Multi-zone authentication
To strengthen the security of your deployments, Kong Mesh can authenticate zone control planes to the global control plane. Authentication is based on the Zone Token, the same token type that authenticates zone proxies. See zone proxy authentication to learn about token characteristics, revocation, rotation, and more.
For this purpose Kong Mesh introduces an additional cp scope. Only tokens that carry the cp scope can be used to authenticate a zone control plane; a zone proxy token without it is rejected.
Set up tokens
To generate the tokens you need and configure your clusters:
- Generate a token for each zone control plane.
- Add the token to the configuration of each zone control plane.
- Enable authentication on the global control plane.
Generate token for each zone
Authenticate against the global control plane and run the following command once per zone (here for the zone named west, valid for 30 days):
kumactl generate zone-token --zone=west --scope=cp --valid-for=720h > /tmp/token
View the token:
cat /tmp/token
The generated token looks like:
eyJhbGciOiJSUzI1NiIsImtpZCI6IjEiLCJ0eXAiOiJKV1QifQ.eyJab25lIjoid2VzdCIsIlNjb3BlIjpbImNwIl0sImV4cCI6MTY2OTU0NjkzOSwibmJmIjoxNjY2OTU0NjM5LCJpYXQiOjE2NjY5NTQ5MzksImp0aSI6IjZiYWYyYzkwLTBlODYtNGM2Mi05N2E3LTc4MzU4NTU4MzRiYyJ9.DJfA0M6uUfO4oytp8jHtzngiVggQWQR88YQxWVU1ujc0Zv-XStRDwvpdEoFGOzWVn4EUfI3gcv9qS2MxqIzQjJ83k5Jq85w4hkPyLGr-0jNS1UZF6yXz7lB_As8f91gMVHbRAoFuoybV5ndDtfYzwZknyzott7doxk-SjTes2GDvpg0-kFNGc4MBR2EprGl7YKO0vhFxQjln5AyCAhmAA7-PM7WRCzhmS-pUXacfZtP2VulWYhmTAuLPnkJrJN-ZWPkIpnV1MZmsgWbzTpnW-PhmCMQfD5m2im1c_3OlFwa9P9rZQQhdhbTp0ofMvW-cdCAcG_lOJI5j60cqPh2DGg
On Kubernetes, kumactl needs to reach the global control plane API to generate the token; you can port-forward port 5681 of the global control plane and point kumactl at the forwarded port.
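Before you put a token into a zone configuration it is worth confirming that it was generated for the right zone, carries the cp scope, and covers the time window you expect. The following script is an added example, not code from Kong Mesh: it decodes the claims of the token shown above (copied from this page as its input) without verifying the signature, since only the global control plane holds the key that validates it. It assumes the claim names visible in the decoded token (Zone, Scope, exp, nbf, iat, jti) and nothing else about the token format.

```python
"""Sanity-check a Kong Mesh zone token before installing it in a zone control plane.

Added example, not Kong Mesh's own code. The claims are decoded but the RS256
signature is NOT verified: only the global control plane can do that. What this
catches is a token generated with the wrong --zone, without --scope=cp, or with a
validity window that does not cover the time it will be used.
"""
import base64
import json
import time
from typing import List, Optional, Tuple

# Token printed by `kumactl generate zone-token --zone=west --scope=cp --valid-for=720h`,
# copied from the page above so the example runs offline.
PAGE_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IjEiLCJ0eXAiOiJKV1QifQ."
    "eyJab25lIjoid2VzdCIsIlNjb3BlIjpbImNwIl0sImV4cCI6MTY2OTU0NjkzOSwibmJmIjoxNjY2OTU0"
    "NjM5LCJpYXQiOjE2NjY5NTQ5MzksImp0aSI6IjZiYWYyYzkwLTBlODYtNGM2Mi05N2E3LTc4MzU4NTU4"
    "MzRiYyJ9."
    "DJfA0M6uUfO4oytp8jHtzngiVggQWQR88YQxWVU1ujc0Zv-XStRDwvpdEoFGOzWVn4EUfI3gcv9qS2Mx"
    "qIzQjJ83k5Jq85w4hkPyLGr-0jNS1UZF6yXz7lB_As8f91gMVHbRAoFuoybV5ndDtfYzwZknyzott7do"
    "xk-SjTes2GDvpg0-kFNGc4MBR2EprGl7YKO0vhFxQjln5AyCAhmAA7-PM7WRCzhmS-pUXacfZtP2VulW"
    "YhmTAuLPnkJrJN-ZWPkIpnV1MZmsgWbzTpnW-PhmCMQfD5m2im1c_3OlFwa9P9rZQQhdhbTp0ofMvW-c"
    "dCAcG_lOJI5j60cqPh2DGg"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> Tuple[dict, dict]:
    """Return (header, claims) of a compact JWT. The signature is not checked here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def lifetime_hours(claims: dict) -> float:
    """Total validity in hours; should match the --valid-for you passed to kumactl."""
    return (claims["exp"] - claims["iat"]) / 3600


def check_zone_token(token: str, expected_zone: str, now: Optional[int] = None) -> List[str]:
    """Return a list of problems; an empty list means the token looks usable for a zone CP."""
    now = int(time.time()) if now is None else now
    header, claims = decode_claims(token)
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if claims.get("Zone") != expected_zone:
        problems.append(f"token is for zone {claims.get('Zone')!r}, not {expected_zone!r}")
    scopes = claims.get("Scope") or []
    if "cp" not in scopes:
        # A token with only the zone-proxy scope cannot authenticate a zone control plane.
        problems.append(f"missing cp scope (has {scopes}); usable for zone proxies only")
    if "exp" not in claims:
        problems.append("no exp claim: token never expires")
    elif now >= claims["exp"]:
        problems.append(f"expired at {claims['exp']} (now {now})")
    if claims.get("nbf", 0) > now:
        problems.append(f"not valid before {claims['nbf']} (now {now})")
    return problems


if __name__ == "__main__":
    hdr, body = decode_claims(PAGE_TOKEN)
    print("zone:", body["Zone"], "scope:", body["Scope"], "jti:", body["jti"])
    print("lifetime hours:", lifetime_hours(body))
    # Keep the jti: it is the identifier that singles out this token on the
    # revocation list described on the zone proxy authentication page.
    print("problems for zone west:", check_zone_token(PAGE_TOKEN, "west"))
```

Run it against your own freshly generated token by replacing PAGE_TOKEN (or reading /tmp/token) and passing the zone name you used with --zone. The page's token is from 2022, so checked at the current time it reports as expired; that is the failure mode you want the check to surface before a zone control plane silently fails to connect.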
Add token to each zone configuration
Enable authentication on the global control plane
If you are starting from scratch rather than securing an existing Kong Mesh deployment, you can do this as the first step. On an existing deployment, enable it only after every zone control plane has been configured with its token, because once authentication is enabled the global control plane rejects zone control planes that connect without a valid token.
Verify that each zone control plane connected with authentication by looking for a line like the following in the global control plane logs:
2021-02-24T14:30:38.596+0100 INFO kds.auth Zone CP successfully authenticated {"zone": "cluster-2"}
Additional security
By default, the connection from the zone control plane to the global control plane is secured with TLS. You should also configure the zone control plane to verify the global control plane's certificate against its certificate authority (CA); without that verification the zone control plane presents its token to whatever endpoint answers at the configured address.
Legacy Control Plane Token
You can still authenticate a zone control plane with the separate Control Plane Token, but it is deprecated and will be removed in a future release. Use a Zone Token with the cp scope instead.