secure 8444 admin port directly from within the pod

[223311]

I'm working on a poc using a kong hybrid approach with PostgreSQL as the database in a gke cluster. In this setup, I'm trying to secure the admin API, which is currently accessible by anyone. My goal is to ensure that even when accessing the Admin API directly from within the pod (e.g., via curl to https://localhost:8444/ -k), it should require authentication.

Could someone suggest how to add this security measure?

[ProBrian]

Hi @223311, could you give more detailed information, your kong version, configuration, reproduce steps, etc. Thanks.

[223311]

We are using Kong 3.5 and the Ingress Controller 3.3.1 in Kubernetes, and we are installing it using the Helm command. Once Kong is installed, we can exec into the control plane proxy container pod. Inside the pod, when we execute the command https://localhost:8444/ -k, it successfully returns the configuration.
Now, we want to secure the Admin API by enforcing authentication so that any request, even from within the pod, must provide authentication credentials to access the Admin API. How can we achieve this?

Below is the helm config

cp.yaml

env:
database: "postgres"
role: control_plane
cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
pg_host:
valueFrom:
secretKeyRef:
name: postgres-db-secrets
key: host
pg_user:
valueFrom:
secretKeyRef:
name: postgres-db-secrets
key: user
pg_password:
valueFrom:
secretKeyRef:
name: postgres-db-secrets
key: password

image:
repository: ${KONG_IMAGE}
tag: ${KONG_IMAGE_TAG}

admin:
enabled: true
labels:
enable-metrics: "true"
type: ClusterIP
annotations:
konghq.com/protocol: "https"
tls:
enabled: true
servicePort: 8444
containerPort: 8444
parameters: []
ingress:
enabled: true
hostname: ${ADMIN_API_URI}
annotations:
kubernetes.io/ingress.class: "kong"
path: /

proxy:
enabled: false

secretVolumes:

• ssl-key-cert
• kong-cluster-cert

ingressController:
enabled: true
image:
repository: kong/kubernetes-ingress-controller
tag: "3.3.1"
env:
publish_service: kong/kong-dp-kong-proxy

cluster:
enabled: true
type: ClusterIP
tls:
enabled: true
servicePort: 8005
containerPort: 8005

clustertelemetry:
enabled: true
type: ClusterIP
tls:
enabled: true
servicePort: 8006
containerPort: 8006

manager:
enabled: true
type: ClusterIP
annotations:
konghq.com/protocol: "https"
http:
enabled: false
tls:
enabled: true
servicePort: 8445
containerPort: 8445
parameters: []
ingress:
enabled: true
hostname: ${ADMIN_GUI_URL}
annotations:
kubernetes.io/ingress.class: "kong"
path: /

=============
dp .yaml

env:
role: data_plane
cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
cluster_server_name: kong-cp-kong-cluster.kong.svc.cluster.local
cluster_control_plane: kong-cp-kong-cluster.kong.svc.cluster.local:8005
image:
repository: ${KONG_IMAGE}
tag: ${KONG_IMAGE_TAG}

admin:
enabled: false

proxy:
type: NodePort
http:
enabled: false
tls:
nodePort: 11111

secretVolumes:

• ssl-key-cert
• kong-cluster-cert

ingressController:
enabled: false