Enforce the Ingress Policy
You can see that the following policy is automatically installed when you add the Kong Gateway system.
- policy >> ingress
In the Kong Gateway system Quick Start, step #5 triggers a shell script that repeatedly executes the following HTTP calls at 30-second intervals, authenticating as different users, to generate sample data for visualization.
curl -is --user alice:password ingress-kong/finance/salary/alice
curl -is --user bob:password ingress-kong/finance/salary/alice
curl -is --user bob:password ingress-kong/finance/salary/charlie
curl -is --user david:password ingress-kong/finance/salary/bob
curl -is --user david:password ingress-kong/hr/dashboard
curl -is --user eve:password ingress-kong/admin
By default, the ingress policy allows all traffic to the example application service. Click on the Decisions tab to verify all the Allowed decisions from the newly created Kong Gateway system.
The Kong Gateway system Quick Start provides a link to replace the ingress policy with a sample one. With this ingress policy published, traffic is allowed only on the /finance/salary endpoint of example-app. Switch to the Decisions tab and verify that traffic to the paths /hr/dashboard and /admin is Denied.
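The two policy behaviours described above, modelled in Python over the six requests the Quick Start script sends. This is an added example, not the sample policy from the Quick Start and not code from the product. It assumes the decision depends only on the request path, and the function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

# The six requests from the Quick Start script (user, path), copied from the page.
REQUESTS = [
    ("alice", "/finance/salary/alice"),
    ("bob", "/finance/salary/alice"),
    ("bob", "/finance/salary/charlie"),
    ("david", "/finance/salary/bob"),
    ("david", "/hr/dashboard"),
    ("eve", "/admin"),
]

# Assumption: the restricted policy permits exactly this endpoint and its sub-paths.
ALLOWED_PREFIX = ("finance", "salary")


def segments(raw_path):
    """Drop the query string, decode, normalize, and split the path into segments."""
    path = posixpath.normpath(unquote(raw_path.split("?", 1)[0]))
    return tuple(s for s in path.split("/") if s)


def allow_all(raw_path):
    """Models the default ingress policy: every request is allowed."""
    return True


def allow_salary_only(raw_path):
    """Models the restricted policy: whole-segment match on /finance/salary."""
    return segments(raw_path)[: len(ALLOWED_PREFIX)] == ALLOWED_PREFIX


def decisions(policy):
    """Return (user, path, decision) for each sample request under `policy`."""
    return [(u, p, "Allowed" if policy(p) else "Denied") for u, p in REQUESTS]


if __name__ == "__main__":
    for name, policy in (("default", allow_all), ("restricted", allow_salary_only)):
        print(name)
        for user, path, decision in decisions(policy):
            print(f"  {user:6} {path:26} {decision}")
```

Because the match is on whole path segments, a constructed path such as /finance/salaryreport is denied, whereas a plain string-prefix comparison would allow it.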