong, you can leverage the IdP for both authentication and authorization without having to manage consumers or groups in Kong, giving you the ability to leverage your IdP to drive access without additional operational overhead and risk. To do this, we can configure Kong to use OpenID Connect groups to attach scopes to the users and let Kong provide access based on the scopes in the JWT tokens. This solves both issues at the same time, and the administration of users and their permissions are now located where they should be: in the IdP.

Let’s see this in practice:

Note: The following example will use Kong Enterprise installed locally. Kong Enterprise provides access to the OpenID Connect plugin needed for this scenario. For the IdP, we will be using KeyCloak. Kong supports many other IdPs. For a full list, see the OpenID Connect plug-ins page (https://docs.konghq.com/hub/kong-inc/openid-connect/).

In order to achieve this, I want to walk you through a small KeyCloak example now. Within KeyCloak, the first thing is creating a new scope, attaching it to a group and then attaching this group to a user:

Keycloak scope creation

Keycloak scope and role mapping

Role to group mapping

User to group mapping

Kong Enterprise settings

Note: I am using httpie as my command line tool of choice – feel free to use Studio, Insomnia, curl, etc. instead.

Let’s begin by creating a service and route in Kong for validation. Replace localhost with the hostname of your Kong installation.

Service and route

http POST localhost:8001/services name=openidconnect url=http://httpbin.org/anything

http POST localhost:8001/services/openidconnect/routes name=openidconnectRoute paths=/oidc -f

OpenID Connect plugin

OK, now let’s configure the openid-connect plugin to connect to the KeyCloak instance:

http -f localhost:8001/routes/openidconnectRoute/plugins \
     name=openid-connect \
     config.issuer=https://keycloak.apim.eu/auth/realms/kong/.well-known/openid-configuration \
     config.client_id=blog_post \
     config.client_secret=a5186adc-b5e2-4501-85a8-eb19a5e1a2a3 \
     config.ssl_verify=false \
     config.consumer_claim=email \
     config.verify_signature=false \
     config.redirect_uri=http://localhost:8000/oidc \
     config.consumer_optional=true \
     config.scopes_required=kong_api_access

Let’s have a look at the parameters.

The config.redirect_uri defines the uri the IDP will redirect the user to after a successful authentication

config.consumer_optional defines whether a Kong consumer should exist to allow access

config.scopes_required defines which scopes are authorized to access. We are defining the JWT returned by KeyCloak must include the scope kong_api_access. Only then Kong will authorize the request and route it to the upstream (backend). The KeyCloak screenshots above show the scope attached to the group of which the user is a member.

Let’s try it

For testing purposes, I have two example users in KeyCloak:

• Blog_with_scope / veryComplexPa55word
• Blog_without_scope / veryComplexPa55word

Open a new browser window (either in incognito mode or with all caches empty) and navigate to http://localhost:8000/oidc. You will notice that the user Blog_with_scope will get access.

But Blog_without_scope is denied even though he is also a valid user in KeyCloak.

The user without the scope will produce a log entry like required scopes were not found [ openid, profile, email ] in your Kong logs.

Last but not least, let’s have a look at the JWT for Blog_with_scope, which includes the scope:

Outlook

In this post, we’ve covered how to secure APIs and services with Kong and an IdP without having to manage local consumers or groups in Kong, allowing the IDd to be the source of truth for identity and entitlements. In a future blog post, we’ll cover how to apply policy (i.e., rate limiting and caching) to authenticated consumers.

We’re hopeful you found this blog post useful.
Drop me an email or a Twitter mention if you have any questions.

The post How to Secure APIs and Services Using OpenID Connect appeared first on KongHQ.

In his most recent blog post, Marco Palladino, our CTO and co-founder, went over the difference between API gateways and service mesh. I highly recommend reading his blog post to see how API management and service mesh are complementary patterns for different use cases, but to summarize in his words, “an API gateway and service mesh will be used simultaneously.” We maintain two open source projects that work flawlessly together to cover all the use cases you may encounter. 

So, in this how-to blog post, I’ll cover how to combine Kong for Kubernetes and Kuma Mesh on Kubernetes. Please have a Kubernetes cluster ready in order to follow along with the instructions below. In addition, we will also be using kumactl command line tool, which you can download on the official installation page. 

Step 1: Installing Kuma on Kubernetes

Installing Kuma on Kubernetes is fairly straightforward, thanks to the kumactl install [..] function. You can use it to install the control-plane with one click:

$ kumactl install control-plane | kubectl apply -f -
namespace/kuma-system created
secret/kuma-sds-tls-cert created
secret/kuma-admission-server-tls-cert created
…

After everything in kuma-system namespace is up and running, let’s deploy our demo marketplace application: 

$ kubectl apply -f https://bit.ly/demokuma
namespace/kuma-demo created
serviceaccount/elasticsearch created
…

The application is split into four services with all the traffic entering from the frontend app service. If we want to authenticate all traffic entering our mesh using Kong plugins, we will need to deploy the gateway alongside the mesh. Once again, to learn more about why having a gateway and mesh is important, please read Marco’s blog post.

Step 2. Deploying Kong for Kubernetes

Kong for Kubernetes is an ingress controller-based on the open source Kong Gateway. You can quickly deploy it using kubectl:

$ kubectl apply -f https://bit.ly/demokumakong
customresourcedefinition.apiextensions.k8s.io/kongconsumers.configuration.konghq.com created
customresourcedefinition.apiextensions.k8s.io/kongcredentials.configuration.konghq.com created
customresourcedefinition.apiextensions.k8s.io/kongingresses.configuration.konghq.com created
customresourcedefinition.apiextensions.k8s.io/kongplugins.configuration.konghq.com created
serviceaccount/kong-serviceaccount created
clusterrole.rbac.authorization.k8s.io/kong-ingress-clusterrole created
clusterrolebinding.rbac.authorization.k8s.io/kong-ingress-clusterrole-nisa-binding created
configmap/kong-server-blocks created
service/kong-proxy created
service/kong-validation-webhook created
deployment.apps/ingress-kong created

On Kubernetes, Kuma Dataplane entities are automatically generated. To inject gateway Dataplane, the API gateway’s pod needs to have the following kuma.io/gateway: enabled annotation:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-kong
  ...
spec:
  template:
    metadata:
      annotations:
        kuma.io/gateway: enabled

 Our kuma-demo-kong.yaml already includes this annotation, so you don’t need to do this manually.

After Kong is deployed, export the proxy IP:

export PROXY_IP=$(minikube service -p kuma-demo -n kuma-demo kong-proxy --url | head -1)

And check that the proxy IP has been exported; run:

$ echo $PROXY_IP
http://192.168.64.29:30409

Sweet! Now that we have Kong for Kubernetes deployed, go ahead and add an ingress rule to proxy traffic to the marketplace frontend service. 

$ cat <<EOF | kubectl apply -f - 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: marketplace
  namespace: kuma-demo
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: frontend
          servicePort: 80
EOF

By default, the ingress controller distributes traffic amongst all the pods of a Kubernetes service by forwarding the requests directly to pod IP addresses. One can choose the load-balancing strategy to use by specifying a KongIngress resource.

However, in some use cases, the load-balancing should be left up to kube-proxy or a sidecar component in the case of service mesh deployments. For us, load-balancing should be left to Kuma, so the following annotation has been included in our frontend service resource:

apiVersion: v1
kind: Service
metadata:
  name: frontend
  namespace: kuma-demo
  annotations:
    ingress.kubernetes.io/service-upstream: "true"
spec:
  ...

Remember to add this annotation to the appropriate services when you deploy Kong with Kuma.

3. Add Policy

With both Kong and Kuma running on our cluster, all that is left to do is add a traffic permission policy for Kong to the frontend service:

$ cat <<EOF | kubectl apply -f - 
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  namespace: kuma-demo
  name: kong-to-frontend
spec:
  sources:
  - match:
      service: kong-proxy.kuma-demo.svc:80
  destinations:
  - match:
      service: frontend.kuma-demo.svc:80
EOF

That’s it! Now, if you visit the $PROXY_IP, you will land in the marketplace application proxied through Kong. From here, you can enable all those fancy plugins that Kong has to offer to work alongside the Kuma policies.

Thanks for following along 🙂

The post Exposing Kuma Service Mesh Using Kong API Gateway appeared first on KongHQ.

When protecting your online services, the weakest link is represented by the endpoints – that is, by the end-user devices running web or mobile applications or by external systems leveraging open APIs. As a matter of fact, there is a growing number of targeted attacks leveraging sophisticated techniques such as malicious web injections, mobile overlay and API abuse attacks to perform identity hijacking, account takeover, transaction tampering and payment frauds.

Traditional threat detection or anti-malware tools are either unable to detect these advanced attacks or are generating too many false positives that have a heavy operational impact on security teams or are unable to support the need to support the real-time decisions that are required to avoid damages without causing customer friction. This situation is exacerbated as digital transformation (DX), instant/real-time payments and open banking initiatives are extending the exposed security perimeter.

Cleafy, a Kong Hub plugin partner, provides an innovative threat detection and protection technology against the most advanced attacks from web, mobile and API channels. Cleafy is clientless and application-transparent, as it does not require any change to managed applications. Cleafy works by passively monitoring the application traffic between endpoints and backend services, continuously checking the application and communication integrity and assessing in real-time the risk associated to each session, even before the authentication phase. In order to do so, Cleafy can smoothly integrate into the application delivery infrastructure, typically at the ADC or API gateway level. Once threats are identified in real-time, adaptive threat responses can be automatically triggered, such as risk-based authentication or Cleafy dynamic application protection.

As applications become increasingly API-based, the adoption of API gateways is also increasing. In particular, Kong is a fully-fledged and platform-agnostic API gateway solution that is being adopted by leading organizations to enable high volume and low latency. Kong technology has built a solid reputation for being fast, powerful, and stable in supporting core API management requirements, such as routing, rate limiting and authentication. Moreover, Kong provides a plugin-based environment (see https://docs.konghq.com/hub/) which allows third-party vendors to easily develop integrations and extend Kong capabilities.

The “Cleafy plugin for Kong” allows customers to easily integrate Cleafy threat detection and protection in any Kong-powered architecture and thus protect their services and end-users leveraging Kong as integration point for Cleafy. As described here above, in order for Cleafy to be able to verify the integrity of the application end-to-end, Cleafy needs to analyse in real-time all application requests and responses between endpoints and the Kong API gateway. It’s worth noticing that the ability to extend Kong functionality using the Lua language made developing the Cleafy plugin for Kong quite easy.

Integrating Kong with Cleafy

The following figure shows the high-level architecture of the Cleafy plugin for Kong. 

Fig 1: Cleafy high-level integration architecture with Kong

All interactions between endpoints and the backend application service are intercepted by the Cleafy plugin for Kong, thus allowing Cleafy to analyse them. 

Basically, the Cleafy plugin for Kong is made by two main components:

• Response Interceptor: This component is responsible for grabbing each HTTP response served by the application server. Each response is collected and proxied to the original endpoint which originated the corresponding request after instrumenting it so as to be able to (asynchronously) receive a copy of the DOM/API body, once received and executed by the endpoint.

• Message Dispatcher: Each intercepted response is collected and sent to the Cleafy engine. To accomplish this, the dispatcher builds a message that contains the body of each HTTP response and some additional information, including both HTTP request and HTTP response headers.

As soon as Cleafy receives the copy of the response from the endpoint, an integrity check is performed with respect to the original response and any difference is automatically extracted. Such differences may represent malicious code injected on the endpoint or in the communication, thus highlighting potential threats.

Once the Cleafy plugin for Kong is installed and properly configured, no additional configuration is required in order to integrate Cleafy with Kong and have Cleafy ingest and analyse traffic passing through the Kong API gateway. 

The following figure shows how sessions are displayed in the Cleafy web console, with a risk score associated to each event corresponding to a Web/API request issued by the endpoint. Cleafy also provides a comprehensive set of APIs to enable other solutions to take advantage of Cleafy collected and generated information, including risk score, threat evidence and classification.

Fig 2: Cleafy web console displaying sessions with associated real-time risk score.

Conclusions

The “Cleafy plugin for Kong” allows customers to easily integrate Cleafy threat detection and protection in any Kong-powered architecture and thus protect their services and end-users leveraging Kong as an integration point for Cleafy.

Kong’s plugin-based environment allows third-party vendors to easily develop integrations and extend Kong capabilities with additional functionalities such as authentication, traffic control, logging, analytics and monitoring, transformations, and security-related features (such as Cleafy). 

The Kong plugin development environment and the Plugin Development Kit introduced in Kong since version 0.14 is very well documented and easy to extend.

https://docs.konghq.com/0.14.x/plugin-development/

The post Protect Your Applications With Cleafy Plugin for Kong appeared first on KongHQ.

Kong for Kubernetes is a Kubernetes Ingress Controller based on the Kong Gateway open source project. Kong for K8s is fully Kubernetes-native and provides enhanced API management capabilities. From an architectural perspective, Kong for K8s consists of two parts: A Kubernetes controller, which manages the state of Kong for K8S ingress configuration, and the Kong Gateway, which processes and manages incoming API requests. 

We are thrilled to announce the availability of this latest release of Kong for K8s! This release’s highlight features include Knative integration, two new Custom Resource Definitions (CRDs) – KongClusterPlugins and TCPIngress – and a number of new annotations to simplify configuration.

This release works out of the box with the latest version of Kong Gateway as well as Kong Enterprise. All users are advised to upgrade.

Kong as Knative’s Ingress Layer 

Knative is a Kubernetes-based platform that allows you to run serverless workloads on top of Kubernetes. Knative manages auto-scaling, including scale-to-zero, of your workload using Kubernetes primitives. Unlike AWS Lambda or Google Cloud functions, Knative enables serverless workload for functions and application logic of any Kubernetes cluster in any cloud provider or bare-metal deployments.

In addition to the ingress and API management layer for Kubernetes, Kong can now perform ingress for Knative workloads as well. In addition to Ingress resources, Kong can run plugins for Knative serving workloads, taking up the responsibility of authentication, caching, traffic shaping and transformation. This means that as Knative HTTP-based serverless events occur, they can be automatically routed through Kong and appropriately managed. This should keep your Knative services lean and focused on the business logic.

apiVersion: serving.knative.dev/v1

kind: Service

metadata:

  name: helloworld-go

  namespace: default

spec:

  template:

metadata:

     annotations:

         konghq.com/plugins: free-tier-rate-limit, prometheus-metrics

spec:

   containers:

     - image: gcr.io/knative-samples/helloworld-go

       env:

         - name: TARGET

           value: Go Sample v1

Here, whenever traffic inbound for helloworld-go, Knative Service is received, and Kong will execute two plugins: free-tier-rate-limit and prometheus-metrics.

New CRD: KongClusterPlugins

Over the past year, we have received feedback from many users regarding plugin configuration. Until now, our object model allowed for namespace KongPlugin resources.

In this model, Service owners are expected to own the plugin configuration (KongPlugin) in addition to Ingress, Service, Deployment and other related resources for a given service. This model works well for the majority of use cases but has two limitations:

• Sometimes it is important for the plugin configuration to be homogeneous across all teams or groups of services that are running in different namespaces.
• Also, sometimes the plugin configuration should be controlled by a separate team, and the plugin is applied on to an Ingress or Service by a different team. This is usually true for authentication and traffic shaping plugins where the configuration could be controlled by an operations team (which configures the location of IdP and other properties), and then the plugin is used for certain services on a case-by-case basis.

To address these problems, in addition to the KongPlugin resource, we have added a new cluster-level custom resource: KongClusterPlugin.

The new resource is identical in every way to the existing KongPlugin resource, except that it is a cluster-level resource.
You can now create one KongClusterPlugin and share it across namespaces. You can also RBAC this resource differently to allow for cases where only users with specific roles can create plugin configurations and service owners can only use the well-defined KongClusterPlugins.

Beta Release of TCPIngress

In the last release, we introduced native support for gRPC-based services.

With this release, we have now opened up support for all services that are based on a custom protocol.

TCPIngress is a new Custom Resource for exposing all kinds of services outside a Kubernetes cluster.

The definition of the resource is very similar to the Ingress resource in Kubernetes itself.

Here is an example of exposing a database running in Kubernetes:

apiVersion: configuration.konghq.com/v1beta1

kind: TCPIngress

metadata:

  name: sample-tcp

spec:

  rules:

  - port: 9000

backend:

   serviceName: config-db

   servicePort: 2701

Here, we are asking Kong to forward all traffic on port 9000 to the config-db service in Kong.

SNI-Based Routing

In addition to exposing TCP-based services, Kong also supports secure TLS-encrypted TCP streams. In these cases, Kong can route traffic on the same TCP port to different services inside Kubernetes based on the SNI of the TLS handshake. Kong will also terminate the TLS session and proxy the TCP stream to the service in plain-text or can re-encrypt as well.

Annotations

This release ships with a new set of annotations that should minimize and simplify Ingress configuration:

  - konghq.com/plugins

  - konghq.com/override

  - konghq.com/client-cert

  - konghq.com/protocols

  - konghq.com/protocol

  - konghq.com/preserve-host

  - konghq.com/plugins

  - konghq.com/override

  - konghq.com/path

  - konghq.com/strip-path

  - konghq.com/https-redirect-status-code

With these new annotations, the need for using the KongIngress custom resource should go away for the majority of the use cases. 

For a complete list of annotations and how to use them, check out the annotations document.

Upgrading

If you are upgrading from a previous version, please read the changelog carefully.

Breaking Changes

This release ships with a major breaking change that can break Ingress routing for your cluster if you are using path-based routing.

Until the last release, Kong used to strip the request path by default. With this release, we have disabled the feature by default. You are free to use KongIngress resource or the new konghq.com/strip-path annotation on Ingress resource to control this behavior.

Also, if you are upgrading, please make sure to install the two new Custom Resource Definitions (CRDs) into your Kubernetes cluster. Failure to do so will result in the controller throwing errors.

Deprecations

Starting with this release, we have deprecated the following annotations, which will be removed in the future:

- configuration.konghq.com

- plugins.konghq.com

- configuration.konghq.com/protocols

- configuration.konghq.com/protocol

- configuration.konghq.com/client-cert

These annotations have been renamed to their corresponding konghq.com annotations.

Please read the annotations document on how to use new annotations.

Compatibility

Kong for K8s supports a variety of deployments and run-times. For a complete view of Kong for K8s compatibility, please see the compatibility document.

Getting Started!

You can try out Kong for K8s using our lab environment, available for free to all at konglabs.io/kubernetes.

You can install Kong for K8s on your Kubernetes cluster with one click:

$ kubectl apply -f bit.ly/k4k8s

or

$ helm repo add kong https://charts.konghq.com

$ helm repo update

$ helm install kong/kong

Alternatively, if you want to use your own Kubernetes cluster, follow our getting started guide to get your hands dirty.

Please feel free to ask questions on our community forum — Kong Nation — and open a Github issue if you happen to run into a bug. 

Happy Konging!

The post Kong for Kubernetes 0.8 Released! appeared first on KongHQ.

We are so excited to share that Kong has been certified as a Great Place to Work®! We recognize our certification as a huge achievement for us, as it reflects our commitment to putting people first by fostering a team-based, collaborative work environment where everyone can be their authentic selves.

Great Place to Work determines the eligibility requirement based on an employee satisfaction survey that looks at a company’s leadership, business practices, culture and workplace environment. 

At Kong, one of our values is “Real,” which we define as being genuine, principled and confident without attitude. We are humbled that our employees see this in action. According to the survey results, 98 percent of Kongers felt welcomed when they joined the company; 98 percent feel cared for at work, and 98 percent believe management facilitates a real entrepreneurial work environment. 

Our Co-Founder and CEO Augusto Marietti recognizes, “This is another validation that our teams truly care for each other by building a long-lasting community of brave souls and whole hearts that we like to call Kongers.” 

This is Kong’s first time being recognized as a Great Place to Work, so we want to thank our employees for their valuable feedback and commitment to making Kong an amazing place to work! The employee experience is a top priority and something that we will continue to work on every day. 

To view Kong’s Great Place to Work profile and results from the company-wide employee survey, please click here. If you’re curious to learn more about working at Kong, visit our careers website at konghq.com/careers and follow us on social media on Twitter and Instagram! ”

The post Kong Recognized as a Great Place to Work®! appeared first on KongHQ.

It would be an understatement to say that 2020 has been one of the most difficult years many of us have ever experienced. With the latest COVID-19 crisis bringing the world to its knees, I am once again reminded of the way that people unite in the face of hardship. Our ability to mobilize and pull together our resources to create solutions is the silver lining to any crisis.

The country of Australia began the year ablaze, and I wanted to express gratitude from both myself and the Kong Australia team for how the Kong community stepped up to help both in the short term and long term to help our country recover from this disaster.

We were heartbroken to witness the devastation caused by the terrible bushfires that impacted much of Australia, and I want to acknowledge and thank the heroes of the fire service across the country as well as the Australian Defence Force (ADF), who put their lives on the line to protect our people, property and wildlife.

I also want to express my deepest thanks to all the Kongers who reached out to our local team, customers and community expressing concern and with offers to help.

Lastly, I wanted to thank all those that donated money to Kong’s fundraiser to raise money for the Center for Disaster Philanthropy to fund medium- to long-term recovery of areas impacted by the bushfires – matching every dollar donated and raising over $8K in two weeks! 

While Australia faces a long road to recovery, the spirit of this magnificent country and its people can never be underestimated. We want all Australians to know that you are not alone, and at Kong, we are determined to leverage our most valuable asset – our people – to help rebuild and restore our communities through each crisis that we face.

The post Kongers Unite to Support Australian Wildfire Recovery appeared first on KongHQ.