Kong Gateway Integration with AccuKnox API Security¶
This guide describes how to integrate Kong Gateway with AccuKnox API Security for API security monitoring.
Prerequisites¶
- Kubernetes cluster (e.g., kind, EKS, GKE)
- kubectl configured
- Helm 3.x installed
- AccuKnox agents installed
Steps¶
1. Install Kong Gateway¶
helm repo add kong https://charts.konghq.com
helm repo update
# Install Kong with default settings
helm install kong kong/kong \
--namespace kong \
--create-namespace \
--set ingressController.installCRDs=false \
--set admin.enabled=true \
--set admin.type=NodePort
2. Deploy AccuKnox API Security (Initial - Creates ConfigMap)¶
Deploy AccuKnox API Security with Kong receiver enabled. This creates the sentryflow-log-plugin ConfigMap in the 'kong' namespace containing the plugin Lua code.
Note: This step may show a warning about the
KongClusterPluginfailing validation - this is expected because Kong hasn't loaded the plugin yet. The API Security components and the ConfigMap will still be created.
helm upgrade --install sentryflow \
oci://public.ecr.aws/k9v9d5v2/sentryflow-helm-charts \
--namespace sentryflow \
--create-namespace \
--set config.receivers.kongGateway.enabled=true \
--set config.receivers.kongGateway.namespace=kong \
--set config.receivers.kongGateway.deploymentName=kong-kong \
--set config.receivers.kongGateway.plugin.httpEndpoint=http://sentryflow.sentryflow.svc.cluster.local:8081/api/v1/events \
--set config.receivers.kongGateway.plugin.timeout=10000 \
--set config.receivers.kongGateway.plugin.keepalive=60000
Verify the ConfigMap was created:
kubectl get configmap sentryflow-log-plugin -n kong
3. Patch Kong Deployment¶
Now we need to configure Kong to load the sentryflow-log plugin. This requires:
- Mounting the ConfigMap containing the plugin code
- Setting the
KONG_PLUGINSenvironment variable
Mount the plugin and enable it:
# Mount the plugin ConfigMap
kubectl patch deployment kong-kong -n kong --type=json -p='[
{
"op": "add",
"path": "/spec/template/spec/volumes/-",
"value": {
"name": "sentryflow-log-plugin",
"configMap": {
"name": "sentryflow-log-plugin"
}
}
},
{
"op": "add",
"path": "/spec/template/spec/containers/1/volumeMounts/-",
"value": {
"name": "sentryflow-log-plugin",
"mountPath": "/usr/local/share/lua/5.1/kong/plugins/sentryflow-log",
"readOnly": true
}
}
]'
# Enable the plugin in Kong
kubectl set env deployment/kong-kong -n kong KONG_PLUGINS=bundled,sentryflow-log
Note: The
volumeMountis applied to theproxycontainer (index 1). Adjust if your Kong deployment has a different container order.
Wait for Kong to restart and become ready:
kubectl -n kong rollout status deployment/kong-kong
4. Create KongClusterPlugin¶
Now that Kong has loaded the plugin, re-run the Helm chart to create the KongClusterPlugin resource:
helm upgrade --install sentryflow \
oci://public.ecr.aws/k9v9d5v2/sentryflow-helm-charts \
--namespace sentryflow \
--create-namespace \
--set config.receivers.kongGateway.enabled=true \
--set config.receivers.kongGateway.namespace=kong \
--set config.receivers.kongGateway.deploymentName=kong-kong \
--set config.receivers.kongGateway.plugin.httpEndpoint=http://sentryflow.sentryflow:8081/api/v1/events \
--set config.receivers.kongGateway.plugin.timeout=10000 \
--set config.receivers.kongGateway.plugin.keepalive=60000
Verify the KongClusterPlugin was created:
kubectl get kongclusterplugins
You should see:
NAME PLUGIN-TYPE AGE PROGRAMMED
sentryflow-log sentryflow-log Xs
5. Patch Discovery Engine¶
Update the discovery-engine ConfigMap (discovery-engine-sumengine) to use AccuKnox API Security and restart the deployment.
kubectl -n agents edit configmap discovery-engine-sumengine
Update the configuration:
data:
app.yaml: |
...
summary-engine:
sentryflow:
cron-interval: 0h0m30s
decode-jwt: true
enabled: true
include-bodies: true
redact-sensitive-data: false
sensitive-rules-files-path:
- /var/lib/sumengine/sensitive-data-rules.yaml
threshold: 10000
watcher:
...
sentryflow:
enabled: true
event-type:
access-log: true
metric: false
service:
enabled: true
name: sentryflow
port: "8080"
url: "sentryflow.sentryflow"
Restart discovery-engine:
kubectl -n agents rollout restart deployment/discovery-engine
Verification Guide¶
1. Deploy Sample Application¶
Deploy the Google Microservices Demo frontend service (or any HTTP service).
# Verify frontend service exists
kubectl get svc
2. Create Ingress Resource¶
Create an Ingress to route traffic through Kong to your service.
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: frontend-ingress
annotations:
konghq.com/strip-path: "true"
spec:
ingressClassName: kong
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: frontend
port:
number: 80
EOF
3. Generate Traffic¶
Port-forward the Kong proxy and send requests.
# Port forward Kong Proxy
kubectl port-forward -n kong svc/kong-kong-proxy 8000:80 &
# Send traffic
sleep 2
curl -s http://localhost:8000/ > /dev/null
curl -s http://localhost:8000/cart > /dev/null
4. Verify API Security Logs¶
Check AccuKnox API Security logs to confirm it received the events.
kubectl -n sentryflow logs deployment/sentryflow --tail=50
You should see logs indicating receipt of events:
{"level":"INFO",...,"msg":"Received API Event from kong"}
Troubleshooting¶
KongClusterPlugin Validation Error¶
If you see:
Error: admission webhook "validations.kong.konghq.com" denied the request: plugin failed schema validation
This means Kong hasn't loaded the plugin yet. Ensure:
- The
sentryflow-log-pluginConfigMap exists in thekongnamespace - Kong deployment has the ConfigMap mounted at
/usr/local/share/lua/5.1/kong/plugins/sentryflow-log KONG_PLUGINSenvironment variable includessentryflow-log- Kong pods have restarted and are
Running
Kong Pods in CrashLoopBackOff¶
If Kong pods crash after setting KONG_PLUGINS:
- The ConfigMap may not be mounted yet
- Apply the patch to mount the ConfigMap and wait for pods to restart