
@Sanskarzz Sanskarzz commented Dec 24, 2025

## Description

**Kong Gateway Integration with SentryFlow**

This guide describes how to integrate Kong Gateway with SentryFlow for API security monitoring.

### Steps

#### 1. Install Kong Gateway

```shell
helm repo add kong https://charts.konghq.com
helm repo update

# Install Kong with default settings (CRDs disabled for kind if preferred)
helm install kong kong/kong \
  --namespace kong \
  --create-namespace \
  --set ingressController.installCRDs=false \
  --set admin.enabled=true \
  --set admin.type=NodePort
```

#### 2. Install SentryFlow Custom Plugin

We need to mount the sentryflow-log plugin into the Kong proxy container.

**Create ConfigMap from plugin files:**

```shell
# Create ConfigMap
kubectl create configmap sentryflow-log-plugin \
  --from-file=handler.lua=filter/kong/sentryflow-log/handler.lua \
  --from-file=schema.lua=filter/kong/sentryflow-log/schema.lua \
  -n kong
```

**Patch Kong Deployment:**

Mount the plugin into the proxy container (usually index 1) and the ingress-controller (index 0).

```shell
kubectl patch deployment kong-kong -n kong --type=json -p='[
  {
    "op": "add",
    "path": "/spec/template/spec/volumes/-",
    "value": {
      "name": "sentryflow-log-plugin",
      "configMap": {
        "name": "sentryflow-log-plugin"
      }
    }
  },
  {
    "op": "add",
    "path": "/spec/template/spec/containers/1/volumeMounts/-",
    "value": {
      "name": "sentryflow-log-plugin",
      "mountPath": "/usr/local/share/lua/5.1/kong/plugins/sentryflow-log",
      "readOnly": true
    }
  }
]'

# Enable the plugin in Kong
kubectl set env deployment/kong-kong -n kong KONG_PLUGINS=bundled,sentryflow-log
```

Note: Ensure the volumeMount is applied to the proxy container.

#### 3. Deploy SentryFlow

Deploy SentryFlow with Kong receiver enabled.

```shell
helm upgrade --install sentryflow \
  ./deployments/sentryflow \
  --namespace sentryflow \
  --create-namespace \
  --set image.repository=sanskardevops/sentryflow \
  --set image.tag=latest \
  --set config.receivers.kongGateway.enabled=true \
  --set config.receivers.kongGateway.namespace=kong \
  --set config.receivers.kongGateway.deploymentName=kong-kong
```

#### 4. Enable sentryflow-log Plugin Globally

Create a KongClusterPlugin to enable logging for all routes.

```shell
kubectl apply -f - <<EOF
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: sentryflow-log
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: "true"
plugin: sentryflow-log
config:
  http_endpoint: "http://sentryflow.sentryflow:8081/api/v1/events"
  timeout: 10000
  keepalive: 60000
EOF
```

#### 5. Patch Discovery Engine

Update the discovery-engine ConfigMap (discovery-engine-sumengine) to use SentryFlow and restart the deployment.

```shell
kubectl -n agents edit configmap discovery-engine-sumengine
```

```yaml
data:
  app.yaml: |
    ...
    summary-engine:
      sentryflow:
        cron-interval: 0h0m30s
        decode-jwt: true
        enabled: true
        include-bodies: true
        redact-sensitive-data: false
        sensitive-rules-files-path:
        - /var/lib/sumengine/sensitive-data-rules.yaml
        threshold: 10000
    watcher:
    ...
      sentryflow:
        enabled: true
        event-type:
          access-log: true
          metric: false
        service:
          enabled: true
          name: sentryflow
          port: "8080"
          url: "sentryflow.sentryflow"
```

```shell
kubectl -n agents rollout restart deployment/discovery-engine
```

### Verification Guide

#### 1. Deploy Sample Application

Deploy the Google Microservices Demo frontend service (or any HTTP service).

```shell
# Verify frontend service exists
kubectl get svc
```

#### 2. Create Ingress Resource

Create an Ingress to route traffic through Kong to your service.

```shell
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend-ingress
  annotations:
    konghq.com/strip-path: "true"
spec:
  ingressClassName: kong
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: frontend
                port:
                  number: 80
EOF
```

#### 3. Generate Traffic

Port-forward the Kong proxy and send requests.

```shell
# Port forward Kong Proxy
kubectl port-forward -n kong svc/kong-kong-proxy 8000:80 &

# Send traffic
sleep 2
curl -s http://localhost:8000/ > /dev/null
curl -s http://localhost:8000/cart > /dev/null
```

#### 4. Verify SentryFlow Logs

Check SentryFlow logs to confirm it received the events.

```shell
kubectl -n sentryflow logs deployment/sentryflow --tail=50
```

You should see logs indicating receipt of events:

```
{"level":"INFO",...,"msg":"Received API Event from kong"}
```

Related ticket CNAPP-24034
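Step 2 of the guide patches the deployment with a hard-coded container index (`containers/1`) and then reminds the reader to make sure the mount landed on the proxy container. The following added example (my code, not part of this PR or of the SentryFlow project) builds the same JSON patch by looking the proxy container up by name, skips operations that are already applied so re-running the patch never duplicates a volume or mount, and creates the `volumes`/`volumeMounts` arrays when they are absent (a JSON Patch `add` with a trailing `/-` fails on a missing array). It assumes the Kong chart names its containers `proxy` and `ingress-controller`; `SAMPLE_DEPLOYMENT` and `SAMPLE_DEPLOYMENT_BARE` are constructed stand-ins for `kubectl -n kong get deployment kong-kong -o json`, not real output.

```python
"""Build the kubectl JSON patch that mounts the sentryflow-log plugin into
Kong's proxy container, located by container name instead of a fixed index.
Added example; assumes the chart names the containers "proxy" and
"ingress-controller" (an assumption, not something the PR states)."""
import json
import shlex

PLUGIN_NAME = "sentryflow-log"
VOLUME_NAME = "sentryflow-log-plugin"  # ConfigMap created in step 2 of the guide
MOUNT_PATH = "/usr/local/share/lua/5.1/kong/plugins/sentryflow-log"

# Constructed stand-in for `kubectl -n kong get deployment kong-kong -o json`.
SAMPLE_DEPLOYMENT = {
    "spec": {"template": {"spec": {
        "volumes": [{"name": "kong-prefix-dir", "emptyDir": {}}],
        "containers": [
            {"name": "ingress-controller", "env": []},
            {"name": "proxy",
             "env": [{"name": "KONG_PLUGINS", "value": "bundled"}],
             "volumeMounts": [{"name": "kong-prefix-dir", "mountPath": "/kong_prefix/"}]},
        ],
    }}}
}

# Same shape with no volumes/volumeMounts at all (also constructed): the patch
# must create the arrays, because "add" to ".../volumes/-" fails when absent.
SAMPLE_DEPLOYMENT_BARE = {
    "spec": {"template": {"spec": {"containers": [
        {"name": "ingress-controller"},
        {"name": "proxy"},
    ]}}}
}


def find_container_index(deployment, name):
    """Index of the container called `name`; raise rather than guess."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    for i, c in enumerate(containers):
        if c.get("name") == name:
            return i
    raise ValueError(f"no container named {name!r} in deployment")


def _append_op(base_path, existing, value):
    """Append to an existing array with '/-', or create the array if missing."""
    if existing is None:
        return {"op": "add", "path": base_path, "value": [value]}
    return {"op": "add", "path": base_path + "/-", "value": value}


def build_plugin_patch(deployment, proxy_container="proxy"):
    """JSON Patch operations that mount the plugin ConfigMap (read-only) into
    the proxy container. Idempotent: ops already present are skipped."""
    pod_spec = deployment["spec"]["template"]["spec"]
    idx = find_container_index(deployment, proxy_container)
    container = pod_spec["containers"][idx]
    ops = []

    volumes = pod_spec.get("volumes")
    if not any(v.get("name") == VOLUME_NAME for v in volumes or []):
        ops.append(_append_op("/spec/template/spec/volumes", volumes,
                              {"name": VOLUME_NAME, "configMap": {"name": VOLUME_NAME}}))

    mounts = container.get("volumeMounts")
    if not any(m.get("mountPath") == MOUNT_PATH for m in mounts or []):
        ops.append(_append_op(f"/spec/template/spec/containers/{idx}/volumeMounts", mounts,
                              {"name": VOLUME_NAME, "mountPath": MOUNT_PATH, "readOnly": True}))
    return ops


def kong_plugins_value(container):
    """KONG_PLUGINS value that enables the plugin without dropping plugins already listed."""
    current = ["bundled"]
    for env in container.get("env", []):
        if env.get("name") == "KONG_PLUGINS":
            current = [p for p in env.get("value", "").split(",") if p] or ["bundled"]
    if PLUGIN_NAME not in current:
        current.append(PLUGIN_NAME)
    return ",".join(current)


def kubectl_commands(deployment, namespace="kong", name="kong-kong"):
    """Render the two step-2 commands with the computed patch and env value."""
    ops = build_plugin_patch(deployment)
    proxy = deployment["spec"]["template"]["spec"]["containers"][find_container_index(deployment, "proxy")]
    cmds = []
    if ops:  # nothing to patch if the mount is already in place
        cmds.append(f"kubectl patch deployment {name} -n {namespace} --type=json -p={shlex.quote(json.dumps(ops))}")
    cmds.append(f"kubectl set env deployment/{name} -n {namespace} KONG_PLUGINS={kong_plugins_value(proxy)}")
    return cmds


if __name__ == "__main__":
    print("\n".join(kubectl_commands(SAMPLE_DEPLOYMENT)))
```

Pipe the real deployment JSON into `build_plugin_patch` instead of the constructed sample and the printed `kubectl patch` line targets whichever index the proxy container actually has, which is the check the guide's note asks the reader to do by hand.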

avithe-great and others added 14 commits November 21, 2025 11:23
…ller-issues

Fix nginx ingress controller issues
Signed-off-by: avithe-great <avinash.maurya@accuknox.com>
…add sentryflow changes and github actions

Fix unit tests and add unit tests for gateway

Fix typo in values
…io-gateway-receiver

 FEAT: CNAPP-23269 Add wasm-plugin support for istio-ingressgateway ,…
Signed-off-by: Sanskarzz <sanskar.gur@gmail.com>
````markdown
Deploy SentryFlow with Kong receiver enabled.

```shell
helm upgrade --install sentryflow \
````

@JonesJefferson (Contributor) commented Jan 5, 2026:

Please change this to install an actual helm chart from ECR. We can update this section after we merge and create a new release

Author:

done

```yaml
sidecarTag: {{ .Values.config.receivers.istio.sidecarTag | default "latest-sidecar" }}
{{- end }}
{{- if .Values.config.receivers.kongGateway.enabled }}
```

Contributor:

also update the default.yaml config and comment the configs out

Author:

can you please explain this more

Contributor:

there's a file called default.yaml where we need to update this

```go
return
}

m.Logger.Infof("Received API Event from %s", apiEvent.Metadata.ReceiverName)
```

Contributor:

please change this to a debug log

Author:

done

````markdown
**Create ConfigMap from plugin files:**

```shell
# Create ConfigMap
````

Contributor:

package these lua files with helm. Have helm create config map with these files

Author:

done

```lua
},
response = {
headers = res_headers,
body = "", -- Response body capture requires buffering
```

Contributor:

we do need the body regardless. We can have a limit of say 1mb and capture the body

```lua
},
request = {
headers = req_headers,
body = "", -- Kong doesn't easily provide request body in log phase
```

Contributor:

can we tap into a different phase in that case? We need the body

Author:

I have updated it to capture using kong.request.get_raw_body() and kong.service.response.get_raw_body().

```lua
headers = res_headers,
body = "", -- Response body capture requires buffering
},
protocol = var.server_protocol or "HTTP/1.1",
```

Contributor:

this will almost never be empty. But even if it is we cannot assume it will be "HTTP/1.1". Could you please confirm this

Author:

I have changed the default protocol fallback to an empty string instead of "HTTP/1.1".

```lua
fields = {
{ http_endpoint = typedefs.url({
required = true,
description = "SentryFlow HTTP endpoint URL (e.g., http://sentryflow.sentryflow:8081/api/v1/events)" -- { sentryflow.sentryflow is default name of sentryflow deployment.namespace update if its different for the setup}
```

Contributor:

this should be configured through helm install

Author:

done
